Releases: microsoft/azurelinux

1.0.20221119

24 Nov 21:02

What's Changed

Added prebuilt-ca-certificates and tzdata to the distroless minimal container.
Disabled running apparmor LSM at boot time.
Fixed python-twisted binaries conflicts.
Fixed package tests: python-execnet, python-six.
Mitigated CVE-2020-35505 by disabling qemu emulation for am53c974 devices.
Patched libtiff to fix CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626, and CVE-2022-3627.
Patched libtiff to fix CVE-2022-3970.
Patched sqlite to fix CVE-2022-35737.
Updated sudo to version 1.9.12p1 to fix CVE-2022-43995.
Updated sysstat to nopatch CVE-2022-39377.
Updated tzdata to version 2022f.
Upgraded bind to version 9.16.33.
Upgraded curl to version 7.86.0 to fix CVE-2022-42915.
Upgraded golang to 1.18.8 to fix CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2022-27664, CVE-2022-32190.
Upgraded httpd to version 2.4.54 to fix CVE-2022-28615 and CVE-2022-31813.
Upgraded kernel to version 5.10.153.1 to address: CVE-2022-3521, CVE-2022-3542, CVE-2022-3586, CVE-2022-3594, CVE-2022-41850, CVE-2022-43750.
Upgraded mysql to version 8.0.31 to fix 20 CVEs.
Upgraded python3-twisted to 22.10.0 to fix CVE-2022-39348.
Upgraded vim to version 9.0.0805 to fix CVE-2022-3705.

Full Changelog: 1.0.20221028-1.0...1.0.20221119-1.0

2.0.20221110

16 Nov 06:38
f86c6f3

Add package glog version 0.3.5
Add patch to fix CVE-2022-39379 in rubygem-fluentd
Fix conntrack-tools service default configuration to prevent startup failures
Fix typo in CVE-2018-1000097 patch filename in sharutils to ensure detection by CVE tooling
Fix printing built RPMs from spec files
Freezing pytest deps in python-into-dbus-python
Upgrade tzdata to version 2022f
Updated rust test deps to include glibc-static
Upgrade blobfuse2 to preview 4
Upgrade golang to 1.18.8 to fix CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2022-27664, CVE-2022-32190
Upgrade bazel to version 4.2.3 to fix CVE-2022-3474
Upgrade helm to version 3.9.4 to fix CVE-2022-36055, CVE-2022-36049
Upgrade vim to version 9.0.0805 to fix CVE-2022-3705
Upgrade Kernel to version 5.15.77.1
Upgrade curl to version 7.86.0
Upgrade httpd to version 2.4.54
Upgrade python-twisted to version 22.10.0
Remove libc dependency from toolkit (CGO_ENABLED=0)

