A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI ids.

Users who wish to update their existing installations can do so with:

'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

* apparmor: 2.13.3-7ubuntu5.1 => 2.13.3-7ubuntu5.2
* apport: 2.20.11-0ubuntu27.25 => 2.20.11-0ubuntu27.26
* base-files: 11ubuntu5.6 => 11ubuntu5.7
* bind9: 1:9.16.1-0ubuntu2.12 => 1:9.16.1-0ubuntu2.14
* bolt: 0.9.1-2~ubuntu20.04.1 => 0.9.1-2~ubuntu20.04.2
* cloud-init: 22.4.2-0ubuntu0~20.04.2 => 23.1.1-0ubuntu0~20.04.1
* curl: 7.68.0-1ubuntu2.15 => 7.68.0-1ubuntu2.18
* distro-info-data: 0.43ubuntu1.11 => 0.43ubuntu1.12
* fwupd-signed: 1.27.1ubuntu7+1.2-2~20.04.1 => 1.51~20.04.1+1.2-3ubuntu0.2
* git: 1:2.25.1-1ubuntu3.8 => 1:2.25.1-1ubuntu3.10
* gnutls28: 3.6.13-2ubuntu1.7 => 3.6.13-2ubuntu1.8
* grub2-signed: 1.187.2~20.04.2+2.06-2ubuntu14 => 1.187.3~20.04.1+2.06-2ubuntu14.1
* grub2-unsigned: 2.06-2ubuntu14 => 2.06-2ubuntu14.1
* isc-dhcp: 4.4.1-2.1ubuntu5.20.04.4 => 4.4.1-2.1ubuntu5.20.04.5
* krb5: 1.17-6ubuntu4.2 => 1.17-6ubuntu4.3
* libunwind: 1.2.1-9build1 => 1.2.1-9ubuntu0.1
* libxml2: 2.9.10+dfsg-5ubuntu0.20.04.5 => 2.9.10+dfsg-5ubuntu0.20.04.6
* linux-meta: 5.4.0.139.137 => 5.4.0.147.145
* linux-signed: 5.4.0-139.156 => 5.4.0-147.164
* nss: 2:3.49.1-1ubuntu1.8 => 2:3.49.1-1ubuntu1.9
* python-apt: 2.0.1 => 2.0.1ubuntu0.20.04.1
* python3.8: 3.8.10-0ubuntu1~20.04.6 => 3.8.10-0ubuntu1~20.04.7
* rsync: 3.1.3-8ubuntu0.4 => 3.1.3-8ubuntu0.5
* shim-signed: 1.40.7+15.4-0ubuntu9 => 1.40.9+15.7-0ubuntu1
* software-properties: 0.99.9.10 => 0.99.9.11
* sudo: 1.8.31-1ubuntu1.4 => 1.8.31-1ubuntu1.5
* systemd: 245.4-4ubuntu3.19 => 245.4-4ubuntu3.21
* tar: 1.30+dfsg-7ubuntu0.20.04.2 => 1.30+dfsg-7ubuntu0.20.04.3
* tcpdump: 4.9.3-4ubuntu0.1 => 4.9.3-4ubuntu0.2
* tdb: 1.4.3-0ubuntu0.20.04.1 => 1.4.5-0ubuntu0.20.04.1
* tzdata: 2022g-0ubuntu0.20.04.1 => 2023c-0ubuntu0.20.04.0
* ubuntu-advantage-tools: 27.13.3~20.04.1 => 27.14.4~20.04
* ubuntu-release-upgrader: 1:20.04.40 => 1:20.04.41
* update-notifier: 3.192.30.16 => 3.192.30.17
* vim: 2:8.1.2269-1ubuntu5.11 => 2:8.1.2269-1ubuntu5.14

The following is a complete changelog for this image.

new: {'linux-modules-5.4.0-147-generic': '5.4.0-147.164', 'linux-headers-5.4.0-147-generic': '5.4.0-147.164', 'linux-headers-5.4.0-147': '5.4.0-147.164'}

removed: {'linux-headers-5.4.0-139': '5.4.0-139.156', 'linux-headers-5.4.0-139-generic': '5.4.0-139.156', 'linux-modules-5.4.0-139-generic': '5.4.0-139.156'}

changed: ['apparmor', 'apport', 'base-files', 'bind9-dnsutils', 'bind9-host', 'bind9-libs:amd64', 'bolt', 'cloud-init', 'curl', 'distro-info-data', 'fwupd-signed', 'git', 'git-man', 'grub-efi-amd64-bin', 'grub-efi-amd64-signed', 'isc-dhcp-client', 'isc-dhcp-common', 'krb5-locales', 'libapparmor1:amd64', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libgnutls30:amd64', 'libgssapi-krb5-2:amd64', 'libk5crypto3:amd64', 'libkrb5-3:amd64', 'libkrb5support0:amd64', 'libnss-systemd:amd64', 'libnss3:amd64', 'libpam-systemd:amd64', 'libpython3.8-minimal:amd64', 'libpython3.8-stdlib:amd64', 'libpython3.8:amd64', 'libsystemd0:amd64', 'libtdb1:amd64', 'libudev1:amd64', 'libunwind8:amd64', 'libxml2:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-147-generic', 'linux-image-virtual', 'linux-virtual', 'motd-news-config', 'python-apt-common', 'python3-apport', 'python3-apt', 'python3-distupgrade', 'python3-problem-report', 'python3-software-properties', 'python3.8', 'python3.8-minimal', 'rsync', 'shim-signed', 'software-properties-common', 'sudo', 'systemd', 'systemd-sysv', 'systemd-timesyncd', 'tar', 'tcpdump', 'tzdata', 'ubuntu-advantage-tools', 'ubuntu-release-upgrader-core', 'udev', 'update-notifier-common', 'vim', 'vim-common', 'vim-runtime', 'vim-tiny', 'xxd']

new snaps: {}

removed snaps: {}

changed snaps: ['core20', 'snapd']

==== apparmor: 2.13.3-7ubuntu5.1 => 2.13.3-7ubuntu5.2 ====
==== apparmor libapparmor1:amd64

* Add capability upstream patches to fix LP: #1964636
  - u/cap1-Generate-CAPABILITIES-in-a-script-due-to-make-4.3.patch: move code that generates a list of capabilities to a script in common/
  - u/cap2-parser-Move-to-a-pre-generated-cap_names.h.patch: use a pre-generated list of capabilities so that all capabilities are supported even when building against older kernels.
  - u/cap3-parser-cleanup-capability_table-generation-by-droppi.patch: drop sys_log static declaration because it's already in the generated list.
  - u/cap4-parser-unify-capability-name-handling.patch: drop internal hardcoded capability table.
  - u/cap5-parser-Makefile-use-LC_ALL-C-when-invoking-sed.patch: use LC_ALL=C when invoking sed.
  - u/cap6-parser-Add-warning-to-capability_table-about-the-nee.patch: add warning to capability_table about the need to update the Makefile.
  - u/cap7-Add-CAP_BPF-and-CAP_PERFMON-to-severity.db.patch: add support for cap_bpf and cap_perfmon
  - u/cap8-parser-Makefile-fix-generated-cap-comparison-against.patch: fix generated cap comparison against known list
* Add upstream patches for abi support. LP: #1728130
  - u/abi1-parser-feature-abi-setup-parser-to-intersect-policy-.patch: add the ability to intersect parser and kernel features in the parser.
  - u/abi2-parser-add-basic-support-for-feature-abis.patch: add support to specify a feature abi.
  - u/abi3-pin-abi-2.13.patch: add and pin a policy abi for 2.13
  - u/abi4-parser-fix-abi-rule-and-pinned-feature-file-interact.patch: fix abi rule and pinned feature file interaction
  - apparmor.install: add 2.13 abi file to be installed in /etc/apparmor.d/abi/
* Add mqueue patches. LP: #1993353
  - u/mqueue1-parser-add-parser-support-for-message-queue-mediatio.patch: add parser support for mqueue mediation
  - u/mqueue2-tests-add-posix-message-queue-regression-tests.patch: add posix mqueue regression tests
  - u/mqueue3-utils-add-message-queue-rules-parsing-in-python-tool.patch: add support in python tools to parse mqueue rules
  - u/mqueue4-parser-add-parser-simple-tests-for-mqueue-rules.patch: add parser simple tests for mqueue
  - u/mqueue5-parser-place-perm-on-name-as-well-as-name-label-comb.patch: add permissions on name and also on name + label
  - u/mqueue6-libapparmor-add-support-for-requested-and-denied-on-.patch: add parsing support for "denied" and "requested" from audit logs
  - u/mqueue7-libapparmor-add-support-for-class-in-logparsing.patch: add parsing support for "class" from audit logs
  - u/mqueue8-utils-add-logparser-support-for-mqueue.patch: add logparser support for mqueue rules
  - u/mqueue9-tests-add-sysv-message-queue-regression-tests.patch: add sysv mqueue regression tests
  - u/mqueue10-parser-enable-mqueue-rules-when-abi-is-not-set.patch: override pinned features for mqueue rules when abi is not set in policy.
  - debian/rules: create mqueue testcase empty files for libapparmor tests.
* Closes LP: #1994146

==== apport: 2.20.11-0ubuntu27.25 => 2.20.11-0ubuntu27.26 ====
==== apport python3-apport python3-problem-report

* SECURITY UPDATE: viewing an apport-cli crash with default pager could escalate privilege (LP: #2016023)
  - apport/ui.py, apport/user_group.py, bin/apport-cli: drops privilege to user's environment before execution (using sudo)
  - test/test_ui.py, test/test_user/group.py: Add test cases for new code
  - CVE-2023-1326

==== base-files: 11ubuntu5.6 => 11ubuntu5.7 ====
==== base-files motd-news-config

* /etc/issue, /etc/issue.net, /etc/lsb-release, /etc/os-release: Bump version number to 20.04.6 in preparation of the extra point release

==== bind9: 1:9.16.1-0ubuntu2.12 => 1:9.16.1-0ubuntu2.14 ====
==== bind9-dnsutils bind9-host bind9-libs:amd64

* d/bind9.named.service: restart the named service on failure. (LP: #2006054)
* d/p/lp1997375-segfault-isc-nm-tcp-send.patch: Fix segfault on isc__nm_tcpdns_send by moving the tcpdns processing to another thread. (LP: #1997375)

==== bolt: 0.9.1-2~ubuntu20.04.1 => 0.9.1-2~ubuntu20.04.2 ====
==== bolt

* debian/patches/git_initialize_syspath.patch:
  - cherry-pick an upstream change that should help with some of the crashers which have been reported against 0.9 (lp: #1989971)

