A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with:
'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.
The following packages have been updated. Please see the full changelogs
for a complete listing of changes:
* apport: 2.20.11-0ubuntu27.24 => 2.20.11-0ubuntu27.25
* expat: 2.2.9-1ubuntu0.4 => 2.2.9-1ubuntu0.6
* linux-meta: 5.4.0.132.132 => 5.4.0.135.133
* linux-signed: 5.4.0-132.148 => 5.4.0-135.152
* multipath-tools: 0.8.3-1ubuntu2 => 0.8.3-1ubuntu2.1
* shadow: 1:4.8.1-1ubuntu5.20.04.2 => 1:4.8.1-1ubuntu5.20.04.4
* snapd: 2.57.5+20.04 => 2.57.5+20.04ubuntu0.1
* systemd: 245.4-4ubuntu3.18 => 245.4-4ubuntu3.19
The following is a complete changelog for this image.
new: {'linux-headers-5.4.0-135-generic': '5.4.0-135.152', 'linux-headers-5.4.0-135': '5.4.0-135.152', 'linux-modules-5.4.0-135-generic': '5.4.0-135.152'}
removed: {'linux-headers-5.4.0-132': '5.4.0-132.148', 'linux-headers-5.4.0-132-generic': '5.4.0-132.148', 'linux-modules-5.4.0-132-generic': '5.4.0-132.148'}
changed: ['apport', 'kpartx', 'libexpat1:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-135-generic', 'linux-image-virtual', 'linux-virtual', 'login', 'multipath-tools', 'passwd', 'python3-apport', 'python3-problem-report', 'snapd', 'systemd', 'systemd-sysv', 'systemd-timesyncd', 'udev']
new snaps: {}
removed snaps: {}
changed snaps: ['lxd', 'snapd']
==== apport: 2.20.11-0ubuntu27.24 => 2.20.11-0ubuntu27.25 ====
==== apport python3-apport python3-problem-report
* Point Vcs-* URIs to git
* whoopsie-upload-all: Catch FileNotFoundError during process_report
(LP: #1867204)
* Grab a slice of JournalErrors around the crash time (LP: #1962454)
* data/apport:
- Initialize error log as first step (LP: #1989467)
- Fix PermissionError for setuid programs inside container (LP: #1982487)
- Fix reading from stdin inside containers (LP: #1982555)
* Fix autopkgtest test case failures (LP: #1989467):
- Mark autopkgtest with isolation-container restriction
- Fix failure if kernel module isofs is not installed
- Do not check recommended dependencies
- Skip UI test if kernel thread is not found
- Fix race in test_crash_system_slice
- Fix check for not running test executable
- Use shadow in *_different_binary_source
- Mock kernel package version in UI test
- Fix test_kerneloops_nodetails if kernel is not installed
- Drop broken test_crash_setuid_drop_and_kill
- Expect linux-signed on arm64/s390x as well
- Skip SegvAnalysis for non x86 architectures
- Use unlimited core ulimit for SIGQUIT test
- Fix race with progress window in GTK UI tests
- Use sleep instead of yes for tests
- Fix test_add_gdb_info_script on armhf
- Fix wrong Ubuntu archive URI on ports
- Fix KeyError in test_install_packages_unversioned
- Depend on python3-systemd for container tests
- Depend on psmisc for killall binary
- Replace missing oxideqt-codecs
- Drop broken test_install_packages_from_launchpad
- Fix test_install_packages_permanent_sandbox* for s390x
==== expat: 2.2.9-1ubuntu0.4 => 2.2.9-1ubuntu0.6 ====
==== libexpat1:amd64
* SECURITY UPDATE: use-after-free
- debian/patches/CVE-2022-43680-1.patch: adds tests to cover
DTD destruction in XML_ExternalEntityParserCreate in
expat/tests/runtests.c.
- debian/patches/CVE-2022-43680-2.patch: fix overeager DTD
destruction in XML_ExternalEntityParserCreate in
expat/lib/xmlparse.c.
- CVE-2022-43680
* SECURITY UPDATE: Use-after-free in doContent
- debian/patches/CVE-2022-40674.patch: ensure storeRawNames()
is always called in func internalEntityProcessor if handling
unbalanced tags in expat/lib/xmlparse.c.
