Container-Optimized OS Release Notes: Milestone 113

November 18, 2024

cos-113-18244-236-44

Kernel Docker Containerd GPU Drivers
COS-6.1.112 v24.0.9 v1.7.23 See List

Fixed CVE-2024-49952 in the Linux kernel.

Fixed CVE-2024-50095 in the Linux kernel.

Fixed CVE-2024-49946 in the Linux kernel.

Fixed CVE-2024-50010 in the Linux kernel.

Fixed CVE-2024-50138 in the Linux kernel.

Fixed CVE-2024-49959 in the Linux kernel.

Fixed CVE-2024-49954 in the Linux kernel.

Fixed CVE-2024-50110 in the Linux kernel.

Fixed CVE-2024-50115 in the Linux kernel.

Fixed CVE-2024-50131 in the Linux kernel.

November 11, 2024

cos-113-18244-236-35

Kernel Docker Containerd GPU Drivers
COS-6.1.112 v24.0.9 v1.7.23 See List

Updated runc to version 1.1.14. This fixes CVE-2024-45310, CVE-2024-9341, CVE-2024-9407, and CVE-2024-9675.

Fixed CVE-2024-50602 in dev-libs/expat.

Fixed KCTF-2e95c43 in the Linux kernel.

Fixed CVE-2024-50038 in the Linux kernel.

Fixed CVE-2024-50082 in the Linux kernel.

Fixed CVE-2024-50083 in the Linux kernel.

Fixed CVE-2024-50024 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812026 -> 812011

November 06, 2024

cos-113-18244-236-26

Kernel Docker Containerd GPU Drivers
COS-6.1.112 v24.0.9 v1.7.23 See List

Updated NVIDIA GPU drivers to v535.216.01 for default/R535 and v550.127.05 for R550 for all GPUs. This resolves CVE-2024-0126.

Fixed CVE-2024-50002 in the Linux kernel.

Fixed CVE-2024-49967 in the Linux kernel.

Fixed CVE-2024-50006 in the Linux kernel.

Fixed CVE-2024-49881 in the Linux kernel.

Fixed CVE-2024-47678 in the Linux kernel.

Fixed CVE-2024-47705 in the Linux kernel.

Fixed CVE-2024-50001 in the Linux kernel.

Fixed CVE-2024-50019 in the Linux kernel.

Fixed CVE-2024-49983 in the Linux kernel.

Fixed CVE-2024-49978 in the Linux kernel.

Fixed CVE-2024-49993 in the Linux kernel.

Fixed CVE-2024-49889 in the Linux kernel.

Fixed CVE-2024-47707 in the Linux kernel.

Fixed CVE-2024-49884 in the Linux kernel.

Fixed CVE-2024-49936 in the Linux kernel.

Fixed CVE-2024-50045 in the Linux kernel.

Fixed CVE-2024-47710 in the Linux kernel.

Fixed CVE-2024-49870 in the Linux kernel.

Fixed CVE-2024-50039 in the Linux kernel.

Fixed CVE-2024-50015 in the Linux kernel.

Fixed CVE-2024-49975 in the Linux kernel.

Fixed CVE-2024-49875 in the Linux kernel.

Fixed CVE-2024-50000 in the Linux kernel.

Fixed CVE-2024-50046 in the Linux kernel.

Fixed CVE-2024-49883 in the Linux kernel.

Fixed CVE-2024-47696 in the Linux kernel.

Fixed CVE-2024-47728 in the Linux kernel.

Fixed CVE-2024-47679 in the Linux kernel.

Fixed CVE-2024-50035 in the Linux kernel.

Fixed CVE-2024-49851 in the Linux kernel.

Fixed CVE-2024-47701 in the Linux kernel.

Fixed CVE-2024-50033 in the Linux kernel.

Fixed CVE-2024-49860 in the Linux kernel.

Fixed CVE-2024-47737 in the Linux kernel.

Fixed CVE-2024-47742 in the Linux kernel.

Fixed CVE-2024-47739 in the Linux kernel.

Fixed CVE-2024-47706 in the Linux kernel.

Fixed CVE-2024-49858 in the Linux kernel.

Fixed CVE-2024-47682 in the Linux kernel.

Fixed CVE-2024-47692 in the Linux kernel.

Fixed CVE-2024-47727 in the Linux kernel.

Fixed CVE-2024-47693 in the Linux kernel.

Fixed CVE-2024-47734 in the Linux kernel.

Fixed CVE-2024-47743 in the Linux kernel.

Fixed CVE-2024-47684 in the Linux kernel.

Fixed CVE-2024-49850 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812035 -> 812026

October 28, 2024

cos-113-18244-236-9

Date Kernel Docker Containerd GPU Drivers
Oct 28, 2024 COS-6.1.112 v24.0.9 v1.7.23 See List

Fixed CVE-2024-47685 in the Linux kernel.

Fixed CVE-2024-38632 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812026 -> 812035

October 21, 2024

cos-113-18244-236-5

Kernel Docker Containerd GPU Drivers
COS-6.1.112 v24.0.9 v1.7.23 See List

Updated app-containers/containerd to 1.7.23.

Upgraded app-containers/cni-plugins to v1.5.1.

Upgraded app-containers/docker-credential-helpers to v0.8.2.

Upgraded app-admin/google-guest-configs to v20240725.00.

Upgraded app-containers/docker-credential-gcr to v2.1.23.