==== cloud-init: 22.4.2-0ubuntu0~20.04.2 => 23.1.1-0ubuntu0~20.04.1 ====
==== cloud-init

* d/patches/retain-netplan-world-readable.patch:
  - Retain original world-readable perms of /etc/netplan/50-cloud-init.yaml. Lunar made the config root read-only.
* refresh patches:
  + debian/patches/expire-on-hashed-users.patch
* Upstream snapshot based on 23.1.1. (LP: #2008230). List of changes from upstream can be found at https://raw.githubusercontent.com/canonical/cloud-init/23.1.1/ChangeLog

==== curl: 7.68.0-1ubuntu2.15 => 7.68.0-1ubuntu2.18 ====
==== curl libcurl3-gnutls:amd64 libcurl4:amd64

* SECURITY UPDATE: TELNET option IAC injection
  - debian/patches/CVE-2023-27533.patch: only accept option arguments in ascii in lib/telnet.c.
  - CVE-2023-27533
* SECURITY UPDATE: SFTP path ~ resolving discrepancy
  - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir ends with one in lib/curl_path.c.
  - debian/patches/CVE-2023-27534.patch: properly handle tilde character in lib/curl_path.c.
  - CVE-2023-27534
* SECURITY UPDATE: FTP too eager connection reuse
  - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c, lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
  - debian/patches/CVE-2023-27535.patch: add more conditions for connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
  - CVE-2023-27535
* SECURITY UPDATE: GSS delegation too eager connection re-use
  - debian/patches/CVE-2023-27536.patch: only reuse connections with same GSS delegation in lib/url.c, lib/urldata.h.
  - CVE-2023-27536
* SECURITY UPDATE: SSH connection too eager reuse still
  - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse check in lib/url.c.
  - CVE-2023-27538
* SECURITY UPDATE: HTTP multi-header compression denial of service
  - debian/patches/CVE-2023-23916.patch: do not reset stage counter for each header in lib/content_encoding.c, lib/urldata.h, tests/data/Makefile.inc, tests/data/test418.
  - CVE-2023-23916

==== distro-info-data: 0.43ubuntu1.11 => 0.43ubuntu1.12 ====
==== distro-info-data

* Document Ubuntu ESM overlap period (LP: #2003949)

==== fwupd-signed: 1.27.1ubuntu7+1.2-2~20.04.1 => 1.51~20.04.1+1.2-3ubuntu0.2 ====
==== fwupd-signed

==== git: 1:2.25.1-1ubuntu3.8 => 1:2.25.1-1ubuntu3.10 ====
==== git git-man

* SECURITY UPDATE: Overwritten path and using local clone optimization even when using a non-local transport
  - debian/patches/CVE_2023-22490_and_23946/0002-*.patch: adjust a mismatched data type in attr.c.
  - debian/patches/CVE_2023-22490_and_23946/0003-*.patch: demonstrate clone_local() with ambiguous transport in t/t5619-clone-local-ambiguous-transport.sh.
  - debian/patches/CVE_2023-22490_and_23946/0004-*.patch: delay picking a transport until after get_repo_path() in builtin/clone.c.
  - debian/patches/CVE_2023-22490_and_23946/0005-*.patch: prevent top-level symlinks without FOLLOW_SYMLINKS in dir-iterator, dir-iterator.h, t/t0066-dir-iterator.sh, t/t5604-clone-reference.sh.
  - debian/patches/CVE_2023-22490_and_23946/0006-*.patch: fix writing behind newly created symbolic links in apply.c, t/t4115-apply-symlink.sh.
  - CVE-2023-22490
  - CVE-2023-23946

==== gnutls28: 3.6.13-2ubuntu1.7 => 3.6.13-2ubuntu1.8 ====
==== libgnutls30:amd64

* SECURITY UPDATE: timing sidechannel in RSA decryption
  - debian/patches/CVE-2023-0361-1.patch: side-step potential side-channel in lib/auth/rsa.c.
  - debian/patches/CVE-2023-0361-2.patch: remove dead code in lib/auth/rsa.c.
  - CVE-2023-0361

==== grub2-signed: 1.187.2~20.04.2+2.06-2ubuntu14 => 1.187.3~20.04.1+2.06-2ubuntu14.1 ====
==== grub-efi-amd64-signed

==== grub2-unsigned: 2.06-2ubuntu14 => 2.06-2ubuntu14.1 ====
==== grub-efi-amd64-bin

* Cherry-pick all memory patches from rhboot
  - Allocate initrd > 4 GB (LP: #1842320)
  - Allocate kernels as code, not data (needed for newer firmware)
* ubuntu: Fix casts on i386-efi target
* Cherry-pick all the 2.12 memory management changes (LP: #1842320)
* Allocate executables as CODE, not DATA in chainloader and arm64

==== isc-dhcp: 4.4.1-2.1ubuntu5.20.04.4 => 4.4.1-2.1ubuntu5.20.04.5 ====
==== isc-dhcp-client isc-dhcp-common

[ Mauricio Faria de Oliveira ]
* Prevent race condition that might ignore DHCP OFFERs/ACKs when dhclient receives DHCP traffic noise. (LP: #1926139)
  The previous/racy behavior can be switched back on with the 'DHCP_FD_FLAGS_POKE=0' environment variable or the 'dhcp.fd_flags_poke=0' kernel cmdline option.
  - d/p/lp1926139-watch-socket-fd-later.patch: fix, switches.
  - d/apparmor/sbin.dhclient,usr.sbin.dhcpd: /proc/cmdline r.

[ Steve Langasek ]
* Include /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes in the initramfs. (LP: #1937110)
  - d/initramfs-tools/share/hooks/zz-dhclient: copy_exec it.

==== krb5: 1.17-6ubuntu4.2 => 1.17-6ubuntu4.3 ====
==== krb5-locales libgssapi-krb5-2:amd64 libk5crypto3:amd64 libkrb5-3:amd64 libkrb5support0:amd64

* SECURITY UPDATE: Null pointer dereference issue
  - debian/patches/CVE-2021-36222.patch: Fix KDC null deref on bad encrypted challenge
  - debian/patches/CVE-2021-37750.patch: Fix KDC null deref on TGS inner body null server
  - CVE-2021-36222
  - CVE-2021-37750

==== libunwind: 1.2.1-9build1 => 1.2.1-9ubuntu0.1 ====
==== libunwind8:amd64

* Manually enable C++ exception support only on i386 and amd64; it is known broken on several other architectures. Thanks to Bernhard Übelacker. (Closes: #923962) (LP: #1999104)

==== libxml2: 2.9.10+dfsg-5ubuntu0.20.04.5 => 2.9.10+dfsg-5ubuntu0.20.04.6 ====
==== libxml2:amd64

* SECURITY UPDATE: Null dereference
  - debian/patches/CVE-2023-28484-*.patch: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK and xmlSchemaFixupComplexType when parsing (invalid) XML schemas in result/schemas/oss-fuzz-51295_0_0.err, test/schemas/oss-fuzz-51295_0.xml, test/schemas/oss-fuzz-51295_0.xsd, xmlschemas.c.
  - CVE-2023-28484
* SECURITY UPDATE: Logic or memory errors and double frees
  - debian/patches/CVE-2023-29469.patch: check namelen less equal zero in dict.c.
  - CVE-2023-29469

==== linux-meta: 5.4.0.139.137 => 5.4.0.147.145 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

* Bump ABI 5.4.0-147
* Bump ABI 5.4.0-146
* Bump ABI 5.4.0-145
* Bump ABI 5.4.0-144
* Bump ABI 5.4.0-143

==== linux-signed: 5.4.0-139.156 => 5.4.0-147.164 ====
==== linux-image-5.4.0-147-generic

* Master version: 5.4.0-147.164
* Miscellaneous Ubuntu changes
  - debian/tracking-bug -- update from master
* Master version: 5.4.0-146.163
* Miscellaneous Ubuntu changes
  - debian/tracking-bug -- update from master
* Master version: 5.4.0-145.162
* Miscellaneous Ubuntu changes
  - debian/tracking-bug -- update from master
* Master version: 5.4.0-144.161
* Miscellaneous Ubuntu changes
  - debian/tracking-bug -- update from master
* Master version: 5.4.0-143.160
* SIGNEDv3: add a linux-generate ancillary package (LP: #1989705)
  - [Packaging] convert to v3.1 autogen form
* Miscellaneous Ubuntu changes
  - debian/tracking-bug -- update from master

==== nss: 2:3.49.1-1ubuntu1.8 => 2:3.49.1-1ubuntu1.9 ====
==== libnss3:amd64

* SECURITY UPDATE: Arbitrary memory write via PKCS 12 in NSS
  - debian/patches/CVE-2023-0767.patch: improve handling of unknown PKCS#12 safe bag types in nss/lib/pkcs12/p12d.c, nss/lib/pkcs12/p12t.h, nss/lib/pkcs12/p12tmpl.c.
  - CVE-2023-0767

==== python-apt: 2.0.1 => 2.0.1ubuntu0.20.04.1 ====
==== python-apt-common python3-apt

* Update mirror lists for Ubuntu and Debian

==== python3.8: 3.8.10-0ubuntu1~20.04.6 => 3.8.10-0ubuntu1~20.04.7 ====
==== libpython3.8-minimal:amd64 libpython3.8-stdlib:amd64 libpython3.8:amd64 python3.8 python3.8-minimal

* SECURITY UPDATE: Possible Bypass Blocklisting
  - debian/patches/CVE-2023-24329.patch: enforce that a scheme must begin with an alphabetical ASCII character in Lib/urllib/parse.py, Lib/test/test_urlparse.py.
  - CVE-2023-24329

==== rsync: 3.1.3-8ubuntu0.4 => 3.1.3-8ubuntu0.5 ====
==== rsync

* SECURITY UPDATE: arbitrary file write via malicious remote servers
  - d/p/CVE-2022-29154-*.patch: backported patches to fix the issue.
  - d/p/avoid_quoting_of_tilde_when_its_a_destination_arg.patch: added additional patch to fix regression.
  - CVE-2022-29154

==== shim-signed: 1.40.7+15.4-0ubuntu9 => 1.40.9+15.7-0ubuntu1 ====
==== shim-signed

[ dann frazier ]
* Fix arm64 issues due to hardcoding "x64" as the EFI architecture. (LP: #2004208)
* is-not-revoked: Support vmlinux.gz files as used on arm64. (LP: #2004201)
* New upstream version 15.7 (LP: #1996503)
  - SBAT level: shim,3
  - SBAT policy bumped for grub,2 in previous and grub,3 in latest:
    SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
* SECURITY FIX: Buffer overflow when loading crafted EFI images.
  - CVE-2022-28737
* debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
* Break fwupd-signed signed with old keys
* Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
* Install both previous and latest shim as alternatives. On secure boot systems, if the current kernel or any newer one is revoked, the previous shim will continue to be used until the current kernel and all newer ones are signed with a non-revoked key.

