Security fixes
- Linux (CVE-2021-37576)
- expat (CVE-2013-0340)
Bug fixes
- Set the cilium_vxlan interface to be not managed by networkd's default setup with DHCP as it's managed by Cilium. (init#43)
- Disabled SELinux by default in the dockerd wrapper script (coreos-overlay#1149)
- Fixed the network-cleanup service race in the initramfs which resulted in a failure being reported
- GCE: Granted CAP_NET_ADMIN to set routes for the TCP LB when starting oem-gce.service (coreos-overlay#1146)
Changes
- Switched the arm64 kernel to use a 4k page size instead of 64k
- Switched dm-verity corruption detection to issue a kernel panic instead of merely failing the syscalls that try to use the corrupted data (a panic results in a reboot after 1 minute, as was already the case before)
- Added support for BTRFS on the OEM and /usr partitions, but only use it for the OEM partition for now. Ignition configurations that refer to the OEM partition will work with any filesystem format specified; a mismatch does not result in a boot error. (coreos-overlay#1106)
- Enabled zstd compression for the initramfs and, on amd64, also for the kernel, because we hit the vmlinuz size limit on the /boot partition
- Deleted the unused kernel+initramfs vmlinuz file from the /usr partition
- devcontainer: added support to run on arm64 by switching to an architecture-agnostic partition UUID
- Enabled ARM64 SDK bootstrap (scripts#134)
Updates
- Linux (5.10.55)
- Linux Firmware (20210716)
- expat (2.4.1)
- libarchive (3.5.1)
- xz-utils (5.2.5)
- cryptsetup (2.3.6)
Note: ARM images remain experimental for now.