Releases: microsoft/azurelinux
3.0.20241101
Generic Kernel version-release: kernel-6.6.57.1-2
Add stable release maintainers to CODEOWNERS
Add SymCrypt-debuginfo package
Add missing flock calls for Toolkit
Add fedora SBAT entries to grub2
Add directory check before cleaning-up the RPM caches
Bump dracut to rebuild with latest systemd
Change rm to use find to avoid deleting cache directory during snapshot cleanup
Disable liblastlog2 for util-linux in raw toolchain build
Disable flaky mem tests for Valkey
Enable Arm FF-A Support
Enable Intel IFS
Enable x86_amd_platform_device builtin
Fix Kernel CVE-2024-46863 CVE-2024-26596 CVE-2024-27017 CVE-2024-27012 CVE-2024-36478 CVE-2024-46710
Fix apache-commons-io for CVE-2024-47554
Fix partition initialization bug
Fix pytest by adding python-iniconfig dependency
Fix kubevirt for CVE-2023-48795
Fix giflib for CVE-2022-28506 and CVE-2023-48161
Fix gdb 13.2 for CVE-2023-39128, CVE-2023-39129, CVE-2023-39130
Fix influxdb for CVE-2023-45288
Fix python-gevent for CVE-2024-25629
Fix unbound for CVE-2024-43167 and CVE-2024-8508
Fix dcos-cli and kubernetes for CVE-2024-28180
Fix libcxx for CVE-2024-31852
Fix curl for CVE-2024-8096
Fix fluent-bit for CVE-2024-34250, CVE-2024-25629, CVE-2024-28182
Fix Avahi forCVE-2023-1981, add %check section
Fix oath-toolkit for CVE-2024-47191
Fix expat for CVE-2024-50602
Fix vim to resolve CVE-2024-43802
Fix bluez for CVE-2023-45866
Fix pam for CVE-2024-22365
Fix ISO customization, partition creation on Ubuntu build hosts and verity docs on Image Customizer
Fix gnutls for CVE-2024-28834, CVE-2024-2883
Generate log files for raw toolchain builds
Increase build verbosity in kernel-mshv
Make pytorch vendor generation script executable
Make tpm2-tss an optional dependency of systemd-pcrphase in dracut
Re-enable installonlypkgs on tdnf for Azure Linux 3.0
Remove Amateur Radio X.25 PLP Rose for CVE-2022-2961
Remove noxsaves parameter from cmdline in kernel-uki
Support v1.22 and v1.23 golang
Switch mysql to use AZL's version of protobuf to fix CVE-2024-2410
Upgrade nvidia repo instructions with the appropriate 3.0 repofile
Upgrade OpenIPMI to 2.0.36 to fix CVE-2024-42934
Upgrade libpcap version to 1.10.5 to fix CVE-2024-8006
Upgrade vim to 9.1.0791 to fix CVE-2024-47814 and remove older unnecessary patches
Upgrade nvidia-container-toolkit to fix CVE-2024-0132 CVE-2024-0133
Upgrade python-pip to fix CVE-2024-6345
Upgrade mysql to 8.0.40 Fix multiple CVEs
Upgrade apr version 1.7.4 -> 1.7.5 to address CVE-2023-49582
Upgrade clamav 1.0.6 -> 1.0.7
Upgrade cloud-init to 24.3.1
Upgrade php to 8.3.12 to fix CVE-2024-8927, CVE-2024-8925
Upgrade mdadm from 4.2 to 4.3
Upgrade symcrypt to 103.5.1
Upgrade libarchive to 3.7.7 to fix CVE-2024-48957, CVE-2024-48958, CVE-2024-20696
kata-containers: Use build recipes from sources for kata-containers, only build for x86_64
kata-containers: only build for x86_64
Image Customizer: Make verity API a list.
Image Customizer: Move resetPartitionsUuidsType into storage.
Image Customizer: Remove "sudo" calls.
Image Customizer: Restore CODEOWNERS rules.
