1.0 CBL-Mariner June 2021 Update

Kernel/System changes

• Upgraded kernel to 5.10.42.1
• New kernel configs enabled: CONFIG_CROSS_MEMORY_ATTACH / CONFIG_IOSCHED_BFQ / CONFIG_BFQ_GROUP_IOSCHED
• Kubernetes packages have been removed from CBL-Mariner, but are now available in the CBL-Mariner Extras repo at packages.microsoft.com
• Golang upgrade to 1.15.13 for CVE fixes
• New toolkit option: REBUILD_DEP_CHAINS
• grep now supports --perl-regexp option (-P)
• Remove nodejs-8 and rename nodejs-14 to nodejs
• Add: yajl
• Add: re2
• Add: collectd
• Add: node-problem-detector

CVE-2020-10701, CVE-2020-12403, CVE-2020-13950, CVE-2020-17541, CVE-2020-35452

CVE-2021-3527, CVE-2021-3565, CVE-2021-20181, CVE-2021-20221, CVE-2021-20266, CVE-2021-22897, CVE-2021-23017, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641, CVE-2021-32027, CVE-2021-33560

1.0 CBL-Mariner May 2021 Update-2

Same as May 2021 Update but includes fix for kernel boot issue on physical machines.

1.0 CBL-Mariner May 2021 Update

Kernel/System Changes

• Upgraded to 5.10.37.1
• Includes addition of key in keyring in support of CUDA
• Kernel Debug Support is available (must be enabled to use)
• Jitter entropy support
• Kernel Lockdown Integrity on by default (lockdown=integrity)
  Packages
• BinUtils Upgrade to 2.36.1 (for CVE issues)
• WALA Agent Upgraded to 2.2.54.2
• Azure IotEdge Upgrade to 1.1.2
• Add: SoSReport
• Add: Ceph
• Add: archivemount, fuse-zip, p7zip, and libzip
• Golang upgrade to 1.15.11 for CVE fixes

CVE-2018-25009, CVE-2018-25010, CVE-2018-25011, CVE-2018-25012, CVE-2018-25013, CVE-2018-25014

CVE-2020-8554, CVE-2020-14301, CVE-2020-35504, CVE-2020-36317, CVE-2020-36323, CVE-2020-36328, CVE-2020-36329, CVE-2020-36330, CVE-2020-36331, CVE-2020-36332

CVE-2021-2164, CVE-2021-2169, CVE-2021-2170, CVE-2021-2171, CVE-2021-2172, CVE-2021-2174, CVE-2021-2179, CVE-2021-2180, CVE-2021-2193, CVE-2021-2194, CVE-2021-2196, CVE-2021-2201, CVE-2021-2203, CVE-2021-2208, CVE-2021-2212, CVE-2021-2215, CVE-2021-2217, CVE-2021-2226, CVE-2021-2230, CVE-2021-2232, CVE-2021-2278, CVE-2021-2293, CVE-2021-2298, CVE-2021-2299, CVE-2021-2300, CVE-2021-2301, CVE-2021-2304, CVE-2021-2305, CVE-2021-2307, CVE-2021-2308, CVE-2021-3421, CVE-2021-3448, CVE-2021-3483, CVE-2021-3501, CVE-2021-3506, CVE-2021-3527, CVE-2021-3559, CVE-2021-3560, CVE-2021-20178, CVE-2021-20181, CVE-2021-20191, CVE-2021-20208, CVE-2021-20221, CVE-2021-20236, CVE-2021-22898, CVE-2021-22901, CVE-2021-23133, CVE-2021-23134, CVE-2021-25214, CVE-2021-25216, CVE-2021-25217, CVE-2021-26291, CVE-2021-27918, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28965, CVE-2021-29155, CVE-2021-31204, CVE-2021-31829, CVE-2021-31916, CVE-2021-32399, CVE-2021-33033, CVE-2021-33034

1.0 CBL-Mariner April Update 2021

Add bmake package
Add custom installkernel package
Add ESpeakUp Accessibility support in ISO.
Update Kubernetes

Configure /proc with hidepid by default and add doPseudoFsMount to addEntryToFstab

Enable CONFIG_CRYPTO_DRBG_HASH, CONFIG_CRYPTO_DRBG_CTR
Enable Secure Boot
Enable multiple CBL-Mariner branches to build publicly, update documentation to use blob-store for tar.gz files instead of SRPM files.

