A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * alsa-ucm-conf: 1.2.2-1ubuntu0.5 => 1.2.2-1ubuntu0.6 * apt: 2.0.4 => 2.0.5 * curl: 7.68.0-1ubuntu2.4 => 7.68.0-1ubuntu2.5 * landscape-client: 19.12-0ubuntu4.1 => 19.12-0ubuntu4.2 * libseccomp: 2.4.3-1ubuntu3.20.04.3 => 2.5.1-1ubuntu1~20.04.1 * linux-meta: 5.4.0.70.73 => 5.4.0.71.74 * linux-signed: 5.4.0-70.78 => 5.4.0-71.79 * nettle: 3.5.1+really3.5.1-2 => 3.5.1+really3.5.1-2ubuntu0.1 * pciutils: 1:3.6.4-1 => 1:3.6.4-1ubuntu0.20.04.1 * sosreport: 4.0-1~ubuntu0.20.04.3 => 4.1-1ubuntu0.20.04.1 * systemd: 245.4-4ubuntu3.5 => 245.4-4ubuntu3.6 * ubuntu-keyring: 2020.02.11.2 => 2020.02.11.4 * ubuntu-release-upgrader: 1:20.04.30 => 1:20.04.31 The following is a complete changelog for this image. new: {'linux-headers-5.4.0-71': '5.4.0-71.79', 'linux-headers-5.4.0-71-generic': '5.4.0-71.79', 'linux-modules-5.4.0-71-generic': '5.4.0-71.79'} removed: {'linux-headers-5.4.0-70': '5.4.0-70.78', 'linux-modules-5.4.0-70-generic': '5.4.0-70.78', 'linux-headers-5.4.0-70-generic': '5.4.0-70.78'} changed: ['alsa-ucm-conf', 'apt', 'apt-utils', 'curl', 'landscape-common', 'libapt-pkg6.0:amd64', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libhogweed5:amd64', 'libnettle7:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libpci3:amd64', 'libseccomp2:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-71-generic', 'linux-image-virtual', 'linux-virtual', 'pciutils', 'python3-distupgrade', 'sosreport', 'systemd', 'systemd-sysv', 'systemd-timesyncd', 'ubuntu-keyring', 'ubuntu-release-upgrader-core', 'udev'] new snaps: {} removed snaps: {} changed snaps: ['core18', 'snapd'] ==== alsa-ucm-conf: 1.2.2-1ubuntu0.5 => 1.2.2-1ubuntu0.6 ==== ==== alsa-ucm-conf * d/p/0001-rt715-init-setup-ADC07-to-a-proper-volume.patch Correct rt715 init volume setting. (LP: #1908677) ==== apt: 2.0.4 => 2.0.5 ==== ==== apt apt-utils libapt-pkg6.0:amd64 [ Julian Andres Klode ] * private-search: Only use V.TranslatedDescription() if good (LP: #1877987) * Implement update --error-on=any (Closes: #594813) (LP: #1693900) * Include all translations when building the cache (LP: #1907850) * Add basic support for the Protected field, and do not require force-loopbreak on Protected/Important packages (Closes: #983014) (LP: #1916725) * Protect currently running kernel at run-time (LP: #1615381) * Make ADDARG{,C}() macros expand to single statements * Default Acquire::AllowReleaseInfoChange::Suite to "true" (Closes: #931566) (LP: #1918907) [ David Kalnischkies ] * Fix incorrect base64 encoding due to int promotion (LP: #1916050) * Harden test for no new acquires after transaction abort (Closes: #984966) (LP: #1918920) ==== curl: 7.68.0-1ubuntu2.4 => 7.68.0-1ubuntu2.5 ==== ==== curl libcurl3-gnutls:amd64 libcurl4:amd64 * SECURITY UPDATE: data leak via referer header field - debian/patches/CVE-2021-22876.patch: strip credentials from the auto-referer header field in lib/transfer.c. - CVE-2021-22876 * SECURITY UPDATE: TLS 1.3 session ticket proxy host mixup - debian/patches/CVE-2021-22890.patch: make sure we set and extract the correct session in lib/vtls/*. - CVE-2021-22890 ==== landscape-client: 19.12-0ubuntu4.1 => 19.12-0ubuntu4.2 ==== ==== landscape-common * d/p/0003-clean-publisher-shutdown.patch: Let publisher services shutdown cleanly (LP: #1870087) ==== libseccomp: 2.4.3-1ubuntu3.20.04.3 => 2.5.1-1ubuntu1~20.04.1 ==== ==== libseccomp2:amd64 * Updated to new upstream 2.5.1 version for updated syscalls support (LP: #1891810) - Removed the following patches that are now included in the new version: + d/p/cython3.patch + d/p/riscv64_support.patch + d/p/fix-aarch64-syscalls.patch + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch + d/p/db-add-shadow-transactions.patch - Deleted the patch to add a local copy of architecture specific header files from linux-libc-dev/focal as this is not needed anymore + d/p/add-5.4-local-syscall-headers.patch - debian/control: Added gperf to Build-Depends as this is now required by upstream - debian/libseccomp2.symbols: Added new symbols * Add system call headers for powerpc required for backport to xenial - d/p/add-5.8-powerpc-syscall-headers.patch ==== linux-meta: 5.4.0.70.73 => 5.4.0.71.74 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 5.4.0-71 * Packaging resync (LP: #1786013) - [Packaging] resync debian/dkms-versions from main package ==== linux-signed: 5.4.0-70.78 => 5.4.0-71.79 ==== ==== linux-image-5.4.0-71-generic * Master version: 5.4.0-71.79 ==== nettle: 3.5.1+really3.5.1-2 => 3.5.1+really3.5.1-2ubuntu0.1 ==== ==== libhogweed5:amd64 libnettle7:amd64 * SECURITY UPDATE: Out of Bound memory access in signature verification - debian/patches/CVE-2021-20305-1.patch: new functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical in curve25519-eh-to-x.c, curve448-eh-to-x.c, ecc-eh-to-a.c, ecc-internal.h, ecc-j-to-a.c, ecc-mod-arith.c, ecc-mul-m.c. - debian/patches/CVE-2021-20305-2.patch: use ecc_mod_mul_canonical for point comparison in eddsa-verify.c. - debian/patches/CVE-2021-20305-3.patch: fix bug in ecc_ecdsa_verify in ecc-ecdsa-verify.c, testsuite/ecdsa-sign-test.c. - debian/patches/CVE-2021-20305-4.patch: ensure ecdsa_sign output is canonically reduced in ecc-ecdsa-sign.c. - debian/patches/CVE-2021-20305-6.patch: similar fix for eddsa in eddsa-hash.c. - debian/libhogweed5.symbols: added new symbols. - CVE-2021-20305 ==== pciutils: 1:3.6.4-1 => 1:3.6.4-1ubuntu0.20.04.1 ==== ==== libpci3:amd64 pciutils * Fix patch to ln -f (LP: #1915923) ==== sosreport: 4.0-1~ubuntu0.20.04.3 => 4.1-1ubuntu0.20.04.1 ==== ==== sosreport * New 4.1 upstream minor release. (LP: #1917894) - https://github.com/sosreport/sos/releases/tag/4.1 * d/tests/simple.sh: - Update the script from upstream - Modify the script to use /tmp as a target, instead of /var/tmp. * d/tests/control: - Adding isolation-machine as simple.sh wants to interact with the kernel. * Former patches, now fixed: - d/p/0002-fix-dict-order-py38-incompatibility.patch - d/p/0003-sosclean-fix-handling-of-filepath-with-archive-name.patch - d/p/0004-sosclean-fix-tarball-skipping-regex.patch - d/p/0005-ceph-collect-balancer-and-pg-autoscale-status.patch - d/p/0006-rabbitmq-add-info-on-maybe-stuck-processes.patch - d/p/0007-rabbitmq-add-10sec-timeout-to-call-to-maybestuck.patch - d/p/0008-networking-include-ip-neigh-and-rule-info.patch - d/p/0009-conntrack-add-conntrack-info.patch - d/p/0010-conntrack-gather-per-namespace-data.patch - d/p/0011-ceph-include-time-sync-status-for-ceph-mon.patch - d/p/0012-apt-move-unattended-upgrades-log-collection.patch - d/p/0013-bcache-add-a-new-plugin-for-bcache.patch - d/p/0014-k8s-add-cdk-master-auth-webhook-to-journal.patch - d/p/0015-k8s-fix-cdk-related-file-paths.patch - d/p/0016-systemd-prefer-resolvectl-over-systemd-resolve.patch - d/p/0017-ovn-extend-information.patch - d/p/0018-ua-prefer-new-ua-cmd-over-the-deprecated-one.patch - d/p/0019-ovn-fix-sbctl-cmd-execution.patch * Remaining patches: - d/p/0001-debian-change-tmp-dir-location.patch * New patches: - d/p/0002-clean-prevent-parsing-ubuntu-user.patch * Fixing the following LP bugs: - (LP: #1910264) - (LP: #1906302) - (LP: #1913284) - (LP: #1913583) - (LP: #1913581) - (LP: #1915072) [Ponnuvel Palaniyappan] * d/p/0011-ceph-include-time-sync-status-for-ceph-mon.patch: - Ceph mons might get into time sync problems if ntp/chrony isn't installed or configured correctly. Since Luminous release, upstream support 'time-sync-status' to detect this more easily. (LP: #1910264) [Eric Desrochers] * d/p/0012-apt-move-unattended-upgrades-log-collection.patch (LP: #1906302) [Ponnuvel Palaniyappan] * d/p/0013-bcache-add-a-new-plugin-for-bcache.patch (LP: #1913284) [Felipe Reyes] * d/p/0014-k8s-add-cdk-master-auth-webhook-to-journal.patch * d/p/0015-k8s-fix-cdk-related-file-paths.patch (LP: #1913583) [Michael Biebl] * d/p/0016-systemd-prefer-resolvectl-over-systemd-resolve.patch (LP: #1913581) [Edward Hope-Morley] * d/p/0017-ovn-extend-information.patch (LP: #1915072) - Extend ovn informations ==== systemd: 245.4-4ubuntu3.5 => 245.4-4ubuntu3.6 ==== ==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev * debian/patches/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch: Add support for faccessat2 (LP: #1916485) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=affb2c6507dccfeed02820a2267639648e2a2260 * d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch: Stop attempting to restrict address families on ppc archs (LP: #1918696) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=daff4b6604362fcb5d305682216d5ca15a4c5738 * d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch: Add openat2() syscall to seccomp filter list (LP: #1891810) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=69c8a684e2513b2f6530e5a5cf15c83abfb7bc74 * d/p/lp1915887-Downgrade-a-couple-of-warnings-to-debug.patch: Downgrade some log messages so they stop spamming logs (LP: #1915887) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3c2c4731b90ed430ca1790270e69cd125643b94b * d/p/lp1887744-basic-unit-file-when-loading-linked-unit-files-use-l.patch: Use src name, not dst name, of symlinked unit files (LP: #1887744) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=03770601097cfdc09adeadf5593083da69345409 ==== ubuntu-keyring: 2020.02.11.2 => 2020.02.11.4 ==== ==== ubuntu-keyring * Remove expiry of the ddebs.ubuntu.com key. LP: #1920640 * Update expiry of the ddebs.ubuntu.com key by one year. LP: #1920640 ==== ubuntu-release-upgrader: 1:20.04.30 => 1:20.04.31 ==== ==== python3-distupgrade ubuntu-release-upgrader-core * DistUpgrade/DistUpgradeQuirks.py: use apt's problem resolver to better calculate upgrades where python is replaced by python-is-python2 thereby resolving a host of upgrade failures. Thanks to Julian for the initial patch. (LP: #1898152) -- [1] http://cloud-images.ubuntu.com/releases/focal/release-20210413/ [2] http://cloud-images.ubuntu.com/releases/focal/release-20210325/