Releases: microsoft/azurelinux

1.0.20221028

02 Nov 23:44

Add logrotate conf entry for rsyslog to prevent logs growing too large
Add support to build Mariner 1.0 on Mariner 2.0 host
Clear CVE-2021-33644 and CVE-2021-33646 for libtar.
Clear CVE-2022-26354 from qemu (this version not impacted)
Fix manifest checks with RPM 4.18
Overwrite 99-dhcp-en.network for marketplace img
Patch libtasn1 to fix CVE-2021-46848
Patch libtiff to fix CVE-2022-3570
Patch redis to fix CVE-2022-3647.
Patch sos to fix CVE-2022-2806.
Remove autodetected Go modules in toolkit/tools/cgmanifest.json
Removed ARCHIVE_TOOL from toolkit for extraction because tar can figure out what to use on its own. Removal of this argument also allows decompression of archives created through simple packing of already compressed packages, greatly reducing archive creation time.
Update tzdata to 2022e
Upgrade Kernel to 5.10.149.1 to fix or clear CVE-2022-3541, CVE-2022-3543, CVE-2022-3544, CVE-2022-3595, CVE-2022-0171, CVE-2022-3303, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722, CVE-2022-41674, CVE-2022-42719, CVE-2022-42703
Upgrade expat to version 2.5.0 to fix CVE-2022-43680
Upgrade nginx to 1.22.1 to fix CVE-2022-41741, CVE-2022-41742, CVE-2022-3638
Upgrade openssh to 8.9p1 to fix CVE-2021-36368

2.0.20221026-2.0

27 Oct 18:32
1a94296

What's Changed

  • Fixed GPG key import during worker chroot creation.
  • Patched libtiff CVE-2022-3570.
  • Updated 4 rubygem-* packages to obsolete older versions of ruby.
  • Upgraded 'libtasn1' to 4.19.0 to fix CVE-2021-46848.
  • Upgraded nodejs to version 16.17.1 to fix CVE-2022-32213.

CBL-Mariner 2.0 October 2022 Release

17 Oct 23:39
2.0.20221014-2.0
2f2540f

Important update in glibc: all of the statically-linked libraries have been moved to a separate glibc-static package. Every package that depends on these static binaries must now include a BuildRequires: glibc-static line in its spec file.

Add automation for generating livepatch packages.
Add csi-driver-lvm.
Add git-lfs and move rubygem-ronn dependencies to SPECS
Add initial support for finalizeImage
Add large file support to unzip
Add option to build a package for a specific architecture
Add python-absl-py package to Mariner
Add python-astunparse package to Mariner
Add support for blobfuse2
Add UEFI support in Mariner partition parser

Fix kernel CVE-2022-3303
Fix moby-engine CVE-2022-24769
Fix python-jwt CVE-2022-39227

Update ca-certificates: September 2022 (2022-10-05) release of Microsoft trusted root CAs
Update csi-driver-lvm by splitting binaries to two packages.
Update dracut, systemd, systemtap: fix log file paths.
Update generate_source_tarball script(s) so they interface with auto-upgrade tool
Update iana-etc: move documents to own subpackage to reduce size of base package
Update kata: add patch to avoid memory hotplug timeout, fix systemd service
Update perl-XML-SAX tarball generation script so it can be used by auto-upgrade tool
Update rpm to ensure rpm-* ABI compatibility

Update systemd: gpt-auto fixes for backing device detection
Update tzdata to version 2022d.
Upgrade bpftrace version to 0.16.0
Upgrade cassandra to 4.0.6
Upgrade kernel to 5.15.70.1
Upgrade kernel-hci to 5.15.70.1 and other updates from main kernel package
Upgrade libbpf version to 1.0.1
Upgrade vim version 9.0.0614
Upgrade wayland to 1.21.0 to fix CVE-2021-3782

1.0.20221007

13 Oct 05:27

Add runtime requirement on iana-etc to fping
Patch gnutls to fix CVE-2021-4209
Patch libvirt to fix CVE-2021-3975
Patch libtiff to fix CVE-2022-2953
Patch mlocate test to adjust deep hierarchy ptest for Mariner
Patch python2 and python3 to fix CVE-2015-20107 (this removes mailcap functionality)
Patch python-mako to fix CVE-2022-40023.
Upgrade cryptsetup to version 2.3.7 to fix CVE-2021-4122
Upgrade Kernel to 5.10.145.1 to fix CVE-2022-1204, CVE-2022-1882, CVE-2022-1973, CVE-2022-2503, CVE-2022-2785, CVE-2022-2873, CVE-2022-2991, CVE-2022-33743, CVE-2022-33744, CVE-2022-36946, CVE-2022-39842
Upgrade mariadb to version 10.3.36 to fix CVE-2022-32091, CVE-2022-38791, CVE-2018-25032
Upgrade nghttp2 to version 1.50.0
Upgrade nodejs to version 14.20.1 to fix CVE-2022-32213, CVE-2022-32214, CVE-2022-32215
Upgrade postgresql to version 12.12 to fix CVE-2022-1552
Upgrade vim to version 9.0.0614 to fix multiple CVEs
Update ca-certificates to September 2022 (2022-10-05) release of Microsoft trusted root CAs