2.0.20221029

03 Nov 16:55
38b5236

Add Instruction to filter gpg-pubkey from rpm cmd's output.
Add Microsoft GPG keys to installer env
Add cairomm package version 1.12.0
Add cpptest package version 1.1.2
Add dbus package provides for dbus-x11 & drop metapackage
Add github check-in action to warn about bumping package versions dependent on glibc-static
Add k-exec-tools to marketplace image
Add kernel-drivers-gpu package
Add krb5.conf to resolve pam_krb5 ptest failure
Add libcroco package version 0.6.13
Add libyang2 to mariner SPECs
Add logrotate conf entry for rsyslog to prevent logs growing too large
Add obsoletes between qemu-common, qemu-virtiofsd
Add python package python-google-auth-oauthlib and move its extended dependencies to the core
Add sgx-backwards-compatability package to marketplace images
Adding sriov-network-device-plugin spec file
Automatic upgrade of tzdata to 2022e
Bump toolkit/tools' cgmanifest.json's listing for ulikunitz/xz to v0.5.10 to match the go.mod version.
Clear libtar CVE-2021-33644 and CVE-2021-33646 (both fixed by earlier patch file)
Create missing systemd accounts
Enable modules for TCP Congestion Algorithms
Fix 4 Python ptests to use a set version of pytest.
Fix 4 rubygem-* packages to obsolete older versions of ruby.
Fix SPEC file import information from CentOS as MIT
Fix perl-CGI, python-pytest-benchmark, and python-requests tests.
Fix chroot cleanup scripts
Fix cloud-init mariner variant not set properly
Fix gpg key import in worker chroot
Fix manifest checks with RPM 4.18
Fix python crypt to work with FIPS
Fix rsyslog.logrotate signature
Fix subsequent Make iso calls from failing (handle space parsing)
Fix tooling to rebuild worker chroot rpm db only when necessary
Fix unbound CVE
Mitigated attended installation regression
Move wireless-regdb and iw to Mariner core repo to resolve failure to load regulatory.db
Patch aspell to fix CVE-2019-25051
Patch libtiff to fix CVE-2022-3570
Patch redis to fix CVE-2022-3647
Patched CVE-2022-34918 with livepatch-5.15.48.1-4.cm2.
Remove 'ming' from SPECS-EXTENDED
Remove autodetected Go modules in toolkit/tools/cgmanifest.json
Update documentation with 2.0 related information and misc. fixes
Update kernel-rt config to build with new glibc
Update maven.spec to use macro instead of hard-coded source URL.
Updated rpmops.sh: added a '/bin/sh' check.
Updated livepatch macros and template to preserve signatures.
Upgrade 'libtasn1' to 4.19.0 to fix CVE-2021-46848.
Upgrade PHP to version 8.1.11 and promote from SPECS-EXTENDED to SPECS
Upgrade nodejs to version 16.17.1 to fix CVE-2022-32213.
Upgrade cassandra version to 4.0.7
Upgrade dbus to version 1.15.2 to fix CVE-2022-42010, CVE-2022-42011, CVE-2022-42012
Upgrade expat to version 2.5.0 to fix CVE-2022-43680
Upgrade kernel to version 5.15.74.1 to fix CVE-2022-3541, CVE-2022-3544, CVE-2022-41674, CVE-2022-42719, CVE-2022-42703, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722
Upgrade mod_wsgi to version 4.9.3 to fix CVE-2022-2255
Upgrade mysql to version 8.0.31 to fix CVE-2022-21592, CVE-2022-21594, CVE-2022-21599, CVE-2022-21604, CVE-2022-21608, CVE-2022-21611, CVE-2022-21617, CVE-2022-21625, CVE-2022-21632, CVE-2022-21633, CVE-2022-21635, CVE-2022-21637, CVE-2022-21638, CVE-2022-21640, CVE-2022-21641, CVE-2022-39400, CVE-2022-39402, CVE-2022-39403, CVE-2022-39408, CVE-2022-39410
Upgrade terraform to version 1.32.2 to fix CVE-2021-36230
Upgrade tidy to 5.8.0
Upgrade wireshark to version 3.4.16 to fix CVE-2022-3190
Upgraded nginx to version 1.22.1 to fix CVE-2022-3638

1.0.20221028

02 Nov 23:44

Add logrotate conf entry for rsyslog to prevent logs growing too large
Add support to build Mariner 1.0 on Mariner 2.0 host
Clear CVE-2021-33644 and CVE-2021-33646 for libtar.
Clear CVE-2022-26354 from qemu (this version not impacted)
Fix manifest checks with RPM 4.18
Overwrite 99-dhcp-en.network for marketplace img
Patch libtasn1 to fix CVE-2021-46848
Patch libtiff to fix CVE-2022-3570
Patch redis to fix CVE-2022-3647.
Patch sos to fix CVE-2022-2806.
Remove autodetected Go modules in toolkit/tools/cgmanifest.json
Removed ARCHIVE_TOOL from toolkit for extraction because tar can figure out what to use on its own. Removal of this argument also allows decompression of archives created through simple packing of already compressed packages, greatly reducing archive creation time.
Update tzdata to 2022e
Upgrade Kernel to 5.10.149.1 to fix or clear CVE-2022-3541, CVE-2022-3543, CVE-2022-3544, CVE-2022-3595, CVE-2022-0171, CVE-2022-3303, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722, CVE-2022-41674, CVE-2022-42719, CVE-2022-42703
Upgrade expat to version 2.5.0 to fix CVE-2022-43680
Upgrade nginx to 1.22.1 to fix CVE-2022-41741, CVE-2022-41742, CVE-2022-3638
Upgrade openssh to 8.9p1 to fix CVE-2021-36368

2.0.20221026-2.0

27 Oct 18:32
1a94296

What's Changed

  • Fixed GPG key import during worker chroot creation.
  • Patched libtiff CVE-2022-3570.
  • Updated 4 rubygem-* packages to obsolete older versions of ruby.
  • Upgraded 'libtasn1' to 4.19.0 to fix CVE-2021-46848.
  • Upgraded nodejs to version 16.17.1 to fix CVE-2022-32213.

CBL-Mariner 2.0 October 2022 Release

17 Oct 23:39
2.0.20221014-2.0
2f2540f

Important update in glibc: all of the statically linked libraries have been moved to a separate glibc-static package. Every package depending on these static binaries must now include a BuildRequires: glibc-static line in its spec file.