==== software-properties: 0.99.9.10 => 0.99.9.11 ====
==== python3-software-properties software-properties-common

[ Nathan Pratta Teodosio ]
* Disable the Ubuntu Pro UI with an explanation when not connected (lp: #2004634)
* Catch exceptions to wait (lp: #2003996)
* Initialize pin as empty string (lp: #2004245)

==== sudo: 1.8.31-1ubuntu1.4 => 1.8.31-1ubuntu1.5 ====
==== sudo

* SECURITY UPDATE: does not escape control characters
  - debian/patches/CVE-2023-2848x-1.patch: escape control characters in log messages and sudoreplay output in docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, include/sudo_compat.h, include/sudo_lbuf.h, lib/util/lbuf.c, lib/util/util.exp.in, plugins/sudoers/logging.c, plugins/sudoers/sudoreplay.c.
  - debian/patches/CVE-2023-2848x-2.patch: fix regression in plugins/sudoers/logging.c.
  - CVE-2023-28486
  - CVE-2023-28487

==== systemd: 245.4-4ubuntu3.19 => 245.4-4ubuntu3.21 ====
==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev

* udev: avoid NIC renaming race with kernel (LP: #2002445)
  Files:
  - debian/patches/lp2002445-netlink-do-not-fail-when-new-interface-name-is-already-us.patch
  - debian/patches/lp2002445-netlink-introduce-rtnl_get-delete_link_alternative_names.patch
  - debian/patches/lp2002445-sd-netlink-restore-altname-on-error-in-rtnl_set_link_name.patch
  - debian/patches/lp2002445-udev-attempt-device-rename-even-if-interface-is-up.patch
  - debian/patches/lp2002445-udev-net-allow-new-link-name-as-an-altname-before-renamin.patch
  https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=69ab4a02e828e20ea0ddbd75179324df7a8d1175
* test-seccomp: accept ENOSYS from sysctl(2) too (LP: #1933090)
  Thanks to Roxana Nicolescu
  File: debian/patches/lp1933090-test-seccomp-accept-ENOSYS-from-sysctl-2-too.patch
  https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=adaddd1441370ebcdb8bc33d7406b95d85b744f9
* debian/test: ignore systemd-remount-fs.service failure in containers (LP: #1991285)
  File: debian/tests/boot-and-services
  https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=264bdc86f1e4dcd10e8d914d095581c54c33199a
* SECURITY UPDATE: buffer overrun vulnerability in format_timespan()
  - debian/patches/CVE-2022-3821.patch: time-util: fix buffer-over-run
  - CVE-2022-3821
* SECURITY UPDATE: information leak vulnerability in systemd-coredump
  - debian/patches/CVE-2022-4415.patch: do not allow user to access coredumps with changed uid/gid/capabilities
  - CVE-2022-4415

==== tar: 1.30+dfsg-7ubuntu0.20.04.2 => 1.30+dfsg-7ubuntu0.20.04.3 ====
==== tar

* SECURITY UPDATE: one-byte out of bounds
  - debian/patches/CVE-2022-48303.patch: check limit in src/list.c.
  - CVE-2022-48303

==== tcpdump: 4.9.3-4ubuntu0.1 => 4.9.3-4ubuntu0.2 ====
==== tcpdump

* debian/usr.sbin.tcpdump: allow tcpdump printing to stdout/stderr when running from a container (LP: #1667016)

==== tdb: 1.4.3-0ubuntu0.20.04.1 => 1.4.5-0ubuntu0.20.04.1 ====
==== libtdb1:amd64

* Updated to upstream 1.4.5 as required by Samba security update.
  - debian/libtdb1.symbols: updated for new version.

==== tzdata: 2022g-0ubuntu0.20.04.1 => 2023c-0ubuntu0.20.04.0 ====
==== tzdata

* New upstream release (LP: #2012599)
  - Egypt now uses DST again, from April through October.
  - This year Morocco springs forward April 23, not April 30.
  - Palestine delays the start of DST this year.
  - Much of Greenland still uses DST from 2024 on.
* Update the ICU timezone data to 2023c
* Test timezones using Python pytz module
* Add autopkgtest test case for 2023c release
* Add autopkgtest test case for ICU timezone data 2023a/2023c
* Update debconf template and translations
* Check that the old SystemV timezones are still available

==== ubuntu-advantage-tools: 27.13.3~20.04.1 => 27.14.4~20.04 ====
==== ubuntu-advantage-tools