Upgraded dev-python/jinja to v3.1.4.

Upgraded net-libs/libtirpc to v1.3.4-r3.

Upgraded sys-libs/libcap to v2.70.

Upgraded sys-process/procps to v4.0.4-r1.

Upgraded sys-fs/xfsprogs to v6.8.0.

Upgraded dev-db/sqlite to v3.46.0.

Upgraded sys-libs/gdbm to v1.24.

Upgraded dev-libs/double-conversion to v3.3.0.

Upgraded app-arch/lz4 to v1.10.0-r1.

Upgraded app-arch/gzip to v1.13-r1.

Upgraded sys-apps/acl to v2.3.2-r1.

Upgraded sys-libs/libcap-ng to v0.8.5.

Added NVIDIA GPU drivers R560 branch - Updated the R560 and latest drivers to v560.35.03.

Updated the R550 and latest drivers to v550.90.12.

Identify GPU drivers before installation.

Updated app-arch/libarchive to version 3.7.6. This fixed CVE-2024-48957, CVE-2024-48958.

Fixed CVE-2024-44958 in the Linux kernel.

Fixed CVE-2024-43892 in the Linux kernel.

October 14, 2024

cos-113-18244-151-100

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.22 See List

Fixed CVE-2024-43853 in the Linux kernel.

Fixed CVE-2024-45003 in the Linux kernel.

Fixed CVE-2024-46855 in the Linux kernel.

Fixed CVE-2024-46848 in the Linux kernel.

Fixed CVE-2024-44965 in the Linux kernel.

Fixed CVE-2024-44970 in the Linux kernel.

Fixed CVE-2024-46829 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812030 -> 812026

October 07, 2024

cos-113-18244-151-96

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.22 See List

Update R535, default driver to v535.183.06.

Updated the GPU installer to v2.4.1.

Disabled MGLRU by default due to integration issues with Kubernetes.

Fixed CVE-2024-46744 in the Linux kernel.

Fixed CVE-2024-46750 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812026 -> 812030

September 30, 2024

cos-113-18244-151-88

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.22 See List

Upgraded app-admin/google-guest-configs to v20240725.00.

Fixed A3 Edge VM names in google guest agent configs.

Updated cos-gpu-installer to v2.4.0. It identifies GPU drivers before installation.

Fixed CVE-2024-46763 in the Linux kernel.

Fixed CVE-2024-46679 in the Linux kernel.

Fixed CVE-2024-46721 in the Linux kernel.

Fixed CVE-2024-46800 in the Linux kernel.

Fixed CVE-2024-46737 in the Linux kernel.

Fixed CVE-2024-46743 in the Linux kernel.

Fixed CVE-2024-46738 in the Linux kernel.

September 23, 2024

cos-113-18244-151-80

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.22 See List

Updated app-containers/containerd to 1.7.22.

Updated net-misc/curl to 8.10.0.

Fixed CVE-2023-27043 in dev-lang/python.

Fixed CVE-2024-7592 in dev-lang/python.

Fixed CVE-2024-43817 in the Linux kernel.

Fixed CVE-2024-44947 in the Linux kernel.

Fixed CVE-2024-45025 in the Linux kernel.

Fixed CVE-2024-44983 in the Linux kernel.

Fixed CVE-2024-45022 in the Linux kernel.

Fixed CVE-2024-45018 in the Linux kernel.

Fixed CVE-2024-45021 in the Linux kernel.

Fixed CVE-2024-41012 in the Linux kernel.

Fixed CVE-2024-44940 in the Linux kernel.

Fixed CVE-2024-46686 in the Linux kernel.

Fixed CVE-2024-43893 in the Linux kernel.

Fixed CVE-2024-43871 in the Linux kernel.

Fixed CVE-2024-42307 in the Linux kernel.

Fixed CVE-2024-43914 in the Linux kernel.

Fixed CVE-2024-44952 in the Linux kernel.

Fixed CVE-2024-44989 in the Linux kernel.

Fixed CVE-2024-44990 in the Linux kernel.

Fixed CVE-2024-45000 in the Linux kernel.

Fixed CVE-2024-44944 in the Linux kernel.

September 16, 2024

cos-113-18244-151-57

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.21 See List

Updated dev-lang/python to v3.8.19_p1. This fixes CVE-2007-4559.

Fixed CVE-2024-6232 in dev-lang/python.

Fixed CVE-2024-6119 in net-libs/openssl.

Updated dev-libs/expat to version v2.6.3. This fixed CVE-2024-45492, CVE-2024-45490, CVE-2024-45491.

Fixed CVE-2023-7256 in net-libs/libpcap.

Fixed CVE-2024-42302 in the Linux kernel.

Fixed CVE-2024-44985 in the Linux kernel.

Fixed CVE-2024-44987 in the Linux kernel.

Fixed CVE-2024-43882 in the Linux kernel.

Fixed CVE-2024-43873 in the Linux kernel.

Fixed CVE-2024-44986 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812022 -> 812026

September 09, 2024

cos-113-18244-151-50

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.21 See List

Updated app-containers/containerd to 1.7.21.

Fixes CVE-2024-37370, CVE-2024-37371 in app-crypt/mit-krb5.

Fixes CVE-2024-42302 in the Linux kernel.

Fixes CVE-2024-41057 in the Linux kernel.

Fixes CVE-2024-43837 in the Linux kernel.

