kinvolk/manifest v2905.2.0

on GitHub

Changes since Beta 2905.1.0

Security Fixes

• containerd (CVE-2021-32760)
• curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
• linux (CVE-2020-26541, CVE-2021-35039, CVE-2021-22543, CVE-2021-3609, CVE-2021-3655, CVE-2021-33909)

Updates

• Linux (5.10.52)
• curl (7.78)
• containerd (1.5.4)

Changes since Stable 2765.2.6

Security Fixes:

• Linux (CVE-2020-26541, CVE-2021-35039, CVE-2021-22543, CVE-2021-3609, CVE-2021-3655, CVE-2021-33909, CVE-2021-34693, CVE-2021-33624)
• containerd (CVE-2021-32760)
• curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
• boost (CVE-2012-2677)
• Docker (CVE-2021-21285, CVE-2021-21284)
• c-ares (CVE-2020-8277)
• coreutils (CVE-2017-7476)
• dbus (CVE-2020-35512)
• dnsmasq (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)
• git (CVE-2021-21300)
• glib (CVE-2021-28153, CVE-2021-27218, CVE-2021-27219)
• gnutls (CVE-2021-20231, CVE-2021-20232)
• intel-microcode (CVE-2020-8696, CVE-2020-8698)
• libxml2 (CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3541)
• ncurses (CVE-2019-17594, CVE-2019-17595)
• openldap (CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230)
• samba (CVE-2020-14318, CVE-2020-14323, CVE-2020-14383)
• sqlite (CVE-2021-20227)
• binutils (CVE-2021-20197,CVE-2021-3487)

Bug Fixes:

• passwd: use correct GID for tss (baselayout#15)
• flatcar-eks: add missing mkdir and update to latest versions (coreos-overlay#817)
• gmerge: Stop installing gmerge script (coreos-overlay#828)
• Add explicit path to the binary call in the coreos-metadata unit file (Issue #360)
• Fix the patch to update DefaultTasksMax in systemd (coreos-overlay#971)

Changes

• Docker: disabled SELinux support in the Docker daemon
• The pam_faillock PAM module was enabled as replacement for the removed pam_tally2 module and will temporarily lock an account if there were login attempts with a wrong password. The faillock command can be used to show the current state. With pam_tally2 there was no limit for wrong password login attempts but with faillock the default is already restricting the attempts. The default behavior was relaxed to allow 5 wrong passwords per two minutes, and a one minute account lock time. This does not apply to logins with an SSH key. (baselayout#17)
• The etcd and flannel services are now run with Docker and any rkt-based customizations of the etcd-member and flanneld services not supported anymore. Also, because the flanneld service relies on Docker and will restart Docker after applying the new configuration, it is not possible anymore to set Requires=flanneld.service for docker.service and instead it’s enough to have flanneld.service enabled. (coreos-overlay#857)
• toolbox: replace rkt with docker (coreos-overlay#881)
• flatcar-install: add parameters to make wget more resilient (init#35)
• flatcar-install: Add -D flag to only download the image file (Flatcar#248)
• flatcar-install: Detect device mapper (e.g., LVM/LUKS) usage when searching for free drives with the -s flag (Flatcar#332)
• motd: Add OEM information to motd output (init#34)
• open-iscsi: Command substitution in iscsi-init system service (coreos-overlay#801)
• sshd: use secure crypto algos only (kinvolk/coreos-overlay#852)
• kernel: enable kernel config CONFIG_BPF_LSM (kinvolk/coreos-overlay#846)
• bootengine: set hostname for EC2 and OpenStack from metadata (kinvolk/coreos-overlay#848)
• Make the hostname setting units optional. Having the hostname units as required by the initrd.target meant that if the unit failed the machine wouldn’t start, disrupting the whole boot. (bootengine#23)
• Enable using iSCSI netroot devices on Flatcar (bootengine#22)
• systemd-networkd: Do not manage loopback network interface (bootengine#24 init#40)
• containerd: Removed the containerd-stress binary (coreos-overlay#858)
• dhcpcd: Removed the dhcpcd binary from the image, systemd-networkd is the only DHCP client (coreos-overlay#858)
• samba: Update to EAPI=7, add new USE flags and remove deps on icu (kinvolk/coreos-overlay#864)
• GCE: The oem-gce.service was ported to use systemd-nspawn instead of rkt. A one-time action is required to fetch the new service file because the OEM partition is not updated: sudo curl -s -S -f -L -o /etc/systemd/system/oem-gce.service https://raw.githubusercontent.com/kinvolk/coreos-overlay/fe7b0047ef5b634ebe04c9627bbf1ce3008ee5fa/coreos-base/oem-gce/files/units/oem-gce.service && sudo systemctl daemon-reload && sudo systemctl restart oem-gce.service
• SDK: update portage and related packages to newer versions (coreos-overlay#840)
• SDK: Drop jobs parameter in flatcar-scripts (flatcar-scripts#121)
• SDK: delete Go 1.6 (coreos-overlay#827)
• Update sys-apps/coreutils and make sure they have split-usr disabled for generic images (coreos-overlay#829)
• systemd: Fix unit installation (coreos-overlay#810)

Updates

• Linux (5.10.52)
• Linux firmware (20210511)
• boost (1.75.0)
• docker (19.03.15)
• c-ares (1.17.1)
• curl (7.78)
• containerd (1.5.4)
• coreutils (8.32)
• cri-tools (1.19.0)
• dbus (1.10.32)
• dnsmasq (2.83)
• go (1.16.5)
• git (2.26.3)
• glib (2.66.8)
• gnutls (3.7.1)
• intel-microcode (20210216)
• libxml2 (2.9.12)
• multipath-tools (0.8.5)
• ncurses (6.2)
• open-iscsi (2.1.4)
• openldap (2.4.58)
• openssh (8.6_p1)
• runc (1.0.0_rc95)
• samba (4.12.9)
• sqlite (3.34.1)
• systemd (247.6)
• zstd (1.4.9)
• SDK: Rust (1.52.1)
• SDK: QEMU (5.2.0)
• SDK: cmake (3.18.5)
• SDK: binutils (2.36.1)

Deprecation

• docker-1.12, rkt and kubelet-wrapper are deprecated and removed from Stable, also from subsequent channels in the future. Please read the removal announcement to know more