* Backport new upstream release: (LP: #2011477) to focal
* timer: disable update_contract_info job (LP: #2015302)
* livepatch: prevent livepatch from auto-enabling and subsequently failing on non-amd64 systems (LP: #2015241)
* livepatch: prevent livepatch from auto-enabling and subsequently failing on interim releases (LP: #2013409)
* status:
  - always use dpkg instead of lscpu for fetching architecture information (LP: #2012735)
* New upstream release 27.14.1
  - apt: fix a configuration leak in the apt.get_pkg_candidate_version function (LP: #2012642)
* d/ubuntu-advantage-tools.{postinst,postrm,preinst}:
  - migrate certain settings out of uaclient.conf to a new file managed by the pro config subcommand (LP: #2004280)
* d/ubuntu-advantage-tools.postinst:
  - refactor PREVIOUS_PKG_VER as a global variable
  - simplify how we add notices
* New upstream release 27.14 (LP: #2011477)
  - api: new u.unattended_upgrades.status.v1 endpoint for querying status of unattended upgrades
  - apt:
    + remove legacy apt-hook
    + deliver json apt-hook for interim releases
    + fix cloud identification logic in json apt-hook
    + make all calls to esm-cache isolated from system configuration (LP: #2008280)
    + only set up the esm cache on supported systems (LP: #2004018)
  - fix:
    + format the output to be more readable (LP: #1926182)
    + add option to attach during a fix without a token
    + verify if fixed version can be installed before trying (LP: #2006705)
  - livepatch: show warning if current kernel is not supported
  - locks: alert user about corrupted lock files (LP: #1996931)
  - logging: logs are now formatted as jsonlines
  - motd: remove esm-apps announcement
  - notices: new representation on disk as separate files (LP: #1987738)
  - realtime: remove ubuntu-realtime package on disablement
  - status:
    + removed contract info update check network call
    + no longer includes warnings about notices when non-root (LP: #2006138)
    + unattached status sends virt type to contract server for better resource availability calculation
  - timer jobs: add daily job to check for contract updates
  - yaml: always import distro-provided pyyaml (LP: #2007234, LP: #2007241)
* apt-news:
  - make sure systems which never ran a pro command get the apt-news message displayed (LP: #2008814)
* d/ubuntu-advantage-tools.postinst:
  - fix version for cleaning the esm-apps stale unauthenticated files (LP: #2006765)
* d/ubuntu-advantage-tools.postinst:
  - remove stale esm-apps unauthenticated caches (LP: #2004193)
* apt-hook:
  - Change esm-apps advertisement message on apt upgrade to make it clearer that the service is providing more upgrades and not restricting the user to only get updates if esm-apps is enabled (LP: #2006510)
* contract:
  - make code aware that the effective date is not a required field in the machine-token.json file (LP: #2006351)
* esm_cache
  - do not fail if we cannot extract information from /etc/os-release file (LP: #2006508)
* security-status:
  - consider packages without a candidate as 'unknown' (LP: #2006049)
* status:
  - treat null effective contract dates as unknown/expired (LP: #2004650)
* timer:
  - recycle invalid jobs-status.json file if we detect it is corrupted (LP: #2006261)
* d/ubuntu-advantage-tools.preinst: (LP: #2004279)
  - correct second set of md5sums to continue avoiding a dpkg conf prompt if the only change to the original config file was to the apt_news flag
  - restore correct default uaclient.conf when upgrading from 27.13.X and the only conf change is apt_news
* esm-cache.service:
  - Catch errors when esm.ubuntu.com is unreachable to avoid causing crash reports and degraded systemd status from this non-critical service (LP: #2004130)
* d/ubuntu-advantage-tools.{postinst,postrm,preinst}:
  - avoid a dpkg conf prompt if the only change to the original config file was to the apt_news flag (LP: #2003977)
* apt-hook:
  - only run the pro client pre-update hook services when the apt update is executed as root user (LP: #2004057)
* apt: better isolate apt esm cache by only fetching necessary configuration from the system apt
* d/bash-completion:
  - enable autocomplete for the 'pro' command (GH: #2280)
* d/control:
  - update the package description
* d/postinst:
  - remove unauthenticated esm repos from Xenial systems (LP: #1990378)
* New upstream release 27.13 (LP: #2003018)
  - apt:
    + remove logic which added repositories and pinned them to 'never' to enable access to esm package lists
    + add functionality to create and update a local apt esm cache with the lists for esm-infra and esm-apps
  - apt-hook: update the cpp hook to use the local esm apt cache
  - apt-news:
    + fetch and display APT News in apt upgrade
    + show contract expiration notices in the apt news output
  - attach: support attaching without being able to install snapd (LP: #1997514)
  - cli:
    + do not show invalid subcommands in autocomplete (GH: #2279)
    + add support for attaching through the web portal, without a token
  - config: add apt_news_url option
  - docs: reorganize documentation and correct information
  - esm-apps: release the service as GA
  - jobs:
    + remove the update_status job
    + remove unused job which checks for the system EOL
  - messaging: do not fail if the apt-hook executable is not present (LP: #1994480)
  - motd: announce esm-apps as GA
  - security-status:
    + use the local esm cache to report updates when the services are disabled
    + redesign output to properly show support (LP: #2002407)
  - services: add new service to update the local esm caches
  - ros: release the service as GA
  - bug fixes:
    + report reboot_required even if 'livepatch status' fails
    + do not create unexpected environment variables when the autocomplete script runs
    + contract requests do not cause 'pro status' to fail
    + remove auto-attach motd message if any failure happens
    + log when 'cloud-id' fails
    + always honor the metering job timer config
    + write files atomically
* New upstream release 27.12 (LP: #1996424):
  - auto-attach:
    + retry auto-attach for up to one month on Ubuntu Pro cloud instances
    + make a best effort to auto-attach when using the API
  - enable: show deduplicated list of supported arches (GH: #917)
  - fips: remove cloud package override logic from the client
  - messaging: verify contract expiration date on contract server before outputting expired message on MOTD
  - realtime-kernel: make service non-beta
  - reboot-required:
    + add API support to show if the system requires a reboot (u.pro.security.status.reboot_required.v1)
    + add cli command for the functionality (pro system reboot-required)
  - security-status:
    + add API support to report standard updates (u.pro.packages.updates.v1)
    + add API support to show CVEs patched by Livepatch (u.pro.security.status.livepatch_cves.v1)
    + add API support to show packages summary information (u.pro.packages.summary.v1)
    + list packages in oci manifest format (u.security.package_manifest.v1)
  - systemd: do not attempt to auto-attach if a machine-token is present
* New upstream release 27.11.3: (LP: #1993006)
  - d/postinst: remove the Ubuntu Pro beta apt message and set up the configurable flag for "APT news" instead
  - collect-logs: do not fail if a file cannot be read (LP: #1991858)
  - config: add a flag to disable "APT news" (LP: 1992026)
  - messaging: add announcement of "APT news" to apt output
  - messaging: only show "APT news" when using apt binary (GH: #2288)
  - version: use /run instead of /tmp for version file (GH: #2294)
* New upstream release 27.11.2: (LP: #1991173)
  - esm: add the --beta flag back to esm-apps
  - messaging: show Ubuntu Pro beta message in apt output
  - security-status: don't show esm-apps information when the service is not enabled
  - ros: add the --beta flag back to ros and ros-updates
* New upstream release 27.11.1: (LP: #1990907)
  - Fix release upgrade when ESM packages are installed
    + d/postinst: remove series information from the APT preferences template
    + esm: remove series information from the APT preferences file
* d/control:
  - Update VCS references
* d/links:
  - add usr/bin/pro as an alias to ubuntu-advantage
* d/postinst:
  - include root_mode parameter when creating UAConfig instances
  - change calls to add_notice to notice_file.add
  - create public machine-token file if it does not exist
* New upstream release 27.11 (LP: #1989279)
  - api:
    + new `pro api` command to access the public client API
    + 'version' endpoint returning version information
    + 'should auto attach' endpoint informing if a system should run auto-attach on startup
    + 'full auto attach' endpoint performing auto-attach
    + 'magic attach' endpoints for the Magic Attach flow
  - auto-attach:
    + better errors for invalid pro images (GH: #2180, #1833)
    + don't detach on already auto-attached instances
    + no-op when ubuntu-advantage information is present on cloud-init userdata
    + change systemd unit to run after cloud-config
  - cli:
    + cli: better error message on unrecognized flags (GH: #672)
  - collect-logs:
    + can now be executed as a non-root user
    + is executed automatically and result is appended when using apport to report a bug
  - docs: now formatted to be built with sphinx, and published in readthedocs
  - enable:
    + new access-only flag for usecases where auto-install is undesired
    + fix apt auth line replacement (LP: #1985863)
  - esm-apps: generally available as non-beta as part of Ubuntu Pro
  - fix: check if livepatch has already fixed a CVE before attempting a fix
  - jobs: new timer job to check if the release reached end of support
  - pro:
    + Ubuntu Pro is released as a product
    + make `pro` the recommended executable for the client
    + client, apt and motd messages updated/rewritten to show Pro information
    + base URL changed from /advantage to /pro
    + ESM services renamed as part of Pro
  - ros: released as a non-beta entitlement
  - security-status
    + does not require the --format flag anymore
    + human readable output added based on ubuntu-security-status
    + machine readable output contains CVEs fixed by Livepatch
    + package counts include all esm-infra and esm-apps repositories
  - status:
    + don't show unavailable services by default (GH: #2156, #2159)
    + expiry date formatted based on timezone (GH: #695)
    + non-root users get the current status instead of a cached version
    + --wait flag now working for non-root users
  - version: warn about new available versions of the client in CLI command output and API calls
* apt-hook: Fix missing import warning when compiling
* d/control:
  - Drop golang dependencies
* d/rules:
  - Only install APT hooks on LTS series
* New upstream release 27.10 (LP: #1980990)
  - apt-hook: replace golang with cpp for json-hook
  - cli
    + properly sort services for detach/attach (GH: #1831)
    + collect-logs include rotated log files
    + display UA features directly on status
  - daemon: do not try enabling daemon during auto-attach (LP: #1980865)
  - fix:
    + update ua portal url when asking for attach
    + add --dry-run option
  - gcp-pro: better error message for metadata endpoint error
  - requests: Add default timeout for web requests
  - timer: log when job starts running
  - security-status: include download size of package updates
* d/rules
  - remove trusty specific code
  - remove ua-license-check.{timer,service,path}
  - install ubuntu-advantage.service
  - only on xenial: install ubuntu-advantage-cloud-id-shim.service
* d/tools.preinst: remove old config field to avoid warnings in logs
* d/tools.postinst
  - remove trusty specific code
  - print warnings if /etc/os-release doesn't have required fields
  - hardcode service list instead of exec-ing python3 for old migration
  - refactor python to avoid instantiating UAConfig extra times
  - refactor python to always use messages module for strings
  - rm the old marker file that triggered ua-license-check.path
  - remove unnecessary deb-systemd-helper check in ua-messaging cleanup
  - clean up old ua-license-check state
  - run new cloud-id-shim script
* d/tools/postrm
  - clean up ubuntu-advantage-daemon log files
* New upstream release 27.9 (LP: #1973099)
  - cli:
    + for json formatted output, include additional_info for some errors
    + new subcommand `ua refresh messages` to update motd and apt messages
  - daemon:
    + replace ua-license-check timer with ubuntu-advantage.service daemon
