A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with:

'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * git: 1:2.25.1-1ubuntu3.5 => 1:2.25.1-1ubuntu3.6
 * linux-meta: 5.4.0.128.129 => 5.4.0.131.131
 * linux-signed: 5.4.0-128.144 => 5.4.0-131.147
 * zlib: 1:1.2.11.dfsg-2ubuntu1.4 => 1:1.2.11.dfsg-2ubuntu1.5

The following is a complete changelog for this image.

new: {'linux-headers-5.4.0-131': '5.4.0-131.147', 'linux-headers-5.4.0-131-generic': '5.4.0-131.147', 'linux-modules-5.4.0-131-generic': '5.4.0-131.147'}
removed: {'linux-headers-5.4.0-128-generic': '5.4.0-128.144', 'linux-headers-5.4.0-128': '5.4.0-128.144', 'linux-modules-5.4.0-128-generic': '5.4.0-128.144'}
changed: ['git', 'git-man', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-131-generic', 'linux-image-virtual', 'linux-virtual', 'zlib1g:amd64']

new snaps: {}
removed snaps: {}
changed snaps: []

==== git: 1:2.25.1-1ubuntu3.5 => 1:2.25.1-1ubuntu3.6 ====
==== git git-man

  * SECURITY UPDATE: Unexpected behavior
    - debian/patches/CVE-2022-39253-*.patch: disallow --local clones with
      symlinks and additionally changed the protocol.file.allow to be user
      by default in builtin/clone.c, transport.c, and modified tests in
      t/t5604-clone-reference.sh, lib-submodule-update.sh,
      t/t1091-sparse-checkout-builtin.sh, t/t1500-rev-parse.sh,
      t/t2400-worktree-add.sh, t/t2403-worktree-move.sh,
      t/t2405-worktree-submodule.sh, t/t3200-branch.sh,
      t/t3420-rebase-autostash.sh, t/t3426-rebase-submodule.sh,
      t/t3512-cherry-pick-submodule.sh, t/t3600-rm.sh,
      t/t3906-stash-submodule.sh,
      t/t4059-diff-submodule-not-initialized.sh,
      t/t4060-diff-submodule-option-diff-format.sh,
      t/t4067-diff-partial-clone.sh, t/t4208-log-magic-pathspec.sh,
      t/t5510-fetch.sh, t/t5526-fetch-submodules.sh,
      t/t5545-push-options.sh, t/t5572-pull-submodule.sh,
      t/t5601-clone.sh, t/t5614-clone-submodules-shallow.sh,
      t/t5616-partial-clone.sh, t/t5617-clone-submodules-remote.sh,
      t/t6008-rev-list-submodule.sh, t/t6134-pathspec-in-submodule.sh,
      t/t7001-mv.sh, t/t7064-wtstatus-pv2.sh, t/t7300-clean.sh,
      t/t7400-submodule-basic.sh, t/t7403-submodule-sync.sh,
      t/t7406-submodule-update.sh, t/t7407-submodule-foreach.sh,
      t/t7408-submodule-reference.sh,
      t/t7409-submodule-detached-work-tree.sh,
      t/t7411-submodule-config.sh, t/t7413-submodule-is-active.sh,
      t/t7414-submodule-mistakes.sh, t/t7415-submodule-names.sh,
      t/t7416-submodule-dash-url.sh, t/t7417-submodule-path-url.sh,
      t/t7418-submodule-sparse-gitmodules.sh,
      t/t7419-submodule-set-branch.sh, t/t7420-submodule-set-url.sh,
      t/t7421-submodule-summary-add.sh, t/t7506-status-submodule.sh,
      t/t7507-commit-verbose.sh, t/t7800-difftool.sh,
      t/t7814-grep-recurse-submodules.sh, t/t9304-fast-import-marks.sh,
      t/t9350-fast-export.sh, t/t1092-sparse-checkout-compatibility.sh,
      t/t2080-parallel-checkout-basics.sh, t/t7450-bad-git-dotfiles.sh.
    - CVE-2022-39253
  * SECURITY UPDATE: Arbitrary heap writes
    - debian/patches/CVE-2022-39260-*.patch: limit size of interactive
      commands and reject too-long cmdline strings in split_cmdline() in
      shell.c, t/t9850-shell.sh, alias.c.
    - CVE-2022-39260

==== linux-meta: 5.4.0.128.129 => 5.4.0.131.131 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 5.4.0-131

  * Bump ABI 5.4.0-130

==== linux-signed: 5.4.0-128.144 => 5.4.0-131.147 ====
==== linux-image-5.4.0-131-generic

  * Master version: 5.4.0-131.147

  * Master version: 5.4.0-130.146

==== zlib: 1:1.2.11.dfsg-2ubuntu1.4 => 1:1.2.11.dfsg-2ubuntu1.5 ====
==== zlib1g:amd64

  * SECURITY UPDATE: heap-based buffer over-read (LP: #1988548)
    - debian/patches/CVE-2022-37434-1.patch: in inflate.c, add an extra
      condition to check if state->head->extra_max is greater than len
      before copying, and move the len assignment to be placed before the
      check.
    - debian/patches/CVE-2022-37434-2.patch: in the previous patch, in
      inflate.c, the place of the len assignment was causing issues so it
      was moved to be placed within the check.
    - CVE-2022-37434

--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20221018/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20221014/