A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with:
   'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs
for a complete listing of changes:
 * ca-certificates: 20211016~20.04.1 => 20211016ubuntu0.20.04.1 
 * cloud-init: 22.3.4-0ubuntu1~20.04.1 => 22.4.2-0ubuntu0~20.04.2 
 * heimdal: 7.7.0+dfsg-1ubuntu1.1 => 7.7.0+dfsg-1ubuntu1.2 
 * libxml2: 2.9.10+dfsg-5ubuntu0.20.04.4 => 2.9.10+dfsg-5ubuntu0.20.04.5 
 * python3.8: 3.8.10-0ubuntu1~20.04.5 => 3.8.10-0ubuntu1~20.04.6 
 * tzdata: 2022f-0ubuntu0.20.04.1 => 2022g-0ubuntu0.20.04.1 
 * ubuntu-advantage-tools: 27.11.3~20.04.1 => 27.12~20.04.1 


The following is a complete changelog for this image.
new: {}
removed: {}
changed: ['ca-certificates', 'cloud-init', 'libasn1-8-heimdal:amd64', 'libgssapi3-heimdal:amd64', 'libhcrypto4-heimdal:amd64', 'libheimbase1-heimdal:amd64', 'libheimntlm0-heimdal:amd64', 'libhx509-5-heimdal:amd64', 'libkrb5-26-heimdal:amd64', 'libpython3.8-minimal:amd64', 'libpython3.8-stdlib:amd64', 'libpython3.8:amd64', 'libroken18-heimdal:amd64', 'libwind0-heimdal:amd64', 'libxml2:amd64', 'python3.8', 'python3.8-minimal', 'tzdata', 'ubuntu-advantage-tools']
new snaps: {}
removed snaps: {}
changed snaps: ['core20', 'lxd']
==== ca-certificates: 20211016~20.04.1 => 20211016ubuntu0.20.04.1 ====
====     ca-certificates
  * Add Trustcor root certificates to mozilla/blacklist.txt: (LP: #1998785)
    - "TrustCor RootCert CA-1"
    - "TrustCor RootCert CA-2"
    - "TrustCor ECA-1"
==== cloud-init: 22.3.4-0ubuntu1~20.04.1 => 22.4.2-0ubuntu0~20.04.2 ====
====     cloud-init
  * d/compat & d/control: revert bump debhelper-comat to v10. Avoid
    service restarts across package upgrade (LP: #1999159)
    - d/compat: replaced with compat level 9
    - d/control: Build-Depends: revert to debhelper >= 9
  * Upstream snapshot based on 22.4.2 upstream release. (LP: #1996645)
    - List of changes from upstream can be found at
      https://raw.githubusercontent.com/canonical/cloud-init/22.4.2/ChangeLog
    - Includes (LP: #1997559, #1844191) not present in 22.4.0.
  * d/control: drop python3-httpretty from Build-Depends
  * d/cloud-init.templates: Add NWCS to datasource list
  * refresh patches:
    + debian/patches/expire-on-hashed-users.patch
  * Upstream snapshot based on 22.4 upstream release. (LP: #1996645)
    List of changes from upstream can be found at
    https://raw.githubusercontent.com/canonical/cloud-init/22.4/ChangeLog
==== heimdal: 7.7.0+dfsg-1ubuntu1.1 => 7.7.0+dfsg-1ubuntu1.2 ====
====     libasn1-8-heimdal:amd64 libgssapi3-heimdal:amd64 libhcrypto4-heimdal:amd64 libheimbase1-heimdal:amd64 libheimntlm0-heimdal:amd64 libhx509-5-heimdal:amd64 libkrb5-26-heimdal:amd64 libroken18-heimdal:amd64 libwind0-heimdal:amd64
  * SECURITY UPDATE: out-of-bounds memory access
    - debian/patches/CVE-2022-41916.patch: move variable assignment and
      increment to be done later in time to prevent unintended read in
      find_composition() in lib/wind/normalize.c.
    - CVE-2022-41916
==== libxml2: 2.9.10+dfsg-5ubuntu0.20.04.4 => 2.9.10+dfsg-5ubuntu0.20.04.5 ====
====     libxml2:amd64
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-2309.patch: reset nsNr in
      xmlCtxReset in parser.c (LP: #1996494).
    - CVE-2022-2309
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-40303.patch: fix integer overflows
      with XML_PARSE_HUGE in parser.c.
    - CVE-2022-40303
  * SECURITY UPDATE: Double-free
    - debian/patches/CVE-2022-40304.patch: fix dict
      corruption caused by entity ref cycles in
      entities.c.
    - CVE-2022-40304
==== python3.8: 3.8.10-0ubuntu1~20.04.5 => 3.8.10-0ubuntu1~20.04.6 ====
====     libpython3.8-minimal:amd64 libpython3.8-stdlib:amd64 libpython3.8:amd64 python3.8 python3.8-minimal
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2022-37454.patch: fixes buffer overflow in
      Modules/_sha3/kcp/KeccakSponge.inc.
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-45061.patch: fix quadratic time idna
      decoding in Lib/encodings/idna.py.
==== tzdata: 2022f-0ubuntu0.20.04.1 => 2022g-0ubuntu0.20.04.1 ====
====     tzdata
  * Update the ICU timezone data to 2022g (LP: #1998321)
  * Point Vcs-Browser/Git to Launchpad
  * New upstream release (LP: #1998321)
    - The northern edge of Chihuahua changes to US timekeeping.
    - Much of Greenland stops changing clocks after March 2023.
    - Fix some pre-1996 timestamps in northern Canada.
  * No ICU data update yet as none is yet available upstream.
