A new release of the Ubuntu Cloud Images for stable Ubuntu release 16.04 LTS (Xenial Xerus) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI ids.

Users who wish to update their existing installations can do so with:

  'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * apt: 1.2.32ubuntu0.1 => 1.2.32ubuntu0.2
 * curl: 7.47.0-1ubuntu2.16 => 7.47.0-1ubuntu2.18
 * openssl: 1.0.2g-1ubuntu4.17 => 1.0.2g-1ubuntu4.18
 * python-apt: 1.1.0~beta1ubuntu0.16.04.9 => 1.1.0~beta1ubuntu0.16.04.10

The following is a complete changelog for this image.

new: {'grub-efi-amd64-signed': '1.66.29+2.02~beta2-36ubuntu3.29', 'grub-efi-amd64': '2.02~beta2-36ubuntu3.29'}
removed: {'grub-gfxpayload-lists': '0.7'}
changed: ['apt', 'apt-transport-https', 'apt-utils', 'curl', 'libapt-inst2.0:amd64', 'libapt-pkg5.0:amd64', 'libcurl3-gnutls:amd64', 'libssl1.0.0:amd64', 'openssl', 'python-apt-common', 'python3-apt']
new snaps: {}
removed snaps: {}
changed snaps: []

==== apt: 1.2.32ubuntu0.1 => 1.2.32ubuntu0.2 ====
==== apt apt-transport-https apt-utils libapt-inst2.0:amd64 libapt-pkg5.0:amd64
  * SECURITY UPDATE: Integer overflow in parsing (LP: #1899193)
    - apt-pkg/contrib/arfile.cc: add extra checks.
    - apt-pkg/contrib/tarfile.cc: limit tar item sizes to 128 GiB
    - apt-pkg/deb/debfile.cc: limit control file sizes to 64 MiB
    - test/*: add tests.
    - CVE-2020-27350
  * Additional hardening:
    - apt-pkg/contrib/tarfile.cc: Limit size of long names and links to 1 MiB

==== curl: 7.47.0-1ubuntu2.16 => 7.47.0-1ubuntu2.18 ====
==== curl libcurl3-gnutls:amd64
  * SECURITY UPDATE: FTP redirect to malicious host via PASV response
    - debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by default in lib/url.c, src/tool_cfgable.c, docs/*, tests/data/*.
    - CVE-2020-8284
  * SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
    - debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of recurse in lib/ftp.c.
    - CVE-2020-8285
  * SECURITY UPDATE: Inferior OCSP verification
    - debian/patches/CVE-2020-8286.patch: make the OCSP verification verify the certificate id in lib/vtls/openssl.c.
    - CVE-2020-8286

==== openssl: 1.0.2g-1ubuntu4.17 => 1.0.2g-1ubuntu4.18 ====
==== libssl1.0.0:amd64 openssl
  * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
    - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c.
    - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c.
    - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/asn1/asn1.h.
    - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/asn1/asn1.h.
    - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in crypto/x509v3/v3nametest.c.
    - CVE-2020-1971

==== python-apt: 1.1.0~beta1ubuntu0.16.04.9 => 1.1.0~beta1ubuntu0.16.04.10 ====
==== python-apt-common python3-apt
  * SECURITY UPDATE: various memory and file descriptor leaks (LP: #1899193)
    - python/arfile.cc, python/generic.h, python/tag.cc, python/tarfile.cc: fix file descriptor and memory leaks
    - python/apt_instmodule.cc, python/apt_instmodule.h, python/arfile.h: Avoid reference cycle with control,data members in apt_inst.DebFile objects
    - tests/test_cve_2020_27351.py: Test cases for DebFile (others not easily testable)
    - CVE-2020-27351
  * data/templates: Update mirror lists

--
[1] http://cloud-images.ubuntu.com/releases/xenial/release-20201210/
[2] http://cloud-images.ubuntu.com/releases/xenial/release-20201202/
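As an added example, not part of this announcement: the Python below implements Debian's version ordering (the rules dpkg --compare-versions applies, including the '~' pre-release marker that python-apt's version string uses) and checks an inventory of installed versions against the fixed versions listed above, so hosts that still predate this image can be flagged without running dpkg on the analysis machine. The package names and fixed versions come from the announcement; the installed-version dict is a constructed sample and the function names are assumptions of mine.

```python
import re

FIXED = {  # fixed source-package versions taken from this announcement
    "apt": "1.2.32ubuntu0.2",
    "curl": "7.47.0-1ubuntu2.18",
    "openssl": "1.0.2g-1ubuntu4.18",
    "python-apt": "1.1.0~beta1ubuntu0.16.04.10",
}
_TOKEN = re.compile(r"(\D*)(\d*)")  # a non-digit run followed by a digit run

def _order(c):
    # dpkg's order(): '~' sorts before everything (even end of string), letters before symbols
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0  # end of run weighs 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return wa - wb
    return 0

def _cmp_fragment(a, b):
    # Compare an upstream-version or revision string (Debian Policy 5.6.12)
    while a or b:
        ma, mb = _TOKEN.match(a), _TOKEN.match(b)
        r = _cmp_nondigit(ma.group(1), mb.group(1)) or int(ma.group(2) or 0) - int(mb.group(2) or 0)
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
    return 0

def _split(v):
    # '[epoch:]upstream[-revision]': missing epoch is 0, the last '-' starts the revision
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:  # no revision part at all
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def version_compare(a, b):
    # Negative if a < b, 0 if equal, positive if a > b (same sign as dpkg --compare-versions)
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def outdated(installed):
    # Names of packages from FIXED whose installed version is older than the fixed one
    return sorted(p for p, v in installed.items() if p in FIXED and version_compare(v, FIXED[p]) < 0)
```

Feed `outdated()` a dict built from `dpkg-query -W -f='${source:Package} ${Version}\n'` output collected on each host; an empty result means every package this image bumps is at or past the fixed version.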