A new release of the Ubuntu Cloud Images for stable Ubuntu release 16.04 LTS (Xenial Xerus) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via the published AMI IDs.

Users who wish to update their existing installations can do so with:

  sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

  * accountsservice: 0.6.40-2ubuntu11.3 => 0.6.40-2ubuntu11.6
  * ca-certificates: 20190110~16.04.1 => 20201027ubuntu0.16.04.1
  * distro-info-data: 0.28ubuntu0.14 => 0.28ubuntu0.16
  * freetype: 2.6.1-0.1ubuntu2.4 => 2.6.1-0.1ubuntu2.5
  * perl: 5.22.1-9ubuntu0.6 => 5.22.1-9ubuntu0.9
  * python3.5: 3.5.2-2ubuntu0~16.04.11 => 3.5.2-2ubuntu0~16.04.12
  * python-cryptography: 1.2.3-1ubuntu0.2 => 1.2.3-1ubuntu0.3
  * snapd: 2.46.1 => 2.47.1
  * tzdata: 2020a-0ubuntu0.16.04 => 2020d-0ubuntu0.16.04
  * ubuntu-release-upgrader: 1:16.04.30 => 1:16.04.32
  * vim: 2:7.4.1689-3ubuntu1.4 => 2:7.4.1689-3ubuntu1.5

The following is a complete changelog for this image.

new: {}
removed: {}
changed: ['accountsservice', 'ca-certificates', 'distro-info-data', 'libaccountsservice0:amd64', 'libfreetype6:amd64', 'libperl5.22:amd64', 'libpython3.5-minimal:amd64', 'libpython3.5-stdlib:amd64', 'libpython3.5:amd64', 'perl', 'perl-base', 'perl-modules-5.22', 'python3-cryptography', 'python3-distupgrade', 'python3.5', 'python3.5-minimal', 'snapd', 'tzdata', 'ubuntu-core-launcher', 'ubuntu-release-upgrader-core', 'vim', 'vim-common', 'vim-runtime', 'vim-tiny']

new snaps: {}
removed snaps: {}
changed snaps: []

==== accountsservice: 0.6.40-2ubuntu11.3 => 0.6.40-2ubuntu11.6 ====

==== accountsservice libaccountsservice0:amd64

  * SECURITY UPDATE: accountsservice drop privileges SIGSTOP DoS
    (LP: #1900255)
    - debian/patches/0010-set-language.patch: updated to not drop real uid
      and real gid in user_drop_privileges_to_user.
    - debian/patches/0009-language-tools.patch: updated to not reset
      effective uid.
    - CVE-2020-16126
  * SECURITY UPDATE: directory traversal issue
    - debian/patches/CVE-2018-14036.patch: fix insufficient path prefix
      check in src/user.c.
    - CVE-2018-14036

==== ca-certificates: 20190110~16.04.1 => 20201027ubuntu0.16.04.1 ====

==== ca-certificates

  * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
    bundle to version 2.44. (LP: #1900727)

==== distro-info-data: 0.28ubuntu0.14 => 0.28ubuntu0.16 ====

==== distro-info-data

  * Add Ubuntu 21.04, Hirsute Hippo (LP: #1901361).

==== freetype: 2.6.1-0.1ubuntu2.4 => 2.6.1-0.1ubuntu2.5 ====

==== libfreetype6:amd64

  * SECURITY UPDATE: heap buffer overflow via integer truncation in
    Load_SBit_Png
    - debian/patches-freetype/CVE-2020-15999.patch: Update
      src/sfnt/pngshim.c to test and reject invalid bitmap size earlier in
      Load_SBit_Png. Based on upstream patch.
    - CVE-2020-15999

==== perl: 5.22.1-9ubuntu0.6 => 5.22.1-9ubuntu0.9 ====

==== libperl5.22:amd64 perl perl-base perl-modules-5.22

  * SECURITY UPDATE: heap buffer overflow in regex compiler
    - debian/patches/fixes/CVE-2020-10543.patch: prevent integer overflow
      from nested regex quantifiers in regcomp.c.
    - CVE-2020-10543
  * SECURITY UPDATE: regex intermediate language state corruption
    - debian/patches/fixes/CVE-2020-10878.patch: extract rck_elide_nothing
      in embed.fnc, embed.h, proto.h, regcomp.c.
    - CVE-2020-10878
  * SECURITY UPDATE: regex intermediate language state corruption
    - debian/patches/fixes/CVE-2020-12723.patch: avoid mutating regexp
      program within GOSUB in embed.fnc, embed.h, proto.h, regcomp.c,
      t/re/pat.t.
    - CVE-2020-12723
  * debian/patches/fixes/fix_test_2020.patch: fix FTBFS caused by test
    failing in the year 2020 in cpan/Time-Local/t/Local.t.

==== python-cryptography: 1.2.3-1ubuntu0.2 => 1.2.3-1ubuntu0.3 ====

==== python3-cryptography

  * SECURITY UPDATE: Bleichenbacher timing oracle attack
    - debian/patches/CVE-2020-25659.patch: Attempt to mitigate
      Bleichenbacher attacks on RSA decryption in docs/spelling_wordlist.txt,
      src/cryptography/hazmat/backends/openssl/rsa.py.
    - CVE-2020-25659

==== python3.5: 3.5.2-2ubuntu0~16.04.11 => 3.5.2-2ubuntu0~16.04.12 ====

==== libpython3.5-minimal:amd64 libpython3.5-stdlib:amd64 libpython3.5:amd64 python3.5 python3.5-minimal

  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2020-26116.patch: prevent header injection in http
      methods in Lib/httplib.py, Lib/test/test_httlib.py.
    - CVE-2020-26116
  * debian/patches/skipping_broken_test_httphandlertest.patch:
    - skipping Lib/test/test_logging.py was hanging during building time
      causing the building to be killed after 150 minutes of hang.

==== snapd: 2.46.1 => 2.47.1 ====

==== snapd ubuntu-core-launcher

  * New upstream release, LP: #1895929
    - o/configstate: create /etc/sysctl.d when applying early config
      defaults
    - cmd/snap-bootstrap/initramfs-mounts: also copy /etc/machine-id for
      same IP addr
    - packaging/{ubuntu,debian}: add liblzo2-dev as a dependency for
      building snapd
    - cmd/snap: allow snap help vs --all to diverge purposefully
    - snap: snap help output refresh
  * New upstream release, LP: #1895929
    - tests: fix nested core20 shellcheck bug
    - many/apparmor: adjust rule for reading apparmor profile for new kernel
    - snap-repair: add uc20 support
    - cmd/snap/auto-import: stop importing system user assertions from
      initramfs mnts
    - cmd/s-b/initramfs-mounts: use ConfigureTargetSystem for install,
      recover modes
    - gadget: resolve device mapper devices for fallback device lookup
    - secboot: add boot manager profile to pcr protection profile
    - sysconfig,o/devicestate: mv DisableNoCloud to
      DisableAfterLocalDatasourcesRun
    - tests: make gadget-reseal more robust
    - tests: skip nested images pre-configuration by default
    - tests: fix for basic20 test running on external backend and rpi
    - tests: improve kernel reseal test
    - boot: adjust comments, naming, log success around reseal
    - tests/nested, fakestore: changes necessary to run nested uc20
      signed/secured tests
    - tests: add nested core20 gadget reseal test
    - boot/modeenv: track unknown keys in Read and put back into modeenv
      during Write
    - interfaces/process-control: add sched_setattr to seccomp
    - boot: with unasserted kernels reseal if there's a hint modeenv changed
    - client: bump the default request timeout to 120s
    - configcore: do not error in console-conf.disable for install mode
    - boot: streamline bootstate20.go reseal and tests changes
    - boot: reseal when changing kernel
    - cmd/snap/model: specify grade in the model command output
    - tests: simplify
      repack_snapd_snap_with_deb_content_and_run_mode_first_boot_tweaks
    - test: improve logging in nested tests
    - nested: add support to telnet to serial port in nested VM
    - secboot: use the snapcore/secboot native recovery key type
    - tests/lib/nested.sh: use more focused cloud-init config for uc20
    - tests/lib/nested.sh: wait for the tpm socket to exist
    - spread.yaml, tests/nested: misc changes
    - tests: add more checks to disk space awareness spread test
    - tests: disk space awareness spread test
    - boot: make MockUC20Device use a model and MockDevice more realistic
    - boot,many: reseal only when meaningful and necessary
    - tests/nested/core20/kernel-failover: add test for failed refresh of
      uc20 kernel
    - tests: fix nested to work with qemu and kvm
    - boot: reseal when updating boot assets
    - tests: fix snap-routime-portal-info test
    - boot: verify boot chain file in seal and reseal tests
    - tests: use full path to test-snapd-refresh.version binary
    - boot: store boot chains during install, helper for checking whether
      reseal is needed
    - boot: add call to reseal an existing key
    - boot: consider boot chains with unrevisioned kernels incomparable
    - overlord: assorted typos and miscellaneous changes
    - boot: group SealKeyModelParams by model, improve testing
    - secboot: adjust parameters to buildPCRProtectionProfile
    - strutil: add SortedListsUniqueMergefrom the doc comment:
    - snap/naming: upgrade TODO to TODO:UC20
    - secboot: add call to reseal an existing key
    - boot: in seal.go adjust error message and function names
    - o/snapstate: check available disk space in RemoveMany
    - boot: build bootchains data for sealing
    - tests: remove "set -e" from function only shell libs
    - o/snapstate: disk space check on UpdateMany
    - o/snapstate: disk space check with snap update
    - snap: implement new `snap reboot` command
    - boot: do not reorder boot assets when generating predictable boot
      chains and other small tweaks
    - tests: some fixes and improvements for nested execution
    - tests/core/uc20-recovery: fix check for at least specific calls to
      mock-shutdown
    - boot: be consistent using bootloader.Role* consts instead of strings
    - boot: helper for generating secboot load chains from a given boot
      asset sequence
    - boot: tweak boot chains to support a list of kernel command lines,
      keep track of model and kernel boot file
    - boot,secboot: switch to expose and use snapcore/secboot load event
      trees
    - tests: use `nested_exec` in core{20,}-early-config test
    - devicestate: enable cloud-init on uc20 for grade signed and secured
    - boot: add "rootdir" to baseBootenvSuite and use in tests
    - tests/lib/cla_check.py: don't allow users.noreply.github.com commits
      to pass CLA
    - boot: represent boot chains, helpers for marshalling and equivalence
      checks
    - boot: mark successful with boot assets
    - client, api: handle insufficient space error
    - o/snapstate: disk space check with single snap install
    - configcore: "service.console-conf.disable" is gadget defaults only
    - packaging/opensuse: fix for /usr/libexec on TW, do not hardcode
      AppArmor profile path
    - tests: skip udp protocol in nfs-support test on ubuntu-20.10
    - packaging/debian-sid: tweak code preparing _build tree
    - many: move seal code from gadget/install to boot
    - tests: remove workaround for cups on ubuntu-20.10
    - client: implement RebootToSystem
    - many: seed.Model panics now if called before LoadAssertions
    - daemon: add /v2/systems "reboot" action API
    - github: run tests also on push to release branches
    - interfaces/bluez: let slot access audio streams
    - seed,c/snap-bootstrap: simplify snap-bootstrap seed reading with new
      seed.ReadSystemEssential
    - interfaces: allow snap-update-ns to read /proc/cmdline
    - tests: new organization for nested tests
    - o/snapstate, features: add feature flags for disk space awareness
    - tests: workaround for cups issue on 20.10 where default printer is
      not configured.
    - interfaces: update cups-control and add cups for providing snaps
    - boot: keep track of the original asset when observing updates
    - tests: simplify and fix tests for disk space checks on snap remove
    - sysconfig/cloudinit.go: add AllowCloudInit and use GadgetDir for
      cloud.conf
    - tests/main: mv core specific tests to core suite
    - tests/lib/nested.sh: reset the TPM when we create the uc20 vm
    - devicestate: rename "mockLogger" to "logbuf"
    - many: introduce ContentChange for tracking gadget content in
      observers
    - many: fix partion vs partition typo
    - bootloader: retrieve boot chains from bootloader
    - devicestate: add tests around logging in RequestSystemAction
    - boot: handle canceled update
    - bootloader: tweak doc comments (thanks Samuele)
    - seed/seedwriter: test local asserted snaps with UC20 grade signed
    - sysconfig/cloudinit.go: add DisableNoCloud to
      CloudInitRestrictOptions
    - many: use BootFile type in load sequences
    - boot,bootloader: clarifications after the changes to introduce
      bootloader.Options.Role
    - boot,bootloader,gadget: apply new bootloader.Options.Role
    - o/snapstate, features: add feature flag for disk space check on
      remove
    - testutil: add checkers for symbolic link target
    - many: refactor tpm seal parameter setting
    - boot/bootstate20: reboot to rollback to previous kernel
    - boot: add unit test helpers
    - boot: observe update & rollback of trusted assets
    - interfaces/utf: Add MIRKey to u2f devices
    - o/devicestate/devicestate_cloudinit_test.go: test cleanup for uc20
      cloud-init tests
    - many: check that users of BaseTest don't forget to consume cleanups
    - tests/nested/core20/tpm: verify trusted boot assets tracking
    - github: run macOS job with Go 1.14
    - many: misc doc-comment changes and typo fixes
    - o/snapstate: disk space check with InstallMany
    - many: cloud-init cleanups from previous PR's
    - tests: running tests on opensuse leap 15.2
    - run-checks: check for dirty build tree too
    - vendor: run ./get-deps.sh to update the secboot hash
    - tests: update listing test for "-dirty" versions
    - overlord/devicestate: do not release the state lock when updating
      gadget assets
    - secboot: read kernel efi image from snap file
    - snap: add size to the random access file return interface
    - daemon: correctly parse Content-Type HTTP header.
    - tests: account for apt-get on core18
    - cmd/snap-bootstrap/initramfs-mounts: compute string outside of loop
    - mkversion.sh: simple hack to include dirty in version if the tree is
      dirty
    - cgroup,snap: track hooks on system bus only
    - interfaces/systemd: compare dereferenced Service
    - run-checks: only check files in git for misspelling
    - osutil: add a package doc comment (via doc.go)
    - boot: complain about reused asset name during initial install
    - snapstate: installSize helper that calculates total size of snaps and
      their prerequisites
    - snapshots: export of snapshots
    - boot/initramfs_test.go: reset boot vars on the bootloader for each
      iteration

==== tzdata: 2020a-0ubuntu0.16.04 => 2020d-0ubuntu0.16.04 ====

==== tzdata

  * New upstream version (LP: #1901020), affecting past and future
    timestamps:
    - Palestine ends DST earlier than predicted, on 2020-10-24.
    - Fiji starts DST later than usual, on 2020-12-20.
    - Revised predictions for Morocco's changes starting in 2023.
    - Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
    - Macquarie Island has stayed in sync with Tasmania since 2011.
    - Casey, Antarctica is at +08 in winter and +11 in summer since 2018.
  * Restore old SystemV timezones.

==== ubuntu-release-upgrader: 1:16.04.30 => 1:16.04.32 ====

==== python3-distupgrade ubuntu-release-upgrader-core

  [ Chad Smith ]
  * data/mirrors.cfg: add ubuntu advantage pro PPA url as valid mirror
    (LP: #1893717)
  * DistUpgrade/DistUpgradeController.py: release cache lock during
    runPostInstallScripts (LP: #1897778)
  * data/mirrors.cfg: add all ubuntu-advantage services as valid mirrors.
    This includes: fips, fips-updates, esm-infra, esm-apps and cc-eal.
    (LP: #1893717)

==== vim: 2:7.4.1689-3ubuntu1.4 => 2:7.4.1689-3ubuntu1.5 ====

==== vim vim-common vim-runtime vim-tiny

  * SECURITY UPDATE: incorrect group ownership of .swp file
    - debian/patches/CVE-2017-17087.patch: use correct group in
      src/fileio.c.
    - CVE-2017-17087
  * SECURITY UPDATE: rvim restricted mode circumvention
    - debian/patches/CVE-2019-20807-pre1.patch: add checks for restricted
      and secure in src/eval.c.
    - debian/patches/CVE-2019-20807-pre2.patch: update documentation in
      runtime/doc/starting.txt.
    - debian/patches/CVE-2019-20807-1.patch: disable using interfaces in
      restricted mode in runtime/doc/starting.txt, src/eval.c,
      src/ex_cmds.c, src/ex_docmd.c, src/if_perl.xs,
      src/testdir/Make_all.mak, src/testdir/test_restricted.vim.
    - debian/patches/CVE-2019-20807-2.patch: missing some changes for Ex
      commands in src/ex_cmds.h.
    - CVE-2019-20807

--
[1] http://cloud-images.ubuntu.com/releases/xenial/release-20201104/
[2] http://cloud-images.ubuntu.com/releases/xenial/release-20201014/
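The package list at the top of this announcement is the practical artefact for anyone who cannot simply rotate instances to the new image: it tells you which installed versions still carry the CVEs listed in the changelog. The script below is an added example, not part of the announcement or of any Ubuntu tooling. It parses the "* pkg: old => new" lines, implements Debian's version ordering (epoch, upstream, revision, with "~" sorting before everything) in plain Python so it does not need dpkg on the auditing host, maps each "==== pkg: ... ====" changelog section to the CVE identifiers it mentions, and reports which of those CVEs an instance is still exposed to. The ANNOUNCEMENT and CHANGELOG strings are constructed excerpts of this page, and INSTALLED is a constructed stand-in for the output of `dpkg-query -W` on a partially patched instance.

```python
# Added example (not from the Ubuntu announcement or Ubuntu tooling): audit an
# instance's installed package versions against the versions in this image.
import re
from itertools import zip_longest

# Constructed excerpt of the "following packages have been updated" list.
ANNOUNCEMENT = """\
* accountsservice: 0.6.40-2ubuntu11.3 => 0.6.40-2ubuntu11.6
* ca-certificates: 20190110~16.04.1 => 20201027ubuntu0.16.04.1
* perl: 5.22.1-9ubuntu0.6 => 5.22.1-9ubuntu0.9
* python3.5: 3.5.2-2ubuntu0~16.04.11 => 3.5.2-2ubuntu0~16.04.12
* ubuntu-release-upgrader: 1:16.04.30 => 1:16.04.32
* vim: 2:7.4.1689-3ubuntu1.4 => 2:7.4.1689-3ubuntu1.5
"""

# Constructed excerpt of the per-package changelog sections.
CHANGELOG = """\
==== accountsservice: 0.6.40-2ubuntu11.3 => 0.6.40-2ubuntu11.6 ====
  * SECURITY UPDATE: accountsservice drop privileges SIGSTOP DoS
    - CVE-2020-16126
  * SECURITY UPDATE: directory traversal issue
    - CVE-2018-14036
==== vim: 2:7.4.1689-3ubuntu1.4 => 2:7.4.1689-3ubuntu1.5 ====
  * SECURITY UPDATE: incorrect group ownership of .swp file
    - CVE-2017-17087
  * SECURITY UPDATE: rvim restricted mode circumvention
    - CVE-2019-20807
==== perl: 5.22.1-9ubuntu0.6 => 5.22.1-9ubuntu0.9 ====
  * SECURITY UPDATE: heap buffer overflow in regex compiler
    - CVE-2020-10543
"""

# Constructed stand-in for `dpkg-query -W` on an instance from the previous
# image that has only been partially patched.
INSTALLED = {
    "accountsservice": "0.6.40-2ubuntu11.3",
    "ca-certificates": "20201027ubuntu0.16.04.1",
    "perl": "5.22.1-9ubuntu0.9",
    "python3.5": "3.5.2-2ubuntu0~16.04.11",
    "ubuntu-release-upgrader": "1:16.04.32",
    "vim": "2:7.4.1689-3ubuntu1.4",
}

LINE_RE = re.compile(r"^\*\s+(\S+):\s+(\S+)\s+=>\s+(\S+)\s*$", re.M)
HDR_RE = re.compile(r"^==== (\S+): \S+ => \S+ ====$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_updates(text):
    """Map package name -> (old version, new version)."""
    return {name: (old, new) for name, old, new in LINE_RE.findall(text)}


def _order(c):
    # Debian policy: '~' sorts before anything (even end of string),
    # end of string before letters, letters before other characters.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare upstream or revision strings with dpkg's run-by-run rule."""
    while a or b:
        ra = re.match(r"[^0-9]*", a).group(0); a = a[len(ra):]
        rb = re.match(r"[^0-9]*", b).group(0); b = b[len(rb):]
        for ca, cb in zip_longest(ra, rb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        da = re.match(r"[0-9]*", a).group(0); a = a[len(da):]
        db = re.match(r"[0-9]*", b).group(0); b = b[len(db):]
        if int(da or "0") != int(db or "0"):
            return int(da or "0") - int(db or "0")
    return 0


def _split(v):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def missing_updates(installed, updates):
    """Installed packages older than the version shipped in the image."""
    return sorted(p for p, (_, new) in updates.items()
                  if p in installed and compare_versions(installed[p], new) < 0)


def cves_by_package(changelog):
    """Map each '==== pkg: ... ====' section to the CVE ids it mentions."""
    result, current = {}, None
    for line in changelog.splitlines():
        m = HDR_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current:
            result[current].extend(CVE_RE.findall(line))
    return result


def open_cves(installed, announcement, changelog):
    """CVEs fixed by this image that `installed` is still exposed to."""
    cves = cves_by_package(changelog)
    pending = missing_updates(installed, parse_updates(announcement))
    return {p: cves[p] for p in pending if cves.get(p)}


if __name__ == "__main__":
    for pkg, ids in open_cves(INSTALLED, ANNOUNCEMENT, CHANGELOG).items():
        print(f"{pkg}: {', '.join(ids)}")
```

On a real instance, replace INSTALLED with the output of `dpkg-query -W -f '${Package} ${Version}\n'` and paste the full package list and changelog from this announcement; packages such as python3.5 that the changelog fixes but whose section is not in the constructed excerpt show up in missing_updates() but not in open_cves(), which is the intended distinction between "behind the image" and "known-vulnerable".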