A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with:

'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * accountsservice: 0.6.55-0ubuntu12~20.04.2 => 0.6.55-0ubuntu12~20.04.4
 * alsa-lib: 1.2.2-2.1ubuntu2 => 1.2.2-2.1ubuntu2.1
 * apport: 2.20.11-0ubuntu27.10 => 2.20.11-0ubuntu27.11
 * linux-meta: 5.4.0.52.55 => 5.4.0.53.56
 * linux-signed: 5.4.0-52.57 => 5.4.0-53.59
 * netplan.io: 0.100-0ubuntu4~20.04.2 => 0.100-0ubuntu4~20.04.3
 * openldap: 2.4.49+dfsg-2ubuntu1.3 => 2.4.49+dfsg-2ubuntu1.4
 * plymouth: 0.9.4git20200323-0ubuntu6.1 => 0.9.4git20200323-0ubuntu6.2
 * python-cryptography: 2.8-3 => 2.8-3ubuntu0.1
 * systemd: 245.4-4ubuntu3.2 => 245.4-4ubuntu3.3
 * tmux: 3.0a-2ubuntu0.1 => 3.0a-2ubuntu0.2
 * zlib: 1:1.2.11.dfsg-2ubuntu1.1 => 1:1.2.11.dfsg-2ubuntu1.2

The following is a complete changelog for this image.

new: {'linux-headers-5.4.0-53': '5.4.0-53.59', 'linux-headers-5.4.0-53-generic': '5.4.0-53.59', 'linux-modules-5.4.0-53-generic': '5.4.0-53.59'}
removed: {'linux-headers-5.4.0-52': '5.4.0-52.57', 'linux-modules-5.4.0-52-generic': '5.4.0-52.57', 'linux-headers-5.4.0-52-generic': '5.4.0-52.57'}
changed: ['accountsservice', 'apport', 'libaccountsservice0:amd64', 'libasound2-data', 'libasound2:amd64', 'libldap-2.4-2:amd64', 'libldap-common', 'libnetplan0:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libplymouth5:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-53-generic', 'linux-image-virtual', 'linux-virtual', 'netplan.io', 'plymouth', 'plymouth-theme-ubuntu-text', 'python3-apport', 'python3-cryptography', 'python3-problem-report', 'systemd', 'systemd-sysv', 'systemd-timesyncd', 'tmux', 'udev', 'zlib1g:amd64']
new snaps: {}
removed snaps: {}
changed snaps: ['lxd']

==== accountsservice: 0.6.55-0ubuntu12~20.04.2 => 0.6.55-0ubuntu12~20.04.4 ====
==== accountsservice libaccountsservice0:amd64

  * SECURITY UPDATE: accountsservice drop privileges SIGSTOP DoS (LP: #1900255)
    - debian/patches/0010-set-language.patch: updated to not drop real uid
      and real gid in user_drop_privileges_to_user.
    - debian/patches/0009-language-tools.patch: updated to not reset
      effective uid.
    - CVE-2020-16126
  * SECURITY UPDATE: accountsservice .pam_environment infinite loop
    (LP: #1900255)
    - debian/patches/0010-set-language.patch: updated to use O_NOFOLLOW and
      limit the number of lines read from file.
    - CVE-2020-16127

==== alsa-lib: 1.2.2-2.1ubuntu2 => 1.2.2-2.1ubuntu2.1 ====
==== libasound2-data libasound2:amd64

  * d/p/0001-ucm-add-a-check-for-the-empty-configuration.patch
    - Fix the failure on init the HDA-Intel sound card, because there is
      no init mixer values in the ucm, the alsa-lib should return error
      and then let alsautils init this sound card in the legacy HDA way.
      (LP: #1897934)

==== apport: 2.20.11-0ubuntu27.10 => 2.20.11-0ubuntu27.11 ====
==== apport python3-apport python3-problem-report

  * data/apport: In the event that the crashing executable does not exist on
    disk any more the path name of the executable (passed by core) is
    appended with '(deleted)' because apport is currently using sys.argv for
    argument parsing there end up being too many arguments and apport
    crashes. This is fixed by adding handling for six arguments.
    (LP: #1899195)

==== linux-meta: 5.4.0.52.55 => 5.4.0.53.56 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 5.4.0-53

==== linux-signed: 5.4.0-52.57 => 5.4.0-53.59 ====
==== linux-image-5.4.0-53-generic

  * Master version: 5.4.0-53.59

==== netplan.io: 0.100-0ubuntu4~20.04.2 => 0.100-0ubuntu4~20.04.3 ====
==== libnetplan0:amd64 netplan.io

