A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * bash: 5.0-6ubuntu1.1 => 5.0-6ubuntu1.2
 * curl: 7.68.0-1ubuntu2.7 => 7.68.0-1ubuntu2.10
 * distro-info-data: 0.43ubuntu1.9 => 0.43ubuntu1.10
 * git: 1:2.25.1-1ubuntu3.3 => 1:2.25.1-1ubuntu3.4
 * libsepol: 3.0-1 => 3.0-1ubuntu0.1
 * networkd-dispatcher: 2.1-2~ubuntu20.04.1 => 2.1-2~ubuntu20.04.3
 * openssl: 1.1.1f-1ubuntu2.12 => 1.1.1f-1ubuntu2.13
 * rsyslog: 8.2001.0-1ubuntu1.1 => 8.2001.0-1ubuntu1.3
 * snapd: 2.54.3+20.04.1ubuntu0.2 => 2.54.3+20.04.1ubuntu0.3
 * sqlite3: 3.31.1-4ubuntu0.2 => 3.31.1-4ubuntu0.3

The following is a complete changelog for this image.

new: {}
removed: {}
changed: ['bash', 'curl', 'distro-info-data', 'git', 'git-man', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libsepol1:amd64', 'libsqlite3-0:amd64', 'libssl1.1:amd64', 'networkd-dispatcher', 'openssl', 'rsyslog', 'snapd']

new snaps: {}
removed snaps: {}
changed snaps: ['core20', 'snapd']

==== bash: 5.0-6ubuntu1.1 => 5.0-6ubuntu1.2 ====
==== bash

  * SECURITY UPDATE: privilege gain via setuid
    - debian/patches/CVE-2019-18276.patch: replace the use of setuid and setgid when possible with setresuid and setresgid, respectively.
    - CVE-2019-18276

==== curl: 7.68.0-1ubuntu2.7 => 7.68.0-1ubuntu2.10 ====
==== curl libcurl3-gnutls:amd64 libcurl4:amd64

  * SECURITY UPDATE: OAUTH2 bypass
    - debian/patches/CVE-2022-22576.patch: check sasl additional parameters for conn reuse in lib/strcase.c, lib/strcase.h, lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2022-22576
  * SECURITY UPDATE: Credential leak on redirect
    - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port in the info struct to make it available after the connection ended in lib/connect.c, lib/urldata.h.
    - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols or ports clear auth in lib/transfer.c.
    - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify these fixes in tests/data/Makefile.inc, tests/data/test973, tests/data/test974, tests/data/test975, tests/data/test976.
    - CVE-2022-27774
  * SECURITY UPDATE: Bad local IPv6 connection reuse
    - debian/patches/CVE-2022-27775.patch: include the zone id in the 'bundle' hashkey in lib/conncache.c.
    - CVE-2022-27775
  * SECURITY UPDATE: Auth/cookie leak on redirect
    - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects same host diff port in lib/http.c, lib/urldata.h.
    - CVE-2022-27776
  * Correctly initialize OpenSSL API to ensure that engines are only loaded and unloaded once. This prevents use-after-free and double-free errors when using OpenSSL engines. LP: #1940528

==== distro-info-data: 0.43ubuntu1.9 => 0.43ubuntu1.10 ====
==== distro-info-data

  * Add Ubuntu 22.10, Kinetic Kudu (LP: #1970227)

==== git: 1:2.25.1-1ubuntu3.3 => 1:2.25.1-1ubuntu3.4 ====
==== git git-man

  * SECURITY REGRESSION: Previous update was incomplete causing regressions and not correctly fixing the issue.
    - debian/patches/CVE-2022-24765-5.patch: fix safe.directory key not being checked in setup.c.
    - debian/patches/CVE-2022-24765-6.patch: opt-out of check with safe.directory=* in setup.c.
    (LP: #1970260)