2.0.20221004 September monthly 2.0 release

05 Oct 23:22

New Core Packages

Add emacs-filesystem subpackage
Add k3s version 1.23.8
Add k3s version 1.25.0
Add kata-containers
Add kube-vip-cloud-provider
Add local-path-provisioner
Add mstflint
Add multus version v3.8

Migrations from Extended to Core

nss_nis
yp-tools
ypbind

New Extended packages

none

Package updates

binutils: fix CVE-2022-38533
cloud-hypervisor: update to v26.0
fribidi: upgrade to version 1.0.12
k3s: bump version v1.23.6 -> v1.24.3
kernel: update to 5.15.67.1
kernel: fix CVE-2021-4155, CVE-2022-2938
kubevirt: upgrade to version 0.55.1
lasso: bump version to 2.8.0 to fix ptest
libbpf: bump version to 1.0.0
libjpeg-turbo: update to 2.1.4 to fix CVE-2020-35538
libnvidia-container: update to v1.11.0
libtiff: Patch CVE-2022-2953
mariadb: update to v10.6.9 to fix CVE-2022-32091, CVE-2022-32081
msft-golang: upgrade to 1.19.1-1
ncurses: update to 6.3 [patch 20220612] to fix CVE-2022-29458
nvidia-container-runtime: update to v3.11.0
nvidia-container-toolkit: update to v1.11.0
openblas: upgrade to 0.3.21 to fix CVE-2021-4048
postgresql: upgrade to version 14.5
pyflakes: bump version to 2.5.0 to fix ptest
python3: update to 3.9.14 to fix CVE-2020-10735
python-mako: version update CVE-2022-40023
python-tornado: bump version to 6.2.0
rpm: Upgrade to 4.18.0-rc1 to resolve CVE-2021-3521, CVE-2021-35938 and CVE-2021-35939
rpm: ensure rpm subpackage ABI compatibility
rust: update to v1.62.1
rubygem-faraday: update to v.2.5.2
sos: update to 4.4
virglrenderer: patch CVE-2022-0175
xmlsec1: update to 1.2.34 to fix openscap build break

Other

audiofile: disable %check section to fix ptest pipeline break
ccache: add symlinks to ccache
clamav: Add preinstall/postuninstall requirement on shadow-utils
cppcheck: fix testrunner binary path to enable ptest
[fedramp]: Security changes to meet Azure security baseline
flac: bump version to 1.3.4 & run %check as non-root to fix ptest
grub2: add patch for resetting grub_errno
kata-containers: Generate initrd for guest on reload
kata-containers: Match Guest and Host cgroup setup and expose required devices from kata
kata-containers: set DEFSANDBOXCGROUPONLY to false
KeysInUse-OpenSSL: fix permission & simplify package install
kernel: Add 32bit time syscall support
kernel: Add SCSI logging facility
kernel: enable CONFIG_VFAT_FS
kernel: Enable kernel config CONFIG_NETFILTER_XT_TARGET_TRACE as a module
kernel: initial kernel config changes for criu
kernel: adjust crashkernel param based on available ram
libsemanage: Do not ignore /root.
livepatching: add package for livepatches management. make exclusive to x86_64.
mariadb: fix upgrade by adding shadow-utils pre/postun requirement
mock: add BR on python3-pip & drop un-needed deps to enable ptest
node-problem-detector: added arm64 support which is needed to support ARM64 AKS
perl-Config-IniFiles: add BR on perl(blib) to enable ptest
perl-Fedora-VSP: add BR on perl(Test::More) to fix ptest
perl-List-MoreUtils: add BR on perl-{(Math::Trig),(Test::More),(Tie::Array)} to enable ptest
perl-Module-Build: add BR on perl-{(ExtUtils::*),(CPAN::*)} to enable ptest
perl-Module-ScanDeps: add BR on perl-{(CPAN::*),(FindBin),(Test::More)} to enable ptest
perl-Net-SSLeay: add missing BRs & skip two failing tests
perl-NetAddr-IP: add BR on perl-{(Autoloader),(Test::More)} to enable ptest
perl-Try-Tiny: add BR on perl(Test::More) to fix ptest build
perl-Unicode-LineBreak: add BR on perl(FindBin) to fix ptest build
perl-YAML: add BR on perl(ExtUtils::MakeMaker) & cpan to enable ptest
perl-namespace-clean: add BR on perl-debugger to enable ptest
python-kdcproxy: add BR on python-pip and drop BR on pytest to enable ptest
python-ntlm-auth: add BR on pip & drop BR on pytest to enable ptest
python-suds: add BR on python3-pip & drop python3-pytest to enable ptest
reaper: fix install errors
rust: build as a stable release and disable unstable features
selinux-policy: Fix issue with preinst on systems that do not have selinux-policy. Various updates.
systemd: sysusers fsync patch
toolkit: Enable package repo generation and network config for non-kickstart like ISO installation
toolkit: added RPMs snapshots.
toolkit: Skip compression on rpm/srpm archives
toolkit: Fix networkconfig test case
toolkit: Added an additional chrony config with updated version
toolkit: Adding grubenv file by default.
xdelta: run %check section via a non-root user to fix ptest build