Fixes CVE-2024-43855 in the Linux kernel.

Fixes CVE-2024-43889 in the Linux kernel.

Fixes CVE-2024-42316 in the Linux kernel.

Fixes CVE-2024-43828 in the Linux kernel.

Fixes CVE-2024-43856 in the Linux kernel.

Fixes CVE-2024-41073 in the Linux kernel.

Fixes CVE-2024-43854 in the Linux kernel.

Fixes CVE-2024-41058 in the Linux kernel.

Fixes CVE-2024-41098 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812039 -> 812022

September 03, 2024

cos-113-18244-151-33

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.19 See List

Updated app-editors/vim, app-editors/vim-core to version 9.1.0686. This fixed CVE-2024-41957, CVE-2024-41965.

Fixed CVE-2024-42270 in the Linux kernel.

Fixed CVE-2024-42285 in the Linux kernel.

Fixed CVE-2024-42269 in the Linux kernel.

Fixed CVE-2024-42268 in the Linux kernel.

Fixed CVE-2024-42283 in the Linux kernel.

Fixed CVE-2023-52889 in the Linux kernel.

Fixed KCTF-c07ff85 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812030 -> 812039

August 26, 2024

cos-113-18244-151-27

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.19 See List

Updated google-osconfig-agent to v20240822.00.

August 20, 2024

cos-113-18244-151-23

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.19 See List

Upgraded sys-apps/pv to v1.8.12.

Downgraded setuptools to v65.6.3. Cherry-picked upstream fix for CVE-2024-6345.

Fixed CVE-2024-6602 in dev-libs/nss.

Runtime sysctl changes:

  • Added: vm.unprivileged_userfaultfd: 0
  • Changed: fs.file-max: 812026 -> 812045
  • Changed: net.ipv4.tcp_rto_min_us: 200000 -> 5000

August 12, 2024

cos-113-18244-151-14

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.19 v535.183.01(default),v550.90.07(latest),v470.256.02(R470 for compatibility with K80 GPUs)

Downgraded sys-apps/ethtool to v6.7.

Updated dev-libs/openssl to version 3.0.14 and added patch for CVE-2024-5535. This fixed CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, CVE-2024-5535.

Updated net-misc/curl to version 8.9.1. This fixed CVE-2024-7264.

Fixed CVE-2024-39472 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812030 -> 812026

August 06, 2024

cos-113-18244-151-9

Kernel Docker Containerd GPU Drivers
COS-6.1.100 v24.0.9 v1.7.19 v535.183.01(default),v550.90.07(latest),v470.256.02(R470 for compatibility with K80 GPUs)

Upgraded app-admin/google-guest-configs to 20240607.00.

Upgraded app-containers/containerd to 1.7.19.

Upgraded net-misc/rsync to v3.2.7-r5.

Upgraded sys-apps/less to v661.

Enabled the feature to utilize the gpu_driver_versions proto file for controlling the specific GPU driver version to be installed for each GPU type.

Upgraded cos-gpu-installer to v2.3.5 - Improved error messaging for incompatible GPU driver input.

Removed crash-reporter KVM support.

Removed dev-go/grpc.

Upgraded curl to v8.9.0. This fixes CVE-2024-6197.

Upgraded dev-python/setuptools to v70.3.0. This fixes CVE-2024-6345.

Runtime sysctl changes:

  • Changed: fs.file-max: 812026 -> 812030

July 31, 2024

cos-113-18244-85-65

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.183.01(default),v550.90.07(latest),v470.256.02(R470 for compatibility with K80 GPUs)

Runtime sysctl changes:

  • Changed: fs.file-max: 812041 -> 812026

July 22, 2024

cos-113-18244-85-64

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.183.01(default),v550.90.07(latest),v470.256.02(R470 for compatibility with K80 GPUs)

Disable NVIDIA persistence mode with -no-verify flag

Fixed CVE-2024-39894 in net-misc/openssh.

Fixed CVE-2024-36891 in the Linux kernel.

Fixed CVE-2024-38662 in the Linux kernel.

Fixed CVE-2024-39482 in the Linux kernel.

Fixed CVE-2024-39474 in the Linux kernel.

Fixed CVE-2024-39476 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812036 -> 812041

July 15, 2024

cos-113-18244-85-54

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.183.01(default),v550.90.07(latest),v470.256.02(R470 for compatibility with K80 GPUs)

Updated cos-gpu-installer to v2.3.5.

Added the package revision number to the SSH banner in net-misc/openssh.

Updated net-misc/wget to version 1.24.5. This fixed CVE-2024-38428.

Fixed CVE-2024-36978 in the Linux kernel.

July 01, 2024

cos-113-18244-85-49

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.183.01(default),v550.90.07(latest),v470.256.02(R470 for compatibility with K80 GPUs)

Upgraded sys-apps/dmidecode to v3.6.

Upgraded dev-embedded/libftdi to v1.5-r7.

Upgraded app-admin/logrotate to v3.22.0.

Upgraded sys-apps/hwdata to v0.383.

Upgraded net-misc/curl to v8.8.0-r1.

Upgraded sys-apps/sed to v4.9-r1.

Upgraded dev-libs/libusb to v1.0.27-r1.

Upgraded sys-block/thin-provisioning-tools to v0.9.0-r4.

Upgraded sys-apps/ethtool to v6.9.

Upgraded sys-apps/grep to v3.11-r1.