    + detects on-boot if pro license was added and runs auto-attach
    + only runs on gcp and does not continuously long-poll by default for now
  - enable:
    + fix error message on wrong service name when unattached
  - fips:
    + allow enabling generic fips kernel on azure by default
    + clean up fips reboot message (LP: #1972026)
  - fix:
    + handle errors during attach process
    + fix bug where enable or detach during a fix failed (LP: #1969809)
    + fix bug where attempting to fix some CVEs would never finish
  - performance:
    + remove unnecessary UAConfig object instantiation (also cleans up logs)
    + cache "apt-cache policy" output to avoid unnecessary subp calls
  - proxy:
    + apt_http(s)_proxy renamed to global_apt_http(s)_proxy
    + apt_http(s)_proxy config var names will still work
    + new ua_apt_http(s)_proxy for only ua-related apt traffic (LP: #1956764)
    + global_apt_http(s)_proxy and ua_apt_http(s)_proxy cannot be set at the same time
  - realtime: adjust warning to clarify that a manual revert is possible
  - refresh: a normal `ua refresh` will also update motd and apt messages
  - security-status: add counts of packages from each archive component
  - status: check if contract has updated and notify user to run "ua refresh"
* New upstream release 27.8 (LP: #1969125)
  - entitlements: apply overrides from the contract response
  - fips:
    + unhold fips packages when enabling fips-updates
    + Automatically disable fips service before enabling fips-updates
    + unhold more packages when enabling fips
  - lib: fix upgrade script for unsupported releases (LP: #1968067)
  - realtime: add support for realtime kernel beta service on Jammy
* fips:
  - make fips service incompatible with fips-updates
  - unhold more packages when enabling fips
* d/changelog:
  - fix changelog trailer line for 27.4.1
* d/logrotate:
  - make new logs world readable
* d/tools.postinst:
  - refactor to catch exception from entitlement_factory
  - no longer always set log file to only root readable
  - when creating log file for the first time, make world readable
  - adapt postinst for new messages module
* New upstream release 27.7 (LP: #1964028)
  - attach: --attach-config option for customizing auto-enabled services and supplying token via a file
  - auto-attach: fix bug where auto-attach caused a manually attached machine to detach
  - cli:
    + support --format=json for attach
    + support --format=json for detach
    + support --format=json for enable
    + support --format=json for disable
  - contract: include activity info when updating contract
  - detach: no longer contacts contract server on detach
  - fips: allow fips on containers
  - fix: support USNs that don't have related CVEs
  - logs: make all newly created logs world-readable
  - security-status:
    + show already installed esm package counts
    + include APT origin for each potential update
    + bump schema version to "0.1"
    + remove previously required --beta flag
  - status:
    + include blocked_by information in service status when format=json
    + --simulate-with-token now reports expired tokens as errors
    + --simulate-with-token now returns errors in the specified format
* New upstream release 27.6 (LP: #1958556)
  - cli: only request available resources from contract server when needed
  - fips:
    + allow enabling FIPS on focal clouds
    + update prompt messages
  - jobs: disable license-check job on GCP after attach
  - message: fix how apt and motd messages are updated after ua commands
* d/control:
  - Update homepage URL
* d/tools.postinst:
  - Refactor to use valid_services
* d/tools.postrm:
  - Use a
wildcard to remove ua related gpg files * New upstream release 27.5 (LP: #1956456) - aws: add support for the IPv6 metadata endpoint - cis: update URL for the documentation - cli: + add endpoint to simulate the status using a specific contract token + fix return code when attaching an already attached machine (GH: #1867) + fix security-status to consider all possible origins to show updates + include cloud build.info in the collect-logs tarball + only show services which exist in the contracts server in ua status - docs: fix typos and wrong/outdated information - livepatch: always use the full path in livepatch calls (LP: #1951954) - logs: + improve rules to redact sensitive information from all log files + redact sensitive information from older unredacted log files + log errors from external software execution, for debugging purposes - usg: + support the presentedAs affordance from the contract server, showing services in the CLI with the appropriate names + replace the CIS entitlement by USG on Focal and onwards * d/tools.postinst: - Fix check_service_is_enabled function when the machine is unattached (LP: #1951705) * jobs: do not run the status job for unattached users * d/rules: - Remove conftest file from the package * d/tools.postinst: - hardcode python binary to run python scripts (LP: #1930121) - undo unnecessary log file creation * d/tools.prerm: - hardcode python binary to run python scripts (LP: #1930121) * New upstream release 27.4 (LP: #1949634) - cc-eal: remove beta flag - cli: + attach will save machine-id during operation + detach won't ask unnecessary questions + new security-status subcommand lists potentially available security and ESM updates (beta) - fix: + exit 0 when fix is successfully applied and completed + exit 1 when fix cannot be applied + exit 2 when fix requires a reboot to complete + check reboot-required.pkgs for better reboot suggestions - livepatch: allow livepatch and fips-updates at the same time - metering: + update how 
activity info is parsed + update contract response structure + enable job by default - proxy: no_proxy defaults for link-local IMDS routes - util: + cache get_platform_info calls + fix machine-id fallback path on get_machine_id * d/tools.postinst: - consider cloud to be "none" on any cloud-id error - purge old ua-messaging.timer/service files - keep ua-timer.timer disabled if ua-messaging.timer was disabled by the user - properly configure both ubuntu-advantage-timer and ubuntu-advantage-licence-check logs * d/tools.postrm: - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs during purge * systemd: - remove ua-messaging.timer/service - add new ua-timer.timer that runs every 6 hours - add new ua-license_check.timer that runs every 5 minutes only if activated by ua-license-check.path * New upstream release 27.3 (LP: #1942929) - ros: + add beta support to enable ros and ros-updates + add support for "required services" so that esm-infra and esm-apps get auto-enabled when enabling ros or ros-updates + add support for "dependent services" so that user gets prompted to disable ros/ros-updates if they disable esm-infra/esm-apps - fips: + allow fips on GCP bionic now that optimized kernel is ready + disallow enabling fips on focal on clouds until cloud-optimized focal fips-certified kernel is ready (LP: #1939449, LP: #1939932) + print warning about generic fips kernel if cloud-id fails - cloud: + rely only on cloud-id to determine cloud type (LP: #1940131) + catch errors when determining cloud type (LP: #1938207, LP: #1944676) (GH: #1541) - azure: + bump IMDS API version to support Azure published images - cli: + collect-logs command that creates a tar file with debug-relevant logs and status info (GH: #463) + clean locks on exceptions more thoroughly to avoid false "Operation in progress" status messages + retain past service state after detach + shows better error message when a port value in a proxy is invalid - non-unicode locale support: + remove 
unicode-only characters from help file + don't print unicode-only characters in ua fix if non-utf8 locale (GH: #1463) - logrotate: + add logrotate functionality for ubuntu-advantage-timer.log. + Fix root:root logrotate permissions. - ua-timer.timer: + introduce a single systemd timer to handle ua recurring jobs + timer runs every 2 hours to support most frequent timer job + recurring job intervals are configurable in uaclient.conf + individual jobs are disabled if their interval is set to 0 - status job: + update ua status every 12 hours - messaging job: + update APT/MOTD ESM messaging every 6 hours - metering job: + disabled until infrastructure is ready + for attached machines only, periodically update contract server with status information for proper contract metering - ua-license-check.timer: + only runs on LTS GCP instances that are not attached + runs every 5 minutes to check if gcp instance has license required to auto-attach - logs: + fixes duplicate logging (GH: #553) - tests and support: + remove groovy integration tests + various improvements to integration tests * d/tools.postinst: - Do not fail in postinst if cloud-init did not run. This fixes the regression introduced in 27.2.1. 
(LP: #1936833) * d/control: - remove unnecessary distro-info dependency from build-depends * d/rules: - pick right version of distro-info based on release * docs: + add information about proxy auth to manpage and readme * lib: + handle missing configStatus key in patch status json script * d/control: - add comments to explain complex build-depends - add version requirement to distro-info (LP: #1932028) * d/tools.postinst: - run status.json schema patch script to avoid non-root status errors * New upstream release 27.2: - attach: print contract server reason for 403 (GH: #1630) - cli: add ua config set, unset and show subcommands - config: + add default ua_config setting values + only allow some fields to be set by envvar + use defaults for contract and security url - docs: + add proxy config options to man page + add instructions to generate MOTD messages + add support matrix info + remove broken api link - enable: allow downgrading packages during enable (GH: #1659) - fips: + add focal test for fips-updates + alert if wrong fips package installed on gov clouds + install correct fips package on gov clouds + only install conditional_packages if necessary and available - logs: log env vars that affect config on cli runs - proxy: + add config options to set proxies + print message when setting proxy + support configuring apt proxies + support configuring snap and livepatch proxies + support setting proxy for web requests + validate urls before setting as proxies - refresh: support refreshing config and contract separately - status + add config info to json output + add env vars to json output + do not show unavailable services in json output + support yaml format with same content as json format + update account info in json output + update contract info in json output + update root level keys of json output - refactor: + remove side effects from can_enable (GH: #1654, #1571) + use DatetimeAwareJSONDecoder to parse date strings - tests: + add additional enable test 
for incompatible services + add flag to enable proposed pocket + add test to check and print version being tested + drop trusty specific tests * Cherrypick upstream pr #1681 to unbreak many migrations. LP: #1930741 * d/control: - specify debianutils min version * d/changelog: - fix lintian typos amend and redact incorrect 27.0 entry (GH: #1624) * lintian: - override ubuntu-advantage-pro wanted-by-target cloud-init - override xenial specific errors - rename package-specific overrides for pro vs tools * New upstream release 27.1: - apt-hook: + avoid segfault when comparing null Apt file origin to esm (LP: #1929123) + avoid wrapping static message formats at 80 chars + update go build flags based on lintian warnings (GH: #1626) + only add newlines for MOTD if message file length is non-zero - attach: do not print contract name if empty - autocomplete: Do not show beta services in autocomplete (GH: #1594) - cis: + make service non-beta + post enable message pointing to docs + update cis help url - docs: update releases.md per SRU review feedback on branch structuring - enable: correct messaging for beta service (GH: #1588) - errors: print a more helpful message when ssl fails (GH: #1618) - fips: + Block enabling fips if fips-updates once enabled (GH: #1600) + Update output of fips commands (GH: #1631) - livepatch: alert when snapd does not have wait cmd (LP: #1927329) - logging: remove tracebacks for UserFacingErrors (GH: #1586) - messaging: + Infra and Apps messaging is mutually exclusive (GH: #1573) + point to u.com/16-04 instead of u.com/advantage on ESM (GH: #1584) + separate _remove_msg_template. 
