Deprecated After: Dec 1, 2021

cos-85-13310-1260-8
Date: May 03, 2021
- Upgraded dev-vcs/git to version 2.26.3. This resolves CVE-2021-21300.
cos-85-13310-1260-5
Date: Apr 22, 2021
- Fixed an out-of-bounds write issue in the Linux kernel.
cos-85-13310-1260-1
Date: Apr 13, 2021
- Updated the Linux kernel to v5.4.109.
- Updated glib to v2.66.7. This fixes CVE-2021-27218 and CVE-2021-27219.
- Updated the built-in kubectl/kubelet to v1.18.15.
- Fixed CVE-2020-28493 in dev-python/jinja.
- Fixed CVE-2020-13630, CVE-2020-9327, CVE-2020-13871, CVE-2020-11656, CVE-2020-11655, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, and CVE-2020-13435 in dev-db/sqlite.
- Upgraded docker to v19.03.15.
- Upgraded net-misc/openssh to version 8.5_p1. This fixes CVE-2021-28041.
- Added cos-package-info.json file containing the installed packages as well as packages used during build time of COS image.
cos-85-13310-1209-29
Date: Apr 12, 2021
- Updated openssh to version 8.5_p1. This resolves CVE-2021-28041.
- Upgraded openssl to version 1.1.1k. This resolves CVE-2021-3449 and CVE-2021-3450.
cos-85-13310-1209-24
Date: Apr 05, 2021
- Updated openssl to version 1.1.1j. This resolves CVE-2021-23840 and CVE-2021-23841.
cos-85-13310-1209-17
Date: Mar 01, 2021
- Upgraded libgcrypt to v1.9.1. This addresses CVE-2021-3345.
cos-85-13310-1209-12
Date: Feb 22, 2021
- Fixed an issue where firewall initialization would fail because ip6tables was not waiting to claim the xtables lock.
cos-85-13310-1209-10
Date: Feb 08, 2021
- Fixed 32 x truesize under-estimation for tiny skbs in the Linux kernel.
cos-85-13310-1209-7
Date: Feb 01, 2021
- Upgraded app-admin/sudo to version 1.9.5_p2. This resolves CVE-2021-3156.
cos-85-13310-1209-3
Date: Jan 25, 2021
- LTS Refresh Release.
- Updated cos-gpu-installer to v2.0.3 in cos-extensions. Fixed an issue in which installing GPU drivers was failing due to loading GPU kernel modules in incorrect order.
- Fixed an authentication error when using go-dbus to connect to systemd.
- Updated Docker to v19.03.14.
- Updated the Linux kernel to upstream/v5.4.89.
- Updated the built-in kubectl/kubelet to v1.18.13.
- Added support for the bpf_get_netns_cookie eBPF helper.
- Updated containerd to v1.4.3.
cos-85-13310-1041-161
Date: Jan 11, 2021
- Fixed CVE-2020-29661 in the Linux kernel.
- Fixed CVE-2020-29660 in the Linux kernel.
- Fixed an issue where sshd is restarted every minute if no oslogin users are returned by the metadata server.
cos-85-13310-1041-38
Date: Dec 02, 2020
- Fixed CVE-2020-15257 in containerd.
cos-85-13310-1041-28
Date: Nov 11, 2020
- cloud-init starts after network-online because cloud-init does not configure network for COS on GCP.
cos-85-13310-1041-24
Date: Oct 19, 2020
- Backported INIT_STACK_ALL_ZERO to replace INIT_STACK_ALL.
- Fixed data corruption in network packet for gve-1.1.0.
cos-85-13310-1041-17
Date: Oct 12, 2020
- Added PPP loadable modules back, which were removed in cos-rc-85-13310-1019-0.
- Moved Docker's "registry-mirrors" configuration to the dockerd command line to address Kubernetes cluster provisioning errors.
cos-85-13310-1041-14
Date: Oct 08, 2020
- Moved the configuration of Docker's "registry-mirrors" option from the dockerd command line to /etc/docker/daemon.json. This should allow users to configure a custom registry mirror, which can be useful when responding to recent Docker Hub free tier changes.
cos-85-13310-1041-9 (vs Milestone 81)
Date: Sep 24, 2020
- Upgraded kernel to upstream 5.4.
- Improved eBPF debug and tracing functionality by enabling:
  - Compressed kernel headers.
  - BTF (BPF Type Format) debug info.
- Improved security by enabling more Kernel Self Protection Project (KSPP) settings:
  - Restrict dmesg access, prevent unprivileged users from viewing dmesg.
  - Incorporate lockdown LSM.
  - Enable Clang's stack initialization.
- Added XFS in preview mode.
- Added NVMe userspace utilities support sys-apps/nvm-cli.
- Added file system ACL userspace utilities sys-apps/acl.
- Added FUSE userspace utilities support sys-fs/fuse.
- Added cos-extensions userspace utilities support app-admin/extensions-manager.
- Added nfs utils packages.
- Added ext4 block bitmap prefetching feature.
- Made chrony the default NTP client.
- Made Python3 the default Python interpreter.
- Reduced user home directory permissions to 750.
- Disabled hung_on_panic by default.
- Enforced kernel module signature verification by default.
- Added the cos-extensions-manager package.
- Removed the metrics daemon.
Driver and package updates
- Upgraded KTD to its beta.
- Upgraded gVNIC driver to v1.1.0.
- Upgraded Nvidia GPU driver support to 450.51.06.
- Upgraded containerd to v1.4.1.
- Upgraded docker to v19.03.9.
- Upgraded the built-in kubectl/kubelet to v1.18.9.
- Upgraded docker-credential-gcr to v2.0.2.
- Upgraded cloud-init to v19.4.
- Upgraded node-problem-detector to v0.8.1.
- Upgraded cos-toolbox to 20200715-00.
- Upgraded oslogin to v20200507.00.
- Upgraded compute-image-packages to v20191210.
- Upgraded dump-capture-kernel to 4.19.
- Upgraded makedumpfile to v1.6.7.
- Upgraded Konlet to v0.11.0.
- Upgraded runc to v1.1.0-rc10.
- Upgraded openssl to 1.1.0l.
- Upgraded libseccomp to v2.4.2 to address CVE-2019-9893.
- Fixed a kernel bug where eBPF programs can cause softlockups.
- Removed the size limit on /etc/ to fix cluster creation failures caused by a large number of addons.
- Enabled utmp in systemd to allow creation of utmp files.
- Made dioread_nolock non-default.
- Updated tcp_keepalive_time to 300 seconds.
- Updated toolbox base container image to include security patches.
- Fixed a bug that caused OS login to use excessive amounts of memory.
- Increased kdump memory reservation to 256M for 8G-16G instances.
- Added rsync back into the image, which was removed in cos-dev-77-12293-0-0.
- Added mount exec option to /var/lib/containerd.
- Disabled CONFIG_PPP to mitigate Linux Kernel CVE-2020-14416.
- Backported upstream patch 'perf_event: support for LSM and SELinux check'.
- Updated e2fsprogs to fix partition resize issue.
- Fixed Linux kernel vulnerability CVE-2020-14386.