Skip to content

Releases: microsoft/azurelinux

1.0 CBL-Mariner November 2021 Update

17 Dec 21:06
@jslobodzian jslobodzian
1.0.20211207-1.0
92b8ff5
Compare
Choose a tag to compare
1.0 CBL-Mariner November 2021 Update

Upgrade Kernel to 5.10.78.1 to fix Critical CVE.
Enable CONFIG_COMPAT kernel configs

Upgrade cppunit to 1.15.1
Upgrade dnf to 4.10
Upgrade harfbuzz to 2.6.4
Upgrade libdnf to 0.65.0
Upgrade libmodulemd to 2.13
Upgrade librepo to 1.14.2
Upgrade libsolv to 0.7.20
Upgrade ostree to 20201.4
Upgrade rpm-ostree to 2020.4
Upgrade Trusted Root Certs

Changed 'grpc' to build with our default C++
Patch for glibc pthread_cond_signal failed to wake up pthread_cond_wait
Disabled provides bundled(simclist) pcsc-lite-ccid to avoid build issue.
Removed checked-in binaries from bond.
Removed vendored grpc packages re2 and abseil. Fixed dependency and added abseil-cpp.
Remove (ba)sh dependency from icu, glibc and krb5
Fix missing runtime requires for ansible

Upgrade c-ares to 1.18.1 to fix CVE-2021-3672
Upgrade pgbouncer to 1.16.1 to fix CVE-2021-3935
Upgrade vim to 8.2.3668 to fix CVE-2021-3903, 3968, 3973, 3974
Upgrade mc to 4.8.27 to fix CVE-2021-36370
Upgrade nodejs to v14.18.1 to fix several CVEs and cryptography bugs
Upgrade mysql version to 8.0.27
Upgrade golang to 1.16.10 to fix CVE-2021-38297, CVE-2021-39293
Upgrade libgd to 2.3.3 to address CVEs CVE-2021-38115, CVE-2021-40145, CVE-2021-40812

Patched gmp to fix CVE-2021-43618.
Patched uclibc-ng to fix CVE-2021-43523.
Patched libgcrypt for CVE-2021-33560
Patched ncurses for CVE-2021-39537
Patched strongswan for CVE-2021-41990, CVE-2021-41991
Patched babel for CVE-2021-42771
Patched qemu-kvm CVE-2020-35506, CVE-2021-3545

Assets 2
Loading

1.0 CBL-Mariner October 2021 Update

03 Nov 18:38
@jslobodzian jslobodzian
1.0.20211027-1.0
a87a3ac
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
1.0 CBL-Mariner October 2021 Update
  • Upgrade kernel to 5.10.74
  • Upgrade opensc to 1.3.2
  • Upgraded selinux-policy to 2.20210203
  • Fix grpc-devel file conflict
  • shadow-utils: Update SELinux and loginuid session entries.
  • Add specfile for DataStax Cassandra CPP driver
  • Add dwarves package
  • Fix openscap buildrequires issue for dbus
  • Fix python-distro package test
  • Fix gd package test (gd builds without fontconfig support now)
  • Reduced core image size (Remove python-2 from images)
  • Fix issue where PAM did not bundle selinux related binaries
  • Patch libacvp to support additional openssl tests
  • Add libdivsufsort package
  • Add cloud-init-azure-kvp subpackage and include in Azure defaults
  • Fixed ISO bug where wala agent was automatically installed in error
  • Fix: libusb and perl-generators tests
  • Fix post-install script args in imageconfig being ignored
  • Fix partition search ordering for part init
  • Push nvidia-container library updates to 1.0
  • Updating libnvidia-container version, nvidia-modprobe + signatures
  • Upgrade openssh to 8.8p1 to fix CVE-2021-41617, CVE-2016-20012
  • Upgrade cloud-init to 21.3 to fix CVE-2018-10896
  • Upgrade httpd to 2.4.51 to fix CVE-2021-41773, CVE-2021-41524
  • ca-certificates: removing Mozilla CAs in favour of Microsoft ones
  • Upgrade wget to 1.21.1 to fix CVE-2021-31879
  • Upgrade krb5 to 1.18.4 to fix CVE-2019-14844, CVE-2020-28196, CVE-2021-36222, CVE CVE-2021-37750,
  • Fix CVE for ansible CVE-2021-3583, CVE-2021-20228
  • Upgrade redis to fix CVE-2021-32761, CVE-2021-32672, CVE-2021-32626,CVE-2021-32627, CVE-2021-32628, CVE-2021-32675, CVE-2021-32687, CVE-2021-32762, CVE-2021-41099
  • Fix moby-engine CVE-2021-41089, CVE-2021-41091
  • Fix moby-containerd CVE-2021-41103
  • Fix atftp CVE-2021-41054
  • Fix vim CVE-2021-3778, CVE-2021-3796
Assets 2
Loading