emit no warranty on infra disabled - pro: obtain AWS IMDSv2 API token before trying to grab pkcs7 doc (GH: #1608) - status: do not show info if not on contract (GH: #1592) - tests: + drop trusty specific tests + fix mock for handle_message_operations + fix motd message for bionic (GH: #1615) + integration tests for hirsute and groovy + manual test for trusty upgrade to xenial + reboot after dist-upgrade for upgrade test + test enabling CIS on focal (GH: #1582) + update messages in integration tests (GH: #1635) + use proposed pocket on xenial upgrade test - jenkins: + add pytest runs for xenial and bionic + run focal lxd integration tests * d/control: - order build-depends alternatives newer first (LP: #1926949) - apt-hook: do not attempt to package go APT JSON hook on some architectures (GH: #1603) (LP: #1927886, LP: #1927795) * Bug-fix release 27.0.2: build failures on riscv64 and powerpc - apt-hook: refactor json hook messaging to be dry - tests: fix subp ls error case for powerpc builds - jenkinsfile: add --resolve-alternatives for trusty builds - amend changelog: add omitted apt-hook message for 27.0.1 stanza * Add .gitignore and cleanup ignored directory .pytest_cache * apt-hook: mitigate failures with true * New upstream release 27.0: - [redacted: actually landed in 27.0.1] apt-hook: mitigate failures with true - messages: add optional (s) to apt messaging to include singular/plural pkgs - apt-hook: avoid reporting and counting duplicate package names (GH: #1578) - fix: don't say reboot required when unnecessary (LP: #1926183) - test: uncomment additional xenial upgrade tests * New upstream beta3 release: - config: avoid tracebacks on invalid features value in uaclient.conf (GH: #1564) - apt-hook: new json hook for security update counts - Remove redundant messaging from uaclient * d/control: - add distro-info dependency - add new debianutils dependency - add optional dh-systemd | debhelper (>= 13.3) to fallback on hirsute and later when dh-systemd is not 
present * d/rules: enable and start ua-messaging.timer on package install * d/postinst: - configure esm on any LTS release avoid beta services - configure esm-infra when is_active_esm and apps on LTS - xenial enable unauthenticated apt source for apps/infra * New upstream release 27.0~beta: - apt-hook: + adapt hook to process separate message templates + esm-apps and esm-infra pkg counts not mutually-exclusive + print static messages on apt upgrade/dist-upgrade (GH: #1546) - config: create settings_overrides on config (GH: #1507) - docs: add entry for uploading new version to ppa - esm: + add pin never when disabling esm-infra/apps on xenial + enable infra when EOL LTS and apps on all LTS (GH: #1558) - fips: add notice when installing over old fips - fix: + add links to ubuntu.com/gcp/aws in messaging when on non-PRO + add notice to reboot operation on ua fix + do not prompt user for beta services (GH: #1544) + notify users if reboot is required (GH: #1476) + update how the expired token logic works + wrap output greater than 80 chars (GH: #1487) - lib: fix notice handling on reboot script - messages + provide static message files for use in APT and MOTD + update_ua_messages on attach/detach/disable - mypy: add lib/ dir for coverage - status: do not remove notices on non-root call (GH: #1518) - subp: separate % format strings when logging (GH: #1520) - systemd: add ua-messaging.timer to update ua MOTD and APT msgs - update-motd.d: add conditional hooks for motd to source ua messages - util: add is_lts and is_active_esm funtions to support ESM - test + add integration tests asserting esm-apps setup due to postinst + manual test script for xenial upgrade + trusty and xenial infra and apps disabled in pkg install - behave: use unaltered cloud images unsetting UACLIENT_BEHAVE_PPA - jenkins: make lint and style stage run sequentially * d/*: prefix all the debhelper conf files with the package name * d/control: - add Rules-Requires-Root: no - bump Standards-Version to 
4.5.1 - make ubuntu-advantage-pro Architecture: all * d/lintian-overrides: - override maintainer-script-calls-service - package-supports-alternative-init-but-no-init.d-script * d/postinst: move the u-a-pro note to a config script * d/ubuntu-advantage-tools.templates: suggest the use of apt * New upstream release 27.0~beta: - apt: add retry for apt-helper command (GH: #1431) - cli: drop subcommand repeated help output, fix enable & refresh (GH: #1440) - config: + allow parsing yaml delivered from env values + environment variable support for feature overrides (GH: #1395) + create config to add extra params to security url - docs: + add ppas and fix typos + use Ubuntu Pro not Ubuntu PRO + add stop "." punctuation to messages (GH: #1320) - fips: fix FIPS message when disable operation fails - fix: + add basic UASecurityClient to which queries CVE and USNs + add security_url to config + check if service is enabled during ua fix (GH: #1462) + closer representation of cve and usn responses + filter usns by cve details (GH: #1470) + fix regex to be more permissive and strict + get_cve_affected_source_packages_status won't list not-affected (GH: #1467) + handle other package status when running ua fix (GH: #1435) + improve error message for ua fix (GH: #1420) + install pkg fixes when they are on standard pocket (GH: #1401) + move timeout and retries to security client only + only prompt for subscription attach for UA-related pkg updates + parse all related USNS to a given CVE when fixing + parse full API responses for related CVEs and USNs + prefer USN.release_packages binary pkg versions to CVE src ver (GH: #1436) + prompt for new ua token when expired one is used (GH: #1475) + prompt to emit pro suggestion on pro_clouds if unattached (GH: #1386) + prompt to enable service during ua fix (GH: #1455) + provide related CVE URLs instead of USNs (GH: #1456) + raise errors when source_link is null or unexpected format + show packages that were not fixed in the output + update 
output for released packages in ua fix (GH: #1438) + update message for invalid issue in ua fix (GH: #1433) + use pocket values from USNs (GH: #1439) - logs: emit error response on API errors and redact sensitive logs (GH: #1424) - serviceclient: add 10 second timeout and two retries to API calls (GH: #1374) - util: + add error prompts on invalid selection + add timeout to readurl - tests: + Add disable_auto_attach config to all test PRO vms + add merge_usn_released_binary_package_versions tests + add unittest coverage for override_usn_release_package_status + drop traceback checks on fips integration tests + refactor integration tests for ua fix cmd + run status wait before detach in PRO tests + use ssh to run commands on lxd containers - jenkins: archiveArtifacts can only reference paths within workspace * d/control: add new debianutils dependency * New upstream release 26.3 - util: improve is_container check for chroot - cli: pass assume_yes param to services on detach (GH: #1530) * Drop dh-systemd build dependency. 
  * status: show beta services in status if enabled (GH: #1410)
  * New upstream release 26.1
    - contract: block detach call to contract if machine-id change
    - docs: add readme docs about mastering clean golden images
    - fips: add reboot notices for fips operations (GH: #1368)
    - livepatch: add retry when running canonical-livepatch status (GH: #1360)
    - util: use lru_cache to avoid re-reading os-release and machine-id (GH: #1329)
    - tests:
      + add disable_auto_attach config to all test PRO vms
      + add more log artifacts during failed integration test
      + check cloudinit status after launching image
      + mock leaking livepatch.application_status for fips test
      + retry package installs on apt exit 100
    - jenkins: parameterize build stages to avoid parallel job collision
  * auto-attach: fix comparing numeric iid
  * New upstream release 26.0:
    - auto-attach: systemd unit to run before ua-reboot-cmds.service
    - config: remove_notice should remove notices.json when empty
    - fips:
      + add notice if running a deactivated FIPS kernel (GH: #1348)
      + block enabling FIPS on clouds using Xenial
      + block enabling fips on GCP instances
      + check /proc/sys/crypto/fips_enable to see if fips is enabled
      + override fips metapackage when on bionic cloud
      + update metapackage override logic on fips
    - notices: clear lock file and notice when encountering any exception (GH: #1326)
    - reboot_cmds: retry on lock held errors due to pro auto-attach
    - services: allow uaclient to disable services during enable
    - status: include beta services in json formatted output with --all (GH: #1341)
    - tests:
      + add FIPS tests to AWS and Azure bionic images
      + add GCP pro test for focal machine
      + add after_step collection of artifacts on failure
      + remove proc file check after disabling fips
      + pro: block auto-attach with cloud-config bootcmd
      + add validation of systemd unit ua-reboot-cmds.service
      + test enabling fips-updates when fips is enabled
    - jenkins:
      + add deb build stage to assert package builds
      + use series-specific sbuild --build-dir avoid races
      + use --append-to-version for each sbuild run to avoid races
      + presume success when no integration artifacts created
  * d/rules:
    - add --with systemd to allow reboot init script
    - do not remove lib/systemd/system folder
  * d/postinst:
    - create marker file when reboot script needs to run:
      + enable livepatch across trusty to xenial upgrade
      + update fips on existing fips pro machines
  * New upstream release 26.0~beta:
    - gcp: add Google Cloud Platform support (GH #1269)
    - fips:
      + remove is_beta from fips services
      + fips pro: add upgrade support to require reboot to unmark held fips pkgs
      + update origin UbuntuFIPSUpdates
    - status:
      + add notice to tabular output
      + held locks emit notice about Operation in progress
    - cli: help sort output so trusty ordering matches xenial++
    - cis: rename service from cis-audit
    - config: provide config notices and add_notice and remove_notice methods
    - contract: add resource-machine-access route and datapath
    - init: add init script to run commands on reboot
    - keys: add ubuntu-advantage-cis keyring
    - livepatch: make livepatch react to enableByDefault delta
    - log: log when we install pkgs because of contract delta
    - make: drop six testdeps target
    - pro: do not install pro debs on non-pro instances
    - services: Update beta info for services (GH #1220)
    - tools: add tox-lxd-runner, that executes the test command in a shell
    - tools: refresh-keyrings handles cis keys. drop series-specific keys
    - tests:
      + add GCE support for integration tests
      + add cis integration tests for unattached and pro
      + add pytest constraint for mypy tests
      + add unittests for reboot_cmds script
      + fix esm package messages for new update notifier version
      + pin importlib-metadata for mypy tests
      + repo tests for request_resource_machine_access
      + unit tests for config cache clearing and machine-access data
    - jenkins:
      + add basic Jenkinsfile for CI runs per PR
      + add jenkins parseable test results
      + add lxc cleanup stage on Jenkinsfile
  * Release version 25.0
  * New upstream release 25.0~beta3:
    - upgrade-lts-contract: noop during do-release-upgrade on unattached (GH: #1255)
    - ua-auto-attach: order systemd unit before cloud-config.service
    - Update FIPSUpdates pin origin
    - fips: unmark held fips packages for ubuntu pro fips image support (GH: #1109)
    - repo: handle changes to additionalPackages contract deltas
    - repo: move package installation to install_packages method
    - pro: trigger auto-attach as soon as instance-data.json is available (GH: #1234)
    - Conditionally install packages when enabling FIPS
    - fips: allow disable (GH: #1168)
    - cli: add trailing newline to argparse errors (GH: #1236)
    - Install fips metapackage when enabling service
    - integration test improvements:
      + upgrade-test: fix upgrade path restart failures on trusty (GH: #1257)
      + Fix integration test setup scripts (GH: #1253)
      + strict checking for command success on behave
      + Update tests to use new pycloudlib LXD abstraction
      + Add upgrade scenario tests when FIPS is enabled
      + Improve FIPS tests for checking packages
      + Update esm-infra xenial lxd test
      + Fix vm tests as esm-apps is beta service
