Release Notes: Milestone 81

Current Status

Image Family cos-81-lts
Deprecated After Jun 24, 2021
Kernel COS-4.19.188
Kubernetes v1.17.17
Docker v19.03.15
Containerd v1.3.9

Changelog

cos-81-12871-1290-12

Date: Jun 08, 2021
  • Updated runc to v1.0.0_rc95. This resolves CVE-2021-30465.

cos-81-12871-1290-11

Date: Jun 07, 2021
  • Fixed CVE-2019-25044 in the Linux kernel.

cos-81-12871-1290-8

Date: Jun 01, 2021
  • Updated docker to v19.03.15. This fixed CVE-2021-21285.

cos-81-12871-1290-2

Date: Apr 27, 2021
  • LTS Refresh Release.
  • Fixed an authentication error when using go-dbus to connect systemd.
  • Addressed CVE-2020-12049 in dbus.
  • Updated the Linux kernel to v4.19.188.
  • Fixed CVE-2021-23840 and CVE-2021-23841 in openssl.
  • Updated the built-in kubectl/kubelet to 1.17.17.
  • Updated glib to v2.66.7. This resolved CVE-2021-27218 and CVE-2021-27219.
  • Updated curl to v7.74.0. This resolved CVE-2020-8177, CVE-2020-8169,
  • CVE-2020-8285, CVE-2020-8284 and CVE-2020-8286.
  • Upgraded tar to 1.34.
  • Upgraded libgcrypt to v1.9.1. This addresses CVE-2021-3345.

cos-81-12871-1245-24

Date: Apr 22, 2021
  • Fixed an out-of-bounds write issue in the Linux kernel.

cos-81-12871-1245-19

Date: Apr 05, 2021
  • Updated sqlite to version 3.33.0. This resolves the following CVEs:
    • CVE-2020-13630
    • CVE-2020-9327
    • CVE-2020-13871
    • CVE-2020-11656
    • CVE-2020-11655
    • CVE-2020-15358
    • CVE-2020-13631
    • CVE-2020-13632
    • CVE-2020-13434
    • CVE-2020-9327
    • CVE-2020-13435

cos-81-12871-1245-15

Date: Mar 01, 2021
  • Upgraded libgcrypt to v1.9.1. This addresses CVE-2021-3345.

cos-81-12871-1245-10

Date: Feb 22, 2021
  • Fixed an issue where firewall initialization would fail because ip6tables was not waiting to claim the xtables lock.

cos-81-12871-1245-7

Date: Feb 08, 2021
  • Fixed 32x truesize under-estimation for tiny skbs in the Linux kernel.

cos-81-12871-1245-6

Date: Feb 01, 2021
  • Upgraded app-admin/sudo to version 1.9.5_p2. This resolves CVE-2021-3156.

cos-81-12871-1245-2

Date: Jan 25, 2021
  • LTS Refresh Release.
  • Updated Docker to v19.03.14.
  • Updated the Linux kernel to upstream/v4.19.167.
  • Updated containerd to v1.3.9.
  • Updated the built-in kubectl/kubelet to v1.17.15.

cos-81-12871-1230-3

Date: Jan 11, 2021
  • Created /var/lib/chrony for chrony to work accurately.
  • Fixed CVE-2020-29660 in the Linux kernel.
  • Fixed CVE-2020-29661 in the Linux kernel.

cos-81-12871-1226-0

Date: Dec 02, 2020
  • Fixed CVE-2020-15257 in containerd.

cos-81-12871-1218-0

Date: Oct 26, 2020
  • Updated the Linux kernel to v4.19.150.

cos-81-12871-1216-0

Date: Oct 19, 2020
  • Fixed CVE-2020-14356.

cos-81-12871-1210-0

Date: Oct 12, 2020
  • Added PPP loadable modules back, which were removed in cos-81-12871-1185-0.
  • Moved Docker's "registry-mirrors" configuration to the dockerd command line to address Kubernetes cluster provisioning errors.

cos-81-12871-1207-0

Date: Oct 08, 2020
  • Fixed an issue in containerd that can cause the Kubelet on master VMs to fail to restart containers in static pods.
  • Moved the configuration of Docker's "registry-mirrors" option from the dockerd command line to /etc/docker/daemon.json. This should allow users to configure a custom registry mirror, which can be useful when responding to recent Docker Hub free tier changes.

cos-81-12871-1196-0

Date: Sep 05, 2020
  • Fixed Linux kernel vulnerability CVE-2020-14386 by fixing an integer overflow issue in tpacket_rcv.

