A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * bash: 5.0-6ubuntu1.1 => 5.0-6ubuntu1.2 * distro-info-data: 0.43ubuntu1.9 => 0.43ubuntu1.10 * git: 1:2.25.1-1ubuntu3.3 => 1:2.25.1-1ubuntu3.4 * libsepol: 3.0-1 => 3.0-1ubuntu0.1 The following is a complete changelog for this image. new: {} removed: {} changed: ['bash', 'distro-info-data', 'git', 'git-man', 'libsepol1:amd64'] new snaps: {} removed snaps: {} changed snaps: ['snapd'] ==== bash: 5.0-6ubuntu1.1 => 5.0-6ubuntu1.2 ==== ==== bash * SECURITY UPDATE: privilege gain via setuid - debian/patches/CVE-2019-18276.patch: replace the use of setuid and setgid when possible with setresuid and setresgid, respectively. - CVE-2019-18276 ==== distro-info-data: 0.43ubuntu1.9 => 0.43ubuntu1.10 ==== ==== distro-info-data * Add Ubuntu 22.10, Kinetic Kudu (LP: #1970227) ==== git: 1:2.25.1-1ubuntu3.3 => 1:2.25.1-1ubuntu3.4 ==== ==== git git-man * SECURITY REGRESSION: Previous update was incomplete causing regressions and not correctly fixing the issue. - debian/patches/CVE-2022-24765-5.patch: fix safe.directory key not being checked in setup.c. - debian/patches/CVE-2022-24765-6.patch: opt-out of check with safe.directory=* in setup.c. (LP: #1970260) ==== libsepol: 3.0-1 => 3.0-1ubuntu0.1 ==== ==== libsepol1:amd64 * SECURITY UPDATE: use-after-free in __cil_verify_classperms - debian/patches/CVE-2021-36084.patch: alter destruction of classperms list when resetting classpermission by avoiding deleting the inner data in cil/src/cil_reset_ast.c - CVE-2021-36084 * SECURITY UPDATE: use-after-free in __cil_verify_classperms - debian/patches/CVE-2021-36085.patch: alter destruction of classperms when resetting a perm by avoiding deleting the inner data in cil/src/cil_reset_ast.c - CVE-2021-36085 * SECURITY UPDATE: use-after-free in cil_reset_classpermission - debian/patches/CVE-2021-36086.patch: prevent cil_reset_classperms_set from resetting classpermission by setting it to NULL in cil/src/cil_reset_ast.c - CVE-2021-36086 * SECURITY UPDATE: heap-based buffer over-read in ebitmap_match_any - debian/patches/CVE-2021-36087.patch: check if a tunable declaration, in-statement, block, blockabstract, or macro definition is found within an optional in cil/src/cil_build_ast.c and cil/src/cil_resolve_ast.c - CVE-2021-36087 -- [1] http://cloud-images.ubuntu.com/releases/focal/release-20220427/ [2] http://cloud-images.ubuntu.com/releases/focal/release-20220419/