Upgraded sys-apps/pv to v1.8.10.

Added tcp_rto_min_us sysctl.

Upgraded dev-lang/go to v1.21.11. This fixes CVE-2024-24790 and CVE-2024-24789.

Fixed CVE-2024-35195 in dev-python/requests.

Fixed CVE-2024-36901 in the Linux kernel.

Runtime sysctl changes:

  • Added: net.ipv4.tcp_rto_min_us: 200000
  • Changed: fs.file-max: 812039 -> 812035

Fixed CVE-2024-6387 in net-misc/openssh.

June 24, 2024

cos-113-18244-85-39

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.183.01(default),v550.90.07(latest),v470.256.02(R470 for compatibility with K80 GPUs)

Added support for TPU v6 devices.

Runtime sysctl changes:

  • Changed: fs.file-max: 812036 -> 812039

Fixed a crash in the Linux kernel.

June 18, 2024

cos-113-18244-85-36

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.183.01(default),v550.90.07(latest),v470.256.02(R470 for compatibility with K80 GPUs)

Mount efivarfs fs by default on EFI-enabled systems.

Update R550, latest driver to v550.90.07. This fixes CVE-2024-0090, CVE-2024-0091, CVE-2024-0092.

Update R535, default driver to v535.183.01. This fixes CVE-2024-0090, CVE-2024-0092.

Update R470 to v470.256.02. This fixes CVE-2024-0090, CVE-2024-0092.

Upgraded app-arch/lz4 to 1.9.4. Fixes CVE-2021-3520.

Upgraded app-arch/libarchive to version 3.7.4. Fixes CVE-2024-26256.

Fixes CVE-2024-36902 in the Linux kernel.

Fixes CVE-2024-36938 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812002 -> 812036

June 10, 2024

cos-beta-113-18244-85-29

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Fixed frequent restarts in fluent-bit stackdriver plugin.

Updated cos-gpu-installer to v2.3.3. This resolves potential synchronization issues and ensures proper cleanup of mounts in GPU driver installation directory configuration.

Updated cos-gpu-installer to v2.3.4. This fixes CVEs: CVE-2023-29402, CVE-2023-29405, CVE-2023-29404, CVE-2023-24540, CVE-2023-24538, CVE-2022-41721, GHSA-m425-mq94-257g, CVE-2022-41715, CVE-2022-30633, CVE-2022-41724, CVE-2022-2880, CVE-2022-30631, CVE-2021-29923, CVE-2022-24675, CVE-2022-30580, CVE-2022-41723, CVE-2023-24534, CVE-2022-41725, CVE-2022-2879, CVE-2023-24539, CVE-2022-30635, CVE-2023-45285, CVE-2022-32149, CVE-2023-24537, CVE-2022-32189, CVE-2022-28131, CVE-2023-39323, CVE-2022-28327, CVE-2022-30630, CVE-2023-44487, CVE-2023-39325, CVE-2022-27664, CVE-2023-45287, CVE-2023-29400, CVE-2023-24536, CVE-2023-29403, CVE-2022-30632, CVE-2023-39318, CVE-2020-29511, CVE-2024-24786, CVE-2023-3978, CVE-2022-41717, CVE-2022-32148, CVE-2023-39326, CVE-2023-45288, CVE-2022-1962, CVE-2023-24532, CVE-2023-39319, CVE-2022-1705, CVE-2020-29509, CVE-2023-29406, CVE-2023-29409, CVE-2022-30629

Runtime sysctl changes:

  • Changed: fs.file-max: 812026 -> 812002

June 03, 2024

cos-113-18244-85-24

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Updated cos-gpu-installer to v2.3.2.

Fixed CVE-2024-34459 in the libxml2 package.

Fixed a bug in auto update engine when confidential VMs are enabled.

May 28, 2024

cos-113-18244-85-17

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Improved boot time on A3 machines by around 5 seconds.

Fixed CVE-2024-21626 in runc in kubelet.

Updated dev-vcs/git to v2.45.1. This resolves CVE-2024-32002, CVE-2024-32020, CVE-2024-32465, CVE-2024-32004, CVE-2024-32021.

Runtime sysctl changes:

  • Changed: fs.file-max: 812391 -> 812030

May 20, 2024

cos-113-18244-85-14

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Updated cos-gpu-installer to v2.3.1.

Upgraded sys-apps/less to v643-r2.

Upgraded sys-libs/timezone-data to v2024a-r1.

Added support for nft_fib family of modules in the Linux kernel.

May 13, 2024

cos-113-18244-85-5

Kernel Docker Containerd GPU Drivers
COS-6.1.90 v24.0.9 v1.7.15 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Upgraded app-admin/node-problem-detector to v0.8.18.

Upgraded app-admin/google-osconfig-agent to v20240501.00.

Upgraded app-admin/google-guest-agent to v20240314.00.

Upgraded app-containers/docker and app-containers/docker-cli to v24.0.9.

Upgraded app-admin/google-guest-configs to v20240307.00.

Upgraded sys-boot/grub-lakitu to FC 39's current version.

Upgraded app-emulation/cloud-init to v23.4.4.

Added support for i6300 watchdog timer device.

Uprev GPU driver version to v470.239.06.

Fixed CVE-2021-36084, CVE-2021-36085, CVE-2021-36086, CVE-2021-36087 in sys-libs/libsepol.

Fixed CVE-2024-26900 in the Linux kernel.