  * d/watch: Switch from failing ftp to https
  * debian/tzdata.templates: Add Ciudad_Juarez
==== ubuntu-advantage-tools: 27.11.3~20.04.1 => 27.12~20.04.1 ====
====     ubuntu-advantage-tools
  * Backport new upstream release: (LP: #1996424) to focal
  * New upstream release 27.12 (LP: #1996424):
    - auto-attach:
      + retry auto-attach for up to one month on Ubuntu Pro cloud instances
      + make a best effort to auto-attach when using the API
    - enable: show deduplicated list of supported arches (GH: #917)
    - fips: remove cloud package override logic from the client
    - messaging: verify contract expiration date on contract server before
      outputting expired message on MOTD
    - realtime-kernel: make service non-beta
    - reboot-required:
      + add API support to show if the system requires a reboot
        (u.pro.security.status.reboot_required.v1)
      + add cli command for the functionality (pro system reboot-required)
    - security-status:
      + add API support to report standard updates (u.pro.packages.updates.v1)
      + add API support to show CVEs patched by Livepatch
        (u.pro.security.status.livepatch_cves.v1)
      + add API support to show packages summary information
        (u.pro.packages.summary.v1)
      + list packages in oci manifest format (u.security.package_manifest.v1)
    - systemd: do not attempt to auto-attach if a machine-token is present
  * New upstream release 27.11.3: (LP: #1993006)
    - d/postinst: remove the Ubuntu Pro beta apt message and set up the
      configurable flag for "APT news" instead
    - collect-logs: do not fail if a file cannot be read (LP: #1991858)
    - config: add a flag to disable "APT news" (LP: 1992026)
    - messaging: add announcement of "APT news" to apt output
    - messaging: only show "APT news" when using apt binary (GH: #2288)
    - version: use /run instead of /tmp for version file (GH: #2294)
  * New upstream release 27.11.2: (LP: #1991173)
    - esm: add the --beta flag back to esm-apps
    - messaging: show Ubuntu Pro beta message in apt output
    - security-status: don't show esm-apps information when the service is not
      enabled
    - ros: add the --beta flag back to ros and ros-updates
  * New upstream release 27.11.1: (LP: #1990907)
    - Fix release upgrade when ESM packages are installed
      + d/postinst: remove series information from the APT preferences template
      + esm: remove series information from the APT preferences file
  * d/control:
    - Update VCS references
  * d/links:
    - add usr/bin/pro as an alias to ubuntu-advantage
  * d/postinst:
    - include root_mode parameter when creating UAConfig instances
    - change calls to add_notice to notice_file.add
    - create public machine-token file if it does not exist
  * New upstream release 27.11 (LP: #1989279)
    - api:
      + new `pro api` command to access the public client API
      + 'version' endpoint returning version information
      + 'should auto attach' endpoint informing if a system should run
        auto-attach on startup
      + 'full auto attach' endpoint performing auto-attach
      + 'magic attach' endpoints for the Magic Attach flow
    - auto-attach:
      + better errors for invalid pro images (GH: #2180, #1833)
      + don't detach on already auto-attached instances
      + no-op when ubuntu-advantage information is present on cloud-init
        userdata
      + change systemd unit to run after cloud-config
    - cli:
      + cli: better error message on unrecognized flags (GH: #672)
    - collect-logs:
      + can now be executed as a non-root user
      + is executed automatically and result is appended when using apport to
        report a bug
    - docs: now formatted to be built with sphinx, and published in readthedocs
    - enable:
      + new access-only flag for usecases where auto-install is undesired
      + fix apt auth line replacement (LP: #1985863)
    - esm-apps: generally available as non-beta as part of Ubuntu Pro
    - fix: check if livepatch has already fixed a CVE before attempting a fix
    - jobs: new timer job to check if the release reached end of support
    - pro:
      + Ubuntu Pro is released as a product
      + make `pro` the recommended executable for the client
      + client, apt and motd messages updated/rewritten to show Pro 
        information
      + base URL changed from /advantage to /pro
      + ESM services renamed as part of Pro
    - ros: released as a non-beta entitlement
    - security-status
      + does not require the --format flag anymore
      + human readable output added based on ubuntu-security-status
      + machine readable output contains CVEs fixed by Livepatch
      + package counts include all esm-infra and esm-apps repositories
    - status:
      + don't show unavailable services by default (GH: #2156, #2159)
      + expiry date formatted based on timezone (GH: #695)
      + non-root users get the current status instead of a cached version
      + --wait flag now working for non-root users
    - version: warn about new available versions of the client in CLI command
      output and API calls
  * apt-hook: Fix missing import warning when compiling
  * d/control:
    - Drop golang dependencies
  * d/rules:
    - Only install APT hooks on LTS series
  * New upstream release 27.10 (LP: #1980990)
    - apt-hook: replace golang with cpp for json-hook
    - cli
      + properly sort services for detach/attach (GH: #1831)
      + collect-logs include rotated log files
      + display UA features directly on status
    - daemon: do not try enabling daemon during auto-attach (LP: #1980865)
    - fix:
      + update ua portal url when asking for attach
      + add --dry-run option
    - gcp-pro: better error message for metadata endpoint error
    - requests: Add default timeout for web requests
    - timer: log when job start running
    - security-status: include download size of package updates
  * d/rules
    - remove trusty specific code
    - remove ua-license-check.{timer,service,path}
    - install ubuntu-advantage.service
    - only on xenial: install ubuntu-advantage-cloud-id-shim.service
  * d/tools.preinst: remove old config field to avoid warnings in logs
  * d/tools.postinst
    - remove trusty specific code
    - print warnings if /etc/os-release doesn't have required fields
    - hardcode service list instead of exec-ing python3 for old migration
    - refactor python to avoid instantiating UAConfig extra times
    - refactor python to always use messages module for strings
    - rm the old marker file that triggered ua-license-check.path
    - remove unnecessary deb-systemd-helper check in ua-messaging cleanup
    - clean up old ua-license-check state
    - run new cloud-id-shim script
  * d/tools/postrm
    - clean up ubuntu-advantage-daemon log files
  * New upstream release 27.9 (LP: #1973099)
    - cli:
      + for json formatted output, include additional_info for some errors
