A new release of the Ubuntu Cloud Images for stable Ubuntu release 16.04 LTS (Xenial Xerus) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with:
   'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs
for a complete listing of changes:
 * base-files: 9.4ubuntu4.12 => 9.4ubuntu4.13 
 * bind9: 1:9.10.3.dfsg.P4-8ubuntu1.16 => 1:9.10.3.dfsg.P4-8ubuntu1.17 
 * curl: 7.47.0-1ubuntu2.15 => 7.47.0-1ubuntu2.16 
 * grub2: 2.02~beta2-36ubuntu3.27 => 2.02~beta2-36ubuntu3.28 
 * grub2-signed: 1.66.27+2.02~beta2-36ubuntu3.27 => 1.66.28+2.02~beta2-36ubuntu3.28 
 * libx11: 2:1.6.3-1ubuntu2.1 => 2:1.6.3-1ubuntu2.2 
 * linux-meta: 4.4.0.187.193 => 4.4.0.189.195 
 * linux-signed: 4.4.0-187.217 => 4.4.0-189.219 
 * ubuntu-meta: 1.361.4 => 1.361.5 


The following is a complete changelog for this image.
new: {'linux-headers-4.4.0-189': '4.4.0-189.219', 'linux-headers-4.4.0-189-generic': '4.4.0-189.219', 'motd-news-config': '9.4ubuntu4.13', 'linux-modules-4.4.0-189-generic': '4.4.0-189.219'}
removed: {'linux-modules-4.4.0-187-generic': '4.4.0-187.217', 'linux-headers-4.4.0-187-generic': '4.4.0-187.217', 'linux-headers-4.4.0-187': '4.4.0-187.217'}
changed: ['base-files', 'bind9-host', 'curl', 'dnsutils', 'grub-common', 'grub-efi-amd64', 'grub-efi-amd64-bin', 'grub-efi-amd64-signed', 'grub-pc', 'grub-pc-bin', 'grub2-common', 'libbind9-140:amd64', 'libcurl3-gnutls:amd64', 'libdns-export162', 'libdns162:amd64', 'libisc-export160', 'libisc160:amd64', 'libisccc140:amd64', 'libisccfg140:amd64', 'liblwres141:amd64', 'libx11-6:amd64', 'libx11-data', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.4.0-189-generic', 'linux-image-virtual', 'linux-virtual', 'ubuntu-minimal', 'ubuntu-server', 'ubuntu-standard']
new snaps: {}
removed snaps: {}
changed snaps: []
==== base-files: 9.4ubuntu4.12 => 9.4ubuntu4.13 ====
====     base-files
  [ Andreas Hasenack ]
  * motd/50-motd-news: don't include uptime in the user-agent string
    (LP: #1886572)
  * Move the /etc/default/motd-news conffile to the motd-news-config
    package (LP: #1888575):
    - d/postinst.in, d/postrm, d/preinst: remove /etc/default/motd-news
      config file on base-files upgrade using dpkg-maintscript-helper
    - d/rules: install d/preinst
    - d/control: break on ubuntu-server << 1.361.5 to force an upgrade if
      it is installed, which will pull motd-news-config and the conffile
      back in
    - d/control: new motd-news-config package, carrying the
      configuration file for the /etc/update-motd.d/50-motd-news script.
    - d/motd-news-config.postinst:
      + handle the upgrade case where the motd-news config file was
        changed while it belonged to base-files
      + disable motd-news if the config file was removed by hand before
        the upgrade
    - d/postinst.in: signal the motd-news-config package if the
      motd-news config file was removed manually before the upgrade
    - d/conffiles: remove motd-news
    - d/rules, d/motd-news-config.conffiles: packaging motd-news-config
      without debhelper
  [ Steve Langasek ]
  * motd/50-motd-news: use wget instead of curl, since wget is standard but
    curl is optional (LP: #1888572):
    - This changes the timeout behavior slightly because wget does not have
      an exact equivalent to curl's --max-time argument, we are using
      --timeout instead.
==== bind9: 1:9.10.3.dfsg.P4-8ubuntu1.16 => 1:9.10.3.dfsg.P4-8ubuntu1.17 ====
====     bind9-host dnsutils libbind9-140:amd64 libdns-export162 libdns162:amd64 libisc-export160 libisc160:amd64 libisccc140:amd64 libisccfg140:amd64 liblwres141:amd64
  * SECURITY UPDATE: A truncated TSIG response can lead to an assertion
    failure
    - debian/patches/CVE-2020-8622.patch: move code in lib/dns/message.c.