Upgrade OpenSSL to 1.1.1k
Upgrade kernel to 5.10.28.1
Upgrade openvswitch to 2.12.3
Upgrade mariadb to 10.3.28
Upgrade cairo to 1.17.4
Upgrade moby-engine and moby-cli to version 19.10.15
Upgrade ClamAV to 0.103.2 to fix multiple CVEs
Upgrade sqlite to 3.34.1 to fix CVE-2021-20227
Upgrade Nettle to 3.7.2 for CVE-2021-20305
Upgrade OpenSSL to 1.1.1k
Upgrade curl to 7.76
Update license info for 'kubernetes' and 'coredns'.
Upgrade OpenJDK8 to patch 292 (address multiple CVEs)
Upgrade icu to 68.2.0.6
Upgrade tzdata to 2021a
Upgrade mysql to 8.0.24 to fix 30 CVEs
Upgrade dnsmasq to 2.85 to fix CVE-2021-3348
Upgrade git to 2.23.4 for CVE-2021-21300

Fix growpart disk-lock timeout issue (patched workaround)
Fix c-ares/grpc issue. Remove grpc vendoring of c-ares.
Fix python3 test_ssl tests
Fix ARM64 ISO Installer Boot issue (Disable CONFIG_EFI_DISABLE_PCI_DMA)
Fixed ABI incompatibility issue: 'keepalived' now links against latest 'net-snmp' library.
Fix installation and removal of atd.service

CVE-2020-27618, CVE-2020-35492, CVE-2020-36323, CVE-2020-36317

CVE-2021-1386, CVE-2021-1404, CVE-2021-1405, CVE-2021-2164, CVE-2021-2169, CVE-2021-2170, CVE-2021-2171, CVE-2021-2172, CVE-2021-2174, CVE-2021-2179, CVE-2021-2180, CVE-2021-2193, CVE-2021-2194, CVE-2021-2196, CVE-2021-2201, CVE-2021-2203, CVE-2021-2208, CVE-2021-2212, CVE-2021-2215, CVE-2021-2217, CVE-2021-2226, CVE-2021-2230, CVE-2021-2232, CVE-2021-2278, CVE-2021-2293, CVE-2021-2298, CVE-2021-2300, CVE-2021-2299, CVE-2021-2301, CVE-2021-2304, CVE-2021-2305, CVE-2021-2307, CVE-2021-2308, CVE-2021-3348, CVE-2021-3392, CVE-2021-3409, CVE-2021-3416, CVE-2021-3421, CVE-2021-3449, CVE-2021-3450, CVE-2021-3470, CVE-2021-20227, CVE-2021-20271, CVE-2021-20305, CVE-2021-21300, CVE-2021-22876, CVE-2021-22890, CVE-2021-27506, CVE-2020-27827, CVE-2021-27928, CVE-2021-28153, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28879, CVE-2021-29648, CVE-2021-30004

1.0 CBL-Mariner March 2021 Update

Reduce disk footprint in Mariner Core images
Community builds now share public blob-store for tar ball packages.
VSCode SSH remoting into Mariner works now.

Add bnx2x and qed firmware, WHENCE, and license files for linux firmware
Add sp800-56a rev3 compliance to OpenSSL
Add ntopng
Add Broadcom NetXtreme and msr driver moudule support to kernel
Add more robust handling of disk/partition operations, refactored partition detection, improved error logging
Add Text-To-Speech experience in the ISO installer.
Add speakup support to kernel
Add grpc to mariner and enable it to use system zlib and openssl support
Add ssh brute force protection rules (IpTables)

Fix Makefile nits: Improved toolchain download logs, silence extraction of toolchain RPMs, clean SRPM expansion and chroot creation console output
Fix issue with multiple empty mount validation
Fix SRPMPacker tool to use system cert pool
Fix toolchain build robustness: (Added retries to jdk8 tarball downloads)
Fix older toolkit builds. (Ignore 'BuildRequires' on pre-installed packages.)
Fix installutils to only return grub2-pc on amd64 install

Updating Microsoft trusted root CAs.
Update Grub2 to 2.06-rc1
Update Kubernetes packages for CVE fixes.
Update shadow-utils and td-agent
Update azure-iotedge to version 1.1.0
Update ARM64 ISO config with new EULA paths
Update default sshd_config to match other distros
Add ability to change GUI installer EULA
Updating 'update_manifests.sh' script to remove the UI repo
Upgraded c-ares to 1.17.1 to address CVE
Update to 5.10.21 kernel and

• enable CONFIG_FANOTIFY_ACCESS_PERMISSIONS and lockdown configs
• disallow unprivileged BPFs (Berkley Packet Filters)
• disable QAT kernel configs
  Update cloud-utils-growpart to 0.32 to fix kver parsing