      + new subcommand `ua refresh messages` to update motd and apt messages
    - daemon:
      + replace ua-license-check timer with ubuntu-advantage.service daemon
      + detects on-boot if pro license was added and runs auto-attach
      + only runs on gcp and does not continuously long-poll by default for now
    - enable:
      + fix error message on wrong service name when unattached
    - fips:
      + allow enabling generic fips kernel on azure by default
      + clean up fips reboot message (LP: #1972026)
    - fix:
      + handle errors during attach process
      + fix bug where enable or detach during a fix failed (LP: #1969809)
      + fix bug where attempting to fix some CVEs would never finish
    - performance:
      + remove unnecessary UAConfig object instantiation (also cleans up logs)
      + cache "apt-cache policy" output to avoid unnecessary subp calls
    - proxy:
      + apt_http(s)_proxy renamed to global_apt_http(s)_proxy
      + apt_http(s)_proxy config var names will still work
      + new ua_apt_http(s)_proxy for only ua-related apt traffic (LP: #1956764)
      + global_apt_http(s)_proxy and ua_apt_http(s)_proxy cannot be set at the
        same time
    - realtime: adjust warning to clarify that a manual revert is possible
    - refresh: a normal `ua refresh` will also update motd and apt messages
    - security-status: add counts of packages from each archive component
    - status: check if contract has updated and notify user to run "ua refresh"
  * New upstream release 27.8 (LP: #1969125)
    - entitlements: apply overrides from the contract response
    - fips:
      + unhold fips packages when enabling fips-updates
      + Automatically disable fips service before enabling fips-updates
      + unhold more packages when enabling fips
    - lib: fix upgrade script for unsupported releases (LP: #1968067)
    - realtime: add support for realtime kernel beta service on Jammy
  * fips:
    - make fips service incompatible with fips-updates
    - unhold more packages when enabling fips
  * d/changelog:
    - fix changelog trailer line for 27.4.1
  * d/logrotate:
    - make new logs world readable
  * d/tools.postinst:
    - refactor to catch exception from entitlement_factory
    - no longer always set log file to only root readable
    - when creating log file for the first time, make world readable
    - adapt postinst for new messages module
  * New upstream release 27.7 (LP: #1964028)
    - attach: --attach-config option for customizing auto-enabled services
      and supplying token via a file
    - auto-attach: fix bug where auto-attach caused a manually attached
      machine to detach
    - cli:
      + support --format=json for attach
      + support --format=json for detach
      + support --format=json for enable
      + support --format=json for disable
    - contract: include activity info when updating contract
    - detach: no longer contacts contract server on detach
    - fips: allow fips on containers
    - fix: support USNs that don't have related CVEs
    - logs: make all newly created logs world-readable
    - security-status:
      + show already installed esm package counts
      + include APT origin for each potential update
      + bump schema version to "0.1"
      + remove previously required --beta flag
    - status:
      + include blocked_by information in service status when format=json
      + --simulate-with-token now reports expired tokens as errors
      + --simulate-with-token now returns errors in the specified format
  * New upstream release 27.6 (LP: #1958556)
    - cli: only request available resources from contract server when needed
    - fips:
      + allow enabling FIPS on focal clouds
      + update prompt messages
    - jobs: disable license-check job on GCP after attach
    - message: fix how apt and motd messages are updated after ua commands
  * d/control:
    - Update homepage URL
  * d/tools.postinst:
    - Refactor to use valid_services
  * d/tools.postrm:
    - Use a wildcard to remove ua related gpg files
  * New upstream release 27.5 (LP: #1956456)
    - aws: add support for the IPv6 metadata endpoint
    - cis: update URL for the documentation
    - cli:
      + add endpoint to simulate the status using a specific contract token
      + fix return code when attaching an already attached machine (GH: #1867)
      + fix security-status to consider all possible origins to show updates
      + include cloud build.info in the collect-logs tarball
      + only show services which exist in the contracts server in ua status
    - docs: fix typos and wrong/outdated information
    - livepatch: always use the full path in livepatch calls (LP: #1951954)
    - logs:
      + improve rules to redact sensitive information from all log files
      + redact sensitive information from older unredacted log files
      + log errors from external software execution, for debugging purposes
    - usg:
      + support the presentedAs affordance from the contract server, showing
        services in the CLI with the appropriate names
      + replace the CIS entitlement by USG on Focal and onwards
  * d/tools.postinst:
    - Fix check_service_is_enabled function when the machine is
      unattached (LP: #1951705)
  * jobs: do not run the status job for unattached users
  * d/rules:
    - Remove conftest file from the package
  * d/tools.postinst:
    - hardcode python binary to run python scripts (LP: #1930121)
    - undo unnecessary log file creation
  * d/tools.prerm:
    - hardcode python binary to run python scripts (LP: #1930121)
  * New upstream release 27.4 (LP: #1949634)
    - cc-eal: remove beta flag
    - cli:
      + attach will save machine-id during operation
      + detach won't ask unnecessary questions
      + new security-status subcommand lists potentially available
        security and ESM updates (beta)
    - fix:
      + exit 0 when fix is successfully applied and completed
      + exit 1 when fix cannot be applied
      + exit 2 when fix requires a reboot to complete
      + check reboot-required.pkgs for better reboot suggestions
    - livepatch: allow livepatch and fips-updates at the same time
    - metering:
      + update how activity info is parsed
      + update contract response structure
      + enable job by default
    - proxy: no_proxy defaults for link-local IMDS routes
    - util:
      + cache get_platform_info calls
      + fix machine-id fallback path on get_machine_id
  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
      + only runs on LTS GCP instances that are not attached
      + runs every 5 minutes to check if gcp instance has license required to
        auto-attach
    - logs:
      + fixes duplicate logging (GH: #553)
    - tests and support:
      + remove groovy integration tests
      + various improvements to integration tests
  * d/tools.postinst:
    - Do not fail in postinst if cloud-init did not run.
