Releases: microsoft/azurelinux
CBL-Mariner 2.0 August 2022 Update 2
New Core Packages
containerized-data-importer
perl-XML-LibXML
KeysInUse-OpenSSL
Add rubygems required for building td-agent
Migrations from Extended to Core
bluez
libicall
libel
nss_wrapper
pam_wrapper
rubygem-asciidoctor
rubygem-rspec
socket_wrapper
uid_wrapper
New Extended packages
None
Package updates
update gnutls to 3.7.7
update nodejs to v16.16.0 to address CVEs
xterm: bump version to 372 to address CVE-2021-27135
zlib: patch CVE-2022-37434
Bump exempi release to rebuild with zlib's CVE-2022-37434 fix
Update ceph to v16.2.10 to address CVE-2022-0670
Update gnupg2 to 2.3.7 to resolve CVE-2022-34903
Update helm version 3.9.3
Upgrade cassandra version to 4.0.5
busybox: patch CVE-2022-30065
e2fsprogs: patch CVE-2022-1304
tzdata: update package to version 2022b.
unbound: bump version to 1.16.2 to address CVE-2022-30698
rsync: bump version to 3.2.5 to address CVE-2022-29154
sqlite: bump version to 3.39.2 to address CVE-2022-35737
libtiff: patch CVE-2022-34526
libtirpc: bump version to 1.3.3 to address CVE-2021-46828
lldpd: bump version to 1.0.14 to address CVE-2020-27827
freetype: bump version to 2.12.1 to address CVE-2022-{27405,27406}
m2crypto: patch CVE-2020-25657
openssl: align release number with 2.0 state.
perl-DBD-SQLite: add BR on perl(Test::More) & perl(Digest::MD5) to fix ptest
perl-DBI: add BR on perl(blib) & perl(Test::More) to fix ptest
perl-DBIx-Simple: add BR on perl(Test::More) to fix ptest
perl-Exporter-Tiny: add BR on perl(Test::More) to fix ptest
perl-File-HomeDir: add BR on perl-{(ExtUtils::MakeMaker),(Test::More)} to enable ptest
perl-IO-Socket-SSL: add BR on perl(ExtUtils::MakeMaker) & check deps to enable ptest
perl-JSON-Any: add BR on perl(ExtUtils::MakeMaker) & cpan to enable ptest
perl-JSON-XS: add BR on perl(ExtUtils::MakeMaker) & perl(Test::*) to enable ptest
perl-Object-Accessor: add BR on perl(ExtUtils::MakeMaker) & check deps to enable ptest
perl-Path-Class: add BR on perl-{(Test),(Test::More),(Perl::OSType)} to enable ptest
perl-Pod-POM: add BR on perl(FindBin) to enable ptest
perl-Test-Deep: promote to SPECS to fix ptest for perl-CPAN-Meta-Check
perl-Test-Warnings: add BR on perl(Test::More) to enable ptest
perl-YAML-Tiny: add BR on perl(JSON::PP) & perl(Test::More) to fix ptest
perl-generators: add BR on perl(Fedora::VSP) to fix ptest build
perl-libintl: add BR on perl-{(ExtUtils::MakeMaker),(Test)} to enable ptest
python-pexpect: disable flaky spawn_uses_env test.
Other
Mariner RT kernel: enable CONFIG_PCI_PF_STUB and CONFIG_VFIO_NOIOMMU
Mariner kernel: enable CONFIG_SECURITY_LANDLOCK and CONFIG_BLK_DEV_ZONED for x86_64
toolchain: update steps to build with latest libarchive.
tools: safechroot: TestInitializeShouldCreateChroot: fix if condition
Building reaper only for x86_64 architecture
update cloud-init service to add sysinit.target dependency
fix cloud-init dependency issue
CBL-Mariner 1.0 August 2022 Update 2
Package updates:
- curl: update to version 7.84.0 to fix CVE-2022-32207.
