Container-Optimized OS Release Notes: Milestone 81

cos-81-12871-1317-1

Date Kernel Kubernetes Docker Containerd
Jul 27, 2021 COS-4.19.197 v1.17.17 v19.03.15 v1.3.10

Updated docker to v19.03.15.

Updated containerd to v1.3.10.

Updated the Linux kernel to v4.19.197.

Updated runc to v1.0.0_rc95. This resolves CVE-2021-30465.

Fixed CVE-2021-3537 in libxml2.

Fixed CVE-2020-24977 in libxml2.

Upgraded dev-vcs/git to version 2.26.3. Resolves CVE-2021-21300.

cos-81-12871-1290-20

Date Kernel Kubernetes Docker Containerd
Jul 26, 2021 COS-4.19.188 v1.17.17 v19.03.15 v1.3.9

Fixed CVE-2021-33910 in systemd.

Fixed CVE-2021-3612 in the Linux kernel.

Fixed CVE-2021-33909 in the Linux kernel.

cos-81-12871-1290-12

Date Kernel Kubernetes Docker Containerd
Jun 08, 2021 COS-4.19.188 v1.17.17 v19.03.15 v1.3.9

Updated runc to v1.0.0_rc95. This resolves CVE-2021-30465.

cos-81-12871-1290-11

Date Kernel Kubernetes Docker Containerd
Jun 07, 2021 COS-4.19.188 v1.17.17 v19.03.15 v1.3.9

Fixed CVE-2019-25044 in the Linux kernel.

cos-81-12871-1290-8

Date Kernel Kubernetes Docker Containerd
Jun 01, 2021 COS-4.19.188 v1.17.17 v19.03.15 v1.3.9

Updated docker to v19.03.15. This fixed CVE-2021-21285.

cos-81-12871-1290-2

Date Kernel Kubernetes Docker Containerd
Apr 27, 2021 COS-4.19.188 v1.17.17 v19.03.14 v1.3.9

Fixed an authentication error when using go-dbus to connect to systemd.

Addressed CVE-2020-12049 in dbus.

Fixed CVE-2021-23840 and CVE-2021-23841 in openssl.

Updated glib to v2.66.7. This resolved CVE-2021-27218 and CVE-2021-27219.

Updated curl to v7.74.0. This resolved CVE-2020-8177, CVE-2020-8169, CVE-2020-8285, CVE-2020-8284 and CVE-2020-8286.

Upgraded libgcrypt to v1.9.1. This addresses CVE-2021-3345.

Updated the Linux kernel to v4.19.188.

Updated the built-in kubectl/kubelet to 1.17.17.

Upgraded tar to 1.34.

cos-81-12871-1245-24

Date Kernel Kubernetes Docker Containerd
Apr 22, 2021 COS-4.19.167 v1.17.15 v19.03.14 v1.3.9

Fixed an out-of-bounds write issue in the Linux kernel.

cos-81-12871-1245-19

Date Kernel Kubernetes Docker
Apr 05, 2021 COS-4.19.167 v1.17.15 v19.03.14

Updated sqlite to version 3.33.0. This resolves the following CVEs: CVE-2020-13630, CVE-2020-9327, CVE-2020-13871, CVE-2020-11656, CVE-2020-11655, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435.

cos-81-12871-1245-15

Date Kernel Kubernetes Docker
Mar 01, 2021 COS-4.19.167 v1.17.15 v19.03.14

Upgraded libgcrypt to v1.9.1. This addresses CVE-2021-3345.

cos-81-12871-1245-10

Date Kernel Kubernetes Docker
Feb 22, 2021 COS-4.19.167 v1.17.15 v19.03.14

Fixed an issue where firewall initialization would fail because ip6tables was not waiting to claim the xtables lock.

cos-81-12871-1245-7

Date Kernel Kubernetes Docker
Feb 08, 2021 COS-4.19.167 v1.17.15 v19.03.14

Fixed 32x truesize under-estimation for tiny skbs in the Linux kernel.

cos-81-12871-1245-6

Date Kernel Kubernetes Docker
Feb 01, 2021 COS-4.19.167 v1.17.15 v19.03.14

Upgraded app-admin/sudo to version 1.9.5_p2. This resolves CVE-2021-3156.

cos-81-12871-1245-2

Date Kernel Kubernetes Docker
Jan 25, 2021 COS-4.19.167 v1.17.15 v19.03.14

Updated the Linux kernel to upstream/v4.19.167.