      + Fix azure generic integration testing
      + Update esm-apps check on staging_commands tests
      + Install pycloudlib for azure jobs only
      + Fix shell condition in run_azure_travis_integration_tests.sh
      + Update azure jobs on travis
      + Update travis url in README
      + Update travis scripts to use ppa only on master
      + Fix cron event type check on travis yaml
  * New upstream release 25.0~beta2:
    - help: update esm-infra help text (GH: #1212)
    - apt-hook: update apt cli messaging for UA Infra: ESM and UA Apps: ESM product names
    - help: update fips help docs (GH: #1213)
    - help: revert CIS help doc URL (GH: #1211)
    - help: add new fips help URLs to CLI help docs (GH: #1210)
    - Show error when enabling service with invalid repo [Lucas Moura] (GH: #954)
    - Update beta info for services (#1220) [Lucas Moura] (GH: #1216)
    - Do not enable fips when fips-updates is active [Lucas Moura] (GH: #1209)
    - Add vm test commands in tox.ini (#1204) [Lucas Moura]
  * Beta bug fix release
    - status: fix missing description_override key after upgrade from trusty (GH: #1201)
    - During contract delta processing use _check_application_status_on_cache instead of live service status
  * d/control:
    - add po-debconf dependency and fix lintian not-using-po-debconf and untranslatable-debconf-templates
    - add ${misc:Depends} dep to ubuntu-advantage-pro to fix lintian debhelper-but-no-misc-depends (GH: #1024)
  * d/rules:
    - drop --with systemd fix build-depends-on-obsolete-package
    - set fix lintian warning extra:Depends even if empty
  * d/postrm:
    - Add more gpg keys to be deleted in postrm for Xenial+ support
  * d/postinst:
    - do not unconfigure non-trusty esm. no series in apt filenames (GH: #1170)
    - check if esm is already enabled (GH: #1095)
  * New upstream release 25.0:
    - Do not uninstall additionalPackages or livepatch when disabling services
    - check for issubclass on clean_apt_files
    - Add do-release-upgrade support for esm-infra and apps suites (GH: #1169)
    - Apply contract deltas during do-release-upgrade operations
    - cli: add ua help command
    - cli: status add blocking --wait param and lock files for config change
    - Fix livepatch behaviour on aws pro focal machine
    - travis: drop inapplicable workspaces from specific awsgeneric release jobs
    - Add possible reboot text after enabling/disabling services
    - apt-hook: package apt-hook and apt configuration files on all releases (GH: #1150)
    - Fix enable fail bug
    - Add uaclient.conf override mechanism for auto-attach, beta services and machine-token
    - Support ESM Apps [Brian Murray] (GH: #930)
    - Do not enable services if blocking services is active (GH: #1029)
    - contract: handle 401 on invalid token, 403 on expired (GH: #1335)
    - Hide beta services from default status output and enable/disable operations (GH: #1079) (GH: #1091)
    - fips: force apt noninteractive prompts during package installs (GH: #1084)
    - tests: add unit tests for aws-gov/aws-china cloud detection
    - Add AWS China and GovCloud partitions [Robert Jennings]
    - Disable beta services to be show/enabled without flag
    - Add missing build_pr command to environment
    - Use additionalPackages from service payload
    - Add integration testing for Travis runs [patriciadomin] (GH: #856) (GH: #857) (GH: #853)
  * New bug-fix-only release 24.4:
    - uaclient.version bump to 24.4
    - fips: honor additionalPackage directive from contract for bionic (GH #1173)
  * New bug-fix-only release 24.3:
    - uaclient.version bump to 24.3
    - fips: add conditional reboot message only if /var/run/reboot-required is present
    - fips: add apt repo key for FIPS and FIPS updates (GH #1026)
  * New bug-fix-only release 24.2:
    - uaclient.version bump to 24.2
    - pro: Add AWS China and GovCloud partitions support (GH #1077)
  * New bug-fix-only release 24.1:
    - livepatch: run snap wait system snap.seeded before trying to install (GH: #1049)
    - version: return debian/changelog version when git describe fails to match upstream . tags for git-ubuntu workflow (GH: #1058)
  * bump version to 24.0 for new versioning scheme
  * New upstream release 20.3:
    - ubuntu-pro: automatically reattach across instance id delta (LP: #1867573)
    - integration testing:
      + add behave tests ua subcommands for attached vm
      + add invalid token tests
      + add reuse_container test docs
      + refactor token parameter
  * d/templates: add a debconf note on upgrade from pre-ubuntu pro package
  * d/control: create a separate ubuntu-advantage-pro package which delivers the tooling and scripts necessary to auto-attach pro machines. This change breaks/replaces ubuntu-advantage-tools <= 20.1
  * d/maintscript: rm_conffile /etc/init/ua-auto-attach.conf from ua-tools pkg
  * d/postinst: remove stale systemd symlinks which have migrated to ubuntu-pro
  * d/rules: only install the apt hook on trusty
  * d/rules: provide --no-start to debhelper to avoid auto-attach on pkg install
  * Release 20.2:
    - ubuntu-pro:
      + azure: fix detection of DatasourceAzureNet as azure on trusty
      + generalize identity_doc to return dict instead of string
      + auto-attach: any 4XX errors during auto-attach are the result of non-Pro
      + auto-attach: handle 403 errors raised by contract server for invalid vms
    - attach: persist any status config changes after attach failures
    - output: add messaging using a different subscription if attached
  * Release 20.1:
    - azure-pro, support for azure ubuntu pro auto-attach:
      + add azure auto-attach instance as valid cloud_instance_factory
      + add azure cloud instance module and tests
      + generalize request_aws_contract_token for multiple cloud_types
      + contract: request_auto_attach_contract_token takes an instance param
    - constraints: add constraint on pyyaml version in trusty
    - auto-attach: move duplicate invalid cloud_type check out of cli
  * d/postinst: only configure ESM on supported architectures (LP: #1851858) [Andreas Hasenack]
  * d/postinst: rename existing ubuntu-esm-precise.list file to trusty. This fixes the upgrade path from precise to trusty and to this client while esm is enabled (LP: #1850672)
  * Release 19.7:
    - aws: handle missing SYS_HYPERVISOR_PRODUCT_UUID
    - aws-pro: support for aws ubuntu pro auto-attach
    - pro: add cloud identity module and fix unit tests
    - pro: update systemd service and upstart boot scripts to auto-attach
    - pro: esm do not do apt pin never on disable on xenial or bionic
    - pro: esm-apps has origin UbuntuESMApps and esm-infra is UbuntuESM
    - status: dynamic status available now from refreshed machine-token
    - uaclient: update customer visible messages after UX review
    - esm-apps: allow unattended security upgrades for esm-apps
    - systemd: needs WantedBy=multi-user.target to get pulled into boot
    - cli: update docstring to describe errors raised from auto-attach
    - keyrings: update ubuntu-advantage-esm-apps.gpg with correct key
    - repo: match strict repo url in apt-policy to avoid esm substring matches
    - esm: don't disable_apt_auth_only for ESM entitlements
    - initial implementation of esm-apps
    - repo: don't raise exception in application_status if aptURL missing
    - entitlements: rely solely on contract server for repo_url
    - cli: exit 0 if already attached
    - cli: use decorators for action_attach and action_attach_premium
    - cli: add assert_not_attached decorator
    - status: custom descriptions for n/a service status
  * New upstream release. Main changes:
    - drop SSO interactive login support
    - d/control: no longer depend on pymacaroons, which was only needed for the SSO interactive login support
    - drop keyrings for services not supported in trusty: cc-eal, fips, fips-updates, cis audit
    - make sure /var/lib/ubuntu-advantage/private has 0700 perms
    - rename esm to esm-infra. Also handle upgrades
    - don't unnecessarily remove config files that are already handled by dpkg
    - expand the apt related runtime dependencies
    - handle sources.list.d esm snippet when release upgrading from precise
    - ua status now reports availability of services even in unattached state
    - the "ua status" output was changed, including the json format option
    - drop "ua status" call in postinst as it now requires internet access and that is restricted in LP builders and test runners.
    - fix the d/t/usage DEP8 test that was also using status
  * d/t/usage: fix dep8 test ("entitlements" was renamed to "services")
  * New upstream release (LP: #1832757):
    - packaging:
      + d/control: depend on libapt-pkg to use pin-priority never
      + d/postinst: adjust logfile permissions
      + d/postinst: remove public files and generate status cache on upgrade
      + d/postinst: Remove the old CACHE_DIR in postinst
      + d/postrm: remove log files on package purge
      + d/postrm: remove the ESM pinning file on purge
      + trusty should remove v1 esm key if present after upgrade
      + keyrings: regenerate keyrings on a trusty host
      + refresh keyrings to match current production for fips and cc-eal
    - apt:
      + all repo entitlements now call apt-get update on enable
      + enable -updates if -updates from the Ubuntu archive is enabled
      + Add basic i18n (good enough for lang packs)
      + retry apt install and update commands 3 times simple backoff
      + write commented -updates lines instead of omitting them
    - attach/detach:
      + added --no-auto-enable option
      + suppress messages from inapplicable default entitlements
      + two-factor auth reprompt only two-factor auth on failed 2fa
      + honour enableByDefault obligations from contract server
      + livepatch: no auto-enable on attach for trusty
      + don't attempt to disable inapplicable entitlements during detach
      + check for root before checking for attach in assert_attached_root
    - status:
      + add --json cli formatting option
      + emit a SERVICE header in status output
      + redact technical support and expiry for free
contracts + unentitled services will report n/a - cc-eal: + add a warning about download size before install + change cc to cc-eal in docs, parameters and commandline help - esm: + add esm-v2 gpg keyring, drop old keyring, ignore aptKey directive + and livepatch auto enabled on attach where supported + on upgrade do not install preferences to pin never if esm enabled + remove only the apt auth entry on disable, leaving sources.list + use Pin-Priority never apt preference file to disable esm initially - fips: + display as pending when linux-fips is not the running kernel + only install/upgrade optional packages that are already on the system - logs: + no longer redact secrets as logfile is root read-only + separate console log devel from logfile level + remove level from messages to the console - add subcommand to refresh all contract details - config: allow contract_url and sso_auth_url to have a trailing slash - docker: fix persisting generated uuid on images without machine-id files - environ: allow lowercase ua_ overrides - repo: un-comment ESM sources.list lines on repo disable - updated manpage and help docs * apt-hook: Add missing headers for APT 1.9 * Drop the self-test assert in the apt-hook, it's making the subiquity server install fail (LP: #1824523) * apt-hook: Do not crash/fail if we can't read /proc/self/status (LP: #1824523) * Ubuntu Advantage Tools rewrite in Python (LP: #1814157): - Allow attaching a system to a contract or account - More complete status output, dropping MOTD updates - Easily enable and disable services offered * Have ua status cope with the additional livepatch of running a kernel that is not supported for livepatches. * Have an option for enable-livepatch to install a compatible kernel if needed. [ Vineetha Kamath ] * Add support to common criteria EAL2 artifacts installation #144 * New upstream release - added enable-fips-updates command. This command enables the fips-updates repository to install updates to FIPS modules. 