CVE Fixes:
CVE-2019-13627

CVE-2020-8032, CVE-2020-8277, CVE-2020-8625, CVE-2020-17525, CVE-2020-35498, CVE-2020-35521, CVE-2020-35521, CVE-2020-35522, CVE-2020-35522, CVE-2020-35523, CVE-2020-35523, CVE-2020-35524

CVE-2021-0326, CVE-2021-3393, CVE-2021-3449, CVE-2021-3449, CVE-2021-3450, CVE-2021-20203, CVE-2021-20229, CVE-2021-20231, CVE-2021-20255, CVE-2021-20270, CVE-2021-21309, CVE-2021-23336, CVE-2021-27212, CVE-2021-27218, CVE-2021-27219, CVE-2021-27291, CVE-2021-27803, CVE-2021-28041, CVE-2021-28831, CVE_2021-20232

Test Fixes For
apparmor, espeak-ng, gdb, libpng, libxml2, net-snmp, perl-Crypt-SSLeay, python-distro, python-pycurl, python-requests, python-sqlalchemy, python-werkzeug, redis

1.0 CBL-Mariner February 2021 Update

Add DmVerity Support
Add support for kernel crypto API in user space
Add kernel crypto configs to enable tcrypt in FIPS mode
Add several networking tools. Enable LLVM RTTI.
Add Libacvp Package
Add sha512hmac-openssl to kernel-hyperv source
Add CONFIG_CRYPTO_STATS line in kernel configs
Add FIPS-enabled core image
Add FIPS patches for OpenSSL
Add package "dracut-fips"
Add conntrack-tools, nmap, pigz, blobfuse
Add verity-read-only-root package to LICENSES-MAP
Add support for read-only-roots to Imager tool
Add read-only-root config for images
Add verity-read-only-root package
Add initramfs library to write new initramfs files
Add libconfini
Add Kubernetes Containers
- etcd
- coredns
- flannel
Add smartpqi to kernel (enabled CONFIG_SCSI_SMARTPQI)
Add reed solomon decode 8 bit to kernel (enable REED_SOLOMON_DEC8)
Add extras repo configuration package.
Add Overlay Based Difference Image creation to roast.
Enable lz4 compression in systemd
Add LibConfini, bmon, bpftrace, libconfuse, libmaxminddb, ntopng, vnstat

Upgrade mysql to 8.0.23
Upgrade golang to 1.15.7
Upgrade openldap to 2.4.57
Upgrade dnsmasq to 2.84
Upgrade pigz to 2.6

Fixed sudo config.
Fixed documentation for typos, clone instructions, and added reference to demo repo.
Fixed kernel crash dump issue by disabling CONFIG_GCC_PLUGIN_RANDSTRUCT
Fixed td-agent installation issue
Fix reliability of mount/unmount of disks in imagegen tools
Fix WALinuxAgent logging by removing symlink and allowing WALinuxAgent to write to /var/log/waagent.log directly.
Miscelleaneous fixes to spec files for changelogs, urls, linter findings

Security Fixes
CVE-2020-15358
CVE-2020-17380
CVE-2020-25683
CVE-2020-25686
CVE-2020-25687
CVE 2020-36242
CVE-2021-3156
CVE-2021-3177
CVE-2021-3326

Fix package self tests for acl, mercurial, nss, perl-IO-Socket-SSL, gnutls

1.0 CBL-Mariner January 2021 Update

Added Td Agent
Added i.MX8mq-evk board support
Added kernel patch to fix GUI installer crash due to mmap issue
Added Fedora 32 patch to make perl-WWW-Curl work with new version of curl
Added Minimal Distroless Mariner container
Added Kubernetes versions for 1.19.6, 1.18.14, 1.17.16
Added the following Kubernetes containers:

• kube-proxy
• kube-apiserver
• kube-controller-manager
• kube-scheduler
• kube-pause

Upgraded meson to version 0.56.0.
Upgraded p11-kit to 0.23.22
Upgraded ansible to version 2.9.12
Upgraded kernel sources to 5.4.91

Remove IDEA and EC2M source code/support from OpenSSL

Fixed Diskutils to include virtual disk devices in search
Fixed Minor Documentation issues
Including fix to prereqs.
Fixed Kubernetes
Hotfixes for 1.19.3, 1.18.10 and 1.17.13 and fix container script

Security Fixes
CVE-2019-5094, CVE-2019-5188, CVE-2019-11236, CVE-2019-25013

 CVE-2020-8169, CVE-2020-8564, CVE-2020-8565, CVE-2020-8566, CVE-2020-25659, CVE-2020-26137, CVE-2020-27777, CVE-2020-28374, CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE-2020-35507, CVE-2020-36158

 CVE-2021-3156.  