Updated Docker to v19.03.14.

Updated containerd to v1.3.9.

Updated the built-in kubectl/kubelet to v1.17.15.

cos-81-12871-1230-3

Date Kernel Kubernetes Docker
Jan 11, 2021 COS-4.19.150 v1.17.6 v19.03.6

Created /var/lib/chrony for chrony to work accurately.

Fixed CVE-2020-29660 in the Linux kernel.

Fixed CVE-2020-29661 in the Linux kernel.

cos-81-12871-1226-0

Date Kernel Kubernetes Docker
Dec 02, 2020 COS-4.19.150 v1.17.6 v19.03.6

Fixed CVE-2020-15257 in containerd.

cos-81-12871-1218-0

Date Kernel Kubernetes Docker
Oct 26, 2020 COS-4.19.150 v1.17.6 v19.03.6

Updated the Linux kernel to v4.19.150.

cos-81-12871-1216-0

Date Kernel Kubernetes Docker
Oct 19, 2020 COS-4.19.112 v1.17.6 v19.03.6

Fixed CVE-2020-14356.

cos-81-12871-1210-0

Date Kernel Kubernetes Docker
Oct 12, 2020 COS-4.19.112 v1.17.6 v19.03.6

Added PPP loadable modules back, which were removed in cos-81-12871-1185-0.

Moved Docker's "registry-mirrors" configuration to the dockerd command line to address Kubernetes cluster provisioning errors.

cos-81-12871-1207-0

Date Kernel Kubernetes Docker
Oct 08, 2020 COS-4.19.112 v1.17.6 v19.03.6

Fixed an issue in containerd that can cause the Kubelet on master VMs to fail to restart containers in static pods.

Moved the configuration of Docker's "registry-mirrors" option from the dockerd command line to /etc/docker/daemon.json. This should allow users to configure a custom registry mirror, which can be useful when responding to recent Docker Hub free tier changes.

cos-81-12871-1196-0

Date Kernel Kubernetes Docker
Sep 05, 2020 COS-4.19.112 v1.17.6 v19.03.6

Fixed Linux kernel vulnerability CVE-2020-14386 by fixing an integer overflow issue in tpacket_rcv.

cos-81-12871-1190-0

Date Kernel Kubernetes Docker
Aug 20, 2020 COS-4.19.112 v1.17.6 v19.03.6

Reverted the change that enforced that kernel modules must be signed.

Removed cos-extensions utility. Users should use cos-gpu-installer to install GPU drivers on COS milestone 81.

Enabled utmp in systemd to allow creation of utmp files.

Upgraded default GPU driver version to 450.51.06.

cos-81-12871-1185-0

Date Kernel Kubernetes Docker
Aug 07, 2020 COS-4.19.112 v1.17.6 v19.03.6

Fixed CVE-2020-14308, CVE-2020-14311 and CVE-2020-15705 in grub.

Disabled CONFIG_PPP to mitigate Linux Kernel CVE-2020-14416.

Added the cos-extensions-manager package.

Updated docker-credential-gcr to v2.0.2.

cos-81-12871-1174-0

Date Kernel Kubernetes Docker
July 30, 2020 COS-4.19.112 v1.17.6 v19.03.6

Removed the metrics daemon to address an issue where it would periodically cause CPU usage spikes in some cases.

Changed the kernel command line to enforce that kernel modules must be signed.

cos-81-12871-1160-0

Date Kernel Kubernetes Docker
July 24, 2020 COS-4.19.112 v1.17.6 v19.03.6

Updated node problem detector to 0.8.1.

cos-81-12871-181-0

Date Kernel Kubernetes Docker
July 13, 2020 COS-4.19.112 v1.17.6 v19.03.6

Added rsync back into the image, which was removed in cos-dev-77-12293-0-0.