Image Customizer: Set VHDX block-size to 2 MiB.
Image Customizer: Support string mountPoint
Image Customizer: Service and Overlay recommendations for Verity-enabled images.
Image Customizer: MIC should clean-up cache and any system files after run
2.0.20241029
Generic Kernel version-release: kernel-5.15.167.1-2
Fix Kernel CVE-2024-38381 CVE-2024-42228 CVE-2024-38577 CVE-2024-41098 CVE-2024-42246 CVE-2024-43853 CVE-2024-43905 CVE-2024-43884 CVE-2024-44946 CVE-2024-44986 CVE-2024-44987 CVE-2024-44985 CVE-2024-44974 CVE-2024-43892 CVE-2024-43897 CVE-2024-44989 CVE-2024-44999 CVE-2024-44995 CVE-2024-44990 CVE-2024-45006 CVE-2024-41011 CVE-2024-44998 CVE-2024-44983 CVE-2024-46677 CVE-2024-45021 CVE-2024-46674 CVE-2024-45026 CVE-2024-45025 CVE-2024-46673 CVE-2024-45009 CVE-2024-45028 CVE-2024-45011 CVE-2024-45018 CVE-2024-45016 CVE-2024-46685 CVE-2024-44947 CVE-2024-38588 CVE-2024-42297 CVE-2024-43829 CVE-2024-46863
Fix Reaper for multiple CVEs
Fix apache-commons-io for CVE-2024-47554
Fix cni-plugins to resolve CVE-2023-3978
Fix curl for CVE-2024-8096
Fix dcos-cli CVE-2024-28180
Fix fluent-bit for CVE-2024-26455, CVE-2024-25629
Fix for CVE-2024-28180 by patching vendored go-jose
Fix gdb 11.2 for CVE-2023-39128, CVE-2023-39129, CVE-2023-39130
Fix gh for CVE-2022-32149
Fix giflib for CVE-2022-28506 and CVE-2023-48161
Fix heimdal for CVE-2022-3116
Fix kubernetes for CVE-2024-24786 and CVE-2024-28180
Fix libarchive for CVE-2024-48957, CVE-2024-48958, CVE-2024-20696, CVE-2024-4032
Fix libpcap for CVE-2024-8006
Fix nghttp2 for CVE-2024-28182
Fix oath-toolkit for CVE-2024-47191
Fix prometheus for CVE 2024 24786 and CVE 2022 41717
Fix qt5-qtbase for CVE-2022-25255
Fix reaper for CVE-2024-45590
Fix redis for CVE-2024-31449
Fix terraform to resolve CVE-2022-32149 & CVE-2023-4782
Fix unbound to fix CVE-2024-33655, CVE-2024-8508, and CVE-2024-43167
Fix vim to resolve CVE-2024-43802
Remove Amateur Radio X.25 PLP Rose for CVE-2022-2961
Remove version dependency of rubygem-protocol-http1
Upgrade OpenIPMI to 2.0.36 to fix CVE-2024-42934
Upgrade apr to 1.7.5 to address CVE-2023-49582
Upgrade gnutls 3.7.7 -> 3.7.11 to address CVE-2023-5981, CVE-2024-28835, CVE-2024-28834 & CVE-2024-0553
Upgrade msft-golang to 1.22.8 To fix CVE-2022-41717
Upgrade mysql to 8.0.40 to fix CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130, CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134,CVE-2024-21127, CVE-2024-21142, CVE-2024-21166, CVE-2024-21163, CVE-2024-21203, CVE-2024-21219, CVE-2024-21247, CVE-2024-21237, CVE-2024-21231, CVE-2024-21213, CVE-2024-21218, CVE-2024-21197, CVE-2024-21230, CVE-2024-21207, CVE-2024-21201, CVE-2024-21198, CVE-2024-21238, CVE-2024-21196, CVE-2024-21239, CVE-2024-21199, CVE-2024-21241, CVE-2024-21236, CVE-2024-21212, CVE-2024-21096, CVE-2024-21171, CVE-2024-21165, CVE-2023-46219
Upgrade nvidia-container-toolkit to 1.16.2 Critical vulnerability CVE-2024-0132, Medium vulnerability CVE-2024-0133
Upgrade php to 8.1.30 CVE-2024-8927, CVE-2024-8925
Upgrade redis to 6.2.16 to address CVE-2024-31228 and CVE-2024-31449
3.0.20241005
389-ds-base: init at v3.1.0
Add exclude snapshot repo option to virtual snapshot
Add host metadata to logs (Host distro & version and versions of dependencies)
add missing tags
add missing vendor and distribution tags in new specs
add missing vendor and distribution tags to core specs
Add Mosh to Extended packages
Add package libmd
Add package php-pecl-apcu v5.1.23
Add packages subunit and python-junitxml
add patch for edk2 CVE-2024-6119
Add patch to fix CVE-2024-43788 in python-tensorboard
Add patch to resolve CVE 2024 28085
add perl-Devel-Refcount
add perl-Match-Simple and perl-Sub-Infix
Add postgresql-service subpackage
Add REPO_SNAPSHOT_TIME to the toolkit for package and image build.
