A new release of the Ubuntu Cloud Images for stable Ubuntu release 16.04 LTS (Xenial Xerus) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * base-files: 9.4ubuntu4.12 => 9.4ubuntu4.13 * bind9: 1:9.10.3.dfsg.P4-8ubuntu1.16 => 1:9.10.3.dfsg.P4-8ubuntu1.17 * curl: 7.47.0-1ubuntu2.15 => 7.47.0-1ubuntu2.16 * grub2: 2.02~beta2-36ubuntu3.27 => 2.02~beta2-36ubuntu3.28 * grub2-signed: 1.66.27+2.02~beta2-36ubuntu3.27 => 1.66.28+2.02~beta2-36ubuntu3.28 * libx11: 2:1.6.3-1ubuntu2.1 => 2:1.6.3-1ubuntu2.2 * linux-meta: 4.4.0.187.193 => 4.4.0.189.195 * linux-signed: 4.4.0-187.217 => 4.4.0-189.219 * ubuntu-meta: 1.361.4 => 1.361.5 The following is a complete changelog for this image. new: {'linux-headers-4.4.0-189': '4.4.0-189.219', 'linux-headers-4.4.0-189-generic': '4.4.0-189.219', 'motd-news-config': '9.4ubuntu4.13', 'linux-modules-4.4.0-189-generic': '4.4.0-189.219'} removed: {'linux-modules-4.4.0-187-generic': '4.4.0-187.217', 'linux-headers-4.4.0-187-generic': '4.4.0-187.217', 'linux-headers-4.4.0-187': '4.4.0-187.217'} changed: ['base-files', 'bind9-host', 'curl', 'dnsutils', 'grub-common', 'grub-efi-amd64', 'grub-efi-amd64-bin', 'grub-efi-amd64-signed', 'grub-pc', 'grub-pc-bin', 'grub2-common', 'libbind9-140:amd64', 'libcurl3-gnutls:amd64', 'libdns-export162', 'libdns162:amd64', 'libisc-export160', 'libisc160:amd64', 'libisccc140:amd64', 'libisccfg140:amd64', 'liblwres141:amd64', 'libx11-6:amd64', 'libx11-data', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.4.0-189-generic', 'linux-image-virtual', 'linux-virtual', 'ubuntu-minimal', 'ubuntu-server', 'ubuntu-standard'] new snaps: {} removed snaps: {} changed snaps: [] ==== base-files: 9.4ubuntu4.12 => 9.4ubuntu4.13 ==== ==== base-files [ Andreas Hasenack ] * motd/50-motd-news: don't include uptime in the user-agent string (LP: #1886572) * Move the /etc/default/motd-news conffile to the motd-news-config package (LP: #1888575): - d/postinst.in, d/postrm, d/preinst: remove /etc/default/motd-news config file on base-files upgrade using dpkg-maintscript-helper - d/rules: install d/preinst - d/control: break on ubuntu-server << 1.361.5 to force an upgrade if it is installed, which will pull motd-news-config and the conffile back in - d/control: new motd-news-config package, carrying the configuration file for the /etc/update-motd.d/50-motd-news script. - d/motd-news-config.postinst: + handle the upgrade case where the motd-news config file was changed while it belonged to base-files + disable motd-news if the config file was removed by hand before the upgrade - d/postinst.in: signal the motd-news-config package if the motd-news config file was removed manually before the upgrade - d/conffiles: remove motd-news - d/rules, d/motd-news-config.conffiles: packaging motd-news-config without debhelper [ Steve Langasek ] * motd/50-motd-news: use wget instead of curl, since wget is standard but curl is optional (LP: #1888572): - This changes the timeout behavior slightly because wget does not have an exact equivalent to curl's --max-time argument, we are using --timeout instead. ==== bind9: 1:9.10.3.dfsg.P4-8ubuntu1.16 => 1:9.10.3.dfsg.P4-8ubuntu1.17 ==== ==== bind9-host dnsutils libbind9-140:amd64 libdns-export162 libdns162:amd64 libisc-export160 libisc160:amd64 libisccc140:amd64 libisccfg140:amd64 liblwres141:amd64 * SECURITY UPDATE: A