Mounted /var/lib/containerd with the exec option.

Fixed CVE-2019-9169.

Enabled support for Confidential VMs.

cos-81-12871-148-0

Date Kernel Kubernetes Docker
Jun 17, 2020 COS-4.19.112 v1.17.6 v19.03.6

Made dioread_nolock non-default.

cos-81-12871-146-0

Date Kernel Kubernetes Docker
Jun 16, 2020 COS-4.19.112 v1.17.6 v19.03.6

Updated toolbox base container image to include security patches.

cos-81-12871-130-0

Date Kernel Kubernetes Docker
Jun 16, 2020 COS-4.19.112 v1.17.6 v19.03.6

Updated the built-in kubectl/kubelet to v1.17.6 to fix a bug that could result in the inability to start a cluster.

cos-81-12871-119-0

Date Kernel Kubernetes Docker
May 28, 2020 COS-4.19.112 v1.17.3 v19.03.6

Fixed a few OS Login CVEs: CVE-2020-8903, CVE-2020-8907, CVE-2020-8933.

cos-81-12871-117-0

Date Kernel Kubernetes Docker
May 27, 2020 COS-4.19.112 v1.17.3 v19.03.6

Upgraded sys-libs/libseccomp to version 2.4.2-r1 to fix CVE-2019-9893.

cos-81-12871-103-0

Date Kernel Kubernetes Docker
May 07, 2020 COS-4.19.112 v1.17.3 v19.03.6

Added package sys-apps/acl.

cos-81-12871-96-0

Date Kernel Kubernetes Docker
Apr 29, 2020 COS-4.19.112 v1.17.3 v19.03.6

Fixed a kernel bug where eBPF programs can cause softlockups.

cos-81-12871-76-0

Date Kernel Kubernetes Docker
Apr 29, 2020 COS-4.19.112 v1.17.3 v19.03.6

Disabled `accept_ra` on all interfaces by default.

cos-81-12871-69-0

Date Kernel Kubernetes Docker
Apr 05, 2020 COS-4.19.112 v1.17.3 v19.03.6

Upgraded the Linux kernel to v4.19.112.

Backported systemd patch ba0d56f55 to address an issue that resulted in leaked mount units.

Upgraded dev-db/sqlite to 3.31.1.

Moved kernel repository to cos.googlesource.com/third_party/kernel.

Backported necessary ext4 patches and made dioread_nolock default.

cos-81-12871-59-0 (vs Milestone 77)

Date Kernel Kubernetes Docker
Mar 27, 2020 ChromiumOS-4.19.112 v1.17.3 v19.03.6

Added support for new Google Compute Engine virtual network interface (GVNIC).

Added support for AMD's Secure Encrypted Virtualization.

Added support to implement SCSI devices in user space.

Added support for snapshotting any block device without massive copying.

Enhanced security by reducing the predictability of the kernel slab allocator against heap overflows and providing lightweight support for detecting buffer overflows.

Added chrony package for time synchronization.

Disabled the multicast protocols LLMNR and mDNS by default.

Upgraded docker to v19.03.6.

Upgraded containerd to v1.3.2.

Upgraded runc to v1.0.0.

Upgraded docker-credential-gcr to v2.0.0.

Upgraded the built-in kubectl/kubelet to v1.17.3.

Upgraded node-problem-detector to v0.8.0.

Upgraded cos-toolbox to 20191218-00.

Upgraded openssl to 1.0.2u.

Upgraded oslogin to v20190315.

Upgraded compute-image-packages to v20190801.

Changed the MTU of the default docker network to 1460 to make it consistent with Google Compute Engine's default MTU value.

Fixed a regression that prevented user-level statically defined tracing probes (which require a semaphore) from working.

Fixed vulnerability in glibc (CVE-2019-19126).