1.0 CBL-Mariner September 2021 Update

05 Oct 03:32
@jslobodzian jslobodzian
1.0.20210928-1.0
beea501
Compare
Choose a tag to compare
1.0 CBL-Mariner September 2021 Update

General Changes:

  • Kernel: Update to 5.10.64.1
  • Kernel: Enable CONFIG_NET_VRF
  • Kernel: Add bpftool
  • Upgrade tzdata for 2021b
  • Add bazel 2.2.0
  • Add opensc 0.22.0
  • Add graphviz 2.42.4
  • Add glide 0.13
  • Add pwgen 2.08
  • Add helm: 3.4.1
  • Add lld 8.0.1
  • Add packer support for network transfer mechanism to ISO.
  • Remove omi.
  • Retired coredns 1.6.7, etcd 3.4.3
  • Enable systemd plug-in in fluent-bit to support journal reader
  • Enable omuxsock in rsyslog and add customized syslog-ng conf
  • Toolchain builds now use toolchain-sha256sums
  • Fix rsyslog.d and product_uuid permissions
  • Add ELF Header Tagging. Rudimentary information included in newly produced binaries. ELF header notes are added via LDFlags.

CVE Fixes:

-Golang dependency updates:

  • Bump ithub.com/klauspost/pgzip from 1.2.3 to 1.2.5 in /toolkit/tools
  • Bump github.com/bendahl/uinput from 1.4.0 to 1.4.1 in /toolkit/tools
Assets 2
Loading

1.0 CBL-Mariner August 2021 Update

09 Sep 19:13
@jslobodzian jslobodzian
1.0.20210901-1.0
6617e9d
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
1.0 CBL-Mariner August 2021 Update

  • Update kernel to 5.10.60.1 to fix CVE's

  • ISO now published for public download. Added download instructions for ISO

  • Enable support for TLS 1 and TLS 1.1 in OpenSSL.

  • Update 'openvswitch' to version 2.15.1.

  • Use sha256sum for toolchain sources

  • Add etcd-tools

  • Add cockpit

  • Add aide

  • Add tini package

  • Add ca-certificates file and folder links to increase compatibility

  • Add fipscheck package

  • Add Automatic package update and Dnf-Automatic

  • Remove brp-strip-debug-symbols and brp-strip-unneeded

  • Removed ca-legacy script and its artifacts from ca-certificates.

  • Remove Dotnet and aspnetcore SPEC files from CBL-Mariner Repository. These packages are now built by the dotnet team and the binaries have been available in the new Microsoft Repo on Packages.Microsoft.Com since July 12, 2021.

  • Fix user ssh directory permissions when public keys empty

  • Update nodejs to fix CVEs

  • Fix broken openssl man page symlinks

  • Fix broken mysql package tests from previous months mysql upgrade.

  • Fix test for perl-CPAN-Meta-Check

  • Fix display update issues in ManualPartitionWidget

  • Add patch to fix VDSO in HyperV

  • Fix qt5-qtbase version number test issue

  • Move to golang 1.16.7 and bump dependencies for security findings.