Add Valkey to 3.0
Adding swtpmtools to list of required packages for kubevirt
Azurelinux-rpm-macros: include release in elf module version
Azurelinux-sysinfo: add rpm as a requirement
Blobfuse2: upgrade to 2.3.2 to fix CVE-2024-35255
Build Break: Bump dracut to rebuild with latest systemd
Build mpt2sas and mpt3sas drivers, and pata_legacy as modules
Bump Go Version to 1.22.7-1
ccache: remove dangling link to host-cc
cmake: Fix CVE-2024-6197, CVE-2024-6874, and CVE-2024-8096
cmake: Update to 3.30.3 to fix CVE-2024-24806
cni: address CVE-2022-32149
Creating Busybox SBOM by not deleting the rpm db
Disable xen debugfs, and I2C Baytrail configs
edk2: Deprecate hvloader; introduce edk2-hvloader
Enable building mokutil for aarch64
Enable CET, IBT, and Paravirt spinlocks
Enable check section for glibc
Enable check section in python-platformdirs
Enable iptables by default
Enable nfsd v4 security label
Enable usb hiddev and serial ch341
Enable virtio console by default and build e1000 drivers as modules
Enabled ccache and set ptest retries to 1 for PR checks (CP: #8503, #10133)
Enabled circular deps PR check for fast-track PRs.
Extended spec PR check to validate the Distribution and Vendor tags.
Filter out debuginfo packages when running sodiff
Fix bad interactions between timeouts and build retires
Fix CVE-2024-6104 in cert-manager by patching vendor gomodules
Fix CVE-2024-6345 in setuptools
Fix for Azure Linux 3.0 Arm64 ISO OS installation issue
Fix for CVE-2024-39908 in rubygem-rexml
Fix nfs-utils to build rsc.svcgssd and provide the missing rpc-gssd
Fix ocaml test issues
Fix use static search path for toolchain GPG keys during validation
Fixed nbdkit test-time dependency on /sbin/ss.
Fixed nghttp2 test-time dependency on CUnit.
Fixed numpy ptests. Added python3-pyproject-metadata.
Fixed tdnf provides parsing to recognize epochs in package names.
Fixed spec entanglement PR check
Fixed toolchain tests blocking non-toolchain packages' tests.
Fixed toolkit's handling of RPMs with epoch values in their name
GitHub actions: Update version of actions/upload-artifact task
golang: bump Go version to 1.22.7-3
haproxy: upgrade to 2.9.11 to fix CVE-2024-45506
ig: Bump to v0.32.0.
Image Customizer: Add doc for 'sshPublicKeys'.
Image Customizer: Add doc for cloning an RPM repo.
Image Customizer: Add support for 'vfat' filesystem.
Image Customizer: Add tests for Azure Linux 3.0.
Image Customizer: Allow omitting disk maxSize and partition start.