  * debian/control:netplan.io: Suggest openvswitch-switch runtime dependency
    - Do not suggest on riscv64, where OVS isn't available in Focal
  * Add d/p/0003-tests-tunnels-improve-WG-handshake-regex.patch and
    d/p/0004-tests-ovs-fix-OVS-timeouts.patch
    - Improve stability of autopkgtests
  * Add d/p/0005-Fix-MAAS-OVS-first-boot-for-single-NIC-PXE-systems-1.patch
    - Setup OVS early in network-pre.target to avoid delays (LP: #1898997)

==== openldap: 2.4.49+dfsg-2ubuntu1.3 => 2.4.49+dfsg-2ubuntu1.4 ====
==== libldap-2.4-2:amd64 libldap-common

  * SECURITY UPDATE: DoS via NULL pointer dereference
    - debian/patches/CVE-2020-25692.patch: skip normalization if there's no
      equality rule in servers/slapd/modrdn.c.
    - CVE-2020-25692

==== plymouth: 0.9.4git20200323-0ubuntu6.1 => 0.9.4git20200323-0ubuntu6.2 ====
==== libplymouth5:amd64 plymouth plymouth-theme-ubuntu-text

  * debian/patches/timeout-for-ping.patch: Raise the ping timeout from 2 to
    30 seconds.
    Two seconds was way too short,
    - causing ping to randomly fail on some busy multi-monitor start-ups,
    - causing gdm to think no plymouthd is running,
    - causing gdm to never call 'plymouth deactivate',
    - causing plymouthd to retain ownership of the graphics hardware,
    - causing gdm's login screen to fail to start.
    (LP: #1872159)

==== python-cryptography: 2.8-3 => 2.8-3ubuntu0.1 ====
==== python3-cryptography

  * SECURITY UPDATE: Bleichenbacher timing oracle attack
    - debian/patches/CVE-2020-25659.patch: Attempt to mitigate
      Bleichenbacher attacks on RSA decryption
      docs/spelling_wordlist.txt,
      src/cryptography/hazmat/backends/openssl/rsa.py.
    - CVE-2020-25659

==== systemd: 245.4-4ubuntu3.2 => 245.4-4ubuntu3.3 ====
==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev

  [ Rafael David Tinoco ]
  * d/p/lp1861941-dont-generate-disk-byuuid-for-bcache-uuid.patch:
    Reworded and reintroduced patch to fully explain delta is NOT
    a fix to LP: #1861941 if the bcache-tools patch exists, but should
    be kept anyway as the change makes sense for a better experience
    to end user.
    (LP: #1861941)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f8f64b3b58a04a83b1c426818b9affc41e0bff6c

  [ Dan Streetman ]
  * d/p/lp1882596-man-fix-some-manvolnum.patch:
    - fix some man section references (LP: #1882596)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3959ec95eff78d38ec4409807f151572afe83fe9
  * d/p/lp1895418-correct-resolved-conf-cache-default.patch:
    - fix resolved.conf default Cache= value (LP: #1895418)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ebe274a2b01658ee39b372d7033c35209510b028
  * d/p/lp1897744-resolve-enable-RES_TRUSTAD-towards-the-127.0.0.53-st.patch:
    - add resolv.conf 'trust-ad' option (LP: #1897744)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f6acc8c620b80adab7b048352d85e722b5ba8214
  * d/t/*:
    - Update tests to fix false negatives (LP: #1892358)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=cee6c31a6caec7888270c9fa8757105ab950ed0c
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a1c1a2bb0ff27faf84fe94583631dfd0f1f4ed8f
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=9417ce996766c133c2a33d4102ce1494f3166774

==== tmux: 3.0a-2ubuntu0.1 => 3.0a-2ubuntu0.2 ====
==== tmux

  * SECURITY UPDATE: Stack buffer overflow
    - debian/patches/CVE-2020-27347.patch: avoid writes after the end of
      array and the stack when colon-separated SGR sequences contain empty
      arguments in input.c.
    - CVE-2020-27347

==== zlib: 1:1.2.11.dfsg-2ubuntu1.1 => 1:1.2.11.dfsg-2ubuntu1.2 ====
==== zlib1g:amd64

  * Cherrypick update of s390x hw acceleration #410 pull request patch,
    which corrects inflateSyncPoint() return value to always gracefully
    fail when hw acceleration is in use. This fixes rsync failure with
    zlib compression on hw accelerated s390x.
    LP: #1899621

--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20201111/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20201102/