Releases: microsoft/azurelinux

1.0 CBL-Mariner September 2021 Update

05 Oct 03:32

General Changes:

  • Kernel: Update to 5.10.64.1
  • Kernel: Enable CONFIG_NET_VRF
  • Kernel: Add bpftool
  • Upgrade tzdata for 2021b
  • Add bazel 2.2.0
  • Add opensc 0.22.0
  • Add graphviz 2.42.4
  • Add glide 0.13
  • Add pwgen 2.08
  • Add helm: 3.4.1
  • Add lld 8.0.1
  • Add packer support for network transfer mechanism to ISO.
  • Remove omi.
  • Retired coredns 1.6.7, etcd 3.4.3
  • Enable systemd plug-in in fluent-bit to support journal reader
  • Enable omuxsock in rsyslog and add customized syslog-ng conf
  • Toolchain builds now use toolchain-sha256sums
  • Fix rsyslog.d and product_uuid permissions
  • Add ELF Header Tagging. Rudimentary information included in newly produced binaries. ELF header notes are added via LDFlags.

CVE Fixes:

Golang dependency updates:

  • Bump github.com/klauspost/pgzip from 1.2.3 to 1.2.5 in /toolkit/tools
  • Bump github.com/bendahl/uinput from 1.4.0 to 1.4.1 in /toolkit/tools

1.0 CBL-Mariner August 2021 Update

09 Sep 19:13
6617e9d
  • Update kernel to 5.10.60.1 to fix CVEs

  • ISO now published for public download. Added download instructions for ISO

  • Enable support for TLS 1 and TLS 1.1 in OpenSSL.

  • Update 'openvswitch' to version 2.15.1.

  • Use sha256sum for toolchain sources

  • Add etcd-tools

  • Add cockpit

  • Add aide

  • Add tini package

  • Add ca-certificates file and folder links to increase compatibility

  • Add fipscheck package

  • Add Automatic package update and Dnf-Automatic

  • Remove brp-strip-debug-symbols and brp-strip-unneeded

  • Removed ca-legacy script and its artifacts from ca-certificates.

  • Remove Dotnet and aspnetcore SPEC files from CBL-Mariner Repository. These packages are now built by the dotnet team and the binaries have been available in the new Microsoft Repo on Packages.Microsoft.Com since July 12, 2021.

  • Fix user ssh directory permissions when public keys empty

  • Update nodejs to fix CVEs

  • Fix broken openssl man page symlinks

  • Fix broken mysql package tests from previous month's mysql upgrade.

  • Fix test for perl-CPAN-Meta-Check

  • Fix display update issues in ManualPartitionWidget

  • Add patch to fix VDSO in HyperV

  • Fix qt5-qtbase version number test issue

  • Move to golang 1.16.7 and bump dependencies for security findings.

  • Bump github.com/sirupsen/logrus from 1.6.0 to 1.8.1

  • Bump github.com/gdamore/tcell from 1.3.0 to 1.4.0

  • Bump gonum.org/v1/gonum from 0.6.2 to 0.9.3

  • Bump github.com/stretchr/testify from 1.4.0 to 1.7.0

  • Bump github.com/muesli/crunchy from 0.3.0 to 0.4.0

  • Bump github.com/ulikunitz/xz from 0.5.8 to 0.5.10

  • Bump github.com/ulikunitz/xz from 0.5.7 to 0.5.8

  • Update swig to 4.0.2

  • Fix Httpd: CVE-2021-33193

  • Patch OpenSSL CVE-2021-3711 and CVE-2021-3712

  • Fix ctags CVE-2014-7204

  • Fix zstd CVE-2021-24031

  • Fix nettle CVE-2021-3580

  • Fix tpm2-tss CVE-2020-24455

  • Fix qemu-kvm CVE-2021-3682

  • Fix ruby CVE-2021-32066

  • Fix util-linux CVE-2021-37600

  • Update python-psutil to 5.6.7 to fix CVE-2019-1887, CVE-2021-28957

  • Fix qt5-qtbase CVE-2015-9541, CVE-2020-0570 and CVE-2020-13962

  • Update python-lxml to fix CVE-2018-19787, CVE-2020-27783,

  • Update rubygem-addressable to 2.8.0 to fix CVE-2021-3274

  • Fix glibc CVE-2021-35942

  • Update squashfs-tools to version 4.4 to address CVE-2015-4646

  • Upgrade python-twisted to 20.3.0 to fix CVE-2020-10108, CVE-2020-10109

  • Upgrade mysql to 8.0.26: CVE-2021-2339, CVE-2021-2340, CVE-2021-2352, CVE-2021-2354, CVE-2021-2356, CVE-2021-2357