Image Customizer: Allow verity partitions to be specified by 'id'.
Image Customizer: Bump version to v0.7
Image Customizer: Change additionalFiles to a list.
Image Customizer: Fix 'TestCustomizeImagePartitionsSizeOnly' test.
Image Customizer: Fix merge conflict.
Image Customizer: Functional tests for kernel modules API.
Image Customizer: Rename 'fileSystems' to 'filesystems'.
Image Customizer: Rename 'isRootfsOverlay' to 'isInitrdOverlay'.
Image Customizer: Rename additionDirs fields.
Image Customizer: Support filesystem-less partitions.
ImageCustomizer: Implement new MIC Overlays APIs.
Install UKI and sd-boot binaries to ESP
jx: Add patch to resolve CVE-2023-45288
keda: upgrade to 2.14.1 to fix CVE-2024-35255
kernel-uki: drop dbus in initrd
kernel-uki: remove usrmount from initrd
kernel: enable MLX5 TC Offload
krb5: Add patch for fixing CVE-2024-26458 and CVE-2024-26461
libnbd: CVE-2024-7383 (azl 3)
libsafec: upgrade to 3.8.1
libsolv: enable zstd support to match createrepo_c
libzip: fix package tests
Makefile: fix typo clean-imggen
minimal-os image definition.
mock: upgrade and port from extended to core (including dependencies)
move perl strictures and bareword-filehandles
move perl-indirect from extended to core
multus: Add patch to resolve CVE-2023-3978
nginx: Address CVE-2024-7347
nss: Disable DBM backend.
openldap: enable slapd
Optimizing OverlayFS module with new IFS separator and new supported mode.
OSModifier: Add support for updating grub
OSModifier: allow two linux cmdline in grub.cfg
OSModifier: Read root device from grub.cfg
Patch CVE-2019-10906 in nodejs
Patch CVE-2024-29018 in moby-engine to fix
Patch CVE-2024-3651 for python-pip
Patch CVE-2024-43796 in python-tensorboard
Patch CVE-2024-45590 in python-tensorboard
Patch CVE-2024-6197 in curl
patch CVE-2024-6232 and CVE-2024-8088 for python3 3.0
Patch CVE-2024-6923 in python3
Patch gdk-pixbuf2 for CVE-2022-48622
Patch ruby for CVE-2024-41946 in bundled gem rexml
patch wget to prevent debug output from printing binary request bodies
perl-sub-name update to v0.27
port 3 perl packages from extended into core
port more perl packages from extended
port perl module from extended into core: part-3
port perl module from extended into core: part-4
port perl modules from extended into core - part 6
port perl modules from extended into core: part-7
port perl modules from extended to core
port perl-Algorithm-C3
port perl-Devel-GlobalDestruction
port perl-IO-String from extended into core
port perl-Sub-Exporter-Progressive
Prepare October 2024 Update
python-argcomplete: drop check dep BR fish to enable build
python-ldap: upgrade 3.4.0 -> 3.4.4
python-packaging: fix provides
pytorch: add patch for CVE-2024-27318, CVE-2022-1941
rabbitmq-server: upgrade to 3.13.7 to fix CVE-2023-50966
Remove exit 1 for glibc check section
remove unused source signature
remove unused source signature from extra-cmake-modules
remove unused source signature: plexus-utils
remove unused source signature: rabbitmq-server
Resolve CVE-2024-41946 by upgrading ruby to 3.3.5
selinux-policy: Add cloud-utils-growpart fix.
Set ptest retries to 1 for PR package build check. (CP: #10133)
swap fix-ssl-read-and-write-error-check.patch for a slightly different version from upstream
sysstat: upgrade 12.7.4 -> 12.7.6 to address CVE-2018-19416
tensorflow: CVE-2024-7592
tensorflow: patch for CVE-2024-6232, CVE-2024-8088, CVE-2024-3651
toolkit: pkgbld: add ccache option & switch QUICK_REBUILD_PACKAGES=y
toolkit: scripts: use '#!/usr/bin/env python3' instead of hardcoding interpreter
unbound: Add patch to resolve CVE-2024-33655
update clang llvm lld with fixes and add libcxx spec
Update MIC doc to reference overlay driver and fstab for overlay feature.