  • Bump github.com/sirupsen/logrus from 1.6.0 to 1.8.1

  • Bump github.com/gdamore/tcell from 1.3.0 to 1.4.0

  • Bump gonum.org/v1/gonum from 0.6.2 to 0.9.3

  • Bump github.com/stretchr/testify from 1.4.0 to 1.7.0

  • Bump github.com/muesli/crunchy from 0.3.0 to 0.4.0

  • Bump github.com/ulikunitz/xz from 0.5.8 to 0.5.10

  • Bump github.com/ulikunitz/xz from 0.5.7 to 0.5.8

  • Update swig to 4.0.2

  • Fix Httpd: CVE-2021-33193

  • Patch OpenSSL CVE-2021-3711 and CVE-2021-3712

  • Fix ctags CVE-2014-7204

  • Fix zstd CVE-2021-24031

  • Fix nettle CVE-2021-3580

  • Fix tpm2-tss CVE-2020-24455

  • Fix qemu-kvm CVE-2021-3682

  • Fix ruby CVE-2021-32066

  • Fix util-linux CVE 2021-37600

  • Update python-psutil to 5.6.7 to fix CVE-2019-1887, CVE-2021-28957

  • Fix qt5-qtbase CVE-2015-9541, CVE-2020-0570 and CVE-2020-13962

  • Update python-lxml to fix CVE-2018-19787, CVE-2020-27783,

  • Update rubygem-addressable to 2.8.0 to fix CVE-2021-3274

  • Fix glibc CVE-2021-35942

  • Update squashfs-tools to version 4.4 to address CVE 2015 4646

  • Upgrade python-twisted to 20.3.0 to fix CVE-2020-10108, CVE-2020-10109

  • Upgrade mysql to 8.0.26: CVE-2021-2339, CVE-2021-2340, CVE-2021-2352, CVE-2021-2354, CVE-2021-2356, CVE-2021-2357

Assets 2
Loading

1.0 CBL-Mariner July 2021 Update-2

27 Aug 14:40
@jslobodzian jslobodzian
1.0.20210819-1.0
f5936ee
Compare
Choose a tag to compare
1.0 CBL-Mariner July 2021 Update-2
Assets 2
Loading

1.0 CBL-Mariner July 2021 Update

17 Aug 14:00
@jslobodzian jslobodzian
1.0.20210807-1.0
948b95e
Compare
Choose a tag to compare
1.0 CBL-Mariner July 2021 Update

Update kernel to 5.10.52.1

  • Enable CONFIG_PROC_EVENTS
  • enable legacy /dev/mcelog
    Add new microsoft repo to images. DotNet Core now available in separate Microsoft "internal partner team" repo
    Add cronie and logrotate to images, add systemd timer
    Add SELinux (Permissive Mode supported, but not enabled by default)
    Add dpdk perl-App-cpanminus hyperscan and dependencies to Mariner OS

Fix FIPS LRNG concatenation bug in OpenSSL
Fix issue where selected disk not reflected correctly in partition edit screen of ISO Installer

Update moby-containerd to version 1.4.4
Update swig to 4.0.2

CVE-2015-9541
CVE-2018-19787
CVE-2019-18874
CVE-2020-0570
CVE-2020-10108
CVE-2020-10109
CVE-2020-13962
CVE-2020-27783
CVE-2021-28957
CVE-2021-3274
CVE-2021-3445
CVE-2021-3546
CVE-2021-22922
CVE-2021-22923
CVE-2021-22924
CVE-2021-22925
CVE-2021-32760
CVE-2021-33503
CVE-2021-33910
CVE-2021-35942
CVE-2021-32740
CVE-2021-36373
CVE-2021-36374

Assets 2
Loading

1.0 CBL-Mariner June 2021 Update

09 Jul 00:21
@anphel31 anphel31
1.0.20210628-1.0
097a24b
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
1.0 CBL-Mariner June 2021 Update