1.0 CBL-Mariner July 2021 Update-2

27 Aug 14:40

1.0 CBL-Mariner July 2021 Update

17 Aug 14:00

Update kernel to 5.10.52.1

  • Enable CONFIG_PROC_EVENTS
  • Enable legacy /dev/mcelog

Add new microsoft repo to images. DotNet Core now available in separate Microsoft "internal partner team" repo
Add cronie and logrotate to images, add systemd timer
Add SELinux (Permissive Mode supported, but not enabled by default)
Add dpdk perl-App-cpanminus hyperscan and dependencies to Mariner OS

Fix FIPS LRNG concatenation bug in OpenSSL
Fix issue where selected disk not reflected correctly in partition edit screen of ISO Installer

Update moby-containerd to version 1.4.4
Update swig to 4.0.2

CVE-2015-9541
CVE-2018-19787
CVE-2019-18874
CVE-2020-0570
CVE-2020-10108
CVE-2020-10109
CVE-2020-13962
CVE-2020-27783
CVE-2021-28957
CVE-2021-3274
CVE-2021-3445
CVE-2021-3546
CVE-2021-22922
CVE-2021-22923
CVE-2021-22924
CVE-2021-22925
CVE-2021-32760
CVE-2021-33503
CVE-2021-33910
CVE-2021-35942
CVE-2021-32740
CVE-2021-36373
CVE-2021-36374

1.0 CBL-Mariner June 2021 Update

09 Jul 00:21
097a24b

Kernel/System changes

  • Upgraded kernel to 5.10.42.1
  • New kernel configs enabled: CONFIG_CROSS_MEMORY_ATTACH / CONFIG_IOSCHED_BFQ / CONFIG_BFQ_GROUP_IOSCHED
  • Kubernetes packages have been removed from CBL-Mariner, but are now available in the CBL-Mariner Extras repo at packages.microsoft.com
  • Golang upgrade to 1.15.13 for CVE fixes
  • New toolkit option: REBUILD_DEP_CHAINS
  • grep now supports --perl-regexp option (-P)
  • Remove nodejs-8 and rename nodejs-14 to nodejs
  • Add: yajl
  • Add: re2
  • Add: collectd
  • Add: node-problem-detector

CVE-2020-10701, CVE-2020-12403, CVE-2020-13950, CVE-2020-17541, CVE-2020-35452

CVE-2021-3527, CVE-2021-3565, CVE-2021-20181, CVE-2021-20221, CVE-2021-20266, CVE-2021-22897, CVE-2021-23017, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641, CVE-2021-32027, CVE-2021-33560

1.0 CBL-Mariner May 2021 Update-2

08 Jul 15:57
bfc1ba3

Same as May 2021 Update but includes fix for kernel boot issue on physical machines.

1.0 CBL-Mariner May 2021 Update

09 Jun 19:51
b130e22

Kernel/System Changes

  • Upgraded to 5.10.37.1
  • Includes addition of key in keyring in support of CUDA
  • Kernel Debug Support is available (must be enabled to use)
  • Jitter entropy support
  • Kernel Lockdown Integrity on by default (lockdown=integrity)

Packages

  • BinUtils Upgrade to 2.36.1 (for CVE issues)
  • WALA Agent Upgraded to 2.2.54.2
  • Azure IotEdge Upgrade to 1.1.2
  • Add: SoSReport
  • Add: Ceph
  • Add: archivemount, fuse-zip, p7zip, and libzip
  • Golang upgrade to 1.15.11 for CVE fixes

CVE-2018-25009, CVE-2018-25010, CVE-2018-25011, CVE-2018-25012, CVE-2018-25013, CVE-2018-25014

CVE-2020-8554, CVE-2020-14301, CVE-2020-35504, CVE-2020-36317, CVE-2020-36323, CVE-2020-36328, CVE-2020-36329, CVE-2020-36330, CVE-2020-36331, CVE-2020-36332

CVE-2021-2164, CVE-2021-2169, CVE-2021-2170, CVE-2021-2171, CVE-2021-2172, CVE-2021-2174, CVE-2021-2179, CVE-2021-2180, CVE-2021-2193, CVE-2021-2194, CVE-2021-2196, CVE-2021-2201, CVE-2021-2203, CVE-2021-2208, CVE-2021-2212, CVE-2021-2215, CVE-2021-2217, CVE-2021-2226, CVE-2021-2230, CVE-2021-2232, CVE-2021-2278, CVE-2021-2293, CVE-2021-2298, CVE-2021-2299, CVE-2021-2300, CVE-2021-2301, CVE-2021-2304, CVE-2021-2305, CVE-2021-2307, CVE-2021-2308, CVE-2021-3421, CVE-2021-3448, CVE-2021-3483, CVE-2021-3501, CVE-2021-3506, CVE-2021-3527, CVE-2021-3559, CVE-2021-3560, CVE-2021-20178, CVE-2021-20181, CVE-2021-20191, CVE-2021-20208, CVE-2021-20221, CVE-2021-20236, CVE-2021-22898, CVE-2021-22901, CVE-2021-23133, CVE-2021-23134, CVE-2021-25214, CVE-2021-25216, CVE-2021-25217, CVE-2021-26291, CVE-2021-27918, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28965, CVE-2021-29155, CVE-2021-31204, CVE-2021-31829, CVE-2021-31916, CVE-2021-32399, CVE-2021-33033, CVE-2021-33034