- CVE-2022-40674
==== linux-meta: 5.4.0.132.132 => 5.4.0.135.133 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual
* Bump ABI 5.4.0-135
==== linux-signed: 5.4.0-132.148 => 5.4.0-135.152 ====
==== linux-image-5.4.0-135-generic
* Master version: 5.4.0-135.152
==== multipath-tools: 0.8.3-1ubuntu2 => 0.8.3-1ubuntu2.1 ====
==== kpartx multipath-tools
* SECURITY UPDATE: symlink attack
- debian/patches/CVE-2022-41973.patch: use /run instead of /dev/shm in
.gitignore, Makefile.inc, libmultipath/defaults.h,
multipath/Makefile, multipath/multipath.rules.in,
multipath/tmpfiles.conf.in.
- debian/multipath-tools.install, debian/multipath-udeb.install:
install tmpfiles.d/multipath.conf.
- debian/rules: copy udev rule after build.
- CVE-2022-41973
* SECURITY UPDATE: authorization bypass
- debian/patches/CVE-2022-41974.patch: ignore duplicated multipathd
command keys in multipathd/main.c, multipathd/cli.c.
- CVE-2022-41974
==== shadow: 1:4.8.1-1ubuntu5.20.04.2 => 1:4.8.1-1ubuntu5.20.04.4 ====
==== login passwd
* SECURITY REGRESSION: useradd command does not copy all of /etc/skel
(LP: #1998169)
- debian/patches/CVE-2013-4235-pre1.patch: removed
- debian/patches/CVE-2013-4235-pre2.patch: removed
- debian/patches/CVE-2013-4235-1.patch: removed
- debian/patches/CVE-2013-4235-2.patch: removed
- debian/patches/CVE-2013-4235-3.patch: removed
- debian/patches/CVE-2013-4235-4.patch: removed
- debian/patches/CVE-2013-4235-5.patch: removed
- debian/patches/CVE-2013-4235-6.patch: removed
- debian/patches/CVE-2013-4235-7.patch: removed
- debian/patches/CVE-2013-4235-post1.patch: removed
- debian/patches/CVE-2013-4235-post2.patch: removed
- debian/patches/CVE-2013-4235-post3.patch: removed
* SECURITY UPDATE: race condition when copying and removing directory trees
- debian/patches/CVE-2013-4235-pre1.patch: add nofollow to opens.
- debian/patches/CVE-2013-4235-pre2.patch: prepare context for actual file
type (set_selinux_file_context).
- debian/patches/CVE-2013-4235-1.patch: avoid races in chown_tree().
- debian/patches/CVE-2013-4235-2.patch: avoid races in remove_tree().
- debian/patches/CVE-2013-4235-3.patch: require symlink support.
- debian/patches/CVE-2013-4235-4.patch: fail if regular file pre-exists in
copy_tree().
- debian/patches/CVE-2013-4235-5.patch: more robust file content copy in
copy_tree().
- debian/patches/CVE-2013-4235-6.patch: address minor compiler warnings.
- debian/patches/CVE-2013-4235-7.patch: avoid races in copy_tree().
- debian/patches/CVE-2013-4235-post1.patch: use fchmodat instead of chmod
(copy_tree).
- debian/patches/CVE-2013-4235-post2.patch: do not block on fifos
(copy_tree).
- debian/patches/CVE-2013-4235-post3.patch: carefully treat permissions
(copy_tree).
- CVE-2013-4235
==== snapd: 2.57.5+20.04 => 2.57.5+20.04ubuntu0.1 ====
==== snapd
* SECURITY UPDATE: Local privilege escalation
- snap-confine: Fix race condition in snap-confine when preparing a
private tmp mount namespace for a snap
- CVE-2022-3328
==== systemd: 245.4-4ubuntu3.18 => 245.4-4ubuntu3.19 ====
==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev
[ dann frazier ]
* Add support for the v247 network naming scheme, but keep v245 as default
(LP: #1945225)
Author: dann frazier
Files:
- debian/patches/lp1945225/0001-udev-net_id-parse-_SUN-ACPI-index-as-a-signed-intege.patch
- debian/patches/lp1945225/0002-udev-net_id-don-t-generate-slot-based-names-if-multi.patch
- debian/patches/lp1945225/0003-net_id-fix-newly-added-naming-scheme-name.patch
- debian/patches/lp1945225/0004-Add-remaining-supported-schemes-as-options-for-defau.patch
- debian/rules
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f569231b5134a8e4901621ee5b2c33826184dae6
[ Dimitri John Ledkov ]
* test: fix test-execute autotest failure with kernel 5.15 (LP: #1975587)
File: debian/patches/test-make-test-execute-pass-on-Linux-5.15.patch
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=7b3140ab5916269c020978ce678f06869a769f5c
--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20221201/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20221115.1/