Security fixes:
- containerd (CVE-2020-15257)
- glibc (CVE-2019-9169, CVE-2019-6488, CVE-2019-7309, CVE-2020-10029, CVE-2020-1751, CVE-2020-6096, CVE-2018-20796)
- Linux (CVE-2020-28941, CVE-2020-4788, CVE-2020-25669, CVE-2020-14351)
- glib (CVE-2019-12450)
- open-iscsi (CVE-2017-17840)
- samba (CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, CVE-2019-3880, CVE-2019-10218)
- shadow (CVE-2019-19882)
- sssd (CVE-2018-16883, CVE-2019-3811, CVE-2018-16838)
- trousers (CVE-2020-24330, CVE-2020-24331)
- cifs-utils (CVE-2020-14342)
- ntp (CVE-2020-11868, CVE-2020-13817, CVE-2018-8956, CVE-2020-15025)
- bzip2 (CVE-2019-12900)
- c-ares (CVE-2017-1000381)
- file (CVE-2019-18218)
- json-c (CVE-2020-12762)
- jq (CVE-2015-8863, CVE-2016-4074)
- libuv (CVE-2020-8252)
- libxml2 (CVE-2019-20388, CVE-2020-7595)
- re2c (CVE-2020-11958)
- tar (CVE-2019-9923)
- sqlite (CVE-2020-11656, CVE-2020-9327, CVE-2020-11655, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358)
- tcpdump and pcap (CVE-2018-10103, CVE-2018-10105, CVE-2019-15163, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166, CVE-2018-14879, CVE-2017-16808, CVE-2018-19519, CVE-2019-15161, CVE-2019-15165, CVE-2019-15164, CVE-2019-1010220)
- libbsd (CVE-2019-20367)
- rsync and zlib (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)
Bug fixes:
- Added systemd-tmpfiles directives for /opt and /opt/bin to ensure that the directories have correct permissions even when /opt was originally created by containerd (Flatcar#279)
- Make the automatic filesystem resizing more robust against a race and add more logging (kinvolk/init#31)
- Allow inactive network interfaces to be bound to a bonding interface, by encoding additional configuration for systemd-networkd-wait-online (afterburn PR #10)
- Do not configure ccache in Jenkins (scripts PR #100)
- Azure: Exclude bonded SR-IOV network interfaces with newer drivers from networkd (in addition to those with the old drivers) to prevent them from being configured instead of just the bond interface (init PR#29, bootengine PR#19)
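The /opt permission fix above is the kind of thing worth verifying on a running node. The following check is an added example, not Flatcar's own code or its actual tmpfiles directives; it assumes the intended state is "directory exists, owned by root, not group- or world-writable" (the notes do not spell out the exact mode), and it relies on GNU `stat` as found in coreutils. The function names `check_dir_perms` and `check_opt_dirs` are this example's own.

```sh
#!/bin/sh
# Added example (not Flatcar's own code): verify that a directory exists,
# is owned by the expected user and is not group- or world-writable, which is
# the property the systemd-tmpfiles directives for /opt and /opt/bin are
# assumed to enforce. Requires GNU stat (coreutils).

# check_dir_perms DIR [OWNER]
# Returns 0 when DIR is a directory owned by OWNER (default: root) with no
# group/other write bits; prints the reason and returns 1 otherwise.
check_dir_perms() {
    dir=$1
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory"
        return 1
    fi

    actual_owner=$(stat -c '%U' "$dir")
    if [ "$actual_owner" != "$owner" ]; then
        echo "$dir: owned by $actual_owner, expected $owner"
        return 1
    fi

    # %a prints the mode in octal (e.g. 755 or 1777); the leading 0 makes the
    # shell treat it as octal. 022 selects the group and other write bits.
    mode=$(stat -c '%a' "$dir")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is group- or world-writable"
        return 1
    fi

    return 0
}

# check_opt_dirs: check the directories the tmpfiles directives cover
# (assumed owner root); returns 1 if any of them fails.
check_opt_dirs() {
    status=0
    for d in /opt /opt/bin; do
        check_dir_perms "$d" || status=1
    done
    return $status
}

# Run against the live system with: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_opt_dirs
fi
```

Run with `--run` on a node to get one line per problem and a non-zero exit status; a world-writable /opt/bin is the case the tmpfiles directives guard against, since anything in that directory ends up on the default PATH of system services.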
Changes:
- Update-engine now detects rollbacks and reports them as errors to the update server (PR#6)
- The zstd tools were added (version 1.4.4)
- The kernel config CONFIG_PSI was set to support Pressure Stall Information; see https://facebookmicrosites.github.io/psi/docs/overview for more information (Flatcar#162)
- The kernel config CONFIG_BPF_JIT_ALWAYS_ON was set to use the BPF just-in-time compiler by default for faster execution
- The kernel config CONFIG_POWER_SUPPLY was set
- The kernel configs CONFIG_OVERLAY_FS_METACOPY and CONFIG_OVERLAY_FS_REDIRECT_DIR were set. With the first, overlayfs copies up only metadata when a metadata-specific operation such as chown/chmod is performed; the full file is copied up later, when it is opened for writing. With the second, which is equivalent to setting "redirect_dir=on" on the kernel command line, overlayfs copies up a directory first, before its actual content (Flatcar#170).
- Remove unnecessary kernel module nf-conntrack-ipv4 (overlay PR#649)
- Compress kernel modules with xz (overlay PR#628)
- Add containerd-runc-shim-v* binaries required by kubelet custom CRI endpoints (overlay PR#623)
- Equinix Metal (Packet): Exclude unused network interfaces from networkd; disregard the state of the bonded interfaces for network-online.target and require only that the bond interface itself has at least one active link, instead of being routable, which requires both links to be active (afterburn PR#10)
- QEMU: Use flatcar.autologin kernel command line parameter for auto login on the console (Flatcar #71)
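The kernel options listed above (CONFIG_PSI, CONFIG_BPF_JIT_ALWAYS_ON, CONFIG_POWER_SUPPLY, CONFIG_OVERLAY_FS_METACOPY, CONFIG_OVERLAY_FS_REDIRECT_DIR) can be confirmed against the running kernel's build configuration. The script below is an added example, not Flatcar's own tooling; it assumes the config is exposed at /proc/config.gz (which needs CONFIG_IKCONFIG_PROC) or at /boot/config-<release>, and it accepts any config file path so the parser can be exercised offline. The function names (`kconfig_value`, `kconfig_is_set`, `check_release_options`, `running_kconfig`) are this example's own.

```sh
#!/bin/sh
# Added example (not Flatcar's own code): parse a kernel .config and confirm
# that the options this release enables are built in ("y").

# kconfig_value CONFIG_NAME FILE
# Prints the option's value ("y", "m", a number or a quoted string), prints
# "n" for an option recorded as "# CONFIG_NAME is not set", and fails when
# the option does not appear in the file at all.
kconfig_value() {
    name=$1
    file=$2
    # /proc/config.gz is gzip-compressed; plain files are read as-is.
    case "$file" in
        *.gz) reader="zcat" ;;
        *)    reader="cat" ;;
    esac
    val=$("$reader" "$file" | awk -v n="$name" '
        $0 == "# " n " is not set" { print "n"; found = 1; exit }
        index($0, n "=") == 1      { print substr($0, length(n) + 2); found = 1; exit }
        END { if (!found) exit 1 }')
    [ -n "$val" ] && printf '%s\n' "$val"
}

# kconfig_is_set CONFIG_NAME FILE: succeeds only when the option is "y".
kconfig_is_set() {
    [ "$(kconfig_value "$1" "$2")" = "y" ]
}

# The options the release notes say were set.
RELEASE_OPTIONS="CONFIG_PSI CONFIG_BPF_JIT_ALWAYS_ON CONFIG_POWER_SUPPLY CONFIG_OVERLAY_FS_METACOPY CONFIG_OVERLAY_FS_REDIRECT_DIR"

# check_release_options FILE: print one line per option; return 1 if any
# option is missing, unset or built as a module instead of built in.
check_release_options() {
    file=$1
    status=0
    for opt in $RELEASE_OPTIONS; do
        val=$(kconfig_value "$opt" "$file" 2>/dev/null) || val="absent"
        if [ "$val" = "y" ]; then
            echo "ok      $opt"
        else
            echo "MISSING $opt (=$val)"
            status=1
        fi
    done
    return $status
}

# running_kconfig: print the path of the running kernel's config, or fail.
# Assumed locations: /proc/config.gz, then /boot/config-$(uname -r).
running_kconfig() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Run against the live kernel with: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    cfg=$(running_kconfig) || { echo "no kernel config found"; exit 1; }
    check_release_options "$cfg"
fi
```

Pass a saved config file instead of `--run` to audit an image offline. The BPF JIT option also has a runtime signature: with CONFIG_BPF_JIT_ALWAYS_ON the sysctl net.core.bpf_jit_enable reads 1 and cannot be switched back to 0, so a node where that write succeeds was not built with this option.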
Updates:
- Linux (5.4.81)
- Linux firmware (20200918)
- systemd (246.6)
- glibc (2.32)
- Docker (19.03.14)
- containerd (1.4.3)
- tini (0.18)
- libseccomp (2.5.0)
- audit (2.8.5)
- bzip2 (1.0.8)
- c-ares (1.61.1)
- cryptsetup (2.3.2)
- cifs-utils (6.11)
- dbus-glib (0.110)
- dracut (050)
- elfutils (0.178)
- glib (2.64.5)
- json-c (0.15)
- jq (1.6)
- libuv (1.39.0)
- libxml2 (2.9.10)
- ntp (4.2.8_p15)
- open-iscsi (2.1.2)
- samba (4.11.13)
- shadow (4.8)
- sssd (2.3.1)
- strace (5.9)
- talloc (2.3.1)
- tar (1.32)
- tdb (1.4.3)
- tevent (0.10.2)
- SDK/developer container: GCC (9.3.0), binutils (2.35), gdb (9.2)
- Go (1.15.5, 1.12.17) (only in SDK)
- Rust (1.46.0) (only in SDK)
- file (5.39) (only in SDK)
- gdbus-codegen (2.64.5) (only in SDK)
- meson (0.55.3) (only in SDK)
- re2c (2.0.3) (only in SDK)
- VMware: open-vm-tools (11.2.0)