1.0 CBL-Mariner April Update 2021

07 May 07:36
340f9f8

Add bmake package
Add custom installkernel package
Add ESpeakUp Accessibility support in ISO.
Update Kubernetes

Configure /proc with hidepid by default and add doPseudoFsMount to addEntryToFstab

Enable CONFIG_CRYPTO_DRBG_HASH, CONFIG_CRYPTO_DRBG_CTR
Enable Secure Boot
Enable multiple CBL-Mariner branches to build publicly, update documentation to use blob-store for tar.gz files instead of SRPM files.

Upgrade OpenSSL to 1.1.1k
Upgrade kernel to 5.10.28.1
Upgrade openvswitch to 2.12.3
Upgrade mariadb to 10.3.28
Upgrade cairo to 1.17.4
Upgrade moby-engine and moby-cli to version 19.10.15
Upgrade ClamAV to 0.103.2 to fix multiple CVEs
Upgrade sqlite to 3.34.1 to fix CVE-2021-20227
Upgrade Nettle to 3.7.2 for CVE-2021-20305
Upgrade curl to 7.76
Update license info for 'kubernetes' and 'coredns'.
Upgrade OpenJDK8 to patch 292 (address multiple CVEs)
Upgrade icu to 68.2.0.6
Upgrade tzdata to 2021a
Upgrade mysql to 8.0.24 to fix 30 CVEs
Upgrade dnsmasq to 2.85 to fix CVE-2021-3348
Upgrade git to 2.23.4 for CVE-2021-21300

Fix growpart disk-lock timeout issue (patched workaround)
Fix c-ares/grpc issue. Remove grpc vendoring of c-ares.
Fix python3 test_ssl tests
Fix ARM64 ISO Installer Boot issue (Disable CONFIG_EFI_DISABLE_PCI_DMA)
Fixed ABI incompatibility issue: 'keepalived' now links against latest 'net-snmp' library.
Fix installation and removal of atd.service

CVE-2020-27618, CVE-2020-35492, CVE-2020-36323, CVE-2020-36317

CVE-2021-1386, CVE-2021-1404, CVE-2021-1405, CVE-2021-2164, CVE-2021-2169, CVE-2021-2170, CVE-2021-2171, CVE-2021-2172, CVE-2021-2174, CVE-2021-2179, CVE-2021-2180, CVE-2021-2193, CVE-2021-2194, CVE-2021-2196, CVE-2021-2201, CVE-2021-2203, CVE-2021-2208, CVE-2021-2212, CVE-2021-2215, CVE-2021-2217, CVE-2021-2226, CVE-2021-2230, CVE-2021-2232, CVE-2021-2278, CVE-2021-2293, CVE-2021-2298, CVE-2021-2300, CVE-2021-2299, CVE-2021-2301, CVE-2021-2304, CVE-2021-2305, CVE-2021-2307, CVE-2021-2308, CVE-2021-3348, CVE-2021-3392, CVE-2021-3409, CVE-2021-3416, CVE-2021-3421, CVE-2021-3449, CVE-2021-3450, CVE-2021-3470, CVE-2021-20227, CVE-2021-20271, CVE-2021-20305, CVE-2021-21300, CVE-2021-22876, CVE-2021-22890, CVE-2021-27506, CVE-2020-27827, CVE-2021-27928, CVE-2021-28153, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28879, CVE-2021-29648, CVE-2021-30004

1.0 CBL-Mariner March 2021 Update

07 Apr 03:47
7277504

Reduce disk footprint in Mariner Core images
Community builds now share public blob-store for tar ball packages.
VSCode SSH remoting into Mariner works now.