Fixed Package Self Tests For
coreutils, bc, swig, python-pycurl (removed unreliable memtest), cloud-init, chrony, ModemManager, mariadb, openssl, python-ecdsa tests, ruby, asciidoc, ipv6calc, strace python-attrs, libmodulemd, dracut, python-bcrypt, python-pynacl, librepo, libisoburn, grep, gawk, mozjs60, jna, openssh, gettest, libunistring, strongswan

1.0 CBL-Mariner December 2020 update

1. Fixed 14 CVEs:

   • curl: CVE-2020-8177 and CVE-2020-8231;
   • glib: CVE-2020-35457;
   • kernel: 7 CVEs fixed by the version update;
   • python-pip: CVE-2019-20916;
   • python-py: CVE-2020-29651;
   • qemu: CVE-2020-27821;
   • unbound: CVE-2020-28935.

2. Updated kernel to version 5.4.83.

3. Added an option to build distroless containers.

4. Enabled and/or fixed 10+ package build tests.

5. Added new versions of Kubernetes: 1.17, 1.18, and 1.19.

6. Switched the tooling and build instructions to use Go 1.15 instead of 1.13.

7. ARM64 ISOs and VHDXs can now be produced.

8. Updated documentation for build instructions + minor documentation fixes.

1.0 CBL-Mariner November 2020 Update

• Upgrade postgresql to 12.5
• Upgrade kernel to 5.4.72 to address kernel CVEs
• Upgrade clamav to 0.103.0.
• Python 3 upgraded to 3.7.9 to fix CVE-2019-20907, CVE-2020-26116, CVE-2019-18348, CVE-2020-14422, Patch CVE-2020-27619 (#358)
• Added libxcrypt, heimdal, ipvcalc, perl-JSON
• Multiple spec file fixes, removing legacy macros and missing dependency fixes
• Package test improvements for tdnf, tcsh, sysstat, svn and more.
• TLS certs added to ptest builds, networking enabled.
• Disable kernel config SLUB_DEBUG_ON due to tcp performance impact.
• Add support to build ARM64 ISOs.
• Enable Hyper-V daemons for ARM64 VHDX images
• Multiple CVE fixes, including QEMU, glibc, librepo, systemd, tcpdump and more.

CVE-2017-18207,

CVE-2018-12617, CVE-2018-19876, CVE-2018-19665

CVE-2019-3842, CVE-2019-3843, CVE-2019-3844, CVE-2019-6454, CVE-2019-9071, CVE-2019-9073, CVE-2019-9074, CVE-2019-12749, CVE-2019-12972, CVE-2019-14250, CVE-2019-14444, CVE-2019-17450, CVE-2019-17451, CVE-2019-19126, CVE-2019-20386, CVE-2019-20807, CVE-2019-20907, CVE-2019-20892

CVE-2020-1712, CVE-2020-8037, CVE-2020-8631, CVE-2020-8632, CVE-2020-8927, CVE-2020-11080, CVE-2020-13253, CVE-2020-13754, CVE-2020-13776, CVE-2020-13791, CVE-2020-13800, CVE-2020-14147, CVE-2020-14352, CVE-2020-14155 , CVE-2020-14364 , CVE-2020-15705, CVE-2020-15778, CVE-2020-24352, CVE-2020-24553, CVE-2020-24977, CVE-2020-25613, CVE-2020-25637, CVE-2020-26116, CVE-2020-27619

1.0 CBL-Mariner October 2020 Update

This is the October 2020 cumulative update for the CBL Mariner 1.0 release that includes tooling and CVE fixes.
Changes include:

• Ability to build Mariner Toolchain and Packages from the Preview Repository.
• Fixed issue where additionalfiles were improperly handled during iso image build
• Fix CVE-2020-14342 in cifs-utils
• Fix CVE-2020-26159 in oniguruma
• Fix CVE-2019-12735 in vim
• Patch lua CVE-2019-6706, CVE-2020-15888
• Patch unbound CVE-2020-12662 and CVE-2020-12663
• Patch gnutls CVE-2020-24659
• Upgrade ruby to 2.6.6 to resolve CVE-2019-16255, CVE-2019-16201, CVE-2020-10933, CVE-2020-5247, CVE-2019-15845, CVE-2019-16254
• Update fontconfig to 2.13.91
• Added several packages: gflags, rocksdb, syslog-ng, tinyxml2, toml11 tracelogging zipper mm-common libxml++ liblogging nlohmann-json msgpack span-lite telegraf jsonbuilder babeltrace2 lttng-consume pugixml rapidjson bond fluent-bit ivykis azure-storage omi ccache clamav auoms
• Enable QAT kernel configs in CBL-Mariner
• Fixed multiple SPEC files so %check sections are valid