Releases: microsoft/azurelinux
2.0.20220527
Add SELinux core config for SELinux Test
Add additional patches to selinux-policy for containers and kubernetes testing.
Add etcd 3.5.1 and coredns 1.8.6
Add gzip and sed back to base container image
Add msft-golang package for microsoft/go
Add quota package
Add sdbus-cpp package to Mariner
Add util-linux-devel into pkggen_core
Change filesystem to add input handling for {forward,backward}-word
Change fluent-bit to compile with -DFLB_JEMALLOC=on
Change kernel aarch64 config, marketplace image console
Change kernel configs to bring down boot time for initrd
Change module_info.ld inclusion in LDFLAGS from mariner-rpm-macros to limit its applicability
Change systemd to build in release mode
Change util-linux packaging to add a util-linux-libs RPM package with libraries
Disable unprivileged BPF via the kernel command line
Enable IFB config in kernel
Enable kickstart partition parsing in Mariner
Enable systemd hardening flags in logrotate
Fix cassandra package install and uninstall issues
Fix cri-o to use Mariner's systemd macros
Fix duplicate packaging of libsvn_swig_perl.so
Fix installation paths with new version of Ruby.
Fix iotop python3-curses dependency
Fix leading spaces in /etc/nsswitch.conf
Fix mariadb-connector-c conflicts
Fix msopenjdk to download from production folder
Fix perl-Test-Synopsis: add an explicit BR on perl(blib) to enable ptest
Fix perl-Test-Portability-Files: add an explicit BR on perl(blib) to enable ptest
Fix perl-Class-ISA: add an explicit BR on perl(deprecate) to enable ptest
Fix perl-Test-FailWarnings: add an explicit BR on perl(blib) to enable ptest
Fix perl-Pod-Markdown: add an explicit BR on perl(blib) to enable ptest
Fix perl-Package-Stash: add an explicit BR on perl(blib) to enable ptest
Fix perl-Package-Stash-XS: add an explicit BR on perl(blib) to enable ptest
Fix perl-File-Remove: add an explicit BR on perl(blib) to enable ptest
Fix perl-File-Find-Object: add an explicit BR on perl(blib) to enable ptest
Fix perl-Test-TrailingSpace: add an explicit BR on perl(blib) to enable ptest
Fix perl-Locale-Codes: add an explicit BR on perl(deprecate) to enable ptest
Fix perl-FreezeThaw: add an explicit BR on perl(dumpvar.pl) to enable ptest
Fix perl-Test-Warn: add an explicit BR on perl(blib) to enable ptest
Fix python-mccabe: drop BR on pytest & pip install latest deps to enable ptest
Fix python-sniffio: use py.test instead of py.test-3 to enable ptest
Fix python-uamqp: drop BR on pytest, six & pip install deps to enable ptest
Fix python-justbytes: use py.test instead of py.test-3 to enable ptest
Fix python-into-dbus-python: pip install latest deps to enable ptest
Fix python-jwcrypto: add BR on pip to enable ptest
Fix python-flake8: pip install latest deps & fix check section to enable ptest
Fix python-hs-dbus-signature: drop BR on pytest & hypothesis to enable ptest
Fix python-winrm: drop BR on pytest and pip install deps to enable ptest
Fix python-requests-kerberos: use py.test instead of py.test-3 to enable ptest
Fix pyxattr: drop BR on pytest & pip install latest deps to enable ptest
Fix python-dbus-client-gen: drop BR on pytest & pip install latest deps to enable ptest
Fix python-dbus-python-client: use py.test instead of py.test-3 to enable ptest
Fix python-click: drop BR on pytest & pip install latest deps to enable ptest
Fix python-curio: build with tests & pip install latest deps to enable ptest
Fix python-uritemplate: pip install latest deps & fix check section to enable ptest
Fix scheduler to Include version info when printing unresolved dependencies
Fix selinux-policy for baremetal testing.
Fix toolchain to rebuild audit with systemd-bootstrap-rpm-macros installed
Fix 99-dhcp-en.network so that it is overwritten, in support of the marketplace image
Reduce devel packages in core images from rpm-build/debugedit
Reduce package size of base RPM Package
Remove gtest package from toolchain (toolchain reduction)
Remove libpq package
Remove manual pkgconfig provides from non-toolchain specs
Remove mariner-release package from toolchain to support incremental image updates.
Remove multiboot_dma.bin from qemu x86_64 files during aarch64 builds
Remove python3 as a runtime dep for nodejs (nodejs container size reduction)
Remove vim default inclusion in marketplace mariner images
Remove wget from toolchain
Rename toolkit/tools module to enable go get
Restore RPM binaries in base container image.
Upgrade ca-certificates to latest
Upgrade crash to 8.0.1
Upgrade curl version to 7.83.0
Upgrade gdb to 11.2
Upgrade icu package to 68.2.0.9
Upgrade libepoxy to 1.5.10
Upgrade libwpe and wpebackend-fdo to 1.12.0
Upgrade perl-App-cpanminus to 1.7045
Upgrade perl-Archive-Zip to 1.68
Upgrade perl-CGI to 4.54
Upgrade perl-Canary-Stability to version 2013
Upgrade perl-Crypt-SSLeay to 0.73_06
Upgrade perl-DBD-SQLite to 1.70
Upgrade perl-DBI to 1.643
Upgrade perl-Exporter-Tiny to 1.002002
Upgrade perl-File-HomeDir to 1.006
Upgrade perl-File-Which to 1.27
Upgrade perl-IO-Socket-SSL to 2.074
Upgrade perl-JSON to 4.05
Upgrade perl-Module-Build to 0.4231
Upgrade perl-Module-ScanDeps to 1.31
Upgrade perl-Net-SSLeay to 1.92
Upgrade perl-Parse-PMFile to 0.43
Upgrade perl-Test-Warnings to 0.031
Upgrade perl-Text-Template to 1.60
Upgrade perl-YAML to 1.30
Upgrade perl-common-sense to 3.75
Upgrade perl-json-xs to 4.03
Upgrade perl-libintl-perl to 1.32
Upgrade perl-list-moreutils to 0.430
Upgrade Python to 3.9.12
Upgrade tzdata to 2022a
Patch busybox to fix CVE-2022-28391.
Patch libxslt to fix CVE-2021-30560
Patch lua to fix CVE-2022-28805
Patch nginx to fix CVE-2021-3618
Patch openssl to fix CVE-2022-1292
Patch qemu for CVE-2022-26353
Update kernel source to 5.15.41.1 to address CVE-2022-28893, CVE-2022-29581
Update libxml2 to 2.9.14 to address CVE-2022-29824
Update mariadb to v10.6.8 to address CVE-2022-27448, CVE-2022-27449, CVE-2022-27451, CVE-2022-27457, CVE-2022-27458
Update pcre2 to v10.40 to address CVE-2022-1586, CVE-2022-1587
Update rsyslog to v8.2204.1 to address CVE-2022-24903
Update vim to 8.2.4925 to address CVE-2022-1381, CVE-2022-1420, CVE-2022-1616, CVE-2022-1619, CVE-2022-1620, CVE-2022-1621, CVE-2022-1629
Update zsh to v5.9 to address CVE-2021-45444
Upgrade qemu to 6.2.0 to fix CVE-2022-26353, CVE-2021-20255, CVE-2021-20257, CVE-2021-3638, CVE-2021-3682, CVE-2021-3713, CVE-2021-3748, CVE-2021-3930, CVE-2021-3947, CVE-2021-4145, CVE-2022-1050, CVE-2022-26354
1.0 CBL-Mariner May 2022 Update-2
Upgrade ca-certificates.
Added core-efi-selinux.json image config
Removed /usr/sbin/packer symlink in cracklib due to conflict
Altered Dockerfile for toolchain build to avoid build warning
Update toolkit gomod go version from 1.13 to 1.17
Fix invalid character encoding in p7zip changelog
Upgrade ansible to 2.9.27 to fix CVE-2021-3620
Upgrade rubygem-elasticsearch to v8.2.0 to resolve CVE-2021-22144, CVE-2021-22134
Upgrade zlib to 1.2.12 to fix CVE-2018-25032
Upgrade kernel to 5.10.116.1 to fix CVE-2022-1048, CVE-2022-1353, CVE-2022-29582, CVE-2022-1195, CVE-2022-0494, CVE-2022-1015
Patch cifs-utils to fix CVE-2022-29869, CVE-2022-27239
Patch cockpit to fix CVE-2021-3660 and CVE-2021-3698
Patch freetype to fix CVE-2022-27404
Patch openssl to fix CVE-2022-1292
Patch qemu-kvm to fix CVE-2021-20257, CVE-2021-3638, CVE-2021-3748
CBL-Mariner 1.0 May 2022 Update
shadow-utils: Add explicit run-time requirement on libpwquality
Add ptp_hyperv udev rule to systemd
Generate marketplace gen2 ARM image
Kernel: Remove hard-coded config cert
Fix mariner.cfg symlink
Add missing Obsoletes to systemd
selinux-policy: Additional policy fixes for enforcing core images
Upgrade ca-certificates to the March 2022 (2022-04-01) release of Microsoft trusted root CAs
Upgrade kernel to 5.10.111.1 to address CVE-2022-0500, CVE-2022-0995, CVE-2022-1016, CVE-2022-1055, CVE-2022-27666, CVE-2022-0955, CVE-2021-44879
Upgrade vim to version 8.2.4774 to fix CVE-2022-1420, CVE-2022-1154, CVE-2022-1381
Upgrade mysql version to v8.0.29 to fix CVE-2022-21412, CVE-2022-21417, CVE-2022-21425, CVE-2022-21427, CVE-2022-21444, CVE-2022-21454, CVE-2022-21460, CVE-2022-21489
Upgrade rubygem-yajl-ruby to 1.4.2 for CVE-2022-24795
Upgrade vsftpd to 3.0.5 to fix CVE-2021-3618
Automatic update of the kubernetes dependency packages coredns and etcd.
Patch busybox to fix CVE-2022-28391
Patch curl CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776
Patch python-pip for CVE-2021-3572
Patch golang to fix CVE-2022-24675
Patch Grub2 to fix CVE-2021-3981
Patch lua to fix CVE-2022-28805
Patch nginx to fix CVE-2021-3618
Patch subversion to fix CVE-2021-28544,CVE-2022-24070
Patch util-linux for CVE-2022-0563
Patch xerces-c to fix CVE-2018-1311
2.0.20220426
Initial CBL-Mariner 2.0 Release
We’re pleased to announce the General Availability of Mariner 2.0, with generational updates to packages and feature improvements for Azure to build the most performant and secure services and Edge appliances. Thank you to all the teams and users in and around Microsoft who helped make this release successful!
With the release of Mariner 2.0, we will have roughly 7000 packages total in the distro across all repositories. Many of the 1.0 packages have been updated to current versions and are available in 2.0. The base and extended 2.0 packages are available on packages.microsoft.com.
Highlights
• Languages
o OpenJDK 11
o NodeJS 16.14.2 (Upstream LTS series v16)
o Python 3.9.10
o Ruby 3.1.2 (Latest upstream release)
o Golang 1.17.8 (Released upstream on 2022-03-03)
o Rust 1.59.0 (Released upstream on 2022-02-24)
o Glibc 2.35 (Current upstream stable release)
• Core components
o Systemd 250.3 (Upstream stable release)
o Kernel 5.15 (Most recent upstream LTS version)
o Moby-containerd 1.6.1
• RPM Database (Rpmdb)
o This release also marks the transition of the RPM Database from Berkeley DB to SQLite, which provides a more robust database and makes use of modern SQLite features.
o Because of the change in the rpmdb backend, this is considered a breaking change. Please do not attempt to update an existing instance in place from 1.0 to 2.0.
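The rpmdb backend change above is the kind of thing worth checking before touching an existing host. The following is an added example, not code from the release notes or from the Mariner toolkit: it reports which backend a root filesystem's rpmdb uses by looking at the stock rpm file names (the Berkeley DB backend keeps its data in a file named Packages, the SQLite backend in rpmdb.sqlite; both names are assumed from upstream rpm, not from this page), and refuses an in-place update when the two sides differ. The root-directory argument is there so the same check can run against a mounted image as well as the live system.

```shell
#!/bin/sh
# Added example (not part of the Mariner release notes or toolkit).
# rpmdb_backend ROOT -> prints one of: sqlite | bdb | mixed | none
# Assumption: rpm's BDB backend stores its data in ROOT/var/lib/rpm/Packages
# and the SQLite backend in ROOT/var/lib/rpm/rpmdb.sqlite (upstream rpm names).
rpmdb_backend() {
    dbdir="${1:-}/var/lib/rpm"
    sqlite=no; bdb=no
    if [ -f "$dbdir/rpmdb.sqlite" ]; then sqlite=yes; fi
    if [ -f "$dbdir/Packages" ]; then bdb=yes; fi
    case "$sqlite,$bdb" in
        yes,no)  echo sqlite ;;
        no,yes)  echo bdb ;;
        yes,yes) echo mixed ;;   # leftovers from a partial conversion: investigate before trusting either
        *)       echo none ;;
    esac
}

# rpmdb_upgrade_ok CURRENT_ROOT TARGET_ROOT
# Gate for an in-place update: returns 0 only when both trees use the same,
# unambiguous backend; returns 1 when the backend would change (the 1.0 -> 2.0
# case the notes warn about) or when either side cannot be classified.
rpmdb_upgrade_ok() {
    cur=$(rpmdb_backend "$1"); new=$(rpmdb_backend "$2")
    if [ "$cur" = "$new" ] && [ "$cur" != none ] && [ "$cur" != mixed ]; then
        echo "rpmdb backend '$cur' on both sides: in-place update possible"
        return 0
    fi
    echo "rpmdb backend '$cur' -> '$new': do not update in place, reinstall"
    return 1
}

# Live use, e.g. against the running host and a 2.0 root mounted at /mnt/new:
#   sh rpmdbcheck.sh /  /mnt/new
if [ $# -eq 2 ]; then
    rpmdb_upgrade_ok "$1" "$2"
fi
```

The file check tells you what is on disk; `rpm -E %_db_backend` (a macro present in rpm 4.16 and later) tells you which backend the installed rpm binary will open, and the two should agree on a healthy system.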
Container Images
The Mariner 2.0 base container is reduced to ~67MB. Size reduction of the base image was achieved by removing additional packages and dependencies (e.g., rpm utility). Tdnf is present by default.
Base container
• mcr.microsoft.com/cbl-mariner/base/core:2.0
Distroless containers
• mcr.microsoft.com/cbl-mariner/distroless/base:2.0
• mcr.microsoft.com/cbl-mariner/distroless/debug:2.0
• mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0
Marketplace VMs
• Gen1: MicrosoftCBLMariner:cbl-mariner:cbl-mariner-2:latest
• Gen2: MicrosoftCBLMariner:cbl-mariner:cbl-mariner-2-gen2:latest
ISO Download
• https://aka.ms/mariner-2.0-x86_64-iso
NODEJS
• mcr.microsoft.com/cbl-mariner/base/nodejs:16
Kernel Updates
• Mariner 2.0 utilizes the latest Microsoft LSG 5.15 kernel. 5.15 is the latest upstream Long-Term Support (LTS) kernel version, as decided by the upstream Linux kernel release maintainer.
• Mariner 2.0 brings full-featured eBPF support to Mariner, allowing for greater observability, debug for Kubernetes environments, as well as other tooling.
Security
• Major package version upgrades, removing any packages that have reached end of life and are no longer being maintained by upstream contributors
• Mariner 2.0 features improved SELinux support, allowing for better MAC security in managed environments.
• Hardening: Built additional packages with RELRO and Stack Canary enabled.
• Mariner 2.0 kernel: improved security around eBPF: the BPF interpreter is compiled out and unprivileged BPF is disabled
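To confirm on a given host or image that the eBPF hardening described above (and the "Disable unprivileged BPF via the kernel command line" entry in the 2.0.20220527 release) is actually in effect, here is an added example that is not code from the release notes or the Mariner toolkit. It takes the kernel command line, the runtime sysctl value and the kernel build config as strings, so it can run against a live host or against files pulled from an image under analysis. Two assumptions, since the notes do not quote the exact settings: the command-line pin uses the kernel's generic `sysctl.kernel.unprivileged_bpf_disabled=1` form, and "disable the bpf interpreter" corresponds to building with `CONFIG_BPF_JIT_ALWAYS_ON=y`.

```shell
#!/bin/sh
# Added example (not part of the Mariner release notes or toolkit).
# bpf_hardening_status CMDLINE SYSCTL_VALUE KCONFIG_TEXT
#   CMDLINE      contents of /proc/cmdline
#   SYSCTL_VALUE value of kernel.unprivileged_bpf_disabled
#   KCONFIG_TEXT kernel config (zcat /proc/config.gz or /boot/config-$(uname -r))
# Prints one line per check; exit status 0 only when all three hold.
bpf_hardening_status() {
    cmdline=$1; sysctl_val=$2; kconfig=$3
    rc=0

    # Boot-time pin. Assumption: set via the generic sysctl.kernel.<name>= token.
    case " $cmdline " in
        *" sysctl.kernel.unprivileged_bpf_disabled=1 "*)
            echo "cmdline : unprivileged_bpf_disabled pinned to 1 at boot" ;;
        *)  echo "cmdline : unprivileged_bpf_disabled not set at boot"; rc=1 ;;
    esac

    # Runtime value. 1 = disabled and cannot be re-enabled until reboot;
    # 2 = disabled but root may write 0 to re-enable; 0 = unprivileged BPF allowed.
    # Only 1 counts as hardened here, because 2 is undone by a single sysctl write.
    case $sysctl_val in
        1) echo "sysctl  : unprivileged BPF disabled (locked)" ;;
        2) echo "sysctl  : unprivileged BPF disabled but root can re-enable"; rc=1 ;;
        *) echo "sysctl  : unprivileged BPF ALLOWED"; rc=1 ;;
    esac

    # Build config. Assumption: "interpreter disabled" == CONFIG_BPF_JIT_ALWAYS_ON=y,
    # which forces every program through the JIT and leaves the interpreter out
    # of the kernel image.
    case "$kconfig" in
        *"CONFIG_BPF_JIT_ALWAYS_ON=y"*)
            echo "kconfig : BPF interpreter compiled out (JIT always on)" ;;
        *)  echo "kconfig : BPF interpreter present"; rc=1 ;;
    esac
    return $rc
}

# Live check of the current host:  sh bpfcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    cfg=$(zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)" 2>/dev/null)
    bpf_hardening_status "$(cat /proc/cmdline)" \
        "$(sysctl -n kernel.unprivileged_bpf_disabled)" "$cfg"
fi
```

On a system that passes all three checks, an unprivileged `bpf(BPF_PROG_LOAD, ...)` call fails with EPERM regardless of what the program does, and a root user cannot flip the sysctl back without a reboot; the config check is the part that survives a reboot only if the kernel package itself carries it.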
Improving developer experience
• Improved developer experience when rebuilding packages by skipping chroot recreation. Useful to speed up build time when iterating on a package. Can be invoked with the new "REFRESH_WORKER_CHROOT=n" argument
Removed Packages
• Python 2
• NodeJS 14
• .NET 5.0 and 3.1.
New Repository Structure
The Mariner 2.0 release contains several repositories broken out by purpose.
Repository Name | Purpose and Intent |
---|---|
Base | Open Source packages released with Mariner 2.0 and their updates. |
Extended | Mariner 2.0 packages not considered part of core. Generally, view this as experimental or for development purposes. |
Microsoft | Open Source packages built by other Microsoft teams. |
NVIDIA | Proprietary packages required to support Nvidia hardware and CUDA. |
Extras | Mariner 2.0 packages built by Microsoft (either Mariner or other Microsoft teams) considered closed source or have proprietary licensing. |
What does this mean for Mariner 1.0?
Mariner 1.0 will continue to be maintained for ~6 months following Mariner 2.0’s GA.
1.0 CBL-Mariner March 2022 Update 3
Backport systemd dhcp fix and enable netplan
Backport SELinux policy updates and SELinux size reduction for policy base
Add libselinux build requirements to coreutils/findutils to enable SELinux support (ls -Z and find -context)
Port cloud-init ovf_is_accessible DataSourceAzure.py fix
Disable kernel fw loader fallback
Automatic tzdata update.
Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 in /toolkit/tools
Patch kernel to address CVE-2022-1016
Upgrade powershell to 7.2.2 to resolve CVE-2020-8927
Upgrade vim to 8.2.4563 to fix CVE-2022-0943
Upgrade python to 3.7.11 to fix CVE-2021-3737
Upgrade golang to 1.16.15 to address CVE-2022-24921
Upgrade httpd to 2.4.53 to fix CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943
Patch libvirt for CVE-2021-3631 & CVE-2021-3667
Patch libtiff to fix CVE-2022-0561, CVE-2022-0562 & CVE-2022-0891
Upgrade bind to 9.16.27 to address CVE-2021-25220 & CVE-2022-0396
Patch qemu-kvm to fix CVE-2021-3607, CVE-2021-3608, CVE-2021-3930, CVE-2021-3947, CVE-2021-4145
1.0 CBL-Mariner March 2022 Update 2
Restart containerd service 10 sec after crash
Upgrade Ruby to 2.6.9 to fix CVE-2021-41817, CVE-2021-41819
Patch postgresql: patch CVE-2021-23222
Patch openssl to fix CVE-2022-0778.
Upgrade rust to 1.59.0 to fix CVE-2022-21658.
Upgrade cyrus-sasl to 2.1.28 to fix CVE-2022-24407
Upgrade freetype to 2.11.1 to fix CVE-2020-15999.
Upgrade libxml2 to version 2.9.13 to fix CVE-2022-23308.
Upgrade nodejs to version 14.18.3 to fix CVE-2021-44531.
Upgrade openjdk8 to fix CVE-2022-21282 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21360 CVE-2022-21365
Modify toolkit to use local /run folder in chroot instead of mounted tmpfs
Enable SELinux by default on all images backport.
1.0 CBL-Mariner March 2022 Update
Upgrade kernel to 5.10.102.1 to address CVE-2021-3752, CVE-2021-3753, CVE-2021-4032, CVE-2021-20322, CVE-2021-45402, CVE-2022-0264, CVE-2022-0847 (Dirty Pipe CVE Fix), CVE-2022-24448, CVE-2022-24958, CVE-2022-24959, CVE-2022-25258, CVE-2022-25375
Upgrade Open JDK8 to fix CVE-2022-21282 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21360 CVE-2022-21365
Upgrade vim to 8.2.4495 to fix CVE-2022-0729
Patch moby-containerd to fix CVE-2022-23648
Upgrade clamav to fix CVE-2022-20698
Upgrade MariaDB to 10.3.34 to fix CVE-2021-46661, CVE-2021-46662, CVE-2021-46663, CVE-2021-46664, CVE-2021-46665, CVE-2021-46668
Enable Perl Compatible Regular Expression (pcre) JIT feature
Distroless containers now include rpm manifest to support Distroless Container CVE scanning by Qualys.
Fix python3 self test for compatibility with newer expat
1.0 CBL-Mariner February 2022 Update 2
Fix issue with quotes in os-release
Fix golang to inherit proxy settings
Add cloud-init patches to support preprovisioned VMs
Upgrade expat to fix CVE-2022-25313, CVE-2022-25314, CVE-2022-25315, CVE-2022-25235, CVE-2022-25236
Patch python-twisted for CVE-2022-21712
Upgrade vim to fix CVE-2022-0554
Upgrade zsh to fix CVE-2021-45444
Upgrade tcpdump to 4.99.1 to fix CVE-2018-16301
1.0 CBL-Mariner February 2022 Update
Add gcovr package
Add compressed firmware support
Fix _topdir variable in gen-ld-script.sh
Bump github.com/deckarep/golang-set in /toolkit/tools
Upgrade moby-containerd to 1.5.9
Patch StrongSwan for CVE-2021-45079
Patch glibc for CVE-2022-23218, CVE-2022-23219
Patch kernel for CVE-2022-0435
Upgrade Golang to 1.16.14 to fix CVE-2022-23806, CVE-2022-23773, CVE-2022-23772
Upgrade expat to v.2.4.4 to fix CVE-2022-23852
Upgrade vim to 8.2.4281 to fix CVE-2022-0443, CVE-2022-0417, CVE-2022-0413, CVE-2022-0408, CVE-2022-0407, CVE-2022-0393, CVE-2022-0392, CVE-2022-0368, CVE-2022-0361, CVE-2022-0359
Upgrade MariaDB to v10.3.32 for CVE-2021-46658, CVE-2021-46657, CVE-2021-46667
Upgrade kernel for CVE-2021-4083
1.0 CBL-Mariner January 2022 Update 2
Patch polkit for CVE-2021-4034
kernel: update to 5.10.93.1
Removed linker script settings from pkgconfig.