      This fixes the regression introduced in 27.2.1. (LP: #1936833)
  * d/control:
    - remove unnecessary distro-info dependency from build-depends
  * d/rules:
    - pick right version of distro-info based on release
  * docs:
    + add information about proxy auth to manpage and readme
  * lib:
    + handle missing configStatus key in patch status json script
  * d/control:
    - add comments to explain complex build-depends
    - add version requirement to distro-info (LP: #1932028)
  * d/tools.postinst:
    - run status.json schema patch script to avoid non-root status errors
  * New upstream release 27.2:
    - attach: print contract server reason for 403 (GH: #1630)
    - cli: add ua config set, unset and show subcommands
    - config:
      + add default ua_config setting values
      + only allow some fields to be set by envvar
      + use defaults for contract and security url
    - docs:
      + add proxy config options to man page
      + add instructions to generate MOTD messages
      + add support matrix info
      + remove broken api link
    - enable: allow downgrading packages during enable (GH: #1659)
    - fips:
      + add focal test for fips-updates
      + alert if wrong fips package installed on gov clouds
      + install correct fips package on gov clouds
      + only install conditional_packages if necessary and available
    - logs: log env vars that affect config on cli runs
    - proxy:
      + add config options to set proxies
      + print message when setting proxy
      + support configuring apt proxies
      + support configuring snap and livepatch proxies
      + support setting proxy for web requests
      + validate urls before setting as proxies
    - refresh: support refreshing config and contract separately
    - status
      + add config info to json output
      + add env vars to json output
      + do not show unavailable services in json output
      + support yaml format with same content as json format
      + update account info in json output
      + update contract info in json output
      + update root level keys of json output
    - refactor:
      + remove side effects from can_enable (GH: #1654, #1571)
      + use DatetimeAwareJSONDecoder to parse date strings
    - tests:
      + add additional enable test for incompatible services
      + add flag to enable proposed pocket
      + add test to check and print version being tested
      + drop trusty specific tests
  * Cherrypick upstream pr #1681 to unbreak many migrations. LP: #1930741
  * d/control:
    - specify debianutils min version
  * d/changelog:
    - fix lintian typos amend and redact incorrect 27.0 entry (GH: #1624)
  * lintian:
    - override ubuntu-advantage-pro wanted-by-target cloud-init
    - override xenial specific errors
    - rename package-specific overrides for pro vs tools
  * New upstream release 27.1:
    - apt-hook:
      + avoid segfault when comparing null Apt file origin to esm
        (LP: #1929123)
      + avoid wrapping static message formats at 80 chars
      + update go build flags based on lintian warnings (GH: #1626)
      + only add newlines for MOTD if message file length is non-zero
    - attach: do not print contract name if empty
    - autocomplete: Do not show beta services in autocomplete (GH: #1594)
    - cis:
      + make service non-beta
      + post enable message pointing to docs
      + update cis help url
    - docs: update releases.md per SRU review feedback on branch structuring
    - enable: correct messaging for beta service (GH: #1588)
    - errors: print a more helpful message when ssl fails (GH: #1618)
    - fips:
      + Block enabling fips if fips-updates once enabled (GH: #1600)
      + Update output of fips commands (GH: #1631)
    - livepatch: alert when snapd does not have wait cmd (LP: #1927329)
    - logging: remove tracebacks for UserFacingErrors (GH: #1586)
    - messaging:
      + Infra and Apps messaging is mutually exclusive (GH: #1573)
      + point to u.com/16-04 instead of u.com/advantage on ESM (GH: #1584)
      + separate _remove_msg_template. emit no warranty on infra disabled
    - pro: obtain AWS IMDSv2 API token before trying to grab pkcs7 doc
      (GH: #1608)
    - status: do not show info if not on contract (GH: #1592)
    - tests:
      + drop trusty specific tests
      + fix mock for handle_message_operations
      + fix motd message for bionic (GH: #1615)
      + integration tests for hirsute and groovy
      + manual test for trusty upgrade to xenial
      + reboot after dist-upgrade for upgrade test
      + test enabling CIS on focal (GH: #1582)
      + update messages in integration tests (GH: #1635)
      + use proposed pocket on xenial upgrade test
    - jenkins:
      + add pytest runs for xenial and bionic
      + run focal lxd integration tests
  * d/control:
    - order build-depends alternatives newer first (LP: #1926949)
    - apt-hook: do not attempt to package go APT JSON hook on some
      architectures (GH: #1603) (LP: #1927886, LP: #1927795)
  * Bug-fix release 27.0.2: build failures on riscv64 and powerpc
    - apt-hook: refactor json hook messaging to be dry
    - tests: fix subp ls error case for powerpc builds
    - jenkinsfile: add --resolve-alternatives for trusty builds
    - amend changelog: add omitted apt-hook message for 27.0.1 stanza
  * Add .gitignore and cleanup ignored directory .pytest_cache
  * apt-hook: mitigate failures with true
  * New upstream release 27.0:
    - [redacted: actually landed in 27.0.1] apt-hook: mitigate failures with
      true
    - messages: add optional (s) to apt messaging to include
      singular/plural pkgs
    - apt-hook: avoid reporting and counting duplicate package
      names (GH: #1578)
    - fix: don't say reboot required when unnecessary (LP: #1926183)
    - test: uncomment additional xenial upgrade tests
  * New upstream beta3 release:
