Security fixes
- Linux (CVE-2021-27365, CVE-2021-27364, CVE-2021-27363, CVE-2021-28038, CVE-2021-28039, CVE-2021-28375, CVE-2021-28660, CVE-2021-27218, CVE-2021-27219)
- Go (CVE-2021-27918, CVE-2021-27919)
- boost (CVE-2012-2677)
- glib (CVE-2021-28153, CVE-2021-27218, CVE-2021-27219)
- ncurses (CVE-2019-17594, CVE-2019-17595)
- openssl (CVE-2021-3449, CVE-2021-3450)
- zstd (CVE-2021-24032)
Bug Fixes
- GCE: The old interface name ens4v1, which had been replaced by eth0 due to a broken udev rule, was restored, but now as an alternative interface name. eth0 stays the primary name for consistency across cloud environments. (init#38)
Changes
- The virtio network interfaces now carry their predictable interface names as alternative interface names. These names can be used to match a specific interface when there is more than one and the assignment of the eth0 and eth1 names is not stable. (init#38)
- The pam_faillock PAM module was enabled as a replacement for the removed pam_tally2 module. It temporarily locks an account after login attempts with a wrong password. The faillock command can be used to show the current state. With pam_tally2 there was no limit on wrong-password login attempts, whereas faillock already restricts attempts by default. The default behavior was relaxed to allow 5 wrong passwords per two minutes, with an account lock time of one minute. This does not apply to logins with an SSH key. (baselayout#17)
- The etcd and flannel services are now run with Docker, and any rkt-based customizations of the etcd-member and flanneld services are no longer supported. Also, because the flanneld service relies on Docker and restarts Docker after applying the new configuration, it is no longer possible to set Requires=flanneld.service for docker.service. Instead, it’s enough to have flanneld.service enabled. (coreos-overlay#857)
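
The lockout behavior described in the pam_faillock item above, as an added example that is not part of the original release notes: a simplified Python model of the stated policy (5 wrong passwords per two minutes, one minute lock, SSH key logins exempt), not pam_faillock's implementation or Flatcar's configuration. The constant names, the reset on successful login, and the handling of attempts made during a lock are assumptions of the model.

```python
# Simplified model of the lockout policy stated in the release note.
# Added illustration: not pam_faillock's implementation or Flatcar's configuration.
DENY = 5             # wrong passwords tolerated per window
FAIL_INTERVAL = 120  # counting window in seconds ("two minutes")
UNLOCK_TIME = 60     # lock duration in seconds ("one minute")


class Account:
    def __init__(self):
        self.failures = []  # timestamps (seconds) of recorded wrong passwords

    def locked(self, now):
        """True while the account refuses password logins."""
        if not self.failures:
            return False
        latest = self.failures[-1]
        recent = [t for t in self.failures if latest - t < FAIL_INTERVAL]
        return len(recent) >= DENY and now <= latest + UNLOCK_TIME

    def login(self, now, method, password_ok=False):
        if method == "ssh-key":
            return "ok"       # key logins are outside the password lock
        if self.locked(now):
            return "locked"   # assumption: attempts during a lock are not recorded
        if password_ok:
            self.failures.clear()  # assumption: a successful login resets the count
            return "ok"
        self.failures.append(now)
        return "denied"


def replay(events):
    """Run (time, method, password_ok) events against one fresh account."""
    account = Account()
    return [account.login(t, m, ok) for t, m, ok in events]


# Constructed sample timeline, times in seconds.
LOCKOUT = [(0, "password", False), (10, "password", False), (20, "password", False),
           (30, "password", False), (40, "password", False),
           (50, "password", True),   # correct password, but the account is locked
           (55, "ssh-key", True),    # key login still works
           (101, "password", True)]  # lock expired 60 s after the last failure

if __name__ == "__main__":
    for event, result in zip(LOCKOUT, replay(LOCKOUT)):
        print(event, "->", result)
```

The timeline shows the operational consequence of the new default: a locked account rejects even the correct password until the lock time has passed, while key-based logins are unaffected.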
Updates
- Linux (5.10.25)
- Linux firmware (20210315)
- Go (1.15.10)
- boost (1.75.0)
- glib (2.66.8)
- ncurses (6.2)
- openssl (1.1.1k)
- open-iscsi (2.1.4)
- zstd (1.4.9)
Note: ARM images remain experimental for now.