1.0.20220926

04 Oct 06:45

Patch rpm to fix CVE-2021-3521
Patch python-mako to fix CVE-2022-40023.
Upgrade expat to 2.4.9 to fix CVE-2022-40674
Upgrade kernel to version 5.10.144.1 to fix CVE-2022-3028, CVE-2022-39188, CVE-2022-39190, CVE-2022-3202, CVE-2022-41222, CVE-2021-33655, CVE-2022-1263, CVE-2022-1508, CVE-2022-1976, CVE-2022-2905, CVE-2022-2977, CVE-2022-3077, CVE-2022-3078, CVE-2022-3170, CVE-2022-40307, CVE-2022-40476
Upgrade libjpeg-turbo version to 2.1.4 to fix CVE-2020-35538, CVE-2022-0850, CVE-2022-1043, CVE-2022-1198, CVE-2022-1199, CVE-2022-1205, CVE-2022-2153
Upgrade powershell to version 7.2.6
Upgrade tzdata to version 2022d.
Upgrade vim to version 9.0.0404

CBL-Mariner 2.0 September 2022 Update 3

23 Sep 18:20
db6990c

New Core Packages

none

Migrations from Extended to Core

none

New Extended packages

none

Package updates

expat: fix CVE-2022-40674
mariner-release: update to 2.0.21

Other

None

CBL-Mariner 2.0 September 2022 Update 2

20 Sep 18:26
b5bb7b9

New Core Packages

none

Migrations from Extended to Core

none

New Extended packages

none

Package updates

cloud-init: update to 22.2-8 to resolve regressions seen with cloud-init version 22.2-7
mariner-release: update to 2.0.20

Other

None

CBL-Mariner 2.0 September 2022 Update

16 Sep 05:59
305a495

New Core Packages

none

Migrations from Extended to Core

none

New Extended packages

none

Package updates

cert-manager: update to 1.7.3
colord: CVE-2021-42523
dpdk: bump version to 21.11.2 to address CVE-2022-2132
go: update to 1.17.13, 1.18.5 to fix: CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-29526, CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30634, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189
libtar: Pull misc Fedora patches, fix CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646
libxml2: fix CVE-2022-2309
python-lxml: fix CVE-2022-2309
nodejs: fix npm version
python3: fix CVE-2021-28861, CVE-2015-20107
qemu: fix CVE-2021-4158, CVE-2022-35414
rubygem-yajl-ruby: fix CVE-2022-24795
virglrenderer: fix CVE-2022-0135
vim: upgrade to 9.0.0325 to fix CVE-2022-2980, CVE-2022-2982, CVE-2022-2923, CVE-2022-2946

Other

None

1.0.20220909

17 Sep 04:00

Mariner 1.0 September 2022 Update

kernel: Add 32bit time syscall support
kernel: Address CVE-2021-4135, CVE-2022-2380, CVE-2022-1158
kernel: CVE-2022-36123 nopatch
Update tzdata to version 2022c.

Fix file mode on toolchain scripts
Fix freshclam db download for clamav

Patch dpdk for CVE-2022-2132
Patch glibc to fix CVE-2021-3999
Patch libtar to fix CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646
Patch libtirpc to fix CVE-2021-46828
Patch libxml2 and python-lxml to fix CVE-2022-2309
Patch openvswitch to fix CVE-2021-3905
Patch python3 to fix CVE-2021-28861
Patch qemu-kvm to fix CVE-2022-35414

Upgrade ceph to 16.2.10 to fix CVE-2022-0670
Upgrade go 1.17 to 1.17.13 to fix CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30634, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189
Upgrade go 1.18 to 1.18.5 to fix CVE-2022-1705, CVE-2022-1962, CVE-2022-29526, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189
Upgrade gzip version to 1.12 to fix CVE-2022-1271
Upgrade kernel to 5.10.134.1 to fix CVE-2021-3736, CVE-2022-3687
Upgrade libinput to 1.16.5 and patch for CVE-2022-1215 (in CBL-MarinerCoreUI Repo: microsoft/CBL-MarinerCoreUI#101)
Upgrade vim to 9.0.0360 to fix CVE-2022-2571, CVE-2022-2580, CVE-2022-2581, CVE-2022-2598, CVE-2022-2816, CVE-2022-2817, CVE-2022-2819, CVE-2022-3099, CVE-2022-2982, CVE-2022-2946, CVE-2022-3016, CVE-2022-3037