    - config: avoid tracebacks on invalid features value in uaclient.conf
      (GH: #1564)
    - apt-hook: new json hook for security update counts
    - Remove redundant messaging from uaclient
  * d/control:
    - add distro-info dependency
    - add new debianutils dependency
    - add optional dh-systemd | debhelper (>= 13.3) to fallback on hirsute
      and later when dh-systemd is not present
  * d/rules: enable and start ua-messaging.timer on package install
  * d/postinst:
    - configure esm on any LTS release avoid beta services
    - configure esm-infra when is_active_esm and apps on LTS
    - xenial enable unauthenticated apt source for apps/infra
  * New upstream release 27.0~beta:
    - apt-hook:
      + adapt hook to process separate message templates
      + esm-apps and esm-infra pkg counts not mutually-exclusive
      + print static messages on apt upgrade/dist-upgrade (GH: #1546)
    - config: create settings_overrides on config (GH: #1507)
    - docs: add entry for uploading new version to ppa
    - esm:
      + add pin never when disabling esm-infra/apps on xenial
      + enable infra when EOL LTS and apps on all LTS (GH: #1558)
    - fips: add notice when installing over old fips
    - fix:
      + add links to ubuntu.com/gcp/aws in messaging when on non-PRO
      + add notice to reboot operation on ua fix
      + do not prompt user for beta services (GH: #1544)
      + notify users if reboot is required  (GH: #1476)
      + update how the expired token logic works
      + wrap output greater than 80 chars (GH: #1487)
    - lib: fix notice handling on reboot script
    - messages
      + provide static message files for use in APT and MOTD
      + update_ua_messages on attach/detach/disable
    - mypy: add lib/ dir for coverage
    - status: do not remove notices on non-root call (GH: #1518)
    - subp: separate % format strings when logging (GH: #1520)
    - systemd: add ua-messaging.timer to update ua MOTD and APT msgs
    - update-motd.d: add conditional hooks for motd to source ua messages
    - util: add is_lts and is_active_esm funtions to support ESM
    - test
      + add integration tests asserting esm-apps setup due to postinst
      + manual test script for xenial upgrade
      + trusty and xenial infra and apps disabled in pkg install
    - behave: use unaltered cloud images unsetting UACLIENT_BEHAVE_PPA
    - jenkins: make lint and style stage run sequentially
  * d/*: prefix all the debhelper conf files with the package name
  * d/control:
    - add Rules-Requires-Root: no
    - bump Standards-Version to 4.5.1
    - make ubuntu-advantage-pro Architecture: all
  * d/lintian-overrides:
    - override maintainer-script-calls-service
    - package-supports-alternative-init-but-no-init.d-script
  * d/postinst: move the u-a-pro note to a config script
  * d/ubuntu-advantage-tools.templates: suggest the use of apt
  * New upstream release 27.0~beta:
    - apt: add retry for apt-helper command (GH: #1431)
    - cli: drop subcommand repeated help output, fix enable & refresh
      (GH: #1440)
    - config:
      + allow parsing yaml delivered from env values
      + environment variable support for feature overrides (GH: #1395)
      + create config to add extra params to security url
    - docs:
      + add ppas and fix typos
      + use Ubuntu Pro not Ubuntu PRO
      + add stop "." punctuation to messages (GH: #1320)
    - fips: fix FIPS message when disable operation fails
    - fix:
      + add basic UASecurityClient to which queries CVE and USNs
      + add security_url to config
      + check if service is enabled during ua fix (GH: #1462)
      + closer representation of cve and usn responses
      + filter usns by cve details (GH: #1470)
      + fix regex to be more permissive and strict
      + get_cve_affected_source_packages_status won't list not-affected
        (GH: #1467)
      + handle other package status when running ua fix (GH: #1435)
      + improve error message for ua fix (GH: #1420)
      + install pkg fixes when they are on standard pocket (GH: #1401)
      + move timeout and retries to security client only
      + only prompt for subscription attach for UA-related pkg updates
      + parse all related USNS to a given CVE when fixing
      + parse full API responses for related CVEs and USNs
      + prefer USN.release_packages binary pkg versions to CVE src ver
        (GH: #1436)
      + prompt for new ua token when expired one is used (GH: #1475)
      + prompt to emit pro suggestion on pro_clouds if unattached (GH: #1386)
      + prompt to enable service during ua fix (GH: #1455)
      + provide related CVE URLs instead of USNs (GH: #1456)
      + raise errors when source_link is null or unexpected format
      + show packages that were not fixed in the output
      + update output for released packages in ua fix (GH: #1438)
      + update message for invalid issue in ua fix (GH: #1433)
      + use pocket values from USNs (GH: #1439)
    - logs: emit error response on API errors and redact sensitive logs
      (GH: #1424)
    - serviceclient: add 10 second timeout and two retries to API calls
      (GH: #1374)
    - util:
      + add error prompts on invalid selection
      + add timeout to readurl
    - tests:
      + Add disable_auto_attach config to all test PRO vms
      + add merge_usn_released_binary_package_versions tests
      + add unittest coverage for override_usn_release_package_status
      + drop traceback checks on fips integration tests
      + refactor integration tests for ua fix cmd
      + run status wait before detach in PRO tests
      + use ssh to run commands on lxd containers
    - jenkins: archiveArtifacts can only reference paths within workspace
  * d/control: add new debianutils dependency
  * New upstream release 26.3
    - util: improve is_container check for chroot
    - cli: pass assume_yes param to services on detach (GH: #1530)
  * Drop dh-systemd build dependency.