Fixed CVE-2024-26809 in the Linux kernel.

Fixed CVE-2024-26882 in the Linux kernel.

Fixed CVE-2024-26884 in the Linux kernel.

Fixed CVE-2024-26885 in the Linux kernel.

Fixed CVE-2024-26883 in the Linux kernel.

Fixed CVE-2024-26907 in the Linux kernel.

Runtime sysctl changes:

  • Added: net.core.mem_pcpu_rsv: 256
  • Changed: fs.epoll.max_user_watches: 1809474 -> 1809452
  • Changed: fs.file-max: 812400 -> 812391
  • Changed: kernel.threads-max: 63504 -> 63503
  • Changed: net.ipv4.tcp_mem: 94068 125424 188136 -> 94065 125423 188130
  • Changed: net.ipv4.udp_mem: 188136 250848 376272 -> 188133 250847 376266
  • Changed: user.max_cgroup_namespaces: 31752 -> 31751
  • Changed: user.max_ipc_namespaces: 31752 -> 31751
  • Changed: user.max_mnt_namespaces: 31752 -> 31751
  • Changed: user.max_net_namespaces: 31752 -> 31751
  • Changed: user.max_pid_namespaces: 31752 -> 31751
  • Changed: user.max_time_namespaces: 31752 -> 31751
  • Changed: user.max_user_namespaces: 31752 -> 31751
  • Changed: user.max_uts_namespaces: 31752 -> 31751

Fixed issues with the SRSO vulnerability mitigation (CVE-2023-20569). This fix might negatively impact the performance of your workloads on AMD machine types.

May 06, 2024

cos-113-18244-1-65

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.15 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Upgraded sys-apps/makedumpfile to v1.7.5.

Upgraded app-admin/sosreport to v4.7.1.

Updated cos-gpu-installer to v2.3.0.

Fixed CVE-2023-52620 in the Linux kernel.

May 01, 2024

cos-113-18244-1-61

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.15 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Updated Konlet to v.0.12.0. This fixes an iptables compatibility issue.

Fixed CVE-2023-4641 in sys-apps/shadow.

Fixed CVE-2023-50387, CVE-2023-50868 in sys-apps/systemd.

Fixed CVE-2023-0687, CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 in sys-libs/glibc.

Fixed CVE-2023-32681 in dev-python/requests.

Fixed CVE-2024-3772 in dev-python/pydantic.

Fixed CVE-2023-5388 in dev-libs/nss.

Updated net-dns/c-ares to version 1.27. This fixes CVE-2024-25629.

Updated dev-python/pyyaml to version 6.0.1. This fixes CVE-2017-18342, CVE-2019-20477, CVE-2020-14343, CVE-2020-1747.

Updated dev-vcs/git to version VERSION. This fixes CVE-2023-22490, CVE-2023-23946, CVE-2023-25652, CVE-2023-25815, CVE-2023-29007.

Updated net-misc/curl to version 8.7.1. This fixes CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466.

Updated dev-libs/expat to version 2.6.2. This fixes CVE-2024-28757.

Fixed CVE-2024-28182 in net-libs/nghttp2.

Fixed CVE-2024-26602 in the Linux kernel.

Fixed CVE-2024-26603 in the Linux kernel.

Fixed CVE-2024-26601 in the Linux kernel.

April 23, 2024

cos-beta-113-18244-1-44

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.15 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Updated app-containers/containerd to v1.7.15.

Fixed CVE-2024-26642 in the Linux kernel.

Fixed CVE-2024-26642, CVE-2024-26643 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812399 -> 812400
  • Changed: kernel.threads-max: 63503 -> 63504
  • Changed: user.max_cgroup_namespaces: 31751 -> 31752
  • Changed: user.max_ipc_namespaces: 31751 -> 31752
  • Changed: user.max_mnt_namespaces: 31751 -> 31752
  • Changed: user.max_net_namespaces: 31751 -> 31752
  • Changed: user.max_pid_namespaces: 31751 -> 31752
  • Changed: user.max_time_namespaces: 31751 -> 31752
  • Changed: user.max_user_namespaces: 31751 -> 31752
  • Changed: user.max_uts_namespaces: 31751 -> 31752

April 15, 2024

cos-113-18244-1-37

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.10 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Fixed integrity-fs dm-crypt creation flakiness.

Updated NVIDIA GPU drivers to v550.54.15. Fixed a potential corruption when launching kernels on H100 GPUs, which is more likely to occur when the GPU is shared between multiple processes.

Updated NVIDIA GPU drivers to v535.161.08. Fixed a potential corruption when launching kernels on H100 GPUs.

Runtime sysctl changes:

  • Changed: fs.file-max: 812400 -> 812399
  • Changed: kernel.threads-max: 63504 -> 63503
  • Changed: user.max_cgroup_namespaces: 31752 -> 31751
  • Changed: user.max_ipc_namespaces: 31752 -> 31751
  • Changed: user.max_mnt_namespaces: 31752 -> 31751
  • Changed: user.max_net_namespaces: 31752 -> 31751
  • Changed: user.max_pid_namespaces: 31752 -> 31751
  • Changed: user.max_time_namespaces: 31752 -> 31751
  • Changed: user.max_user_namespaces: 31752 -> 31751
  • Changed: user.max_uts_namespaces: 31752 -> 31751

April 01, 2024

cos-beta-113-18244-1-33

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.10 v535.161.07(default),v550.54.14(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Update app-containers/nvidia-container-toolkit to v1.14.6.

