A new release of the Ubuntu Cloud Images for stable Ubuntu release 22.04
(Jammy Jellyfish) is available at [1]. These new images supersede the
existing images [2]. Images are available for download or immediate use on
EC2 via published AMI IDs. Users who wish to update their existing
installations can do so with:

   'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs
for a complete listing of changes:

 * apparmor: 3.0.4-2ubuntu2 => 3.0.4-2ubuntu2.1
 * cloud-init: 22.2-0ubuntu1~22.04.2 => 22.2-0ubuntu1~22.04.3
 * curl: 7.81.0-1ubuntu1.2 => 7.81.0-1ubuntu1.3
 * gnupg2: 2.2.27-3ubuntu2 => 2.2.27-3ubuntu2.1
 * isc-dhcp: 4.4.1-2.3ubuntu2 => 4.4.1-2.3ubuntu2.1
 * linux-meta: 5.15.0.39.40 => 5.15.0.40.42
 * linux-signed: 5.15.0-39.42 => 5.15.0-40.43
 * openssl: 3.0.2-0ubuntu1.5 => 3.0.2-0ubuntu1.6
 * systemd: 249.11-0ubuntu3.1 => 249.11-0ubuntu3.4
 * ubuntu-advantage-tools: 27.8~22.04.1 => 27.9~22.04.1

The following is a complete changelog for this image.
new: {'linux-modules-5.15.0-40-generic': '5.15.0-40.43', 'linux-headers-5.15.0-40': '5.15.0-40.43', 'linux-headers-5.15.0-40-generic': '5.15.0-40.43'}
removed: {'linux-modules-5.15.0-39-generic': '5.15.0-39.42', 'linux-headers-5.15.0-39': '5.15.0-39.42', 'linux-headers-5.15.0-39-generic': '5.15.0-39.42'}
changed: ['apparmor', 'cloud-init', 'curl', 'dirmngr', 'gnupg', 'gnupg-l10n', 'gnupg-utils', 'gpg', 'gpg-agent', 'gpg-wks-client', 'gpg-wks-server', 'gpgconf', 'gpgsm', 'gpgv', 'isc-dhcp-client', 'isc-dhcp-common', 'libapparmor1:amd64', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libssl3:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.15.0-40-generic', 'linux-image-virtual', 'linux-virtual', 'openssl', 'systemd', 'systemd-sysv', 'systemd-timesyncd', 'ubuntu-advantage-tools', 'udev']
new snaps: {}
removed snaps: {}
changed snaps: []

==== apparmor: 3.0.4-2ubuntu2 => 3.0.4-2ubuntu2.1 ====
==== apparmor libapparmor1:amd64

  * Add upstream commit to remove dbus deny rule from exo-open abstraction
    to fix evince startup (LP: #1969896)
    - d/p/u/abstraction-exo-open-Remove-dbus-deny-rule.patch

==== cloud-init: 22.2-0ubuntu1~22.04.2 => 22.2-0ubuntu1~22.04.3 ====
==== cloud-init

  * SECURITY UPDATE: schema errors can cause cloud-init to leak userdata to
    system logs
    - d/cloud-init.postinst: redact previously leaked schema errors from logs
    - Remove schema errors from log (LP: #1978422)
    - CVE-2022-2084

==== curl: 7.81.0-1ubuntu1.2 => 7.81.0-1ubuntu1.3 ====
==== curl libcurl3-gnutls:amd64 libcurl4:amd64

  * SECURITY UPDATE: Set-cookie denial of service
    - debian/patches/CVE-2022-32205.patch: apply limits to cookies
      specifications in lib/cookie.c, lib/cookie.h, lib/http.c,
      lib/urldata.h.
    - CVE-2022-32205
  * SECURITY UPDATE: HTTP compression denial of service
    - debian/patches/CVE-2022-32206.patch: return error on too many
      compression steps in lib/content_encoding.c.
    - CVE-2022-32206
  * SECURITY UPDATE: Unpreserved file permissions
    - debian/patches/CVE-2022-32207.patch: add Curl_fopen() for better
      overwriting of files in lib/Makefile.inc, lib/cookie.c, lib/fopen.c,
      lib/fopen.h.
    - CVE-2022-32207
  * SECURITY UPDATE: FTP-KRB bad msg verification
    - debian/patches/CVE-2022-32208.patch: return error properly on decode
      errors in lib/krb5.c.
    - CVE-2022-32208

==== gnupg2: 2.2.27-3ubuntu2 => 2.2.27-3ubuntu2.1 ====
==== dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm gpgv

  * SECURITY UPDATE: signature forgery via injection into the status line
    - debian/patches/CVE-2022-34903.patch: Fix garbled status messages in
      NOTATION_DATA in g10/cpr.c.
    - CVE-2022-34903

==== isc-dhcp: 4.4.1-2.3ubuntu2 => 4.4.1-2.3ubuntu2.1 ====
==== isc-dhcp-client isc-dhcp-common

  * d/apparmor/sbin.dhclient: fix apparmor="DENIED" errors (LP: #1918410)

==== linux-meta: 5.15.0.39.40 => 5.15.0.40.42 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Miscellaneous Ubuntu changes
    - [Packaging] skip standalone dkms modules for virtual flavour
  * Bump ABI 5.15.0-40
  * Packaging resync (LP: #1786013)
    - [Packaging] resync debian/dkms-versions from main package
  * build backport-iwlwifi-dkms as linux-modules-iwlwifi-ABI (LP: #1969434)
    - [Packaging] support standalone dkms module builds

==== linux-signed: 5.15.0-39.42 => 5.15.0-40.43 ====
==== linux-image-5.15.0-40-generic