  * status: show beta services in status if enabled (GH: #1410)
  *  New upstream release 26.1
     - contract: block detach call to contract if machine-id change
     - docs: add readme docs about mastering clean golden images
     - fips: add reboot notices for fips operations (GH: #1368)
     - livepatch: add retry when running canonical-livepatch status
       (GH: #1360)
     - util: use lru_cache to avoid re-reading os-release and machine-id
       (GH: #1329)
     - tests:
       + add disable_auto_attach config to all test PRO vms
       + add more log artifacts during failed integration test
       + check cloudinit status after launching image
       + mock leaking livepatch.application_status for fips test
       + retry package installs on apt exit 100
     - jenkins: parameterize build stages to avoid parallel job collision
  * auto-attach: fix comparing numeric iid
  * New upstream release 26.0:
    - auto-attach: systemd unit to run before ua-reboot-cmds.service
    - config: remove_notice should remove notices.json when empty
    - fips:
      + add notice if running a deactivated FIPS kernel (GH: #1348)
      + block enabling FIPS on clouds using Xenial
      + block enabling fips on GCP instances
      + check /proc/sys/crypto/fips_enable to see if fips is enabled
      + override fips metapackage when on bionic cloud
      + update metapackage override logic on fips
    - notices: clear lock file and notice when encountering any exception
      (GH: #1326)
    - reboot_cmds: retry on lock held errors due to pro auto-attach
    - services: allow uaclient to disable services during enable
    - status: include beta services in json formatted output with --all
      (GH: #1341)
    - tests:
      + add FIPS tests to AWS and Azure bionic images
      + add GCP pro test for focal machine
      + add after_step collection of artifacts on failure
      + remove proc file check after disabling fips
      + pro: block auto-attach with cloud-config bootcmd
      + add validation of systemd unit ua-reboot-cmds.service
      + test enabling fips-updates when fips is enabled
    - jenkins:
      - add deb build stage to assert package builds
      - use series-specific sbuild --build-dir avoid races
      - use --append-to-version for each sbuild run to avoid races
      - presume success when no integration artifacts created
  * d/rules:
    - add --with systemd to allow reboot init script
    - do not remove lib/systemd/system folder
  * d/postinst:
    - create marker file when reboot script need to run:
      - enable livepatch across trusty to xenial upgrade
      - update fips on existing fips pro machines
  * New upstream release 26.0~beta:
    - gcp: add Google Cloud Platform support (GH #1269)
    - fips:
      + remove is_beta from fips sevices
      + fips pro: add upgrade support to require reboot to unmark held fips pkgs
      + update origin UbuntuFIPSUpdates
    - status:
      + add notice to tabular output
      + held locks emit notice about Operation in progress
    - cli: help sort output so trusty ordering matches xenial++
    - cis: rename service from cis-audit
    - config: provide config notices and add_notice and remove_notice methods
    - contract: add resource-machine-access route and datapath
    - init: add init script to run commands on reboot
    - keys: add ubuntu-advantage-cis keyring
    - livepatch: make livepatch react to enableByDefault delta
    - log: log when we install pkgs because of contract delta
    - make: drop six testdeps target
    - pro: do not install pro debs on non-pro instances
    - services: Update beta info for services (GH #1220)
    - tools: add tox-lxd-runner, that execute the test command in a shell
    - tools: refresh-keyrings handles cis keys. drop series-specific keys
    - tests:
      + add GCE support for integration tests
      + add cis integration tests for unattached and pro
      + add pytest constraint for mypy tests
      + add unittests for reboot_cmds script
      + fix esm package messages for new update notifier version
      + pin importlib-metadata for mypy tests
      + repo tests for request_resource_machine_access
      + unit tests for config cache clearing and machine-access data
    - jenkins:
      + add basic Jenkinsfile for CI runs per PR
      + add jenkins parseable test results
      + add lxc cleanup stage on Jenkinsfile
  * Release version 25.0
  * New upstream release 25.0~beta3:
    - upgrade-lts-conract: noop during do-release-upgrade on unattached
      (GH: #1255)
    - ua-auto-attach: order systemd unit before cloud-config.service
    - Update FIPSUpdates pin origin
    - fips: unmark held fips packages for ubuntu pro fips image support
      (GH: #1109)
    - repo: handle changes to additionalPackages contract deltas
    - repo: move package installation to install_packages method
    - pro: trigger auto-attach as soon as instance-data.json is available
      (GH: #1234)
    - Conditionally install packages when enabling FIPS
    - fips: allow disable (GH: #1168)
    - cli: add trailing newline to argparse errors (GH: #1236)
    - Install fips metapacking when enabling service
    - integration test improvements:
      + upgrade-test: fix upgrade path restart failures on trusty (GH: #1257)
      + Fix integration test setup scripts (GH: #1253)
      + strict checking for command success on behave
      + Update tests to use new pycloudlib LXD abstraction
      + Add upgrade scenario tests when FIPS is enabled
      + Improve FIPS tests for checking packages
      + Update esm-infra xenial lxd test
      + Fix vm tests as esm-apps is beta service
      + Fix azure generic integration testing
      + Update esm-apps check on staging_commands tests
      + Install pycloudlib for azure jobs only
      + Fix shell condition in run_azure_travis_integration_tests.sh
      + Update azure jobs on travis
      + Update travis url in README
      + Update travis scripts to use ppa only on master
      + Fix cron event type check on travis yaml
  * New upstream release 25.0~beta2:
    - help: update esm-infra help text (GH: #1212)
    - apt-hook: update apt cli messaging for UA Infra: ESM and UA Apps: ESM
      product names
    - help: update fips help docs (GH: #1213)
    - help: revert CIS help doc URL (GH: #1211)
    - help: add new fips help URLs to CLI help docs (GH: #1210)
    - Show error when enabling service with invalid repo [Lucas Moura]
      (GH: #954)
    - Update beta info for services (#1220) [Lucas Moura] (GH: #1216)
    - Do not enable fips when fips-updates is active [Lucas Moura] (GH: #1209)
    - Add vm test commands in tox.ini (#1204) [Lucas Moura]
  * Beta bug fix release
    - status: fix missing description_override key after upgrade from
      trusty (GH: #1201)
    - During contract delta processing use _check_application_status_on_cache
      instead of live service status
  * d/control:
    - add po-debconf dependency and fix lintian not-using-po-debconf and
      untranslatable-debconf-templates
    - add ${misc:Depends} dep to ubuntu-advantage-pro to fix lintian
      debhelper-but-no-misc-depends (GH: #1024)
  * d/rules:
