kinvolk/manifest v2697.0.0

on GitHub

Security fixes:

• Linux - (CVE-2020-27673, CVE-2020-27675)
• Go - (CVE-2020-28362, CVE-2020-28367, CVE-2020-28366)
• glib (CVE-2019-12450)
• open-iscsi (CVE-2017-17840)
• samba (CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, CVE-2019-3880, CVE-2019-10218)
• shadow (CVE-2019-19882)
• sssd (CVE-2018-16883, CVE-2019-3811, CVE-2018-16838)
• trousers (CVE-2020-24330, CVE-2020-24331)
• cifs-utils (CVE-2020-14342)
• ntp (CVE-2020-11868, CVE-2020-13817, CVE-2018-8956, CVE-2020-15025)
• bzip2 (CVE-2019-12900)

Bug fixes:

• network: Restore KeepConfiguration=dhcp-on-stop (kinvolk/init#30)
• Make the automatic filesystem resizing more robust against a race and add more logging (kinvolk/init#31)
• Default again to waiting only for one network interface to be ready with systemd-networkd-wait-online which was missing in the initial systemd 246 update
• Default again to disabling IP Forwarding in systemd which was missing in the initial systemd 246 update
• Make systemd detect updates again when the /usr partition changes which was missing in the initial systemd 246 update
• Default again to set DefaultTasksMax=100% in systemd which was missing in the initial systemd 246 update
• Default again to disable SELinux permissions checks in systemd which was missing in the initial systemd 246 update

Changes:

• The zstd tools were added (version 1.4.4)
• The kernel config CONFIG_PSI was set to support Pressure Stall Information, more information also under https://facebookmicrosites.github.io/psi/docs/overview (Flatcar#162)
• The kernel config CONFIG_BPF_JIT_ALWAYS_ON was set to use the BPF just-in-time compiler by default for faster execution
• The kernel config CONFIG_DEBUG_INFO_BTF was set to support BTF metadata (BPF Type Format), one important piece for portability of BPF programs (CO-RE: Compile Once - Run Everywhere) through relocation
• The kernel config CONFIG_POWER_SUPPLY was set
• The kernel configs CONFIG_OVERLAY_FS_METACOPY and CONFIG_OVERLAY_FS_REDIRECT_DIR were set. With the first overlayfs will only copy up metadata when a metadata-specific operation like chown/chmod is performed. The full file will be copied up later when the file is opened for write operations. With the second, which is equivalent to setting "redirect_dir=on" in the kernel command-line, overlayfs will copy up the directory first before the actual content (Flatcar#170).

Updates:

• Linux (5.9.8)
• Linux firmware (20200918)
• systemd (246.6)
• bzip2 (1.0.8)
• cifs-utils (6.11)
• dbus-glib (0.110)
• elfutils (0.178)
• glib (2.64.5)
• ntp (4.2.8_p15)
• open-iscsi (2.1.2)
• samba (4.11.13)
• shadow (4.8)
• sssd (2.3.1)
• strace (5.9)
• talloc (2.3.1)
• tdb (1.4.3)
• tevent (0.10.2)
• SDK/developer container: GCC (9.3.0), binutils (2.35), gdb (9.2)
• SDK: Go (1.15.5)
• VMware: open-vm-tools (11.2.0)