- freetype: update to version 2.12.1 to fix CVE-2022-27405 and CVE-2022-27406.
- kernel: nopatch CVE-2022-1012.
- libarchive: update to version 3.6.1 to fix CVE-2021-36976.
- mariner-release: bump 'Release' tag for August Update 2.
- tzdata: update to latest version 2022b.
- vim: update version to 9.0.0181 to fix CVE-2022-2522, CVE-2022-2571, CVE-2022-2580, CVE-2022-2581.
- zlib: patch CVE-2022-37434.
CBL-Mariner 2.0 August 2022 Update
New core packages
ctags
knem
mlnx-ofa_kernel
mlx-bootctl
mlx-tools
ofed-scripts
pam_krb5
perftest
python-botocore
python-cassandra-driver
python-retrying
skopeo
xxhash
Migrations from extended to core
authd
freeipmi
iptraf
ksh
libreswan
lldpd
nfs4-acl-tools
postfix
symlinks
ucx
New extended packages
umoci
Package updates
blobfuse: update version to 1.4.4
ca-certificates: June 2022 (2022-08-02) release of Microsoft trusted root CAs
fluent-bit: update version to 1.9.6.
grub2: remove provides from unsigned grub2
k3s: fix install to allow VHDX integration.
kernel: upgrade to version 5.15.57.1
ldns: handle current CVEs
openssl: fix test failure
perl-CGI: add BR on cpan & perl(Test::*) to enable ptest
perl-Crypt-SSLeay: add BR on perl(Test::More) & perl(Bytes::Random::Secure) to enable ptest
perl-File-Find-Object-Rule: add BR on perl(blib) to enable ptest
perl-File-Which: add BR on perl-{(Env),(ExtUtils::MakeMaker),(Test::More)} to enable ptest
perl-Object-Deadly: add an explicit BR on perl(English) to enable ptest
python-click: migrate to 'SPECS' folder and bump version to 8.0.4.
python-requests-mock: switch to tox for testing
python-testscenarios: add BR on pip to enable ptest
python-whoosh: pip install wheel in %check section to enable ptest
sysbench: fix ptest issue.
Other
Fix network access check during package repo file generation
CBL-Mariner 1.0 August 2022 Update
Package updates:
ca-certificates: June 2022 (2022-08-02) release of Microsoft trusted root CAs
clang: add clang-libs subpackage
kernel: update to 5.10.131.1
selinux: backport changes for interactive container use, fds manipulation and minor fixes
mariner-repos: add source repos for base, update, ui, preview and preview-ui
vim: update version from 8.2.5172 to 9.0.0050
CVES
libtiff CVEs: 2022-2056, 2022-2057, 2022-2058
nodejs: upgrade to v14.20.0 to fix CVEs 2022-32213, 2022-32214, 2022-32215
postgresql: upgrade to v12.8 to fix CVE-2021-3677
python-jinja2: update to v2.11.3 to fix CVE-2020-28493
python2: patch CVE-2022-3733
kernel: CVE-2022-32296, CVE-2022-1652, CVE-2022-1786, CVE-2022-0854, CVE-2021-20194, CVE-2021-32078, CVE-2021-37159
CBL-Mariner 2.0 July 2022 Update 2
New packages: cpupower, turbostat, kernel-tools, kubevirt, libgdiplus, giflib, libexif, fio, nbd, libnbd, sysbench.
Add ability to build quickly by packing a subset of RPMs
Add missing dependencies to rpm-build
Add network configuration for unattended ISO install
Add nopatch for mcpp CVE-2019-14274
Add patch to libsafec to fix getenv_s error handler calling behavior
Add second grub efi binary without specifying the prefix directory
Add upstream patch to python-attrs to fix mypy tests
Add source and debuginfo repos for base and extended packages
Add apache maven SPEC to Mariner.
