A new release of the Ubuntu Cloud Images for stable Ubuntu release 22.04 (Jammy Jellyfish) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * cloud-init: 23.1.1-0ubuntu0~22.04.1 => 23.1.2-0ubuntu0~22.04.1 * linux-meta: 5.15.0.70.68 => 5.15.0.71.69 * linux-signed: 5.15.0-70.77 => 5.15.0-71.78 * openssl: 3.0.2-0ubuntu1.8 => 3.0.2-0ubuntu1.9 * tzdata: 2023c-0ubuntu0.22.04.0 => 2023c-0ubuntu0.22.04.1 The following is a complete changelog for this image. new: {'linux-modules-5.15.0-71-generic': '5.15.0-71.78', 'linux-headers-5.15.0-71': '5.15.0-71.78', 'linux-headers-5.15.0-71-generic': '5.15.0-71.78'} removed: {'linux-headers-5.15.0-70-generic': '5.15.0-70.77', 'linux-headers-5.15.0-70': '5.15.0-70.77', 'linux-modules-5.15.0-70-generic': '5.15.0-70.77'} changed: ['cloud-init', 'libssl3:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.15.0-71-generic', 'linux-image-virtual', 'linux-virtual', 'openssl', 'tzdata'] new snaps: {} removed snaps: {} changed snaps: [] ==== cloud-init: 23.1.1-0ubuntu0~22.04.1 => 23.1.2-0ubuntu0~22.04.1 ==== ==== cloud-init * SECURITY UPDATE: Make user/vendor data sensitive and remove log permissions Because user data and vendor data may contain sensitive information, this commit ensures that any user data or vendor data written to instance-data.json gets redacted and is only available to root user. Also, modify the permissions of cloud-init.log to be 640, so that sensitive data leaked to the log isn't world readable. Additionally, remove the logging of user data and vendor data to cloud-init.log from the Vultr datasource. This is based on upstream snapshot of 23.1.2 [(LP: #2013967)] - d/cloud-init.postinst: postinst fixes for LP: #2013967 Redact sensitive keys from world-readable instance-data.json on upgrade. Set perms 640 for /var/log/cloud-init.log on pkg upgrade. Redact sensitive Vultr messages from /var/log/cloud-init.log - (CVE-2023-1786) ==== linux-meta: 5.15.0.70.68 => 5.15.0.71.69 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 5.15.0-71 ==== linux-signed: 5.15.0-70.77 => 5.15.0-71.78 ==== ==== linux-image-5.15.0-71-generic * Master version: 5.15.0-71.78 * Miscellaneous Ubuntu changes - debian/tracking-bug -- update from master ==== openssl: 3.0.2-0ubuntu1.8 => 3.0.2-0ubuntu1.9 ==== ==== libssl3:amd64 openssl * SECURITY UPDATE: double locking when processing X.509 certificate policy constraints - debian/patches/CVE-2022-3996-1.patch: revert commit 9aa4be69 and remove redundant flag setting. - debian/patches/CVE-2022-3996-2.patch: add test case for reported deadlock. - CVE-2022-3996 * SECURITY UPDATE: excessive resource use when verifying policy constraints - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created in a policy tree (the default limit is set to 1000 nodes). - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy resource overuse. - debian/patches/CVE-2023-0464-3.patch: disable the policy tree exponential growth test conditionally. - CVE-2023-0464 * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs. - debian/patches/CVE-2023-0465-2.patch: generate some certificates with the certificatePolicies extension. - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test. - CVE-2023-0466 * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy not enabled as documented - debian/patches/CVE-2023-0466.patch: fix documentation of X509_VERIFY_PARAM_add0_policy(). - CVE-2023-0466 ==== tzdata: 2023c-0ubuntu0.22.04.0 => 2023c-0ubuntu0.22.04.1 ==== ==== tzdata * Build timezones that differ pre-1970 (LP: #2003797) * Add autopkgtest test case for pre-1970 timestamps * Update debconf template and translations -- [1] http://cloud-images.ubuntu.com/releases/jammy/release-20230427/ [2] http://cloud-images.ubuntu.com/releases/jammy/release-20230424/