    - drop --with systemd fix build-depends-on-obsolete-package
    - set fix lintian warning extra:Depends even if empty
  * d/postrm
    - Add more gpg keys to be deleted in postrm for Xenial+ support
  * d/postinst:
    - do not unconfigure non-trusty esm. no series in apt filenames (GH: #1170)
    - check if esm is already enabled (GH: #1095)
  * New upstream release 25.0:
    - Do not uninstall additionalPackages or livepatch when disabling services
    - check for issubclass on clean_apt_files
    - Add do-release-upgrade support for esm-infra and apps suites (GH: #1169)
    - Apply contract deltas during do-release-upgrade operations
    - cli: add ua help command
    - cli: status add blocking --wait param and lock files for config change
    - Fix livepatch behaviour on aws pro focal machine
    - travis: drop inapplicable workspaces from specific awsgeneric release
      jobs
    - Add possible reboot text after enabling/disabling services
    - apt-hook: package apt-hook and apt configuration files on all releases
      (GH: #1150)
    - Fix enable fail bug
    - Add uaclient.conf override mechanism for auto-attach, beta services and
      machine-token
    - Support ESM Apps [Brian Murray] (GH: #930)
    - Do not enable services if blocking services is active (GH: #1029)
    - contract: handle 401 on invalid token, 403 on expired (GH: #1335)
    - Hide beta services from default status output and enable/disable
      operations (GH: #1079) (GH: #1091)
    - fips: force apt noninteractive prompts during package installs
      (GH: #1084)
    - tests: add unit tests for aws-gov/aws-china cloud detection
    - Add AWS China and GovCloud partitions [Robert Jennings]
    - Disable beta services to be show/enabled without flag
    - Add missing build_pr command to environment
    - Use additionalPackages from service payload
    - Add integration testing for Travis runs [patriciadomin] (GH: #856)
      (GH: #857)  (GH: #853)
  * New bug-fix-only release 24.4:
    - uaclient.version bump to 24.4
    - fips: honor additionalPackage directive from contract for bionic
      (GH #1173)
  * New bug-fix-only release 24.3:
    - uaclient.version bump to 24.3
    - fips: add conditional reboot message only if /var/run/reboot-required is
      present
    - fips: add apt repo key for FIPS and FIPS updates (GH #1026)
  * New bug-fix-only release 24.2:
    - uaclient.version bump to 24.2
    - pro: Add AWS China and GovCloud partitions support (GH #1077)
  * New bug-fix-only release 24.1:
    - livepatch: run snap wait system snap.seeded before trying to install
      (GH: #1049)
    - version: return debian/changelog version when git describe fails to
      match upstream <major>.<minor> tags for git-ubuntu workflow
      (GH: #1058)
  * bump version to 24.0 for new versioninig scheme
  * New upstream release 20.3:
    - ubuntu-pro: automatically reattach across instance id delta
      (LP: #1867573)
    - integration testing:
      + add behave tests ua subcommands for attached vm
      + add invalid token tests
      + add reuse_container test docs
      + refactor token parameter
  * d/templates: add a debconf note on upgrade from pre-ubuntu pro package
  * d/control: create a separate ubuntu-advantage-pro package which
      delivers the tooling and scripts necessary to auto-attach pro machines
      This change breaks/replaces ubuntu-advantage-tools <= 20.1
  * d/maintscript: rm_conffile /etc/init/ua-auto-attach.conf from ua-tools pkg
  * d/postint: remove stale systemd symlinks which have migrated to ubuntu-pro
  * d/rules: only install the apt hook on trusty
  * d/rules: provide --no-start to debhelper to avoid auto-attach on pkg install
  * Release 20.2:
    - ubuntu-pro:
      + azure: fix detection of DatasourceAzureNet as azure on trusty
      + generalize identity_doc to return dict instead of string
      + auto-attach: any 4XX errors during auto-attach are the result of non-Pro
      + auto-attach: handle 403 errors raised by contract server for invalid vms
    - attach: persist any status config changes after attach failures
    - output: add messaging using a different subscription if attached
  * Release 20.1:
    - azure-pro, support for azure ubuntu pro auto-attach:
      + add azure auto-attach instance as valid cloud_instance_factory
      + add azure cloud instance module and tests
      + generalize request_aws_contract_token for multiple cloud_types
      + contract: request_auto_attach_contract_token takes an instance param
    - constraints: add constraint on pyyaml version in trusty
    - auto-attach: move duplicate invalid cloud_type check out of cli
  * d/postinst: only configure ESM on supported architectures (LP: #1851858)
      [Andreas Hasenack]
  * d/postinst: rename existing ubuntu-esm-precise.list file to trusty.
    This fixes the upgrade path from precise to trusty and to this client
    while esm is enabled (LP: #1850672)
  * Release 19.7:
    - aws: handle missing SYS_HYPERVISOR_PRODUCT_UUID
    - aws-pro: support for aws ubuntu pro auto-attach
    - pro: add cloud identity module and fix unit tests
    - pro: update systemd service and upstart boot scripts to auto-attach
    - pro: esm do not do apt pin never on disable on xenial or bionic
    - pro: esm-apps has origin UbuntuESMApps and esm-infra is UbuntuESM
    - status: dynamic status available now from refreshed machine-token
    - uaclient: update customer visible messages after UX review
    - esm-apps: allow unattended security upgrades for esm-apps
    - systemd: needs WantedBy=multi-user.target to get pulled into boot
    - cli: update docstring to describe errors raised from auto-attach
    - keyrings: update ubuntu-advantage-esm-apps.gpg with correct key
    - repo: match strict repo url in apt-policy to avoid esm substring matches
    - esm: don't disable_apt_auth_only for ESM entitlements
    - initial implementation of esm-apps
    - repo: don't raise exception in application_status if aptURL missing
    - entitlements: rely solely on contract server for repo_url
    - cli: exit 0 if already attached
    - cli: use decorators for action_attach and action_attach_premium
    - cli: add assert_not_attached decorator
    - status: custom descriptions for n/a service status
  * New upstream release. Main changes:
    - drop SSO interactive login support
    - d/control: no longer depend on pymacaroons, which was only needed for
      the SSO interactive login support
    - drop keyrings for services not supported in trusty: cc-eal, fips,
      fips-updates, cis audit
    - make sure /var/lib/ubuntu-advantage/private has 0700 perms
    - rename esm to esm-infra. Also handle upgrades
    - don't unecessarily remove config files that are already handled by dpkg
    - expand the apt related runtime dependencies
    - handle sources.list.d esm snippet when release upgrading from precise
    - ua status now reports availability of services even in unattached state
    - the "ua status" output was changed, including the json format option
    - drop "ua status" call in postinst as it now requires internet access and
      that is restricted in LP builders and test runners.