Add sed as a post install requirement in the vim spec
Fixed CVE-2022-1852 and CVE-2022-2078
Fixed curl CVE-2022-32207
Fixed libtiff CVEs: 2022-2056, 2022-2057, 2022-2058
Fixed opensc non-check build by disabling unit tests
Fixed podman installation and feature functionality issues
Kernel upgrade to version 5.15.55.1
maven: Fix aarch64 builds by including 1.0 maven aarch64 rpm also sources in spec file.
e2fsprogs: running tests in a single thread to make them more consistent.
perl-Sys-Virt, pyproject-rpm-macros, and python-flit: fixed ptests.
git: upgraded to 2.33.4 to address CVE-2022-29187
vim: upgraded version to 9.0.0050 to fix CVEs: 2022-2257, 2022-2264, 2022-2284, 2022-2285, 2022-2286, 2022-2287
argparse-manpage: pip install latest deps to enable ptest
cloud-init: pip install test-requirements.txt to enable ptest
coreutils: Fix env-signal-handler test
kernel config: Add configs needed by eBPF tracers.
kernel: nopatch CVE-2022-34494, -34495
lua: patch CVE-2022-33099
mc, python3, vim: fix unversioned python shebangs
opensc: remove Fedora-specific test modifications
python-pytest-subtests: drop BR on pytest & pip install latest deps to enable ptest
python-pytest-timeout: drop BR on pytest and install latest deps to enable ptest
python-requests-toolbelt: pip install latest deps to enable ptest
selinux-policy: fixes for interactive container use.
selinux-policy: minor fixes for groupadd, systemd-cgroups, hv_utils.
unbound: build with libevent to fix libreswan
grub2: resolved CVE-2021-3981
protobuf-c: resolved CVE-2022-33070
Set default SOURCE_URL in Makefile
README: Add 2.0 quickstart workflow badge
Do not print a warning when image config file is explicitly defined as empty
CBL-Mariner 2.0 July 2022 Update
Added DELTA_BUILD toolkit variable.
Added Github CLI gh.
Added MBR Partitioning Support in Mariner.
Added azcopy, dcos-cli, cf-cli, intel-ipsec-mb, intel-pf-bb-config, libhugetlbfs, and msgpack.
Added retry logic in runliveinstaller to ensure network access during pxe boot.
Added swap partition entry to /etc/fstab.
Added patch to fix compilation with ncurses 6.3 for hunspell and liboping.
Bug fix for ResolveCompetingPackages when building on RPM-based distro.
Build turbostat and cpupower for the x86_64 platform.
Updated kernel to version 5.15.48.1 to fix CVE-2022-33981.
Initial KeysInUse Integration.
Introduced mariner_rpmspec function for GitHub PR check scripts.
K3s uninstall fix and exclusivity for x86_64.
Mark mcpp CVE-2019-14274 as fixed.
Migrate FabricBot Tasks to Config-as-Code.
Move su from shadow-utils to util-linux.
Running git as repo owner in Mariner's toolkit.
Switch to HTTPS source for autoconf213.
Updated Ubuntu version to 22.04 for CGmanifest checks.
Updated vim to 8.2.5172 to fix CVE-2022-2175, CVE-2022-2182.
Updated fish to 3.5.0 to resolve CVE-2022-20001.
Updated fakeroot to version 1.29 to fix a ptest.
ca-certificates: May 2022 (2022-06-28) release of Microsoft trusted root CAs.
abseil-cpp: removing GTest workarounds.
libftdi: disabling docs building to stabilize the build.
prebuilt-ca-certificates*: adding Conflicts: ca-certificates-shared.
python-sphinxcontrib-*: fixing 3 failing ptests.
usrsctp: nopatch CVE-2019-20503.
cloud-init: patch for CVE-2022-2084.
coreutils: Build arch binary.
gd: fix test.
kernel: enable virtio config, add vmlinuz symlink, enable verbose log, nopatch CVE-2022-1652, CVE-2022-32981.
msopenjdk-11: Upgrade to 11.0.15+10-LTS-1.
python3: Remove Windows executables, add add'l provides.
qemu: fix build break on aarch64, ship missing efi*rom & pxe*rom romfiles.