The updated modules from fips-updates repository are non-certified. * d/t/update-motd-run: fix path to the esm motd (LP: #1757490) * Rename motd scripts so they are shown a bit earlier (LP: #1757171) * Move empty line placement in the livepatch motd to the beginning of the message to avoid double blank lines. * New upstream release: - repositories are only added after credentials are verified (LP: #1730361) - Livepatch MOTD script (LP: #1710976) - better "status" command output formatting (LP: #1719034) - sources.list.d files no longer contain credentials. The "auth.conf" facility is used instead. (LP: #1700611) - enabled Livepatch support for Bionic 18.04 LTS * New upstream release: - run tests during package build * New upstream release: - revert the latest name changes - instead of "advantage", add a "ua" symlink pointing at the ubuntu-advantage script. Likewise for its manpage. (LP: #1721272) * New upstream release: - rename the ubuntu-advantage script to advantage, including where it's mentioned in the documentation. Also provide symlinks pointing at the previous name. (LP: #1721272) - slightly reword some of the FIPS messages * New upstream release with FIPS support (LP: #1718291) * New upstream release: - call apt-get with the non-interactive frontend variable set, and tell dpkg to keep the old config file by default should there be any prompts about that. (LP: #1715012) - split the one big test file into multiple smaller files, for better maintainability. * Release to artful (LP: #1711369) * d/control: update package description * New release version 6. Main changes: - document return codes on the manpage (Fixes: #33) - new status command (Fixes: #40) - restrict esm to precise only (Fixes: #43) - drop the livepatch motd update, only esm has motd output now (Fixes: #44) - skip tests during package building (Fixes #49) * Only display apt output in the case of errors (Fixes #34). * Check running kernel version before enabling the Livepatch service (Fixes #30). 
* Add livepatch support: - New commands: + enable-livepatch + disable-livepatch + is-livepatch-enabled - new tests - new manpage - new help output - new README.md - new MOTD * ubuntu-advantage & /etc/update-motd.d/99-esm now build, run and are quiet on non-precise release. (LP: #1686183) * Add simple dep8 tests. * Also install ca-certificates (LP: #1690270) * Initial Release. LP: #1686183 ==== ubuntu-release-upgrader: 1:20.04.40 => 1:20.04.41 ==== ==== python3-distupgrade ubuntu-release-upgrader-core * Manually run utils/update_mirrors.py to update mirrors ==== update-notifier: 3.192.30.16 => 3.192.30.17 ==== ==== update-notifier-common * Isolate creation of the esm apt cache in apt-check (LP: #2008212) ==== vim: 2:8.1.2269-1ubuntu5.11 => 2:8.1.2269-1ubuntu5.14 ==== ==== vim vim-common vim-runtime vim-tiny xxd * SECURITY UPDATE: out-of-bound read vulnerability - debian/patches/CVE-2021-4166.patch: crash when clearing the argument list while using it - CVE-2021-4166 * SECURITY UPDATE: use-after-free when matching inside a visual selection - debian/patches/CVE-2021-4192.patch: get the line again after getvvcol(). - CVE-2021-4192 * SECURITY UPDATE: out-of-bounds read when processing data in visual mode - debian/patches/CVE-2021-4193.patch: check for valid column in getvcol(). - CVE-2021-4193 * SECURITY UPDATE: heap buffer overflow when processing long file names - debian/patches/CVE-2022-0213.patch: check length when appending a space. - CVE-2022-0213 * SECURITY UPDATE: heap-based buffer overflow when performing a block insert - debian/patches/CVE-2022-0261.patch: handle invalid byte better. Fix inserting the wrong text. - debian/patches/CVE-2022-0318-1.patch: for block insert only use the offset for correcting the length. - debian/patches/CVE-2022-0318-2.patch: adjust the expected output for utf8 block insert test. 
- CVE-2022-0261 - CVE-2022-0318 * SECURITY UPDATE: out-of-bounds read when exchanging windows in visual mode - debian/patches/CVE-2022-0319.patch: correct end of Visual area when entering another buffer. - CVE-2022-0319 * SECURITY UPDATE: stack pointer corruption when parsing too many brackets in expression - debian/patches/CVE-2022-0351.patch: limit recursion to 1000. - CVE-2022-0351 * SECURITY UPDATE: illegal memory access when processing large indent in ex mode - debian/patches/CVE-2022-0359.patch: allocate enough memory. - CVE-2022-0359 * SECURITY UPDATE: illegal memory access when copying lines in visual mode - debian/patches/CVE-2022-0361.patch: adjust the Visual position after copying lines. - CVE-2022-0361 * SECURITY UPDATE: illegal memory access when undo makes visual area invalid in visual mode - debian/patches/CVE-2022-0368.patch: correct the Visual area after undo. - CVE-2022-0368 * SECURITY UPDATE: stack corruption when looking for spelling suggestions - debian/patches/CVE-2022-0408.patch: prevent the depth increased too much. Add a five second time limit to finding suggestions. - CVE-2022-0408 * SECURITY UPDATE: use of freed memory when managing buffers - debian/patches/CVE-2022-0443.patch: do not use wiped out buffer. - CVE-2022-0443 * SECURITY UPDATE: heap buffer overflow when processing vim buffers - debian/patches/CVE-2022-0554.patch: when deleting the current buffer to not pick a quickfix buffer as the new current buffer. - CVE-2022-0554 * SECURITY UPDATE: heap buffer overflow when repeatedly using :retab - debian/patches/CVE-2022-0572.patch: bail out when the line is getting too long. - CVE-2022-0572 * SECURITY UPDATE: stack buffer overflow vulnerability - debian/patches/CVE-2022-0629.patch: crash when using many composing characters in error message - CVE-2022-0629 * SECURITY UPDATE: out-of-range pointer offset when using special multi-byte character - debian/patches/CVE-2022-0685.patch: don't use isalpha() for an arbitrary character. 
- CVE-2022-0685 * SECURITY UPDATE: heap buffer overflow when processing anomalous 'vartabstop' value - debian/patches/CVE-2022-0714.patch: check for running into the end of the line. - CVE-2022-0714 * SECURITY UPDATE: out-of-range pointer offset when processing specific regexp pattern and string - debian/patches/CVE-2022-0729.patch: stop at the start of the string. - CVE-2022-0729 * SECURITY UPDATE: heap-based buffer overflow - debian/patches/CVE-2022-2207.patch: adds a check to see if the cursor column is great than zero. - CVE-2022-2207 * SECURITY UPDATE: use after free - debian/patches/CVE-2022-0413.patch: make a copy of the substitute pattern that starts with "\=" in do_sub() in src/ex_cmds.c and free it at the end of the method and add test case Test_using_old_sub in src/testdir/test_CVE.vim. - debian/patches/CVE-2022-1796.patch: make a copy of the pattern to search for as it could get freed in do_window() in src/window.c and add test case Test_define_search in src/testdir/test_CVE.vim. - debian/patches/CVE-2022-1898.patch: make a copy of the string as it could get freed in nv_brackets() in src/normal.c, and add a test inside the Test_define_search test case in src/testdir/test_CVE.vim. - debian/patches/CVE-2022-1968.patch: mitigates the potential for a use after free scenario by making a copy of a buffer to use for future reference - debian/patches/CVE-2022-2946.patch: using freed memory when 'tagfunc' deletes the buffer - CVE-2022-0413 - CVE-2022-1796 - CVE-2022-1898 - CVE-2022-1968 - CVE-2022-2946 * SECURITY UPDATE: buffer over-read - debian/patches/CVE-2022-1629.patch: add a check for null after a backslash in find_next_quote() in src/search.c and add test case Test_string_html_objects in src/testdir/test_CVE.vim. 
- debian/patches/CVE-2022-1720.patch: reading past end of line with "gf" in Visual block mode - debian/patches/CVE-2022-1733.patch: add a check for null when checking for trailing ' in skip_string() in src/misc1.c and add test case Test_cindent_check_funcdecl in src/testdir/test_CVE.vim. - debian/patches/CVE-2022-1735.patch: add a new function, check_visual_pos in src/misc2.c and invoke it in src/change.c and src/edit.c. Add the new function header in src/proto/misc2.pro and add test case Test_visual_block_with_substitute in src/testdir/test_visual.vim. - debian/patches/CVE-2022-1851.patch: add a call to check_cursor() after formatting in op_format() in src/ops.c and add test case Test_correct_cursor_position in src/testdir/test_CVE.vim. - debian/patches/CVE-2022-1927.patch: cursor position may be invalid after "0;" range - debian/patches/CVE-2022-2845.patch: reading before the start of the line - CVE-2022-1629 - CVE-2022-1720 - CVE-2022-1733 - CVE-2022-1735 - CVE-2022-1851 - CVE-2022-1927 - CVE-2022-2845 * SECURITY UPDATE: crash when matching buffer with invalid pattern - debian/patches/CVE-2022-1674.patch: check for NULL regprog - CVE-2022-1674 * SECURITY UPDATE: buffer over-write - debian/patches/CVE-2022-1785.patch: add textlock flag to disallow changing text or switching window before calling vim_regsub_multi() in src/ex_cmds.c. - CVE-2022-1785 * SECURITY UPDATE: heap-based buffer overflow - debian/patches/CVE-2022-1942.patch: adds a control to disallow the opening of a command line window when text or buffer is locked. 
- debian/patches/CVE-2022-2344.patch: reading past end of completion with duplicate match - debian/patches/CVE-2022-2571.patch: reading past end of line with insert mode completion - debian/patches/CVE-2022-2849.patch: invalid memory access with for loop over NULL string - CVE-2022-1942 - CVE-2022-2344 - CVE-2022-2571 - CVE-2022-2849 * SECURITY UPDATE: searching for quotes may go over the end of the line - debian/patches/CVE-2022-2124.patch: check for running into the NULL - CVE-2022-2124 * SECURITY UPDATE: lisp indenting my run over the end of the line - debian/patches/CVE-2022-2125.patch: check for NULL earlier - CVE-2022-2125 * SECURITY UPDATE: using invalid index when looking for spell suggestions - debian/patches/CVE-2022-2126.patch: do not decrement the index when it is zero - CVE-2022-2126 * SECURITY UPDATE: out-of-bounds write - debian/patches/CVE-2022-2129.patch: prevents the editing of another file when either curbuf_lock or textlock is set. - CVE-2022-2129 * SECURITY UPDATE: invalid memory access when using an expression on the command line - debian/patches/CVE-2022-2175-1.patch: make sure the position does not go negative - debian/patches/CVE-2022-2175-2.patch: add missing #ifdef FEAT_EVAL - CVE-2022-2175 * SECURITY UPDATE: reading beyond the end of the line with lisp indenting - debian/patches/CVE-2022-2183.patch: avoid going over the NUL at the end of the line - CVE-2022-2183 * SECURITY UPDATE: accessing invalid memory after changing terminal size - debian/patches/CVE-2022-2206.patch: adjust cmdline_row and msg_row to the value of Rows - CVE-2022-2206 * SECURITY UPDATE: spell dump may go beyond end of an array - debian/patches/CVE-2022-2304.patch: limit the word length - CVE-2022-2304 * SECURITY UPDATE: using freed memory with recursive substitution - debian/patches/CVE-2022-2345.patch: always make a copy of reg_prev_sub - CVE-2022-2345 * SECURITY UPDATE: illegal memory access when pattern starts with illegal byte - debian/patches/CVE-2022-2581.patch: 
do not match a character with an illegal byte - CVE-2022-2581 * SECURITY UPDATE: null pointer dereference issue - debian/patches/CVE-2022-2923.patch: crash when using ":mkspell" with an empty .dic file - debian/patches/CVE-2022-2980.patch: crash with mouse click when not initialized - CVE-2022-2923 - CVE-2022-2980 * SECURITY UPDATE: NULL pointer dereference when creating blank mouse pointer - debian/patches/CVE-2022-47024.patch: only use the return value of XChangeGC() when it is not NULL. - CVE-2022-47024 * SECURITY UPDATE: invalid memory access with bad 'statusline' value - debian/patches/CVE-2023-0049.patch: avoid going over the NULL at the end of a statusline. - CVE-2023-0049 * SECURITY UPDATE: invalid memory access with recursive substitute expression - debian/patches/CVE-2023-0054.patch: check the return value of vim_regsub(). - CVE-2023-0054 * SECURITY UPDATE: invalid memory access with folding and using "L" - debian/patches/CVE-2023-0288.patch: prevent the cursor from moving to line zero. - CVE-2023-0288 * SECURITY UPDATE: reading past the end of a line when formatting text - debian/patches/CVE-2023-0433.patch: check for not going over the end of the line. - CVE-2023-0433 * SECURITY UPDATE: heap based buffer overflow vulnerability - debian/patches/CVE-2023-1170.patch: accessing invalid memory with put in Visual block mode - CVE-2023-1170 * SECURITY UPDATE: incorrect calculation of buffer size - debian/patches/CVE-2023-1175.patch: illegal memory access when using virtual editing - CVE-2023-1175 * SECURITY UPDATE: NULL pointer dereference vulnerability - debian/patches/CVE-2023-1264.patch: using NULL pointer with nested :open command - CVE-2023-1264 -- [1] http://cloud-images.ubuntu.com/releases/focal/release-20230420/ [2] http://cloud-images.ubuntu.com/releases/focal/release-20230209/