    - fix the d/t/usage DEP8 test that was also using status
  * d/t/usage: fix dep8 test ("entitlements" was renamed to "services")
  * New upstream release (LP: #1832757):
    - packaging:
      + d/control: depend on libapt-pkg<ABI_VERSION> to use pin-priority never
      + d/postinst: adjust logfile permissions
      + d/postinst: remove public files and generate status cache on upgrade
      + d/postinst: Remove the old CACHE_DIR in postinst
      + d/postrm: remove log files on package purge
      + d/postrm: remove the ESM pinning file on purge
      + trusty should remove v1 esm key if present after upgrade
      + keyrings: regenerate keyrings on a trusty host
      + refresh keyrings to match current production for fips and cc-eal
    - apt:
      + all repo entitlements now call apt-get update on enable
      + enable -updates if -updates from the Ubuntu archive is enabled
      + Add basic i18n (good enough for lang packs)
      + retry apt install and update commands 3 times simple backoff
      + write commented -updates lines instead of omitting them
    - attach/detach:
      + added --no-auto-enable option
      + suppress messages from inapplicable default entitlements
      + two-factor auth reprompt only two-factor auth on failed 2fa
      + honour enableByDefault obligations from contract server
      + livepatch: no auto-enable on attach for trusty
      + don't attempt to disable inapplicable entitlements during detach
      + check for root before checking for attach in assert_attached_root
    - status:
      + add --json cli formatting option
      + emit a SERVICE header in status output
      + redact technical support and expiry for free contracts
      + unentitled services will report n/a
    - cc-eal:
      + add a warning about download size before install
      + change cc to cc-eal in docs, parameters and commandline help
    - esm:
      + add esm-v2 gpg keyring, drop old keyring, ignore aptKey directive
      + and livepatch auto enabled on attach where supported
      + on upgrade do not install preferences to pin never if esm enabled
      + remove only the apt auth entry on disable, leaving sources.list
      + use Pin-Priority never apt preference file to disable esm initially
    - fips:
      + display as pending when linux-fips is not the running kernel
      + only install/upgrade optional packages that are already on the system
    - logs:
      + no longer redact secrets as logfile is root read-only
      + separate console log devel from logfile level
      + remove level from messages to the console
    - add subcommand to refresh all contract details
    - config: allow contract_url and sso_auth_url to have a trailing slash
    - docker: fix persisting generated uuid on images without machine-id files
    - environ: allow lowercase ua_<config_option> overrides
    - repo: un-comment ESM sources.list lines on repo disable
    - updated manpage and help docs
  * apt-hook: Add missing headers for APT 1.9
  * Drop the self-test assert in the apt-hook, it's making the subiquity
    server install fail (LP: #1824523)
  * apt-hook: Do not crash/fail if we can't read /proc/self/status
    (LP: #1824523)
  * Ubuntu Advantage Tools rewrite in Python (LP: #1814157):
    - Allow attaching a system to a contract or account
    - More complete status output, dropping MOTD updates
    - Easily enable and disable services offered
  * Have ua status cope with the additional livepatch of running a kernel
    that is not supported for livepatches.
  * Have an option for enable-livepatch to install a compatible kernel if
    needed.
  [ Vineetha Kamath ]
  * Add support to common criteria EAL2 artifacts installation #144
  * New upstream release
    - added enable-fips-updates command. This command enables the fips-updates
      repository to install updates to FIPS modules. The updated modules from
      fips-updates repository are non-certified.
  * d/t/update-motd-run: fix path to the esm motd (LP: #1757490)
  * Rename motd scripts so they are shown a bit earlier (LP: #1757171)
  * Move empty line placement in the livepatch motd to the beginning of the
    message to avoid double blank lines.
  * New upstream release:
    - repositories are only added after credentials are verified
      (LP: #1730361)
    - Livepatch MOTD script (LP: #1710976)
    - better "status" command output formatting (LP: #1719034)
    - sources.list.d files no longer contain credentials. The "auth.conf"
      facility is used instead. (LP: #1700611)
    - enabled Livepatch support for Bionic 18.04 LTS
  * New upstream release:
    - run tests during package build
  * New upstream release:
    - revert the latest name changes
    - instead of "advantage", add a "ua" symlink pointing at the
      ubuntu-advantage script. Likewise for its manpage. (LP: #1721272)
  * New upstream release:
    - rename the ubuntu-advantage script to advantage, including where it's
      mentioned in the documentation. Also provide symlinks pointing at the
      previous name. (LP: #1721272)
    - slightly reword some of the FIPS messages
  * New upstream release with FIPS support (LP: #1718291)
  * New upstream release:
    - call apt-get with the non-interactive frontend variable set, and tell
      dpkg to keep the old config file by default should there be any prompts
      about that. (LP: #1715012)
    - split the one big test file into multiple smaller files, for better
      maintainability.
  * Release to artful (LP: #1711369)
  * d/control: update package description
  * New release version 6. Main changes:
    - document return codes on the manpage (Fixes: #33)
    - new status command (Fixes: #40)
    - restrict esm to precise only (Fixes: #43)
    - drop the livepatch motd update, only esm has motd output now
      (Fixes: #44)
    - skip tests during package building (Fixes #49)
  * Only display apt output in the case of errors (Fixes #34).
  * Check running kernel version before enabling the Livepatch service
    (Fixes #30).
  * Add livepatch support:
    - New commands:
      + enable-livepatch
      + disable-livepatch
      + is-livepatch-enabled
    - new tests
    - new manpage
    - new help output
    - new README.md
    - new MOTD
  * ubuntu-advantage & /etc/update-motd.d/99-esm now build, run and are quiet
    on non-precise release. (LP: #1686183)
  * Add simple dep8 tests.
  * Also install ca-certificates (LP: #1690270)
  * Initial Release. LP: #1686183

--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20221213/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20221201/