Security fixes:
- Linux (CVE-2020-27673, CVE-2020-27675)
- Go (CVE-2020-28362, CVE-2020-28367, CVE-2020-28366)
- glib (CVE-2019-12450)
- open-iscsi (CVE-2017-17840)
- samba (CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, CVE-2019-3880, CVE-2019-10218)
- shadow (CVE-2019-19882)
- sssd (CVE-2018-16883, CVE-2019-3811, CVE-2018-16838)
- trousers (CVE-2020-24330, CVE-2020-24331)
- cifs-utils (CVE-2020-14342)
- ntp (CVE-2020-11868, CVE-2020-13817, CVE-2018-8956, CVE-2020-15025)
- bzip2 (CVE-2019-12900)
Bug fixes:
- network: Restore KeepConfiguration=dhcp-on-stop (kinvolk/init#30)
- Make the automatic filesystem resizing more robust against a race and add more logging (kinvolk/init#31)
- Default again to waiting for only one network interface to be ready with systemd-networkd-wait-online; this default was missing in the initial systemd 246 update
- Default again to disabling IP forwarding in systemd; this default was missing in the initial systemd 246 update
- Make systemd detect updates again when the /usr partition changes; this was missing in the initial systemd 246 update
- Default again to setting DefaultTasksMax=100% in systemd; this default was missing in the initial systemd 246 update
- Default again to disabling SELinux permission checks in systemd; this default was missing in the initial systemd 246 update
Changes:
- The zstd tools were added (version 1.4.4)
- The kernel config CONFIG_PSI was set to support Pressure Stall Information; see https://facebookmicrosites.github.io/psi/docs/overview for more information (Flatcar#162)
- The kernel config CONFIG_BPF_JIT_ALWAYS_ON was set so that the BPF just-in-time compiler is used by default for faster execution
- The kernel config CONFIG_DEBUG_INFO_BTF was set to support BTF metadata (BPF Type Format), an important piece for the portability of BPF programs (CO-RE: Compile Once - Run Everywhere) through relocation
- The kernel config CONFIG_POWER_SUPPLY was set
- The kernel configs CONFIG_OVERLAY_FS_METACOPY and CONFIG_OVERLAY_FS_REDIRECT_DIR were set. With the first, overlayfs copies up only the metadata when a metadata-specific operation such as chown/chmod is performed; the full file is copied up later, when it is opened for writing. With the second, which is equivalent to setting "redirect_dir=on" on the kernel command line, overlayfs copies up the directory first, before its actual content (Flatcar#170).
Updates:
- Linux (5.9.8)
- Linux firmware (20200918)
- systemd (246.6)
- bzip2 (1.0.8)
- cifs-utils (6.11)
- dbus-glib (0.110)
- elfutils (0.178)
- glib (2.64.5)
- ntp (4.2.8_p15)
- open-iscsi (2.1.2)
- samba (4.11.13)
- shadow (4.8)
- sssd (2.3.1)
- strace (5.9)
- talloc (2.3.1)
- tdb (1.4.3)
- tevent (0.10.2)
- SDK/developer container: GCC (9.3.0), binutils (2.35), gdb (9.2)
- SDK: Go (1.15.5)
- VMware: open-vm-tools (11.2.0)