Only build crash-gcore-command on x86_64.
Use --no-clobber for toolchain downloads.
Bump Mariner 2.0 Release for July 2022 Update.
1.0.20220709
Add apparmor dependencies to moby-containerd
Add golang-1.17 for packages that break with v1.18
Added patch for CVE-2021-4206 to qemu-kvm
Build moby-containerd with mod=vendor and upgrade to version 1.6.6+azure to resolve CVE-2022-31030
Bump Mariner Release for Mariner 1.0 June Update 2
Fix bad interpreter error when run pip3
Fix openssl for ptest failure
Fixed spuriously failing defrag test in redis
Modify toolchain so it no longer consumes from the "toolchain" subfolder on source archive
Patch Kernel to fix CVE-2022-33981
Patch openssl to fix CVE-2022-2068
Patch ptfdisk & irqbalance to fix build with ncurses-6.3
Patch qemu-kvm for CVE-2021-3750
Refresh Mariner Release for July Update
Updated vim to 8.2.5172 to fix CVEs
Upgrade pygobject3 to fix ptest.
Upgrade ca-certificates to May 2022 (2022-06-28) release of Microsoft trusted root CAs
Upgrade Vim version to 8.2.5154 to fix CVEs
Upgrade libjpeg-turbo version 2.1.2 to fix CVE-2021-46822
Upgrade libtiff version to 4.4.0 to fix CVE-2022-0908
Upgrade libxml2 to 2.9.14 to fix CVE-2022-29824
Upgrade logrotate to 3.20.0 to fix CVE-2022-1348
Upgrade ncurses to 6.3 [patch 20220612] to fix CVE-2022-29458
Upgrade ncurses to 6.3 to fix CVE-2022-29458
Upgrade python-jwt to 2.4.0 to fix 2022-29217
Upgrade python3 to 3.7.13 to resolve CVE-2019-12900
Upgrade rubygem-elasticsearch to 8.2.2 to fix CVE-2022-23712.
Upgrade to moby-runc version 1.1.2 to fix CVE-2022-29162
Upgrade uclibc-ng to 1.0.41 to fix CVE-2022-30295
backported redis 6.2.7 to 1.0 to fix CVE-2021-24736
kernel: Update to 5.10.123.1
2.0.20220625
Add command line tool jx SPEC
Add less to git runtime Requires
Add libreswan to SPECS-EXTENDED
Enable Vgem driver in kernel
Fix /etc/my.cnf conflict from mariadb.
Fix link to documentation in readme
Fix util-linux buildrequires to include libcap-ng-devel
Patch libcdio to build with ncurses 6.3
Patch numatop to fix format-security errors caused by ncurses-6.3 upgrade
Patch openssl to fix CVE-2022-2068
Patch powertop to fix build errors caused by ncurses 6.3 upgrade.
Remove auditd requirement on base package from libs subpackage
Remove nspr, nss-libs from base container image
Toolchain: Add ability to partially rehydrate from upstream repos
Toolchain: Remove openssl-debuginfo from the worker chroot
Toolchain: Update Depsolver to print all unsolvable nodes blocking subgraph
Update baseurl in mariner-nvidia repo manifest to match the PMC nvidia repo url
Update rpm macros to use other macros
Upgrade clamav to 0.105.0
Upgrade curl to fix CVE-2022-27779, CVE-2022-27780, CVE-2022-27781, CVE-2022-30115, CVE-2022-27782, CVE-2022-27778
Upgrade dpkg to version 1.20.10 to address CVE-2022-1664
Upgrade ipstate to version 2.2.7 to fix build errors caused by ncurses 6.3 upgrade.