Kernel/System changes

  • Upgraded kernel to 5.10.42.1
  • New kernel configs enabled: CONFIG_CROSS_MEMORY_ATTACH / CONFIG_IOSCHED_BFQ / CONFIG_BFQ_GROUP_IOSCHED
  • Kubernetes packages have been removed from CBL-Mariner, but are now available in the CBL-Mariner Extras repo at packages.microsoft.com
  • Golang upgrade to 1.15.13 for CVE fixes
  • New toolkit option: REBUILD_DEP_CHAINS
  • grep now supports --perl-regexp option (-P)
  • Remove nodejs-8 and rename nodejs-14 to nodejs
  • Add: yajl
  • Add: re2
  • Add: collectd
  • Add: node-problem-detector

CVE-2020-10701, CVE-2020-12403, CVE-2020-13950, CVE-2020-17541, CVE-2020-35452

CVE-2021-3527, CVE-2021-3565, CVE-2021-20181, CVE-2021-20221, CVE-2021-20266, CVE-2021-22897, CVE-2021-23017, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641, CVE-2021-32027, CVE-2021-33560

Assets 2
Loading

1.0 CBL-Mariner May 2021 Update-2

08 Jul 15:57
@jslobodzian jslobodzian
1.0.20210616-1.0
bfc1ba3
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
1.0 CBL-Mariner May 2021 Update-2

Same as May 2021 Update but includes fix for kernel boot issue on physical machines.

Assets 2
Loading

1.0 CBL-Mariner May 2021 Update

09 Jun 19:51
@jslobodzian jslobodzian
1.0.20210604-1.0
b130e22
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
1.0 CBL-Mariner May 2021 Update

Kernel/System Changes

  • Upgraded to 5.10.37.1
  • Includes addition of key in keyring in support of CUDA
  • Kernel Debug Support is available (must be enabled to use)
  • Jitter entropy support
  • Kernel Lockdown Integrity on by default (lockdown=integrity)
    Packages
  • BinUtils Upgrade to 2.36.1 (for CVE issues)
  • WALA Agent Upgraded to 2.2.54.2
  • Azure IotEdge Upgrade to 1.1.2
  • Add: SoSReport
  • Add: Ceph
  • Add: archivemount, fuse-zip, p7zip, and libzip
  • Golang upgrade to 1.15.11 for CVE fixes

CVE-2018-25009, CVE-2018-25010, CVE-2018-25011, CVE-2018-25012, CVE-2018-25013, CVE-2018-25014

CVE-2020-8554, CVE-2020-14301, CVE-2020-35504, CVE-2020-36317, CVE-2020-36323, CVE-2020-36328, CVE-2020-36329, CVE-2020-36330, CVE-2020-36331, CVE-2020-36332

CVE-2021-2164, CVE-2021-2169, CVE-2021-2170, CVE-2021-2171, CVE-2021-2172, CVE-2021-2174, CVE-2021-2179, CVE-2021-2180, CVE-2021-2193, CVE-2021-2194, CVE-2021-2196, CVE-2021-2201, CVE-2021-2203, CVE-2021-2208, CVE-2021-2212, CVE-2021-2215, CVE-2021-2217, CVE-2021-2226, CVE-2021-2230, CVE-2021-2232, CVE-2021-2278, CVE-2021-2293, CVE-2021-2298, CVE-2021-2299, CVE-2021-2300, CVE-2021-2301, CVE-2021-2304, CVE-2021-2305, CVE-2021-2307, CVE-2021-2308, CVE-2021-3421, CVE-2021-3448, CVE-2021-3483, CVE-2021-3501, CVE-2021-3506, CVE-2021-3527, CVE-2021-3559, CVE-2021-3560, CVE-2021-20178, CVE-2021-20181, CVE-2021-20191, CVE-2021-20208, CVE-2021-20221, CVE-2021-20236, CVE-2021-22898, CVE-2021-22901, CVE-2021-23133, CVE-2021-23134, CVE-2021-25214, CVE-2021-25216, CVE-2021-25217, CVE-2021-26291, CVE-2021-27918, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28965, CVE-2021-29155, CVE-2021-31204, CVE-2021-31829, CVE-2021-31916, CVE-2021-32399, CVE-2021-33033, CVE-2021-33034