Added NVIDIA GPU drivers R550 branch and update latest to 550.54.14.

March 27, 2024

cos-beta-113-18244-1-31

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.10 v535.161.07(default, latest),v470.239.06(R470 for compatibility with K80 GPUs)

Upgraded app-admin/node-problem-detector to v0.8.17.

Upgraded localtoast to 1.1.7 and opted out of logging-service-running benchmark by default for cis-level2.

Upgraded app-admin/fluent-bit to v1.9.10.

Upgraded app-admin/sosreport to v4.7.0.

Upgraded app-admin/localtoast to v1.1.7.

Added infiniband and mlx5 device drivers.

Fixed bug in google-guest-agent service enablement.

Fixed CVE-2024-26584 in the Linux kernel.

Fixed CVE-2024-26585 in the Linux kernel.

Fixed CVE-2023-52434 in the Linux kernel.

Fixed CVE-2024-26583 in the Linux kernel.

Fixed CVE-2024-26582 in the Linux kernel.

Fixed CVE-2023-52435 in the Linux kernel.

March 25, 2024

cos-beta-113-18244-1-7

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.10 v535.154.05(default, latest),v470.223.02(R470 for compatibility with K80 GPUs)

Updates to Major Packages:

Updated cos-gpu-installer to v2.2.0. Some key features of this update include:

  • Switched precompiled driver and signature location to COS build artifacts for M109.
  • This fixes a permissions issue in the GPU driver install directory with OSS drivers.
  • Added major version specification for GPU driver installation.

Update default and latest NVIDIA GPU drivers to v535.154.05.

Updated sys-apps/systemd to v254.9.

Updated docker-credential-gcr to v2.1.22.

Updated app-containers/docker-cli to v24.0.5.

Updated app-emulation/kubernetes to v1.29.1.

Updated app-containers/containerd to v1.7.10.

Updated app-containers/runc to v1.1.12.

Upgraded app-emulation/cloud-init to v23.4.3.

Upgraded app-admin/oslogin to v20231004.00.

Upgraded app-admin/google-osconfig-agent to v20240126.00.

Upgraded app-admin/google-guest-agent to v20240213.00.

Upgraded app-admin/google-guest-configs to v20240122.00.

Updated app-admin/sosreport to v4.6.1.

Updated latest GPU driver to v535.104.05.

Updated GPU drivers to v535.54.03 (R535 LTSB NVIDIA branch).

Upgraded app-containers/docker-credential-helpers to v0.8.1.

Runtime sysctl changes:

  • Added: net.ipv4.tcp_backlog_ack_defer: 1
  • Changed: fs.epoll.max_user_watches: 1809920 -> 1809474
  • Changed: fs.fanotify.max_user_marks: 67577 -> 67560
  • Changed: fs.file-max: 812606 -> 812400
  • Changed: fs.inotify.max_user_watches: 63456 -> 63441
  • Changed: kernel.threads-max: 63520 -> 63504
  • Changed: net.core.optmem_max: 20480 -> 131072
  • Changed: net.ipv4.tcp_mem: 94092 125456 188184 -> 94068 125424 188136
  • Changed: net.ipv4.udp_mem: 188184 250912 376368 -> 188136 250848 376272
  • Changed: net.ipv6.route.max_size: 4096 -> 2147483647
  • Changed: user.max_cgroup_namespaces: 31760 -> 31752
  • Changed: user.max_fanotify_marks: 67577 -> 67560
  • Changed: user.max_inotify_watches: 63456 -> 63441
  • Changed: user.max_ipc_namespaces: 31760 -> 31752
  • Changed: user.max_mnt_namespaces: 31760 -> 31752
  • Changed: user.max_net_namespaces: 31760 -> 31752
  • Changed: user.max_pid_namespaces: 31760 -> 31752
  • Changed: user.max_time_namespaces: 31760 -> 31752
  • Changed: user.max_user_namespaces: 31760 -> 31752
  • Changed: user.max_uts_namespaces: 31760 -> 31752
  • Changed: vm.lowmem_reserve_ratio: 256 256 32 0 -> 256 256 32 0 0
  • Added: net.netfilter.nf_flowtable_tcp_timeout: 30
  • Added: net.netfilter.nf_flowtable_udp_timeout: 30
  • Changed: fs.file-max: 812608 -> 812606
  • Added: net.ipv4.tcp_shrink_window: 0
  • Added: net.ipv6.conf.all.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.default.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.docker0.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.eth0.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.lo.accept_ra_min_lft: 0
  • Added: kernel.io_uring_disabled: 0
  • Changed: fs.file-max: 812619 -> 812608
  • Changed: kernel.threads-max: 63519 -> 63520
  • Changed: net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd: 0 -> 3
  • Changed: net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent: 0 -> 3
  • Changed: user.max_cgroup_namespaces: 31759 -> 31760
  • Changed: user.max_ipc_namespaces: 31759 -> 31760
  • Changed: user.max_mnt_namespaces: 31759 -> 31760
  • Changed: user.max_net_namespaces: 31759 -> 31760
  • Changed: user.max_pid_namespaces: 31759 -> 31760
  • Changed: user.max_time_namespaces: 31759 -> 31760
  • Changed: user.max_user_namespaces: 31759 -> 31760
  • Changed: user.max_uts_namespaces: 31759 -> 31760
  • Changed: fs.epoll.max_user_watches: 1809474 -> 1809452
  • Changed: fs.file-max: 812400 -> 812392
  • Changed: kernel.threads-max: 63504 -> 63503
  • Changed: net.ipv4.tcp_mem: 94068 125424 188136 -> 94065 125423 188130
  • Changed: net.ipv4.udp_mem: 188136 250848 376272 -> 188133 250847 376266
  • Changed: user.max_cgroup_namespaces: 31752 -> 31751
  • Changed: user.max_ipc_namespaces: 31752 -> 31751
  • Changed: user.max_mnt_namespaces: 31752 -> 31751
  • Changed: user.max_net_namespaces: 31752 -> 31751
  • Changed: user.max_pid_namespaces: 31752 -> 31751
  • Changed: user.max_time_namespaces: 31752 -> 31751
  • Changed: user.max_user_namespaces: 31752 -> 31751
  • Changed: user.max_uts_namespaces: 31752 -> 31751
  • Changed: fs.file-max: 812620 -> 812619
  • Added: fs.overflowgid: 65534
  • Added: fs.overflowuid: 65534