truncated TSIG response can lead to an assertion failure - debian/patches/CVE-2020-8622.patch: move code in lib/dns/message.c. - CVE-2020-8622 * SECURITY UPDATE: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure - debian/patches/CVE-2020-8623.patch: add extra checks in lib/dns/pkcs11dh_link.c, lib/dns/pkcs11dsa_link.c, lib/dns/pkcs11rsa_link.c, lib/isc/include/pk11/internal.h, lib/isc/pk11.c. - CVE-2020-8623 ==== curl: 7.47.0-1ubuntu2.15 => 7.47.0-1ubuntu2.16 ==== ==== curl libcurl3-gnutls:amd64 * SECURITY UPDATE: wrong connect-only connection - debian/patches/CVE-2020-8231.patch: remember last connection by id, not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c, lib/urldata.h. - CVE-2020-8231 ==== grub2: 2.02~beta2-36ubuntu3.27 => 2.02~beta2-36ubuntu3.28 ==== ==== grub-common grub-efi-amd64 grub-efi-amd64-bin grub-pc grub-pc-bin grub2-common * debian/patches/ubuntu-flavour-order.patch: - Add a (hidden) GRUB_FLAVOUR_ORDER setting that can mark certain kernel flavours as preferred, and specify an order between those preferred flavours (LP: #1882663) * debian/patches/ubuntu-recovery-dis_ucode_ldr.patch: - Pass dis_ucode_ldr to kernel for recovery mode (LP: #1831789) ==== grub2-signed: 1.66.27+2.02~beta2-36ubuntu3.27 => 1.66.28+2.02~beta2-36ubuntu3.28 ==== ==== grub-efi-amd64-signed * Rebuild against grub2 2.02~beta2-36ubuntu3.28. ==== libx11: 2:1.6.3-1ubuntu2.1 => 2:1.6.3-1ubuntu2.2 ==== ==== libx11-6:amd64 libx11-data * SECURITY UPDATE: integer overflow and heap overflow in XIM client - debian/patches/CVE-2020-14344-1.patch: fix signed length values in modules/im/ximcp/imRmAttr.c. - debian/patches/CVE-2020-14344-2.patch: fix integer overflows in modules/im/ximcp/imRmAttr.c. - debian/patches/CVE-2020-14344-3.patch: fix more unchecked lengths in modules/im/ximcp/imRmAttr.c. - debian/patches/CVE-2020-14344-4.patch: zero out buffers in functions in modules/im/ximcp/imDefIc.c, modules/im/ximcp/imDefIm.c. - debian/patches/CVE-2020-14344-5.patch: change the data_len parameter to CARD16 in modules/im/ximcp/imRmAttr.c. - debian/patches/CVE-2020-14344-6.patch: fix size calculation in modules/im/ximcp/imRmAttr.c. - debian/patches/CVE-2020-14344-7.patch: fix input clients connecting to server in modules/im/ximcp/imRmAttr.c. - CVE-2020-14344 * SECURITY UPDATE: integer overflow and double free in locale handling - debian/patches/CVE-2020-14363.patch: fix an integer overflow in modules/om/generic/omGeneric.c. - CVE-2020-14363 ==== linux-meta: 4.4.0.187.193 => 4.4.0.189.195 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 4.4.0-189 * Packaging resync (LP: #1786013) - [Packaging] resync debian/dkms-versions from main package * Build and ship a signed wireguard.ko (LP: #1861284) - [Packaging] update-version -- add dkms-versions data to sync list - [Packaging] expose versioned provides for contained dkms binaries * Bump ABI 4.4.0-188 ==== linux-signed: 4.4.0-187.217 => 4.4.0-189.219 ==== ==== linux-image-4.4.0-189-generic * Master version: 4.4.0-189.219 * Master version: 4.4.0-188.218 ==== ubuntu-meta: 1.361.4 => 1.361.5 ==== ==== ubuntu-minimal ubuntu-server ubuntu-standard * d/control: ubuntu-server depends on motd-news-config (LP: #1888575) -- [1] http://cloud-images.ubuntu.com/releases/xenial/release-20200903/ [2] http://cloud-images.ubuntu.com/releases/xenial/release-20200814/