|Deprecated After||Jun 24, 2021|
cos-81-12871-1245-15Date: Mar 01, 2021
- Upgraded libgcrypt to v1.9.1. This addresses CVE-2021-3345.
- Fixed an issue where firewall initialization would fail because ip6tables was not waiting to claim the xtables lock.
cos-81-12871-1245-7Date: Feb 08, 2021
- Fixed 32x truesize under-estimation for tiny skbs in the Linux kernel.
cos-81-12871-1245-6Date: Feb 01, 2021
- Upgraded app-admin/sudo to version 1.9.5_p2. This resolves CVE-2021-3156.
cos-81-12871-1245-2Date: Jan 25, 2021
- LTS Refresh Release.
- Updated Docker to v19.03.14.
- Updated the Linux kernel to upstream/v4.19.167.
- Updated containerd to v1.3.9.
- Updated the built-in kubectl/kubelet to v1.17.15.
cos-81-12871-1230-3Date: Jan 11, 2021
- Created /var/lib/chrony for chrony to work accurately.
- Fixed CVE-2020-29660 in the Linux kernel.
- Fixed CVE-2020-29661 in the Linux kernel.
cos-81-12871-1226-0Date: Dec 02, 2020
- Fixed CVE-2020-15257 in containerd.
cos-81-12871-1218-0Date: Oct 26, 2020
- Updated the Linux kernel to v4.19.150.
cos-81-12871-1216-0Date: Oct 19, 2020
- Fixed CVE-2020-14356.
cos-81-12871-1210-0Date: Oct 12, 2020
- Added PPP loadable modules back, which were removed in cos-81-12871-1185-0.
- Moved Docker's "registry-mirrors" configuration to the dockerd command line to address Kubernetes cluster provisioning errors.
cos-81-12871-1207-0Date: Oct 08, 2020
- Fixed an issue in containerd that can cause the Kubelet on master VMs to fail to restart containers in static pods.
- Moved the configuration of Docker's "registry-mirrors" option from the dockerd command line to /etc/docker/daemon.json. This should allow users to configure a custom registry mirror, which can be useful when responding to recent Docker Hub free tier changes.
cos-81-12871-1196-0Date: Sep 05, 2020
- Fixed Linux kernel vulnerability CVE-2020-14386 by fixing an integer overflow issue in tpacket_rcv.
cos-81-12871-1190-0Date: Aug 20, 2020
- Reverted the change that enforcing kernel modules must be signed.
- Removed cos-extensions utility. Users should use [cos-gpu-installer](https://github.com/GoogleCloudPlatform/cos-gpu-installer) to install GPU drivers on COS milestone 81.
- Enabled utmp in systemd to allow creation of utmp files.
- Upgraded default GPU driver version to 450.51.06.
cos-81-12871-1185-0Date: Aug 07, 2020
- Fixed CVE-2020-14308, CVE-2020-14311 and CVE-2020-15705 in grub.
- Disabled CONFIG_PPP to mitigate Linux Kernel CVE-2020-14416.
- Added the cos-extensions-manager package. Click here to learn more about cos-extensions.
- Updated docker-credential-gcr to v2.0.2.
cos-81-12871-1174-0Date: July 30, 2020
- Removed the metrics daemon to address an issue where it would periodically cause CPU usage spikes in some cases.
- Changed kernel command line to enforce kernel module must be signed.
cos-81-12871-1160-0Date: July 24, 2020
- Updated node problem detector to 0.8.1
cos-81-12871-181-0Date: July 13, 2020
- Added rsync back into the image, which was removed in cos-dev-77-12293-0-0.
- Mount /var/lib/containerd with exec option.
- Fixed CVE-2019-9169.
- Enabled support for Confidential VMs.
cos-81-12871-148-0Date: June 17, 2020
- Made dioread_nolock non-default.
cos-81-12871-146-0Date: June 16, 2020
- Updated toolbox base container image to include security patches.
cos-81-12871-130-0Date: June 16, 2020
- Updated the built-in kubectl/kubelet to v1.17.6 to fix a bug that could result in the inability to start a cluster.
cos-81-12871-119-0Date: May 28, 2020
- Fixed a few OS Login CVEs: CVE-2020-8903, CVE-2020-8907, CVE-2020-8933.
cos-81-12871-117-0Date: May 27, 2020
- Upgraded sys-libs/libseccomp to version 2.4.2-r1 to fix CVE-2019-9893.
cos-81-12871-103-0Date: May 07, 2020
- Added package sys-apps/acl.
cos-81-12871-96-0Date: Apr 29, 2020
- Fixed a kernel bug where eBPF programs can cause softlockups.
cos-81-12871-76-0Date: Apr 29, 2020
- Disabled `accept_ra` on all interfaces by default.
cos-81-12871-69-0Date: Apr 05, 2020
- Upgraded the Linux kernel to v4.19.112.
- Backported systemd patch ba0d56f55 to address an issue that resulted in leaked mount units.
- Upgraded dev-db/sqlite to 3.31.1.
- Moved kernel repository to cos.googlesource.com/third_party/kernel.
- Backported necessary ext4 patches and made dioread_nolock default.
cos-81-12871-59-0 (vs Milestone 77)
Date: Mar 27, 2020
- Added support for new Google Compute Engine virtual network interface (GVNIC).
- Added support for AMD's Secure Encrypted Virtualization.
- Added support to implement SCSI devices in user space.
- Added support for snapshotting any block device without massive copying.
- Enhanced security by reducing the predictability of the kernel slab allocator against heap overflows and providing a lightweight support for detecting buffer overflow.
- Added chrony package for time synchronization.
- Disabled multicast protocol LLMNR and MDNS by default.
- Upgraded docker to v19.03.6.
- Upgraded containerd to v1.3.2.
- Upgraded runc to v1.0.0.
- Upgraded docker-credential-gcr to v2.0.0.
- Upgraded the built-in kubectl/kubelet to v1.17.3.
- Upgraded node-problem-detector to v0.8.0.
- Upgraded cos-toolbox to 20191218-00.
- Upgraded openssl to 1.0.2u.
- Upgraded oslogin to v20190315.
- Upgraded compute-image-packages to v20190801.
- Changed the MTU of the default docker network to 1460 to make it consistent with Google Compute Engine's default MTU value.
- Fixed a regression that blocks user-level statically defined tracking probes (requires a semaphore) to work.
- Fixed vulnerability in glibc (CVE-2019-19126).