  * Master version: 5.15.0-40.43

==== openssl: 3.0.2-0ubuntu1.5 => 3.0.2-0ubuntu1.6 ====
==== libssl3:amd64 openssl

  * SECURITY UPDATE: AES OCB fails to encrypt some bytes
    - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for
      x86 AES-NI in crypto/aes/asm/aesni-x86.pl.
    - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in
      test/recipes/30-test_evp_data/evpciph_aes_ocb.txt.
    - CVE-2022-2097

==== systemd: 249.11-0ubuntu3.1 => 249.11-0ubuntu3.4 ====
==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev

  [ Mustafa Kemal Gilor ]
  * d/p/lp1978079-efi-pstore-not-cleared-on-boot.patch:
    pstore: Run after modules are loaded. Thanks to Alexander Graf.
    (LP: #1978079)
    Author: Mustafa Kemal Gilor
    File: debian/patches/lp1978079-efi-pstore-not-cleared-on-boot.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=d990b13612810a296246011ad66a165b30166702

  [ Nick Rosbrook ]
  * systemd-oomd: set ManagedOOMSwap=auto on -.slice (LP: #1972159)
    This has the effect of disabling swap kill by default, so cgroups will
    only be monitored for memory pressure, and not swap usage.
    File: debian/extra/systemd-oomd-defaults/-.slice.d/10-oomd-root-slice-defaults.conf
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e93c944c58ec376454301e9c9b55d35be7c14a89

  [ Lukas Märdian ]
  * Build with and suggest fido2 and tpm libraries (LP: #1969375)
    These are used via dlopen only if available by some tools like
    systemd-cryptsetup, systemd-cryptenroll and systemd-repart, with
    graceful fallbacks if they are not found. Build-depend on them so that
    the features get compiled in (apart from stage1 builds), and add
    appropriate Suggests.
    Backport of: https://salsa.debian.org/systemd-team/systemd/-/commit/6b5e99f1d7f63c0c83007de9f98f7745f4a564f8
    Files:
    - debian/control
    - debian/rules
    - debian/tests/control
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c3f5affb669794f9ebfea8d81c68b1aacdde0511
  * Run tests-in-lxd autopkgtest via LXD snap, deb is no more (LP: #1976607)
    Files:
    - debian/tests/control
    - debian/tests/tests-in-lxd
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=eccfd52b275d1b0544dd44f858bcee8508c0957f

  [ Nick Rosbrook ]
  * d/t/boot-and-services: Ignore failed snap mount units in test_no_failed
    (LP: #1967576)
    Author: Nick Rosbrook
    File: debian/tests/boot-and-services
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=cf823bffe5cb47a6eb531d9869f69a844f356376
  * d/p/lp1964494-network-do-not-enable-IPv4-ACD-for-IPv4-link-local-a.patch:
    do not enable IPv4 ACD for IPv4 link-local address if ACD is disabled
    explicitly (LP: #1964494)

==== ubuntu-advantage-tools: 27.8~22.04.1 => 27.9~22.04.1 ====
==== ubuntu-advantage-tools

  * Backport new upstream release: (LP: #1973099) to jammy
  * d/rules
    - remove trusty specific code
    - remove ua-license-check.{timer,service,path}
    - install ubuntu-advantage.service
    - only on xenial: install ubuntu-advantage-cloud-id-shim.service
  * d/tools.preinst: remove old config field to avoid warnings in logs
  * d/tools.postinst
    - remove trusty specific code
    - print warnings if /etc/os-release doesn't have required fields
    - hardcode service list instead of exec-ing python3 for old migration
    - refactor python to avoid instantiating UAConfig extra times
    - refactor python to always use messages module for strings
    - rm the old marker file that triggered ua-license-check.path
    - remove unnecessary deb-systemd-helper check in ua-messaging cleanup
    - clean up old ua-license-check state
    - run new cloud-id-shim script
  * d/tools/postrm
    - clean up ubuntu-advantage-daemon log files
  * New upstream release 27.9 (LP: #1973099)
    - cli:
      + for json formatted output, include additional_info for some errors
      + new subcommand `ua refresh messages` to update motd and apt messages
    - daemon:
      + replace ua-license-check timer with ubuntu-advantage.service daemon
      + detects on-boot if pro license was added and runs auto-attach
      + only runs on gcp and does not continuously long-poll by default for
        now
    - enable:
      + fix error message on wrong service name when unattached
    - fips:
      + allow enabling generic fips kernel on azure by default
      + clean up fips reboot message (LP: #1972026)
    - fix:
      + handle errors during attach process
      + fix bug where enable or detach during a fix failed (LP: #1969809)
      + fix bug where attempting to fix some CVEs would never finish
    - performance:
      + remove unnecessary UAConfig object instantiation (also cleans up
        logs)
      + cache "apt-cache policy" output to avoid unnecessary subp calls
    - proxy:
      + apt_http(s)_proxy renamed to global_apt_http(s)_proxy
      + apt_http(s)_proxy config var names will still work
      + new ua_apt_http(s)_proxy for only ua-related apt traffic
        (LP: #1956764)
      + global_apt_http(s)_proxy and ua_apt_http(s)_proxy cannot be set at
        the same time
    - realtime: adjust warning to clarify that a manual revert is possible
    - refresh: a normal `ua refresh` will also update motd and apt messages
    - security-status: add counts of packages from each archive component
    - status: check if contract has updated and notify user to run
      "ua refresh"

--
[1] http://cloud-images.ubuntu.com/releases/jammy/release-20220706/
[2] http://cloud-images.ubuntu.com/releases/jammy/release-20220622/