Add automation for generating livepatch packages.
Add csi-driver-lvm.
Add git-lfs and move rubygem-ronn dependencies to SPECS
Add initial support for finalizeImage
Add large file support to unzip
Add option to build a package for a specific architecture
Add python-absl-py package to Mariner
Add python-astunparse package to Mariner
Add support for blobfuse2
Add UEFI support in Mariner partition parser

Fix kernel CVE-2022-3303
Fix moby-engine CVE-2022-24769
Fix python-jwt CVE-2022-39227

Update ca-certificates: September 2022 (2022-10-05) release of Microsoft trusted root CAs
Update csi-driver-lvm by splitting binaries to two packages.
Update dracut, systemd, systemtap: fix log file paths.
Update generate_source_tarball script(s) so they interface with auto-upgrade tool
Update iana-etc: move documents to own subpackage to reduce size of base package
Update kata: add patch to avoid memory hotplug timeout, fix systemd service
Update perl-XML-SAX tarball generation script so it can be used by auto-upgrade tool
Update rpm to ensure rpm-* ABI compatibility

Update systemd: gpt-auto fixes for backing device detection
Update tzdata to version 2022d.
Upgrade bpftrace version to 0.16.0
Upgrade cassandra to 4.0.6
Upgrade kernel to 5.15.70.1
Upgrade kernel-hci to 5.15.70.1 and other updates from main kernel package
Upgrade libbpf version to 1.0.1
Upgrade vim version 9.0.0614
Upgrade wayland to 1.21.0 to fix CVE-2021-3782

1.0.20221007

13 Oct 05:27

Add runtime requirement on iana-etc to fping
Patch gnutls to fix CVE-2021-4209
Patch libvirt to fix CVE-2021-3975
Patch libtiff to fix CVE-2022-2953
Patch mlocate test to adjust deep hierarchy ptest for Mariner
Patch python2 and python3 to fix CVE-2015-20107 (this removes mailcap functionality)
Patch python-mako to fix CVE-2022-40023.
Upgrade cryptsetup to version 2.3.7 to fix CVE-2021-4122
Upgrade Kernel to 5.10.145.1 to fix CVE-2022-1204, CVE-2022-1882, CVE-2022-1973, CVE-2022-2503, CVE-2022-2785, CVE-2022-2873, CVE-2022-2991, CVE-2022-33743, CVE-2022-33744, CVE-2022-36946, CVE-2022-39842
Upgrade mariadb to version 10.3.36 to fix CVE-2022-32091, CVE-2022-38791, CVE-2018-25032
Upgrade nghttp2 to version 1.50.0
Upgrade nodejs to version 14.20.1 to fix CVE-2022-32213, CVE-2022-32214, CVE-2022-32215
Upgrade postgresql to version 12.12 to fix CVE-2022-1552
Upgrade vim to version 9.0.0614 to fix multiple CVEs
Update ca-certificates to September 2022 (2022-10-05) release of Microsoft trusted root CAs

2.0.20221004 September monthly 2.0 release

05 Oct 23:22

New Core Packages

Add emacs-filesystem subpackage
Add k3s version 1.23.8
Add k3s version 1.25.0
Add kata-containers
Add kube-vip-cloud-provider
Add local-path-provisioner
Add mstflint
Add multus version v3.8

Migrations from Extended to Core

nss_nis
yp-tools
ypbind

New Extended packages

none

Package updates

binutils: fix CVE-2022-38533
cloud-hypervisor: update to v26.0
fribidi: upgrade to version 1.0.12
k3s: bump version v1.23.6 -> v1.24.3
kernel: update to 5.15.67.1
kernel: fix CVE-2021-4155, CVE-2022-2938
kubevirt: upgrade to version 0.55.1
lasso: bump version to 2.8.0 to fix ptest
libbpf: bump version to 1.0.0
libjpeg-turbo: update to 2.1.4 to fix CVE-2020-35538
libnvidia-container: update to v1.11.0
libtiff: Patch CVE-2022-2953
mariadb: update to v10.6.9 to fix CVE-2022-32091, CVE-2022-32081
msft-golang - upgrade to 1.19.1-1
ncurses: update to 6.3 [patch 20220612] to fix CVE-2022-29458
nvidia-container-runtime: update to v3.11.0
nvidia-container-toolkit: update to v1.11.0
openblas: upgrade to 0.3.21 to fix CVE-2021-4048
postgresql: upgrade to version 14.5
pyflakes: bump version to 2.5.0 to fix ptest
python3: update to 3.9.14 to fix CVE-2020-10735
python-mako: version update CVE-2022-40023
python-tornado: bump version to 6.2.0
rpm: Upgrade to 4.18.0-rc1 to resolve CVE-2021-3521, CVE-2021-35938 and CVE-2021-35939
rpm: ensure rpm subpackage ABI compatibility
rust: update to v1.62.1
rubygem-faraday: update to v.2.5.2
sos: update to 4.4
virglrenderer: patch CVE-2022-0175
xmlsec1: update to 1.2.34 to fix openscap build break

