A new release of the Ubuntu Cloud Images for stable Ubuntu release 16.04 LTS (Xenial Xerus) is available at [1]. These new images supersede the existing images [2]. Images are available for download or for immediate use on EC2 via the published AMI IDs.

Users who wish to update their existing installations can do so with:
'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * apport: 2.20.1-0ubuntu2.28 => 2.20.1-0ubuntu2.30
 * bind9: 1:9.10.3.dfsg.P4-8ubuntu1.17 => 1:9.10.3.dfsg.P4-8ubuntu1.18
 * ca-certificates: 20201027ubuntu0.16.04.1 => 20210119~16.04.1
 * linux-meta: 4.4.0.201.207 => 4.4.0.203.209
 * linux-signed: 4.4.0-201.233 => 4.4.0-203.235
 * openldap: 2.4.42+dfsg-2ubuntu3.11 => 2.4.42+dfsg-2ubuntu3.13
 * openssl: 1.0.2g-1ubuntu4.18 => 1.0.2g-1ubuntu4.19
 * snapd: 2.48 => 2.48.3
 * tzdata: 2020f-0ubuntu0.16.04 => 2021a-0ubuntu0.16.04

The following is a complete changelog for this image.
new: {'linux-headers-4.4.0-203': '4.4.0-203.235', 'linux-modules-4.4.0-203-generic': '4.4.0-203.235', 'linux-headers-4.4.0-203-generic': '4.4.0-203.235'}
removed: {'linux-headers-4.4.0-201': '4.4.0-201.233', 'linux-headers-4.4.0-201-generic': '4.4.0-201.233', 'linux-modules-4.4.0-201-generic': '4.4.0-201.233'}
changed: ['apport', 'bind9-host', 'ca-certificates', 'dnsutils', 'libbind9-140:amd64', 'libdns-export162', 'libdns162:amd64', 'libisc-export160', 'libisc160:amd64', 'libisccc140:amd64', 'libisccfg140:amd64', 'libldap-2.4-2:amd64', 'liblwres141:amd64', 'libssl1.0.0:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.4.0-203-generic', 'linux-image-virtual', 'linux-virtual', 'openssl', 'python3-apport', 'python3-problem-report', 'snapd', 'tzdata', 'ubuntu-core-launcher']
new snaps: {}
removed snaps: {}
changed snaps: []

==== apport: 2.20.1-0ubuntu2.28 => 2.20.1-0ubuntu2.30 ====
==== apport python3-apport python3-problem-report
  * SECURITY UPDATE: multiple security issues (LP: #1912326)
    - CVE-2021-25682: error parsing /proc/pid/status
    - CVE-2021-25683: error parsing /proc/pid/stat
    - CVE-2021-25684: stuck reading fifo
    - data/apport: make sure existing report is a regular file.
    - apport/fileutils.py: move some logic here to skip over manipulated process names and filenames.
    - test/test_fileutils.py: added some parsing tests.

==== bind9: 1:9.10.3.dfsg.P4-8ubuntu1.17 => 1:9.10.3.dfsg.P4-8ubuntu1.18 ====
==== bind9-host dnsutils libbind9-140:amd64 libdns-export162 libdns162:amd64 libisc-export160 libisc160:amd64 libisccc140:amd64 libisccfg140:amd64 liblwres141:amd64
  * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
    - debian/patches/CVE-2020-8625.patch: properly calculate length in lib/dns/spnego.c.
    - CVE-2020-8625

==== ca-certificates: 20201027ubuntu0.16.04.1 => 20210119~16.04.1 ====
==== ca-certificates
  * Update ca-certificates database to 20210119 (LP: #1914064):
    - mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.46.
    - backport certain changes from the Ubuntu 20.10 20210119 package

==== linux-meta: 4.4.0.201.207 => 4.4.0.203.209 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual
  * Bump ABI 4.4.0-203
  * Bump ABI 4.4.0-202

==== linux-signed: 4.4.0-201.233 => 4.4.0-203.235 ====
==== linux-image-4.4.0-203-generic
  * Master version: 4.4.0-203.235
  * Master version: 4.4.0-202.234

==== openldap: 2.4.42+dfsg-2ubuntu3.11 => 2.4.42+dfsg-2ubuntu3.13 ====
==== libldap-2.4-2:amd64
  * SECURITY UPDATE: DoS via malicious packet
    - debian/patches/CVE-2021-27212.patch: fix issuerAndThisUpdateCheck in servers/slapd/schema_init.c.
    - CVE-2021-27212
  * SECURITY UPDATE: integer underflow in Certificate Exact Assertion processing
    - debian/patches/CVE-2020-36221-1.patch: fix serialNumberAndIssuerCheck in servers/slapd/schema_init.c.
    - debian/patches/CVE-2020-36221-2.patch: fix serialNumberAndIssuerCheck in servers/slapd/schema_init.c.
    - CVE-2020-36221
  * SECURITY UPDATE: assert failure in saslAuthzTo validation
    - debian/patches/CVE-2020-36222-1.patch: remove saslauthz asserts in servers/slapd/saslauthz.c.
    - debian/patches/CVE-2020-36222-2.patch: fix debug msg in servers/slapd/saslauthz.c.
    - CVE-2020-36222
  * SECURITY UPDATE: crash in Values Return Filter control handling
    - debian/patches/CVE-2020-36223.patch: fix vrfilter double-free in servers/slapd/controls.c.
    - CVE-2020-36223
  * SECURITY UPDATE: DoS in saslAuthzTo processing
    - debian/patches/CVE-2020-36224-1.patch: use ch_free on normalized DN in servers/slapd/saslauthz.c.
    - debian/patches/CVE-2020-36224-2.patch: use slap_sl_free in prev commit in servers/slapd/saslauthz.c.
    - CVE-2020-36224
  * SECURITY UPDATE: DoS in saslAuthzTo processing
    - debian/patches/CVE-2020-36225.patch: fix AVA_Sort on invalid RDN in servers/slapd/dn.c.
    - CVE-2020-36225
  * SECURITY UPDATE: DoS in saslAuthzTo processing
    - debian/patches/CVE-2020-36226.patch: fix slap_parse_user in servers/slapd/saslauthz.c.
    - CVE-2020-36226
  * SECURITY UPDATE: infinite loop in cancel_extop Cancel operation
    - debian/patches/CVE-2020-36227.patch: fix cancel exop in servers/slapd/cancel.c.
    - CVE-2020-36227
  * SECURITY UPDATE: DoS in Certificate List Exact Assertion processing
    - debian/patches/CVE-2020-36228.patch: fix issuerAndThisUpdateCheck in servers/slapd/schema_init.c.
    - CVE-2020-36228
  * SECURITY UPDATE: DoS in X.509 DN parsing in ad_keystring
    - debian/patches/CVE-2020-36229.patch: add more checks to ldap_X509dn2bv in libraries/libldap/tls2.c.
    - CVE-2020-36229
  * SECURITY UPDATE: DoS in X.509 DN parsing in ber_next_element
    - debian/patches/CVE-2020-36230.patch: check for invalid BER after RDN count in libraries/libldap/tls2.c.
    - CVE-2020-36230

==== openssl: 1.0.2g-1ubuntu4.18 => 1.0.2g-1ubuntu4.19 ====
==== libssl1.0.0:amd64 openssl
  * SECURITY UPDATE: Integer overflow in CipherUpdate
    - debian/patches/CVE-2021-23840-pre1.patch: add new EVP error codes in crypto/evp/evp_err.c, crypto/evp/evp.h.
    - debian/patches/CVE-2021-23840-pre2.patch: add a new EVP error code in crypto/evp/evp_err.c, crypto/evp/evp.h.
    - debian/patches/CVE-2021-23840.patch: don't overflow the output length in EVP_CipherUpdate calls in crypto/evp/evp_enc.c, crypto/evp/evp_err.c, crypto/evp/evp.h.
    - CVE-2021-23840
  * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
    - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c.
    - CVE-2021-23841

==== snapd: 2.48 => 2.48.3 ====
==== snapd ubuntu-core-launcher
  * SECURITY UPDATE: sandbox escape vulnerability for containers (LP: #1910456)
    - many: add Delegate=true to generated systemd units for special interfaces
    - interfaces/greengrass-support: back-port interface changes to 2.48
    - CVE-2020-27352
  * interfaces/builtin/docker-support: allow /run/containerd/s/...
    - This is a new path that docker 19.03.14 (with a new version of containerd) uses to avoid containerd CVE issues around the unix socket. See also CVE-2020-15257.
  * New upstream release, LP: #1906690
    - tests: sign new nested-18|20* models to allow for generic serials
    - secboot: add extra paranoia when waiting for that fde-reveal-key
    - tests: backport netplan workarounds from #9785
    - secboot: add workaround for snapcore/core-initrd issue #13
    - devicestate: log checkEncryption errors via logger.Noticef
    - tests: add nested spread end-to-end test for fde-hooks
    - devicestate: implement checkFDEFeatures()
    - boot: tweak resealing with fde-setup hooks
    - sysconfig/cloudinit.go: add "manual_cache_clean: true" to cloud-init restrict file
    - secboot: add new LockSealedKeys() that uses either TPM or fde-reveal-key
    - gadget: use "sealed-keys" to determine what method to use for reseal
    - boot: add sealKeyToModeenvUsingFdeSetupHook()
    - secboot: use `fde-reveal-key` if available to unseal key
    - cmd/snap-update-ns: fix sorting of overname mount entries wrt other entries
    - o/devicestate: save model with serial in the device save db
    - devicestate: add runFDESetupHook() helper
    - secboot,devicestate: add scaffolding for "fde-reveal-key" support
    - hookstate: add new HookManager.EphemeralRunHook()
    - update-pot: fix typo in plural keyword spec
    - store,cmd/snap-repair: increase initial exponential time intervals
    - o/devicestate,daemon: fix reboot system action to not require a system label
    - github: run nested suite when commit is pushed to release branch
    - tests: reset fakestore unit status
    - tests: fix uc20-create-parition-* tests for updated gadget
    - hookstate: implement snapctl fde-setup-{request,result}
    - devicestate: make checkEncryption fde-setup hook aware
    - client,snapctl: add naive support for "stdin"
    - devicestate: support "storage-safety" defaults during install
    - snap: use the boot-base for kernel hooks
    - vendor: update secboot repo to avoid including secboot.test binary
  * New upstream release, LP: #1906690
    - gadget: disable ubuntu-boot role validation check

==== tzdata: 2020f-0ubuntu0.16.04 => 2021a-0ubuntu0.16.04 ====
==== tzdata
  * New upstream version (LP: #1913482), affecting the following future timestamp:
    - South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

--
[1] http://cloud-images.ubuntu.com/releases/xenial/release-20210224/
[2] http://cloud-images.ubuntu.com/releases/xenial/release-20210128/
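As an added example (not part of the announcement or of any Ubuntu tooling), the following Python check compares the package versions installed on an existing instance against the versions announced above, so an operator can confirm the dist-upgrade actually brought the instance to this image's level. It carries its own minimal implementation of Debian version ordering (epoch, upstream, revision, with '~' sorting low) so it runs without dpkg; the `installed` mapping is assumed to come from `dpkg-query -W -f='${Package} ${Version}\n'`, and since the announced names are source packages, binaries with different names (libldap-2.4-2 for openldap, libssl1.0.0 for openssl) must be mapped by the caller.

```python
import re

# Versions announced for the 20210224 Xenial image (taken from the page; names
# are source packages, so e.g. openldap -> libldap-2.4-2 is left to the caller).
ANNOUNCED = """\
apport: 2.20.1-0ubuntu2.28 => 2.20.1-0ubuntu2.30
ca-certificates: 20201027ubuntu0.16.04.1 => 20210119~16.04.1
openssl: 1.0.2g-1ubuntu4.18 => 1.0.2g-1ubuntu4.19
snapd: 2.48 => 2.48.3
tzdata: 2020f-0ubuntu0.16.04 => 2021a-0ubuntu0.16.04
"""

def _char_order(c):
    # Debian policy: '~' sorts before everything, even end of string (0);
    # letters sort before all other non-digit characters.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        ca = _char_order(a[i]) if i < len(a) else 0
        cb = _char_order(b[i]) if i < len(b) else 0
        if ca != cb:
            return ca - cb
    return 0
def _cmp_part(a, b):
    # Alternate non-digit runs (modified lexical order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        if _cmp_nondigit(na, nb):
            return _cmp_nondigit(na, nb)
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0
def compare_versions(x, y):
    """Negative / zero / positive, like dpkg --compare-versions lt / eq / gt."""
    def split(v):  # [epoch:]upstream[-revision]
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    return (ex - ey) or _cmp_part(ux, uy) or _cmp_part(rx, ry)
def outdated(installed, announced=ANNOUNCED):
    """installed is {name: version} (e.g. from dpkg-query -W); returns the
    packages still below the announced version as {name: (have, need)}."""
    need = dict(re.findall(r"^(\S+): \S+ => (\S+)$", announced, re.M))
    return {p: (installed[p], v) for p, v in need.items()
            if p in installed and compare_versions(installed[p], v) < 0}
```

A constructed snapshot where only openssl is still at the previous revision yields `{'openssl': ('1.0.2g-1ubuntu4.18', '1.0.2g-1ubuntu4.19')}`.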