    - CVE-2020-8622
  * SECURITY UPDATE: A flaw in native PKCS#11 code can lead to a remotely
    triggerable assertion failure
    - debian/patches/CVE-2020-8623.patch: add extra checks in
      lib/dns/pkcs11dh_link.c, lib/dns/pkcs11dsa_link.c,
      lib/dns/pkcs11rsa_link.c, lib/isc/include/pk11/internal.h,
      lib/isc/pk11.c.
    - CVE-2020-8623
==== curl: 7.47.0-1ubuntu2.15 => 7.47.0-1ubuntu2.16 ====
====     curl libcurl3-gnutls:amd64
  * SECURITY UPDATE: wrong connect-only connection
    - debian/patches/CVE-2020-8231.patch: remember last connection by id,
      not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c,
      lib/urldata.h.
    - CVE-2020-8231
==== grub2: 2.02~beta2-36ubuntu3.27 => 2.02~beta2-36ubuntu3.28 ====
====     grub-common grub-efi-amd64 grub-efi-amd64-bin grub-pc grub-pc-bin grub2-common
  * debian/patches/ubuntu-flavour-order.patch:
    - Add a (hidden) GRUB_FLAVOUR_ORDER setting that can mark certain kernel
      flavours as preferred, and specify an order between those preferred
      flavours (LP: #1882663)
  * debian/patches/ubuntu-recovery-dis_ucode_ldr.patch:
    - Pass dis_ucode_ldr to kernel for recovery mode (LP: #1831789)
==== grub2-signed: 1.66.27+2.02~beta2-36ubuntu3.27 => 1.66.28+2.02~beta2-36ubuntu3.28 ====
====     grub-efi-amd64-signed
  * Rebuild against grub2 2.02~beta2-36ubuntu3.28.
==== libx11: 2:1.6.3-1ubuntu2.1 => 2:1.6.3-1ubuntu2.2 ====
====     libx11-6:amd64 libx11-data
  * SECURITY UPDATE: integer overflow and heap overflow in XIM client
    - debian/patches/CVE-2020-14344-1.patch: fix signed length values in
      modules/im/ximcp/imRmAttr.c.
    - debian/patches/CVE-2020-14344-2.patch: fix integer overflows in
      modules/im/ximcp/imRmAttr.c.
    - debian/patches/CVE-2020-14344-3.patch: fix more unchecked lengths in
      modules/im/ximcp/imRmAttr.c.
    - debian/patches/CVE-2020-14344-4.patch: zero out buffers in functions
      in modules/im/ximcp/imDefIc.c, modules/im/ximcp/imDefIm.c.
    - debian/patches/CVE-2020-14344-5.patch: change the data_len parameter
      to CARD16 in modules/im/ximcp/imRmAttr.c.
    - debian/patches/CVE-2020-14344-6.patch: fix size calculation in
      modules/im/ximcp/imRmAttr.c.
    - debian/patches/CVE-2020-14344-7.patch: fix input clients connecting
      to server in modules/im/ximcp/imRmAttr.c.
    - CVE-2020-14344
  * SECURITY UPDATE: integer overflow and double free in locale handling
    - debian/patches/CVE-2020-14363.patch: fix an integer overflow in
      modules/om/generic/omGeneric.c.
    - CVE-2020-14363
==== linux-meta: 4.4.0.187.193 => 4.4.0.189.195 ====
====     linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual
  * Bump ABI 4.4.0-189
  * Packaging resync (LP: #1786013)
    - [Packaging] resync debian/dkms-versions from main package
  * Build and ship a signed wireguard.ko (LP: #1861284)
    - [Packaging] update-version -- add dkms-versions data to sync list
    - [Packaging] expose versioned provides for contained dkms binaries
  * Bump ABI 4.4.0-188
==== linux-signed: 4.4.0-187.217 => 4.4.0-189.219 ====
====     linux-image-4.4.0-189-generic
  * Master version: 4.4.0-189.219
  * Master version: 4.4.0-188.218
==== ubuntu-meta: 1.361.4 => 1.361.5 ====
====     ubuntu-minimal ubuntu-server ubuntu-standard
  * d/control: ubuntu-server depends on motd-news-config
    (LP: #1888575)

--
[1] http://cloud-images.ubuntu.com/releases/xenial/release-20200904/
[2] http://cloud-images.ubuntu.com/releases/xenial/release-20200814/