Update openssl to 3.3.2 under cloud-hypervisor-cvm in order to address CVE-2024-6119
Update virt_launcher.cil installation path in virt-handler container
update wget to fix potential infinite loop
update wget with patches from fedora
Updated raw toolchain source for 3.0 PR check ADO builds.
Upgrade and build samba in 3.0
Upgrade cert-manager to 1.12.13 to get upstream patches for CVE-2024-25620 and CVE-2024-26147
Upgrade CharLS version 2.0.0 -> 2.4.2
Upgrade expat to 2.6.3 to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
Upgrade Kernel RT to version 6.6.44.1-rt39
Upgrade Kernel to version 6.6.51.1 to address CVE-2024-38381 CVE-2024-39472 CVE-2024-43884 CVE-2024-44946 CVE-2024-44985 CVE-2024-44974 CVE-2024-44987 CVE-2024-44986 CVE-2024-43891 CVE-2024-45006 CVE-2024-45000 CVE-2024-44990 CVE-2024-44999 CVE-2024-44989 CVE-2024-44998 CVE-2024-44995 CVE-2024-44997 CVE-2024-45002 CVE-2024-44983 CVE-2024-45029 CVE-2024-45028 CVE-2024-45022 CVE-2024-45020 CVE-2024-45009 CVE-2024-46677 CVE-2024-46674 CVE-2024-45025 CVE-2024-45030 CVE-2024-45016 CVE-2024-45021 CVE-2024-45018 CVE-2024-45015 CVE-2024-46673 CVE-2024-45011 CVE-2024-46672 CVE-2024-46693 CVE-2024-45010 CVE-2024-45026 CVE-2024-45012 CVE-2024-45019 CVE-2024-46692 CVE-2024-46686 CVE-2024-46687 CVE-2024-46685 CVE-2024-44947 CVE-2024-44996
Upgrade openssl to 3.3.2
Upgrade perl-sub-install to v0.929
Upgrade realmd version 0.16.3 -> 0.17.1
Upgrade tdnf to version 3.5.8 and Fix the ptests
Upgraded keepalived to 2.3.1 and patched CVE-2024-41184
Use build type RelWithDebInfo to generate debug info with sources
Use Toolchain RPMS when building Golden Container
util-linux: Upgrade from 2.39.2 to 2.40.2
vte291: patch CVE-2024-37535
2.0.20241006
Generic Kernel version-release: kernel-5.15.167.1-1
"Reverted" krb5 1.21.3 to 1.19.4. Epoch bumped for "upgrade" continuity (that is 1.21.3 upgrades to 1.19.4). This change was to resolve an issue with krb5 where powershell's ssh woiuld hang during authentication. These CVE's were also patched in the 1.19.4 version CVE-2024-37371 and CVE-2024-37370. Note that these were also fixed in the 1.21.3 version.
Add Azure marketplace ARM64 FIPS image definition
Add azure proxy agent to cloud-init
Add patch to cloud-init for PPS support of auzre-proxy-agent
Backport trace-cmd and dependencies from 3.0
Enable USB_TMC kernel module
Fix CVE-2022-32149 by backporting the fix as a patch file
Fix cloud-hypervisor-cvm to prevent crash when SEV-SNP guest queries ext. att. report
Fix nfs-utils to build rsc.svcgssd and provide the missing rpc-gssd service
Fixed Busybox SBOM creation by not deleting the rpm db
Patch application-gateway-kubernetes-ingress to fix CVE-2022-32149
Patch cdi to fix CVE-2022-41717, CVE-2022-32149, CVE-2024-28180
Patch cert-manager to fix CVE-2023-3978, CVE-2024-24786, CVE-2024-28180, CVE-2023-2253
Patch cmake for CVE-2023-27534
Patch cri-o to fix CVE-2022-32149
Patch curl for CVE-2024-6197
Patch edk2 for CVE-2022-36763, CVE-2022-36764, CVE-2022-36765, CVE-2023-45230, CVE-2023-45236, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45237
Patch gdk-pixbuf2 for CVE-2022-48622.
