Release Notes: Milestone 73
Changelog
cos-73-11647-656-0
Date: Sep 05, 2020
Fixed Linux kernel vulnerability CVE-2020-14386 by fixing an integer overflow issue in tpacket_rcv.
cos-73-11647-600-0
Date: Jul 13, 2020
Moved the kernel source to cos.googlesource.com.
Mounted /var/lib/containerd with the exec option.
Fixed an incorrect bprm->vma_pages value that prevented capturing all stack pages.
cos-73-11647-534-0
Date: May 07, 2020
Image rebuild to address an infrastructure issue. No image changes.
cos-73-11647-510-0
Date: Apr 13, 2020
Disabled `accept_ra` on all interfaces by default.
Upgraded OpenSSH to 7.9_p1 to fix CVE-2018-15473.
cos-73-11647-501-0
Date: Apr 05, 2020
Upgraded the Linux kernel to v4.14.174.
Backported systemd patch ba0d56f55 to address an issue that resulted in leaked mount units.
cos-73-11647-459-0
Date: Feb 21, 2020
Fixed a kernel bug involving an empty TCP skb at the tail of the write queue.
Upgraded the Linux kernel to v4.14.171.
cos-73-11647-449-0
Date: Feb 12, 2020
Upgraded runc to 1.0.0-rc10. This resolves CVE-2019-19921.
Upgraded the Linux kernel to v4.14.170.
cos-73-11647-415-0
Date: Jan 07, 2020
Fixed a CFS quota throttling issue.
Increased the sysctl net.ipv4.tcp_limit_output_bytes to 1048576.
Upgraded the Linux kernel to v4.14.160.
cos-73-11647-348-0
Date: Oct 28, 2019
Upgraded the Linux kernel to v4.14.150.
Fixed the unnecessary creation of two separate test slices (resulting in 4 systemd log messages total plus runtime overhead) for every runc execution.
Fixed a performance regression in the completely fair scheduler (CFS).
cos-73-11647-338-0
Date: Oct 21, 2019
Fixed an issue in systemd that resulted in unnecessary CPU consumption.
Fixed an issue in runc that resulted in unnecessary CPU consumption.
cos-73-11647-329-0
Date: Oct 08, 2019
Upgraded the Linux kernel to 4.14.145.
Backported a kernel patch to ensure the cfs cgroup quota/period ratio always stays the same. This addresses a Kubernetes issue where the pod cgroup could be changed into an inconsistent state.
cos-73-11647-293-0
Date: Sep 04, 2019
Upgraded containerd to v1.2.8.
Upgraded the Linux kernel to version 4.14.138.
Backported upstream writeback patches to fix a softlockup issue.
cos-73-11647-267-0
Date: Aug 08, 2019
Upgraded the Linux kernel to v4.14.137. This resolves CVE-2019-1125.
cos-73-11647-239-0
Date: Jul 12, 2019
Upgraded Docker to version 18.09.7. This resolves CVE-2018-15664.
Upgraded runc to version 1.0.0_rc8.
Upgraded docker-proxy to version 0.8.0_p20190513.
cos-73-11647-231-0
Date: Jul 02, 2019
Upgraded containerd to v1.2.7.
Updated the kernel to version v4.14.131.
Fixed a vulnerability in app-arch/bzip2 (CVE-2019-12900).
Fixed an issue introduced by the NFLX-2019-001 fixes.
cos-73-11647-217-0
Date: Jun 19, 2019
Updated the Linux kernel to version 4.14.127 to resolve the NFLX-2019-001 TCP SACK vulnerabilities.
cos-73-11647-214-0
Date: Jun 17, 2019
Updated the kernel to version v4.14.124.
Backported the affinity change-set for napi-tx.
cos-73-11647-192-0
Date: May 28, 2019
Upgraded curl to v7.64.1 to fix CVE-2018-16890.
Upgraded containerd to version 1.2.6.
Set the OOM score to -999 for docker.service and containerd.service to enhance the reliability of core system daemons.
Added a restart policy in containerd.service, and corrected docker.service's dependency on containerd.service to allow containerd to recover from crashes.
Backported affinity changes to support napi-tx in COS.
Cherry-picked upstream patch https://patchwork.kernel.org/patch/10951403/ in the kernel to fix a bug in lockd introduced by commit 01b79d20008d "lockd: Show pid of lockd for remote locks" in Linux kernel v4.14.105.
Rotated the keys used by UEFI Secure Boot for signing and verifying the UEFI boot path.
cos-73-11647-182-0
Date: May 16, 2019
Merged Linux stable kernel v4.14.119 to resolve the Microarchitectural Data Sampling (MDS) vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091).
Mitigated a mount hang issue in the Linux kernel.
cos-73-11647-163-0
Date: Apr 19, 2019
Set LimitNOFILE to 1048576 in containerd.service to fix an issue where the file descriptor limit was not being properly applied to containerd.
cos-73-11647-121-0
Date: Apr 01, 2019
Included the perf tool in the image.
Fixed a bug where dockerd could start containerd even if containerd.service exists.
Fixed an issue where Docker did not preserve the UIDs/GIDs of the init process on exec.
cos-73-11647-112-0 (vs Milestone 69)
Date: Mar 25, 2019
New features
Added support for collecting kernel memory crash dumps.
Added support for RAID and LVM.
Added support for IPv6.
Added support for iscsi and multipath in the kernel.
Added support for kernel module signing.
Enabled auto updates on Shielded VMs that have never booted in secure boot mode. Auto update is still disabled on Shielded VMs that have previously booted in secure boot mode.
Disabled the CONFIG_DEVMEM configuration option in the kernel to restrict privileged access to system memory.
Added behavior for logging more debugging information to the serial console during boot.
Bug fixes
Fixed an issue (https://github.com/opencontainers/runc/issues/1884) observed in Kubernetes liveness probes.
Configured docker.service to always restart Docker after 10 seconds.
Fixed an issue where a race condition between Docker and containerd resulted in a Docker live restore failure.
Increased fs.inotify.max_user_instances to 1024.
Configured containerd to run as a standalone systemd service.
Package updates
Upgraded the built-in kubelet to v1.13.3.
Upgraded containerd to v1.2.5.
Upgraded openssl to 1.0.2q.
Upgraded Docker to 18.09.3.
Installed the pigz package for faster Docker image downloads.
Installed the keyutils package.
Installed the sosreport package.
Last updated 2025-09-04 UTC.