Add bnx2x and qed firmware, WHENCE, and license files for linux firmware
Add sp800-56a rev3 compliance to OpenSSL
Add ntopng
Add Broadcom NetXtreme and msr driver module support to kernel
Add more robust handling of disk/partition operations, refactored partition detection, improved error logging
Add Text-To-Speech experience in the ISO installer.
Add speakup support to kernel
Add grpc to mariner and enable it to use system zlib and openssl support
Add ssh brute force protection rules (IpTables)

Fix Makefile nits: Improved toolchain download logs, silence extraction of toolchain RPMs, clean SRPM expansion and chroot creation console output
Fix issue with multiple empty mount validation
Fix SRPMPacker tool to use system cert pool
Fix toolchain build robustness: (Added retries to jdk8 tarball downloads)
Fix older toolkit builds. (Ignore 'BuildRequires' on pre-installed packages.)
Fix installutils to only return grub2-pc on amd64 install

Updating Microsoft trusted root CAs.
Update Grub2 to 2.06-rc1
Update Kubernetes packages for CVE fixes.
Update shadow-utils and td-agent
Update azure-iotedge to version 1.1.0
Update ARM64 ISO config with new EULA paths
Update default sshd_config to match other distros
Add ability to change GUI installer EULA
Updating 'update_manifests.sh' script to remove the UI repo
Upgraded c-ares to 1.17.1 to address CVE
Update to 5.10.21 kernel and

  • enable CONFIG_FANOTIFY_ACCESS_PERMISSIONS and lockdown configs
  • disallow unprivileged BPFs (Berkeley Packet Filters)
  • disable QAT kernel configs

Update cloud-utils-growpart to 0.32 to fix kver parsing

CVE Fixes:
CVE-2019-13627

CVE-2020-8032, CVE-2020-8277, CVE-2020-8625, CVE-2020-17525, CVE-2020-35498, CVE-2020-35521, CVE-2020-35521, CVE-2020-35522, CVE-2020-35522, CVE-2020-35523, CVE-2020-35523, CVE-2020-35524

CVE-2021-0326, CVE-2021-3393, CVE-2021-3449, CVE-2021-3449, CVE-2021-3450, CVE-2021-20203, CVE-2021-20229, CVE-2021-20231, CVE-2021-20255, CVE-2021-20270, CVE-2021-21309, CVE-2021-23336, CVE-2021-27212, CVE-2021-27218, CVE-2021-27219, CVE-2021-27291, CVE-2021-27803, CVE-2021-28041, CVE-2021-28831, CVE-2021-20232

Test Fixes For
apparmor, espeak-ng, gdb, libpng, libxml2, net-snmp, perl-Crypt-SSLeay, python-distro, python-pycurl, python-requests, python-sqlalchemy, python-werkzeug, redis

1.0 CBL-Mariner February 2021 Update

03 Mar 03:20
27b2a5b

Add DmVerity Support
Add support for kernel crypto API in user space
Add kernel crypto configs to enable tcrypt in FIPS mode
Add several networking tools. Enable LLVM RTTI.
Add Libacvp Package
Add sha512hmac-openssl to kernel-hyperv source
Add CONFIG_CRYPTO_STATS line in kernel configs
Add FIPS-enabled core image
Add FIPS patches for OpenSSL
Add package "dracut-fips"
Add conntrack-tools, nmap, pigz, blobfuse
Add verity-read-only-root package to LICENSES-MAP
Add support for read-only-roots to Imager tool
Add read-only-root config for images
Add verity-read-only-root package
Add initramfs library to write new initramfs files
Add libconfini
Add Kubernetes Containers
- etcd
- coredns
- flannel
Add smartpqi to kernel (enabled CONFIG_SCSI_SMARTPQI)
Add reed solomon decode 8 bit to kernel (enable REED_SOLOMON_DEC8)
Add extras repo configuration package.
Add Overlay Based Difference Image creation to roast.
Enable lz4 compression in systemd
Add LibConfini, bmon, bpftrace, libconfuse, libmaxminddb, ntopng, vnstat

Upgrade mysql to 8.0.23
Upgrade golang to 1.15.7
Upgrade openldap to 2.4.57
Upgrade dnsmasq to 2.84
Upgrade pigz to 2.6

Fixed sudo config.
Fixed documentation for typos, clone instructions, and added reference to demo repo.
Fixed kernel crash dump issue by disabling CONFIG_GCC_PLUGIN_RANDSTRUCT
Fixed td-agent installation issue
Fix reliability of mount/unmount of disks in imagegen tools
Fix WALinuxAgent logging by removing symlink and allowing WALinuxAgent to write to /var/log/waagent.log directly.
Miscellaneous fixes to spec files for changelogs, urls, linter findings

Security Fixes
CVE-2020-15358
CVE-2020-17380
CVE-2020-25683
CVE-2020-25686
CVE-2020-25687
CVE-2020-36242
CVE-2021-3156
CVE-2021-3177
CVE-2021-3326

Fix package self tests for acl, mercurial, nss, perl-IO-Socket-SSL, gnutls