Other

audiofile: disable %check section to fix ptest pipeline break
ccache: add symlinks to ccache
clamav: Add preinstall/postuninstall requirement on shadow-utils
cppcheck: fix testrunner binary path to enable ptest
[fedramp]: Security changes to meet Azure security baseline
flac: bump version to 1.3.4 & run %check as non-root to fix ptest
grub2: add patch for resetting grub_errno
kata-containers: Generate initrd for guest on reload
kata-containers: Match Guest and Host cgroup setup and expose required devices from kata
kata-containers: set DEFSANDBOXCGROUPONLY to false
KeysInUse-OpenSSL: fix permission & simplify package install
kernel: Add 32bit time syscall support
kernel: Add SCSI logging facility
kernel: enable CONFIG_VFAT_FS
kernel: Enable kernel config CONFIG_NETFILTER_XT_TARGET_TRACE as a module
kernel: initial kernel config changes for criu
kernel: adjust crashkernel param based on available ram
libsemanage: Do not ignore /root.
livepatching: add package for livepatches management. make exclusive to x86_64.
mariadb - fix upgrade by adding shadow-utils pre/postun requirement
mock: add BR on python3-pip & drop un-needed deps to enable ptest
node-problem-detector: added arm64 support which is needed to support ARM64 AKS
perl-Config-IniFiles: add BR on perl(blib) to enable ptest
perl-Fedora-VSP: add BR on perl(Test::More) to fix ptest
perl-List-MoreUtils: add BR on perl-{(Math::Trig),(Test::More),(Tie::Array)} to enable ptest
perl-Module-Build: add BR on perl-{(ExtUtils::*),(CPAN::*)} to enable ptest
perl-Module-ScanDeps: add BR on perl-{(CPAN::*),(FindBin),(Test::More)} to enable ptest
perl-Net-SSLeay: add missing BRs & skip two failing tests
perl-NetAddr-IP: add BR on perl-{(Autoloader),(Test::More)} to enable ptest
perl-Try-Tiny: add BR on perl(Test::More) to fix ptest build
perl-Unicode-LineBreak: add BR on perl(FindBin) to fix ptest build
perl-YAML: add BR on perl(ExtUtils::MakeMaker) & cpan to enable ptest
perl-namespace-clean: add BR on perl-debugger to enable ptest
python-kdcproxy: add BR on python-pip and drop BR on pytest to enable ptest
python-ntlm-auth: add BR on pip & drop BR on pytest to enable ptest
python-suds: add BR on python3-pip & drop python3-pytest to enable ptest
reaper: fix install errors
rust: build as a stable release and disable unstable features
selinux-policy: Fix issue with preinst on systems that do not have selinux-policy. Various updates.
systemd: sysusers fsync patch
toolkit: Enable package repo generation and network config for non-kickstart like ISO installation
toolkit: added RPMs snapshots.
toolkit: Skip compression on rpm/srpm archives
toolkit: Fix networkconfig test case
toolkit: Added an additional chrony config with updated version
toolkit: Adding grubenv file by default.
xdelta: run %check section via a non-root user to fix ptest build

1.0.20220926

04 Oct 06:45

Patch rpm to fix CVE-2021-3521
Patch python-mako to fix CVE-2022-40023.
Upgrade expat to 2.4.9 to fix CVE-2022-40674
Upgrade kernel to version 5.10.144.1 to fix CVE-2022-3028, CVE-2022-39188, CVE-2022-39190, CVE-2022-3202, CVE-2022-41222, CVE-2021-33655, CVE-2022-1263, CVE-2022-1508, CVE-2022-1976, CVE-2022-2905, CVE-2022-2977, CVE-2022-3077, CVE-2022-3078, CVE-2022-3170, CVE-2022-40307, CVE-2022-40476
Upgrade libjpeg-turbo version to 2.1.4 to fix CVE-2020-35538, CVE-2022-0850, CVE-2022-1043, CVE-2022-1198, CVE-2022-1199, CVE-2022-1205, CVE-2022-2153
Upgrade powershell to version 7.2.6
Upgrade tzdata to version 2022d.
Upgrade vim to version 9.0.0404

CBL-Mariner 2.0 September 2022 Update 3

23 Sep 18:20
db6990c

New Core Packages

none

Migrations from Extended to Core

none

New Extended packages

none

Package updates

expat: fix CVE-2022-40674
mariner-release: update to 2.0.21

Other

None