The default iptables implementation has been changed from iptables-legacy to iptables-nft.

New Features and Changes in the Linux Kernel:

Added additional option to existing kernel cmdline flag that moves protected stateful partition integrity tags to memory.

Fixed a kernel crash that occurred when running Postgres databases.

Enabled TDX Guest support in the Linux Kernel.

Updated the Linux kernel to v6.1.77.

New Features and Changes in the Image:

Changed default umask value for a user to 027.

Removed legacy logging agent (fluentd).

Fragmented nvidia-drivers and nvidia-drivers-open pkg into separate packages per major version.

Enhanced integrity-fs with disk resize and dm-clone.

Removed deprecated R525 NVIDIA GPU drivers.

Added support for dm-zero and dm-clone.

Sosreport now includes GPU Installer logs.

Fixed a performance issue that was observed in Postgres databases.

Fixed a container performance issue that occurred after running systemctl start cloud-audit-setup.

Updated NVIDIA GPU drivers.

Backported support for TCP RTO configuration in networkd.

Enable portmapper registration reporting for lsof. This also fixes an issue where lsof is missing from SOS reports.

Add compiler mitigations to mitigate memory corruption vulnerabilities.

Sequence named before nss-lookup.target.

Restore systemd-logind restart behavior when dbus restarts.

Fixed an issue where symlinks could not be moved.

Fixed an issue where IPv6 networking would fail under high CPU load.

Fixed an issue with NFS reconnects on GKE.

The get_metadata_value script will now retry if it experiences a connection error.

Enabled persistence mode with Nvidia GPU driver installation.

Fixed an issue in ip6tables where the -C option did not work correctly.

Simplified GPU driver installation by remounting driver installation path as executable from cos-extensions.

Added support for user.* xattr on tmpfs.

Added automatic generation of known modules list to image build process.

Include nvidia plugin into sosreport.

Added support for iSCSI targets and RAM block devices.

Fixed a time-to-login slowdown introduced by cloud-init changes.

CVE/Security Fixes:

Fixed CVE-2024-21626 in app-containers/runc.

Upgraded app-editors/vim to v9.0.2167 and app-editors/vim-core to v9.0.2167. This resolves CVE-2023-4733, CVE-2023-4734, CVE-2023-4735, CVE-2023-4736, CVE-2023-4738, CVE-2023-4750, CVE-2023-4752, CVE-2023-4781, CVE-2023-5344, CVE-2023-5441, CVE-2023-5535.

Updated dev-lang/go to v1.21.5. This fixes CVE-2023-45285 and CVE-2023-39326.

Upgraded dev-go/crypto to v0.17.0. This fixes CVE-2023-48795.

Upgraded sys-apps/dbus to v1.12.28. This fixes CVE-2023-34969.

Fixed CVE-2023-49083 in package dev-python/cryptography.

Fixed CVE-2023-6622, CVE-2023-5197, CVE-2023-42753, CVE-2023-4921, CVE-2023-4623, CVE-2023-4194, CVE-2024-23851, CVE-2024-26581 in the Linux kernel.

Updated net-libs/nghttp2 to v1.57.0. This resolves CVE-2023-44487 and CVE-2023-35945.

Updated dev-go/net to v0.17.0. This resolves CVE-2023-44487 and CVE-2023-39325.

Fixed CVE-2023-4911 in sys-libs/glibc.

Fixed CVE-2023-38039 in net-misc/curl.

Fixed CVE-2023-5345 and CVE-2023-42756 in COS kernel.

Fixed CVE-2023-32636, CVE-2023-29499, CVE-2023-32643, CVE-2023-32665, CVE-2023-32611 in glib and glib-utils.

Upgraded sys-fs/mdadm to v4.2. This resolves CVE-2023-28938 and CVE-2023-28736.

Fixed CVE-2023-4016 in sys-process/procps.

Updated dev-go/yaml to v3.0.1. This resolves CVE-2022-28948.

Fixed CVE-2022-40896 in pygments.

Fixed CVE-2023-24329 and CVE-2023-40217 in dev-lang/python.

Fixed ncurses upgrade to 6.4p20220423. This resolves CVE-2023-29491.

Upgraded dev-db/sqlite to v3.45.1-r1. This also fixes CVE-2023-7104.

