A new release of the Ubuntu Cloud Images for stable Ubuntu release 22.10 (Kinetic Kudu) is available at [1]. These new images supersede the existing images [2].

Images are available for download or immediate use on EC2 via published AMI IDs.

Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

* curl: 7.85.0-1ubuntu0.2 => 7.85.0-1ubuntu0.3
* fwupd-signed: 1.44+1.2-3 => 1.51~22.10.1+1.2-3ubuntu0.2
* gnutls28: 3.7.7-2ubuntu2 => 3.7.7-2ubuntu2.1
* grub2-signed: 1.187.2+2.06-2ubuntu14 => 1.187.3+2.06-2ubuntu14.1
* grub2-unsigned: 2.06-2ubuntu14 => 2.06-2ubuntu14.1
* linux-meta: 5.19.0.31.28 => 5.19.0.35.32
* linux-signed: 5.19.0-31.32 => 5.19.0-35.36
* nss: 2:3.82-1 => 2:3.82-1ubuntu0.1
* shim-signed: 1.51+15.4-0ubuntu9 => 1.54+15.7-0ubuntu1
* tar: 1.34+dfsg-1build3 => 1.34+dfsg-1ubuntu0.1.22.10.1

The following is a complete changelog for this image.
new: {'linux-modules-5.19.0-35-generic': '5.19.0-35.36', 'linux-headers-5.19.0-35': '5.19.0-35.36', 'linux-headers-5.19.0-35-generic': '5.19.0-35.36'}
removed: {'linux-modules-5.19.0-31-generic': '5.19.0-31.32', 'linux-headers-5.19.0-31': '5.19.0-31.32', 'linux-headers-5.19.0-31-generic': '5.19.0-31.32'}
changed: ['curl', 'fwupd-signed', 'grub-efi-amd64-bin', 'grub-efi-amd64-signed', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libgnutls30:amd64', 'libnss3:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.19.0-35-generic', 'linux-image-virtual', 'linux-virtual', 'shim-signed', 'tar']

new snaps: {}
removed snaps: {}
changed snaps: ['lxd', 'snapd']

==== curl: 7.85.0-1ubuntu0.2 => 7.85.0-1ubuntu0.3 ====
==== curl libcurl3-gnutls:amd64 libcurl4:amd64

  * SECURITY UPDATE: multiple HSTS issues
    - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3, docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c, lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c, lib/url.c, lib/urldata.h.
    - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles in src/tool_operate.c.
    - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host name again in lib/hsts.c.
    - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
    - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in tests/data/Makefile.inc, tests/data/test446.
    - CVE-2023-23914
    - CVE-2023-23915
  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916-pre1.patch: do CRLF replacements in tests/FILEFORMAT.md, tests/data/test1, tests/runtests.pl.
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for each header in lib/content_encoding.c, lib/urldata.h, tests/data/Makefile.inc, tests/data/test387, tests/data/test418.
    - CVE-2023-23916

==== fwupd-signed: 1.44+1.2-3 => 1.51~22.10.1+1.2-3ubuntu0.2 ====
==== fwupd-signed

  * Remove i386 and armhf from the architecture list
  * Check that we are signing the correct version of fwupd and it is not revoked

  [ Julian Andres Klode ]
  * Rebuild for 2022v1 resigning (LP: #2003365)

  [ Andy Whitcroft ]
  * Fix signing artifact download when faced with an authenticated archive pool. Switch to using common download-signed from grub2/kernel.

==== gnutls28: 3.7.7-2ubuntu2 => 3.7.7-2ubuntu2.1 ====
==== libgnutls30:amd64

  * SECURITY UPDATE: timing sidechannel in RSA decryption
    - debian/patches/CVE-2023-0361-1.patch: side-step potential side-channel in lib/auth/rsa.c.
    - debian/patches/CVE-2023-0361-2.patch: remove dead code in lib/auth/rsa.c.
    - CVE-2023-0361

==== grub2-signed: 1.187.2+2.06-2ubuntu14 => 1.187.3+2.06-2ubuntu14.1 ====
==== grub-efi-amd64-signed

==== grub2-unsigned: 2.06-2ubuntu14 => 2.06-2ubuntu14.1 ====
==== grub-efi-amd64-bin

  * Cherry-pick all memory patches from rhboot
    - Allocate initrd > 4 GB (LP: #1842320)
    - Allocate kernels as code, not data (needed for newer firmware)
  * ubuntu: Fix casts on i386-efi target
  * Cherry-pick all the 2.12 memory management changes (LP: #1842320)
  * Allocate executables as CODE, not DATA in chainloader and arm64

==== linux-meta: 5.19.0.31.28 => 5.19.0.35.32 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 5.19.0-35

  * Bump ABI 5.19.0-34

==== linux-signed: 5.19.0-31.32 => 5.19.0-35.36 ====
==== linux-image-5.19.0-35-generic

  * Master version: 5.19.0-35.36

  * Miscellaneous Ubuntu changes
    - debian/tracking-bug -- update from master

  * Master version: 5.19.0-34.35

  * SIGNEDv3: add a linux-generate ancillary package (LP: #1989705)
    - [Packaging] convert to v3.1 autogen form

  * Miscellaneous Ubuntu changes
    - debian/tracking-bug -- update from master

==== nss: 2:3.82-1 => 2:3.82-1ubuntu0.1 ====
==== libnss3:amd64

  * SECURITY UPDATE: DoS when no client cert in database
    - debian/patches/CVE-2022-3479.patch: properly handle NULL lists in nss/lib/ssl/authcert.c.
    - CVE-2022-3479
  * SECURITY UPDATE: Arbitrary memory write via PKCS 12 in NSS
    - debian/patches/CVE-2023-0767.patch: improve handling of unknown PKCS#12 safe bag types in nss/lib/pkcs12/p12d.c, nss/lib/pkcs12/p12t.h, nss/lib/pkcs12/p12tmpl.c.
    - CVE-2023-0767

==== shim-signed: 1.51+15.4-0ubuntu9 => 1.54+15.7-0ubuntu1 ====
==== shim-signed

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture. (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64. (LP: #2004201)

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot systems, if the current kernel or any newer one is revoked, the previous shim will continue to be used until current kernel and all newer ones are signed with a non-revoked key.

==== tar: 1.34+dfsg-1build3 => 1.34+dfsg-1ubuntu0.1.22.10.1 ====
==== tar

  * SECURITY UPDATE: one-byte out of bounds
    - debian/patches/CVE-2022-48303.patch: check limit in src/list.c.
    - CVE-2022-48303

--
[1] http://cloud-images.ubuntu.com/releases/kinetic/release-20230302/
[2] http://cloud-images.ubuntu.com/releases/kinetic/release-20230215/
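A way to confirm that an instance updated in place actually carries the package versions announced above, as an added example that is not part of the announcement or of Ubuntu's tooling: it reimplements dpkg's version-ordering rules (epoch, then upstream version, then Debian revision, with '~' sorting before even the end of a string, which matters for the fwupd-signed 1.51~22.10.1 version) and reports packages still older than the announced versions. The INSTALLED sample is constructed stand-in data for parsed `dpkg-query -W` output, and the binary package names used as keys are assumptions.

```python
def _order(c):
    # dpkg character weight: '~' sorts before everything, even the end of the string (0)
    if c == "~":
        return -1
    return 0 if c.isdigit() else (ord(c) if c.isalpha() else ord(c) + 256)

def _verrevcmp(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character weights; a string that has ended weighs 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit run: compare numerically, so leading zeros are insignificant
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or "0"), int(b[sj:j] or "0")
        if na != nb:
            return na - nb
    return 0

def _split(v):
    # 'epoch:upstream-revision'; epoch defaults to 0, revision to ''
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), revision

def compare_versions(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions a lt|eq|gt b`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def outdated(installed, announced):
    """Names of packages whose installed version is older than the announced one."""
    return sorted(p for p, v in announced.items()
                  if p in installed and compare_versions(installed[p], v) < 0)

# Versions taken from the release note above, keyed by binary package name (assumed names).
ANNOUNCED = {"curl": "7.85.0-1ubuntu0.3", "fwupd-signed": "1.51~22.10.1+1.2-3ubuntu0.2",
             "libnss3": "2:3.82-1ubuntu0.1", "tar": "1.34+dfsg-1ubuntu0.1.22.10.1"}
# Constructed sample of parsed `dpkg-query -W -f='${Package} ${Version}\n'` output.
INSTALLED = {"curl": "7.85.0-1ubuntu0.2", "fwupd-signed": "1.44+1.2-3",
             "libnss3": "2:3.82-1ubuntu0.1", "tar": "1.34+dfsg-1ubuntu0.1.22.10.1"}
```

`outdated(INSTALLED, ANNOUNCED)` returns `['curl', 'fwupd-signed']` for the sample, the two packages still at the superseded versions.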