1.0 CBL-Mariner March 2021 Update

@jslobodzian jslobodzian released this 07 Apr 03:47
· 1479 commits to 1.0 since this release
7277504

Reduce disk footprint in Mariner Core images
Community builds now share a public blob store for tarball packages.
VSCode SSH remoting into Mariner works now.

Add bnx2x and qed firmware, WHENCE, and license files for linux firmware
Add sp800-56a rev3 compliance to OpenSSL
Add ntopng
Add Broadcom NetXtreme and msr driver module support to kernel
Add more robust handling of disk/partition operations, refactored partition detection, improved error logging
Add Text-To-Speech experience in the ISO installer.
Add speakup support to kernel
Add grpc to mariner and enable it to use system zlib and openssl support
Add ssh brute force protection rules (IpTables)

Fix Makefile nits: Improved toolchain download logs, silence extraction of toolchain RPMs, clean SRPM expansion and chroot creation console output
Fix issue with multiple empty mount validation
Fix SRPMPacker tool to use system cert pool
Fix toolchain build robustness (added retries to jdk8 tarball downloads)
Fix older toolkit builds (ignore 'BuildRequires' on pre-installed packages)
Fix installutils to only return grub2-pc on amd64 install

Updating Microsoft trusted root CAs.
Update Grub2 to 2.06-rc1
Update Kubernetes packages for CVE fixes.
Update shadow-utils and td-agent
Update azure-iotedge to version 1.1.0
Update ARM64 ISO config with new EULA paths
Update default sshd_config to match other distros
Add ability to change GUI installer EULA
Updating 'update_manifests.sh' script to remove the UI repo
Upgraded c-ares to 1.17.1 to address CVE
Update to 5.10.21 kernel and:

  • enable CONFIG_FANOTIFY_ACCESS_PERMISSIONS and lockdown configs
  • disallow unprivileged BPFs (Berkeley Packet Filters)
  • disable QAT kernel configs

Update cloud-utils-growpart to 0.32 to fix kver parsing

CVE Fixes:
CVE-2019-13627

CVE-2020-8032, CVE-2020-8277, CVE-2020-8625, CVE-2020-17525, CVE-2020-35498, CVE-2020-35521, CVE-2020-35522, CVE-2020-35523, CVE-2020-35524

CVE-2021-0326, CVE-2021-3393, CVE-2021-3449, CVE-2021-3450, CVE-2021-20203, CVE-2021-20229, CVE-2021-20231, CVE-2021-20255, CVE-2021-20270, CVE-2021-21309, CVE-2021-23336, CVE-2021-27212, CVE-2021-27218, CVE-2021-27219, CVE-2021-27291, CVE-2021-27803, CVE-2021-28041, CVE-2021-28831, CVE-2021-20232

Test Fixes For
apparmor, espeak-ng, gdb, libpng, libxml2, net-snmp, perl-Crypt-SSLeay, python-distro, python-pycurl, python-requests, python-sqlalchemy, python-werkzeug, redis