Assets 2
Loading

1.0 CBL-Mariner April Update 2021

07 May 07:36
@jslobodzian jslobodzian
1.0.20210430-1.0
340f9f8
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
1.0 CBL-Mariner April Update 2021

Add bmake package
Add custom installkernel package
Add ESpeakUp Accessibility support in ISO.
Update Kubernetes

Configure /proc with hidepid by default and add doPseudoFsMount to addEntryToFstab

Enable CONFIG_CRYPTO_DRBG_HASH, CONFIG_CRYPTO_DRBG_CTR
Enable Secure Boot
Enable multiple CBL-Mariner branches to build publicly, update documentation to use blob-store for tar.gz files instead of SRPM files.

Upgrade OpenSSL to 1.1.1k
Upgrade kernel to 5.10.28.1
Upgrade openvswitch to 2.12.3
Upgrade mariadb to 10.3.28
Upgrade cairo to 1.17.4
Upgrade moby-engine and moby-cli to version 19.10.15
Upgrade ClamAV to 0.103.2 to fix multiple CVEs
Upgrade sqlite to 3.34.1 to fix CVE-2021-20227
Upgrade Nettle to 3.7.2 for CVE-2021-20305
Upgrade OpenSSL to 1.1.1k
Upgrade curl to 7.76
Update license info for 'kubernetes' and 'coredns'.
Upgrade OpenJDK8 to patch 292 (address multiple CVEs)
Upgrade icu to 68.2.0.6
Upgrade tzdata to 2021a
Upgrade mysql to 8.0.24 to fix 30 CVEs
Upgrade dnsmasq to 2.85 to fix CVE-2021-3348
Upgrade git to 2.23.4 for CVE-2021-21300

Fix growpart disk-lock timeout issue (patched workaround)
Fix c-ares/grpc issue. Remove grpc vendoring of c-ares.
Fix python3 test_ssl tests
Fix ARM64 ISO Installer Boot issue (Disable CONFIG_EFI_DISABLE_PCI_DMA)
Fixed ABI incompatibility issue: 'keepalived' now links against latest 'net-snmp' library.
Fix installation and removal of atd.service

CVE-2020-27618, CVE-2020-35492, CVE-2020-36323, CVE-2020-36317

CVE-2021-1386, CVE-2021-1404, CVE-2021-1405, CVE-2021-2164, CVE-2021-2169, CVE-2021-2170, CVE-2021-2171, CVE-2021-2172, CVE-2021-2174, CVE-2021-2179, CVE-2021-2180, CVE-2021-2193, CVE-2021-2194, CVE-2021-2196, CVE-2021-2201, CVE-2021-2203, CVE-2021-2208, CVE-2021-2212, CVE-2021-2215, CVE-2021-2217, CVE-2021-2226, CVE-2021-2230, CVE-2021-2232, CVE-2021-2278, CVE-2021-2293, CVE-2021-2298, CVE-2021-2300, CVE-2021-2299, CVE-2021-2301, CVE-2021-2304, CVE-2021-2305, CVE-2021-2307, CVE-2021-2308, CVE-2021-3348, CVE-2021-3392, CVE-2021-3409, CVE-2021-3416, CVE-2021-3421, CVE-2021-3449, CVE-2021-3450, CVE-2021-3470, CVE-2021-20227, CVE-2021-20271, CVE-2021-20305, CVE-2021-21300, CVE-2021-22876, CVE-2021-22890, CVE-2021-27506, CVE-2020-27827, CVE-2021-27928, CVE-2021-28153, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28879, CVE-2021-29648, CVE-2021-30004

Assets 2
Loading