Fixed CVE-2023-40546, CVE-2023-40548, CVE-2023-40549, CVE-2023-40551, CVE-2023-40547, and CVE-2023-40550 in sys-boot/shim.

Upgraded docker to v24.0.9. This fixes CVE-2024-24557.

Updated dev-libs/openssl to v3.0.13. This resolves CVE-2024-0727 and CVE-2023-6129.

Fixed CVE-2024-0684 in sys-apps/coreutils.

Upgraded net-misc/curl to version 8.6.0. This fixes CVE-2024-0853 and CVE-2023-38545.

Updated dev-libs/libxml2 to 2.11.7. This fixes CVE-2024-25062.

Updated default GPU driver to v470.199.02 and latest GPU driver to v525.125.06. This resolves CVE-2023-25515 and CVE-2023-25516.

Updates for Minor Packages:

Upgraded dev-libs/nss to v3.97.

Upgraded net-libs/gnutls to v3.8.3.

Upgraded dev-python/jinja to v3.1.3.

Upgraded app-admin/node-problem-detector to v0.8.15.

Upgraded app-eselect/eselect-iptables to v20220320.

Upgraded sys-libs/libcap-ng to v0.8.4-r1.

Upgraded net-misc/rsync to v3.2.7-r4.

Upgraded dev-python/netifaces to v0.11.0-r2.

Upgraded net-libs/libtirpc to v1.3.4-r1.

Upgraded app-admin/sudo to v1.9.15_p5.

Upgraded app-misc/jq to v1.7.1.

Upgraded sys-apps/pv to v1.8.5.

Upgraded sys-process/lsof to v4.99.3.

Upgraded dev-util/bsdiff to v4.3.1-r42.

Updated net-misc/openssh to v9.6_p1-r1.

Upgraded sys-apps/less to v643-r1.

Upgraded chromeos-base/mojo_service_manager to v0.0.1-r271.

Upgraded net-misc/socat to v1.8.0.0.

Upgraded dev-python/jsonpatch to v1.33.

Upgraded dev-python/pyyaml to v6.0.1-r1.

Upgraded dev-lang/python-exec to v2.4.10.

Upgraded dev-python/six to v1.16.0-r1.

Upgraded dev-python/configobj to v5.0.8.

Upgraded dev-python/nose to v1.3.7_p20221026.

Upgraded dev-python/mock to v5.1.0.

Upgraded dev-python/pyserial to v3.5-r2.

Upgraded sys-apps/hwdata to v0.376.

Upgraded sys-fs/xfsprogs to v6.5.0.

Upgraded dev-python/pygobject to v3.46.0.

Upgraded sys-devel/libtool to v2.4.6-r7.

Upgraded dev-libs/double-conversion to v3.2.1.

Upgraded net-fs/cifs-utils to v7.0-r1.

Upgraded sys-libs/talloc to v2.4.1.

Upgraded app-arch/unzip to v6.0_p27-r1.

Upgraded sys-apps/dmidecode to v3.5-r3.

Upgraded dev-util/gn to v2121.

Upgraded chromeos-base/chromeos-dbus-bindings to v0.0.1-r2787.

Updated dev-embedded/libftdi to v1.5-r5.

Upgraded sys-apps/coreutils to v9.4.

Upgraded sys-process/procps to v4.0.4.

Updated dev-go/go-tools to v0.11.1_p20230712.

Upgraded app-arch/pigz to v2.8.

Upgraded sys-block/thin-provisioning-tools to v0.9.0-r2.

Upgraded app-arch/tar to v1.35.

Upgraded app-arch/xz-utils to v5.4.6-r1.

Upgraded app-misc/ca-certificates to v20230311.3.97.

Upgraded net-dns/c-ares to v1.26.0.

Upgraded net-dns/libidn2 to v2.3.7.

Upgraded sys-apps/attr to v2.5.2-r1.

Upgraded sys-apps/ethtool to v6.7.

Upgraded sys-apps/file to v5.45-r4.

Upgraded sys-libs/libcap to v2.69-r1.

Upgraded sys-libs/timezone-data to v2024a.

Upgraded sys-libs/zlib to v1.3.1-r1.

Upgraded dev-libs/libusb to v1.0.27.

Upgraded dev-libs/expat to v2.6.0.

Upgraded sys-apps/acl to v2.3.2.

Updated gzip to v1.13.

Upgraded sys-auth/pambase to v20240128.

Upgraded net-misc/chrony to v4.5.

Upgraded app-containers/cni-plugins to v1.4.0.

Upgraded sys-apps/makedumpfile to v1.7.4.

Upgraded chromeos-base/system_api to v0.0.1-r5643.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2385.

Upgraded chromeos-base/hiberman-client to v0.0.1-r455.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2859.

Upgraded chromeos-base/dlcservice-client to v0.0.1-r884.

Upgraded chromeos-base/vm_protos to v0.0.1-r552.

Upgraded chromeos-base/shill-client to v0.0.1-r4325.

Upgraded chromeos-base/minijail to v18-r135.

Upgraded chromeos-base/debugd-client to v0.0.1-r2641.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2722.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r601.

Upgraded chromeos-base/google-breakpad to v2024.01.16.190249-r226.

Upgraded dev-util/puffin to v1.0.0-r450.

Upgraded sys-fs/squashfs-tools to v4.6.1.

Upgraded sys-apps/sandbox to v2.29-r1.