Upgrade iptraf-ng to resolve -Werror=format-security compilation failures caused by ncurses 6.3 upgrade
Upgrade kernel to v5.15.48.1
Upgrade libinput to version 1.21.0 for CVE-2022-1215
Upgrade moby-containerd to version 1.6.6 to fix CVE-2022-31030
Upgrade mtr to version 0.95 to fix build errors caused by ncurses 6.3 upgrade.
Upgrade mysql to version 8.0.29 to fix 17 CVEs
Upgrade python3 to 3.9.13
Upgrade uclibc-ng to 1.0.41 to fix CVE-2022-30295
2.0.20220617
Add custom package repo definitions in image configuration
Add distroless manifest format to toolkit documentation
Add emacs SPEC to Mariner
Add explicit check/run-time dependencies on mariner-release in node-problem-detector to fix test
Add iana-etc as runtime dep for fping
Add missing e2fsprogs dep to cloud-init
Add missing signature for perl-Module-Install-Repository.
Add nopatch for 2022-1734
Add packer tool SPEC and remove packer symlink in cracklib-dicts conflicts with packer tool
Add Provides to prebuilt-ca-certificates for *-microsoft and *-mozilla.
Add pxe-boot support in Mariner installer
Add run-time dependencies for perl-Crypt-SSLeay.
Add usrsctp package
Add kpatch package.
Change selinux-policy to allow unconfined domains to manipulate their own fds.
Commonize toolchain rpm extract flows
Enabled LIVEPATCH option in the kernel config. (Note LivePatch not yet supported)
Fix (silence) kernel ptp_kvm failure error
Fix ARM64 buildah and edk2 blocked packages fix.
Fix clamav so freshclam works on first use and freshclam can store db download in /var/lib/clamav. Also create clamav user/group
Fix filesystem upgrade issue when upgrading filesystem in container
Fix hyperv-daemons/hypervkvpd.service service ordering
Fix ocaml-ctypes test by changing test dependencies to ounit2.
Fix openssl package test failure
Fix python-mutagen package test (dropped BR on pytest & pip install latest deps)
Fix signature of hypervkvpd.service
Fix util-linux source unpacking in raw toolchain
Fix zsh package install failure by fixing shebang lines in included scripts
Patch lua to fix CVE-2021-44647.
Patch openldap to fix CVE-2022-29155
Patch php to build with updated gd.
Patch qemu to fix CVE-2021-4206
Rely on makefile to place toolchain rpms
Remove bundled gems from ruby and added provides for default gems
Remove exclusivearch from cert-manager
Remove nspr package from toolchain.
Remove smack LSM support from kernel
Remove tarballs from the repository.
Require glibc-iconv for unixODBC
Update SymCrypt and SCOSSL SPEC files to latest
Upgrade bind to 9.16.29 to fix CVE-2021-25219.
Upgrade exiv2 to 0.27.5 to fix CVE-2019-13504 CVE-2019-17402 CVE-2019…
Upgrade gd to 2.3.3 to fix CVE-2021-38115 and CVE-2021-40812
Upgrade golang to 1.18.3 to address CVE-2022-24675 & CVE-2022-28327
Upgrade gonum to 0.11.0 to fix segfault in graph/iterator.(*mapIter).next
Upgrade hivex to 1.3.21 to fix CVE-2021-3504 and CVE-2021-3622
Upgrade kernel to 5.15.45.1; kernel-rt to 5.15.44.1
Upgrade krb5 to version 1.19.3 to address CVE-2021-37750
Upgrade libarchive to 3.6.1 to address CVE-2022-26280
Upgrade libtiff to 4.4.0 to address CVE-2022-1622 & CVE-2022-1623
Upgrade logrotate to 3.20.1 to address CVE-2022-1348
Upgrade moby-runc to 1.1.2 to fix CVE-2022-29162
Upgrade ncurses to 6.3 to fix CVE-2022-29458
Upgrade ntfs-3g to 2022.5.17 to fix CVE-2021-46790
Upgrade Opensc to 0.22.0 to fix CVE-2020-26570, CVE-2020-26571, CVE-2020-26572, CVE-2021-42778, CVE-2021-42779, CVE-2021-42780, CVE-2021-42781, CVE-2021-42782
Upgrade prometheus to 2.36.0 to fix CVE-2021-29622.