cos-81-12871-1190-0

Date: Aug 20, 2020
  • Reverted the change that enforcing kernel modules must be signed.
  • Removed cos-extensions utility. Users should use [cos-gpu-installer](https://github.com/GoogleCloudPlatform/cos-gpu-installer) to install GPU drivers on COS milestone 81.
  • Enabled utmp in systemd to allow creation of utmp files.
  • Upgraded default GPU driver version to 450.51.06.

cos-81-12871-1185-0

Date: Aug 07, 2020
  • Fixed CVE-2020-14308, CVE-2020-14311 and CVE-2020-15705 in grub.
  • Disabled CONFIG_PPP to mitigate Linux Kernel CVE-2020-14416.
  • Added the cos-extensions-manager package. Click here to learn more about cos-extensions.
  • Updated docker-credential-gcr to v2.0.2.

cos-81-12871-1174-0

Date: July 30, 2020
  • Removed the metrics daemon to address an issue where it would periodically cause CPU usage spikes in some cases.
  • Changed kernel command line to enforce kernel module must be signed.

cos-81-12871-1160-0

Date: July 24, 2020
  • Updated node problem detector to 0.8.1

cos-81-12871-181-0

Date: July 13, 2020
  • Added rsync back into the image, which was removed in cos-dev-77-12293-0-0.
  • Mount /var/lib/containerd with exec option.
  • Fixed CVE-2019-9169.
  • Enabled support for Confidential VMs.

cos-81-12871-148-0

Date: June 17, 2020
  • Made dioread_nolock non-default.

cos-81-12871-146-0

Date: June 16, 2020
  • Updated toolbox base container image to include security patches.

cos-81-12871-130-0

Date: June 16, 2020
  • Updated the built-in kubectl/kubelet to v1.17.6 to fix a bug that could result in the inability to start a cluster.

cos-81-12871-119-0

Date: May 28, 2020
  • Fixed a few OS Login CVEs: CVE-2020-8903, CVE-2020-8907, CVE-2020-8933.

cos-81-12871-117-0

Date: May 27, 2020
  • Upgraded sys-libs/libseccomp to version 2.4.2-r1 to fix CVE-2019-9893.

cos-81-12871-103-0

Date: May 07, 2020
  • Added package sys-apps/acl.

cos-81-12871-96-0

Date: Apr 29, 2020
  • Fixed a kernel bug where eBPF programs can cause softlockups.

cos-81-12871-76-0

Date: Apr 29, 2020
  • Disabled `accept_ra` on all interfaces by default.

cos-81-12871-69-0

Date: Apr 05, 2020
  • Upgraded the Linux kernel to v4.19.112.
  • Backported systemd patch ba0d56f55 to address an issue that resulted in leaked mount units.
  • Upgraded dev-db/sqlite to 3.31.1.
  • Moved kernel repository to cos.googlesource.com/third_party/kernel.
  • Backported necessary ext4 patches and made dioread_nolock default.

cos-81-12871-59-0 (vs Milestone 77)

Date: Mar 27, 2020

New features

  • Added support for new Google Compute Engine virtual network interface (GVNIC).
  • Added support for AMD's Secure Encrypted Virtualization.
  • Added support to implement SCSI devices in user space.
  • Added support for snapshotting any block device without massive copying.
  • Enhanced security by reducing the predictability of the kernel slab allocator against heap overflows and providing a lightweight support for detecting buffer overflow.
  • Added chrony package for time synchronization.
  • Disabled multicast protocol LLMNR and MDNS by default.

Package updates

  • Upgraded docker to v19.03.6.
  • Upgraded containerd to v1.3.2.
  • Upgraded runc to v1.0.0.
  • Upgraded docker-credential-gcr to v2.0.0.
  • Upgraded the built-in kubectl/kubelet to v1.17.3.
  • Upgraded node-problem-detector to v0.8.0.
  • Upgraded cos-toolbox to 20191218-00.
  • Upgraded openssl to 1.0.2u.
  • Upgraded oslogin to v20190315.
  • Upgraded compute-image-packages to v20190801.

Bug fixes

  • Changed the MTU of the default docker network to 1460 to make it consistent with Google Compute Engine's default MTU value.
  • Fixed a regression that blocks user-level statically defined tracking probes (requires a semaphore) to work.
  • Fixed vulnerability in glibc (CVE-2019-19126).