==== libsepol: 3.0-1 => 3.0-1ubuntu0.1 ====
==== libsepol1:amd64

  * SECURITY UPDATE: use-after-free in __cil_verify_classperms
    - debian/patches/CVE-2021-36084.patch: alter destruction of classperms list when resetting classpermission by avoiding deleting the inner data in cil/src/cil_reset_ast.c
    - CVE-2021-36084
  * SECURITY UPDATE: use-after-free in __cil_verify_classperms
    - debian/patches/CVE-2021-36085.patch: alter destruction of classperms when resetting a perm by avoiding deleting the inner data in cil/src/cil_reset_ast.c
    - CVE-2021-36085
  * SECURITY UPDATE: use-after-free in cil_reset_classpermission
    - debian/patches/CVE-2021-36086.patch: prevent cil_reset_classperms_set from resetting classpermission by setting it to NULL in cil/src/cil_reset_ast.c
    - CVE-2021-36086
  * SECURITY UPDATE: heap-based buffer over-read in ebitmap_match_any
    - debian/patches/CVE-2021-36087.patch: check if a tunable declaration, in-statement, block, blockabstract, or macro definition is found within an optional in cil/src/cil_build_ast.c and cil/src/cil_resolve_ast.c
    - CVE-2021-36087

==== networkd-dispatcher: 2.1-2~ubuntu20.04.1 => 2.1-2~ubuntu20.04.3 ====
==== networkd-dispatcher

  * SECURITY REGRESSION: Incomplete security fix (LP: #1971550)
    - debian/patches/CVE-2022-29799-regression.patch: Add initialized state in ADMIN_STATES in networkd-dispatcher.
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2022-29799-pre.patch: Add a word that is missing in exception messages in networkd-dispatcher and tests/test_networkd-dispatcher.py.
    - debian/patches/CVE-2022-29799.patch: Add allowed admin and operational states in networkd-dispatcher and throw exceptions in handle_state function if the current state is not one of those and add a test case test_handle_state in tests/test_networkd-dispatcher.py.
    - CVE-2022-29799
  * SECURITY UPDATE: Time-of-check-time-of-use race condition
    - debian/patches/CVE-2022-29800-1.patch: Add check_perms function that will be invoked in scripts_in_path function before appending a file path to the script_list in networkd-dispatcher and change test_scripts_in_path test case in tests/test_networkd-dispatcher.py with follow_symlinks set to false.
    - debian/patches/CVE-2022-29800-2.patch: Passes os.path.dirname(path) when checking for permissions in scripts_in_path function in networkd-dispatcher.
    - CVE-2022-29800

==== openssl: 1.1.1f-1ubuntu2.12 => 1.1.1f-1ubuntu2.13 ====
==== libssl1.1:amd64 openssl

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in.
    - CVE-2022-1292

==== rsyslog: 8.2001.0-1ubuntu1.1 => 8.2001.0-1ubuntu1.3 ====
==== rsyslog

  * SECURITY UPDATE: Heap buffer overflow
    - debian/patches/CVE-2022-24903.patch: fix a potential heap buffer overflow adding boundary checks in contrib/imhttp/imhttp.c, plugins/imptcp/imptcp.c, runtime/tcps_sess.c.
    - CVE-2022-24903

==== snapd: 2.54.3+20.04.1ubuntu0.2 => 2.54.3+20.04.1ubuntu0.3 ====
==== snapd

  * Cherry-pick https://github.com/snapcore/snapd/pull/11680 and https://github.com/snapcore/snapd/pull/11287:
    - This fixes a bad interaction between snapd and update-notifier during a release upgrade (LP: #1969162)

==== sqlite3: 3.31.1-4ubuntu0.2 => 3.31.1-4ubuntu0.3 ====
==== libsqlite3-0:amd64

  * SECURITY UPDATE: segmentation fault in idxGetTableInfo
    - debian/patches/CVE-2021-36690.patch: perform validation over the column to ensure it has collating sequence in ext/expert/sqlite3expert.c
    - CVE-2021-36690

--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20220505/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20220419/