kinvolk/manifest v2605.9.0

on GitHub

Security fixes:

• containerd (CVE-2020-15257)
• glibc (CVE-2019-9169, CVE-2019-6488, CVE-2019-7309, CVE-2020-10029, CVE-2020-1751, CVE-2020-6096, CVE-2018-20796)
• Linux (CVE-2020-28941, CVE-2020-4788, CVE-2020-25669, CVE-2020-14351)
• glib (CVE-2019-12450)
• open-iscsi (CVE-2017-17840)
• samba (CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, CVE-2019-3880, CVE-2019-10218)
• shadow (CVE-2019-19882)
• sssd (CVE-2018-16883, CVE-2019-3811, CVE-2018-16838)
• trousers (CVE-2020-24330, CVE-2020-24331)
• cifs-utils (CVE-2020-14342)
• ntp (CVE-2020-11868, CVE-2020-13817, CVE-2018-8956, CVE-2020-15025)
• bzip2 (CVE-2019-12900)
• c-ares (CVE-2017-1000381)
• file (CVE-2019-18218)
• json-c (CVE-2020-12762)
• jq (CVE-2015-8863, CVE-2016-4074)
• libuv (CVE-2020-8252)
• libxml2 (CVE-2019-20388, CVE-2020-7595)
• re2c (CVE-2020-11958)
• tar (CVE-2019-9923)
• sqlite (CVE-2020-11656, CVE-2020-9327, CVE-2020-11655, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358)
• tcpdump and pcap (CVE-2018-10103, CVE-2018-10105, CVE-2019-15163, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166, CVE-2018-14879, CVE-2017-16808, CVE-2018-19519, CVE-2019-15161, CVE-2019-15165, CVE-2019-15164, CVE-2019-1010220)
• libbsd (CVE-2019-20367)
• rsync and zlib (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)

Bug fixes

• Added systemd-tmpfiles directives for /opt and /opt/bin to ensure that the folders have correct permissions even when /opt/ was once created by containerd (Flatcar#279)
• Make the automatic filesystem resizing more robust against a race and add more logging (kinvolk/init#31)
• Allow inactive network interfaces to be bound to a bonding interface, by encoding additional configuration for systemd-networkd-wait-online (afterburn PR #10)
• Do not configure ccache in Jenkins (scripts PR #100)
• Azure: Exclude bonded SR-IOV network interfaces with newer drivers from networkd (in addition to the old drivers) to prevent them being configured instead of just the bond interface (init PR#29, bootengine PR#19)

Changes:

• Update-engine now detects rollbacks and reports them as errors to the update server (PR#6)
• The zstd tools were added (version 1.4.4)
• The kernel config CONFIG_PSI was set to support Pressure Stall Information, more information also under https://facebookmicrosites.github.io/psi/docs/overview (Flatcar#162)
• The kernel config CONFIG_BPF_JIT_ALWAYS_ON was set to use the BPF just-in-time compiler by default for faster execution
• The kernel config CONFIG_POWER_SUPPLY was set
• The kernel configs CONFIG_OVERLAY_FS_METACOPY and CONFIG_OVERLAY_FS_REDIRECT_DIR were set. With the first overlayfs will only copy up metadata when a metadata-specific operation like chown/chmod is performed. The full file will be copied up later when the file is opened for write operations. With the second, which is equivalent to setting "redirect_dir=on" in the kernel command-line, overlayfs will copy up the directory first before the actual content (Flatcar#170).
• Remove unnecessary kernel module nf-conntrack-ipv4 (overlay PR#649)
• Compress kernel modules with xz (overlay PR#628)
• Add containerd-runc-shim-v* binaries required by kubelet custom CRI endpoints (overlay PR#623)
• Equinix Metal (Packet): Exclude unused network interfaces from networkd, disregard the state of the bonded interfaces for the network-online.target and only require the bond interface itself to have at least one active link instead of routable which requires both links to be active (afterburn PR#10)
• QEMU: Use flatcar.autologin kernel command line parameter for auto login on the console (Flatcar #71)

Updates:

• Linux (5.4.81)
• Linux firmware (20200918)
• systemd (246.6)
• glibc (2.32)
• Docker (19.03.14)
• containerd (1.4.3)
• tini (0.18)
• libseccomp (2.5.0)
• audit (2.8.5)
• bzip2 (1.0.8)
• c-ares (1.61.1)
• cryptsetup (2.3.2)
• cifs-utils (6.11)
• dbus-glib (0.110)
• dracut (050)
• elfutils (0.178)
• glib (2.64.5)
• json-c (0.15)
• jq (1.6)
• libuv (1.39.0)
• libxml2 (2.9.10)
• ntp (4.2.8_p15)
• open-iscsi (2.1.2)
• samba (4.11.13)
• shadow (4.8)
• sssd (2.3.1)
• strace (5.9)
• talloc (2.3.1)
• tar (1.32)
• tdb (1.4.3)
• tevent (0.10.2)
• SDK/developer container: GCC (9.3.0), binutils (2.35), gdb (9.2)
• Go (1.15.5, 1.12.17) (only in SDK)
• Rust (1.46.0) (only in SDK)
• file (5.39) (only in SDK)
• gdbus-codegen (2.64.5) (only in SDK)
• meson (0.55.3) (only in SDK)
• re2c (2.0.3) (only in SDK)
• VMware: open-vm-tools (11.2.0)