Upgrade python-jwt to version 2.4.0 to fix CVE-2022-29217.
Upgrade Python-twisted to version 22.4.0 to fix CVE-2022-24801
Upgrade redis to 6.2.7 to address CVE-2022-24736
Upgrade rsync to 3.2.4
Upgrade subversion to 1.14.2 to fix CVE-2021-28544.
Upgrade telegraf to 1.23.0
Upgrade terraform version to 1.2.2
Upgrade usbredir to version 0.12.0 to fix CVE-2021-3700.
Upgrade util-linux to 2.37.4 to fix CVE-2022-0563.
Upgrade vim to 8.2.5064 for CVE-2022-1619, CVE-2022-1621, CVE-2022-1629, CVE-2022-1616, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796, CVE-2022-1851, CVE-2022-1886, CVE-2022-1898
Upgrade wireshark 3.4.14 to fix CVE-2021-4181 CVE-2021-4182 CVE-2021-4184 CVE-2021-4185 CVE-2021-4186 CVE-2021-4190 CVE-2021-22207 CVE-2021-22222 CVE-2021-22235 CVE-2021-39920 CVE-2021-39921 CVE-2021-39922 CVE-2021-39923 CVE-2021-39924 CVE-2021-39925 CVE-2021-39926 CVE-2021-39928 CVE-2021-39929 CVE-2022-0581 CVE-2022-0582 CVE-2022-0583 CVE-2022-0585 CVE-2022-0586
1.0.20220608
Toolkit now requires golang 1.17 to build
td-agent: Bump ruby version requirement
prebuilt-ca-certificates: adding Provides for *-microsoft and *-mozilla.
selinux-policy: (backport) additional container/kubernetes patches + fixes from baremetal testing.
dnf-plugins-core: Add patch to fix wrong boot time
Disable kernel config CONFIG_SECURITY_SMACK
Patch libxslt to fix CVE-2021-30560
Patch pcre2 to fix CVE-2022-1586, CVE-2022-1587
Patch rsyslog to fix CVE-2022-24903
Upgrade clamav to 0.103.6 to fix CVE-2022-20770, CVE-2022-20771, CVE-2022-20785, CVE-2022-20792, CVE-2022-20796
Upgrade golang to 1.18.3
Upgrade kernel to version 5.10.117.1-2 to fix CVE-2022-1734, CVE-2022-28893, CVE-2022-29581
Upgrade mariadb to 10.3.35 to fix CVE-2021-46669 CVE-2022-21427 CVE-2022-27376 CVE-2022-27377 CVE-2022-27378 CVE-2022-27379 CVE-2022-27380 CVE-2022-27381 CVE-2022-27383 CVE-2022-27384 CVE-2022-27385 CVE-2022-27386 CVE-2022-27387 CVE-2022-27445 CVE-2022-27447 CVE-2022-27448 CVE-2022-27449 CVE-2022-27456 CVE-2022-27458 CVE-2022-31621 CVE-2022-31622 CVE-2022-31623 CVE-2022-31624
Upgrade moby-containerd to 1.6.6+azure to fix CVE-2022-31030
Upgrade python-twisted to version Patch CVE-2022-24801
Upgrade ruby to 2.6.10 to fix CVE-2022-28739
Upgrade vim to version 8.2.5064 to fix CVE-2022-1616 CVE-2022-1619 CVE-2022-1620 CVE-2022-1621 CVE-2022-1629 CVE-2022-1674 CVE-2022-1733 CVE-2022-1735 CVE-2022-1769 CVE-2022-1771 CVE-2022-1785 CVE-2022-1796 CVE-2022-1851 CVE-2022-1886 CVE-2022-1898