A new release of the Ubuntu Cloud Images for stable Ubuntu release 22.04 (Jammy Jellyfish) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with:

    'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * apport: 2.20.11-0ubuntu82 => 2.20.11-0ubuntu82.1
 * curl: 7.81.0-1ubuntu1.1 => 7.81.0-1ubuntu1.2
 * libxml2: 2.9.13+dfsg-1build1 => 2.9.13+dfsg-1ubuntu0.1
 * linux-meta: 5.15.0.27.30 => 5.15.0.30.33
 * linux-signed: 5.15.0-27.28 => 5.15.0-30.31
 * needrestart: 3.5-5ubuntu2 => 3.5-5ubuntu2.1
 * openldap: 2.5.11+dfsg-1~exp1ubuntu3 => 2.5.11+dfsg-1~exp1ubuntu3.1
 * openssl: 3.0.2-0ubuntu1.1 => 3.0.2-0ubuntu1.2
 * pcre3: 2:8.39-13build5 => 2:8.39-13ubuntu0.22.04.1
 * software-properties: 0.99.22 => 0.99.22.1

The following is a complete changelog for this image.

new: {'linux-headers-5.15.0-30': '5.15.0-30.31', 'linux-headers-5.15.0-30-generic': '5.15.0-30.31', 'linux-modules-5.15.0-30-generic': '5.15.0-30.31'}
removed: {'linux-headers-5.15.0-27-generic': '5.15.0-27.28', 'linux-headers-5.15.0-27': '5.15.0-27.28', 'linux-modules-5.15.0-27-generic': '5.15.0-27.28'}
changed: ['apport', 'curl', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libldap-2.5-0:amd64', 'libldap-common', 'libpcre3:amd64', 'libssl3:amd64', 'libxml2:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.15.0-30-generic', 'linux-image-virtual', 'linux-virtual', 'needrestart', 'openssl', 'python3-apport', 'python3-problem-report', 'python3-software-properties', 'software-properties-common']

new snaps: {}
removed snaps: {}
changed snaps: []

==== apport: 2.20.11-0ubuntu82 => 2.20.11-0ubuntu82.1 ====
==== apport python3-apport python3-problem-report

  * SECURITY UPDATE: Fix multiple security issues
    - data/apport: Fix too many arguments for error_log().
    - data/apport: Use proper argument variable name executable_path.
    - etc/init.d/apport: Set core_pipe_limit to a non-zero value to make sure the kernel waits for apport to finish before removing the /proc information.
    - apport/fileutils.py, data/apport: Search for executable name if one wasn't provided such as when being called in a container.
    - data/apport: Limit memory and duration of gdbus call. (CVE-2022-28654, CVE-2022-28656)
    - data/apport, apport/fileutils.py, test/test_fileutils.py: Validate D-Bus socket location. (CVE-2022-28655)
    - apport/fileutils.py, test/test_fileutils.py: Turn off interpolation in get_config() to prevent DoS attacks. (CVE-2022-28652)
    - Refactor duplicate code into search_map() function.
    - Switch from chroot to container to validating socket owner. (CVE-2022-1242, CVE-2022-28657)
    - data/apport: Clarify error message.
    - apport/fileutils.py: Fix typo in comment.
    - apport/fileutils.py: Do not call str in loop.
    - data/apport, etc/init.d/apport: Switch to using non-positional arguments. Get real UID and GID from the kernel and make sure they match the process. Also fix executable name space handling in argument parsing. (CVE-2022-28658, CVE-2021-3899)

==== curl: 7.81.0-1ubuntu1.1 => 7.81.0-1ubuntu1.2 ====
==== curl libcurl3-gnutls:amd64 libcurl4:amd64

  * SECURITY UPDATE: percent-encoded path separator in URL host
    - debian/patches/CVE-2022-27780.patch: reject percent-decoding host name into separator bytes in lib/urlapi.c.
    - CVE-2022-27780
  * SECURITY UPDATE: CERTINFO never-ending busy-loop
    - debian/patches/CVE-2022-27781.patch: return error if seemingly stuck in a cert loop in lib/vtls/nss.c.
    - CVE-2022-27781
  * SECURITY UPDATE: TLS and SSH connection too eager reuse
    - debian/patches/CVE-2022-27782.patch: check more TLS details for connection reuse in lib/setopt.c, lib/url.c, lib/urldata.h, lib/vtls/gtls.c, lib/vtls/openssl.c, lib/vtls/nss.c, lib/vtls/vtls.c, lib/vssh/ssh.h.
    - CVE-2022-27782

==== libxml2: 2.9.13+dfsg-1build1 => 2.9.13+dfsg-1ubuntu0.1 ====
==== libxml2:amd64

  * SECURITY UPDATE: Integer overflows
    - debian/patches/CVE-2022-29824.patch: Fix integer overflows in xmlBuf and xmlBuffer in tree.c, buf.c.
    - CVE-2022-29824

==== linux-meta: 5.15.0.27.30 => 5.15.0.30.33 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

==== linux-signed: 5.15.0-27.28 => 5.15.0-30.31 ====
==== linux-image-5.15.0-30-generic

  * Master version: 5.15.0-30.31
  * Master version: 5.15.0-29.30
  * Master version: 5.15.0-28.29

==== needrestart: 3.5-5ubuntu2 => 3.5-5ubuntu2.1 ====
==== needrestart

  * SECURITY UPDATE: arbitrary code exec via unanchored regexes
    - debian/patches/CVE-2022-30688.patch: improve regexes in perl/lib/NeedRestart/Interp/Perl.pm, perl/lib/NeedRestart/Interp/Python.pm, perl/lib/NeedRestart/Interp/Ruby.pm.
    - CVE-2022-30688

==== openldap: 2.5.11+dfsg-1~exp1ubuntu3 => 2.5.11+dfsg-1~exp1ubuntu3.1 ====
==== libldap-2.5-0:amd64 libldap-common

  * SECURITY UPDATE: SQL injection in experimental back-sql backend
    - debian/patches/CVE-2022-29155.patch: escape filter values in servers/slapd/back-sql/search.c.
    - CVE-2022-29155

==== openssl: 3.0.2-0ubuntu1.1 => 3.0.2-0ubuntu1.2 ====
==== libssl3:amd64 openssl

  * d/p/lp1968997/*: cherry-pick a patchset to fix issues with the Turkish locale (LP: #1968997)

==== pcre3: 2:8.39-13build5 => 2:8.39-13ubuntu0.22.04.1 ====
==== libpcre3:amd64

  * SECURITY UPDATE: buffer over-read in JIT
    - debian/patches/CVE-2019-20838.patch: check if type is not extended Unicode parameter or Unicode new line in pcre_jit_compile.c.
    - CVE-2019-20838

==== software-properties: 0.99.22 => 0.99.22.1 ====
==== python3-software-properties software-properties-common

  * cloudarchive: Enable support for the Zed Ubuntu Cloud Archive on 22.04 (LP: #1970244).

--
[1] http://cloud-images.ubuntu.com/releases/jammy/release-20220518/
[2] http://cloud-images.ubuntu.com/releases/jammy/release-20220506/