Patch influxdb to resolve CVE-2022-32149
Patch jasper to resolve CVE-2023-51257
Patch keda to address CVE-2022-32149
Patch krb5 to fix CVE-2024-26458 and CVE-2024-26461
Patch kubevirt to fix CVE-2022-32149 and CVE-2023-26484
Patch libcontainers-common for CVE-2024-3727
Patch libcontainers-common to fix CVE-2022-32149
Patch libnbd to resolve cve-2024-7383
Patch libsndfile to resolve CVE-2022-33065
Patch libxml2 to resolve CVE-2024-25062
Patch moby-engine for CVE-2024-29018
Patch multiple CVEs in moby-buildx package
Patch multus to resolve CVE-2023-3978
Patch nginx to fix CVE-2024-7347
Patch prometheus-adapter CVE-2022-32149 in
Patch python-wheel to fix CVE-2022-40898 for
Patch python3 to fix CVE-2024-6232 and CVE-2024-8088 for python3 2.0
Patch qemu to fix CVE-2024-24474
Patch reaper for CVE-2024-43796
Patch reaper to address CVE-2024-42459, CVE-2024-42460, CVE-2024-42461
Patch ruby for CVE-2024-41946
Patch rubygem-rexml for CVE-2024-41946
Patch telegraf to fix CVE-2024-24786 & CVE-2024-28180
Patch tpm2-tss to resolve CVE-2024-29040
Patch vim for CVE-2024-43374 CVE-2024-41957 & CVE-2024-41965
Patch vte291 for cve-2024-37535 (corrected patch)
Patch xorg-x11-server for CVE-2024-0229, CVE-2024-0409 & CVE-2024-21886
Patch xorg-x11-server for CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 & CVE-2024-31083
Removed hotplug detach grace period patch from kubevirt
Separated toolchain tests from non-toolchain package builds.
Update openssl to 3.3.2 under cloud-hypervisor-cvm in order to address CVE-2024-6119
Updated the upload-artifact GitHub Action to version 4.
Upgrade Kernel to 5.15.167.1 to address CVE-2024-43855 CVE-2024-42240 CVE-2024-39472 CVE-2024-42269 CVE-2024-42284 CVE-2024-42283 CVE-2023-52889 CVE-2024-42285 CVE-2024-42270 CVE-2024-42271 CVE-2024-43856 CVE-2024-43828 CVE-2024-42313 CVE-2024-43858 CVE-2024-43854 CVE-2024-42302 CVE-2024-42301 CVE-2024-42310 CVE-2024-43860 CVE-2024-42309 CVE-2024-43902 CVE-2024-43907 CVE-2024-44935 CVE-2024-43909 CVE-2024-42114 CVE-2024-43908 CVE-2024-44934 CVE-2024-43889
Upgrade expat to 2.6.3 to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
Upgrade msft-golang to 1.22.7 to address 3
Upgrade python-webob to 1.8.8 Fix CVE-2024-42353
Upgrade sysstat from version 12.7.1 -> 12.7.6 to address CVE-2018-19416
Upgraded keepalived to 2.3.1 and patch CVE-2024-41184.
2.0.20240829
Generic Kernel version-release: kernel-5.15.164.1-1
Add missing shadow-utils requirement to ceph
Add new package Mosh to spec-extended
Patch busybox to resolve CVE-2021-42380, CVE-2023-42363, CVE-2023-42364 & CVE-2023-42365
Patch cert-manager to address CVE-2024-25620 and CVE-2024-6104
Patch cmake for CVE-2023-28320
Patch cri-o to resolve CVE-2024-6104 (patched vendored gomodule)
Patch dhcp (bundled bind) for CVE-2024-1737 & CVE-2024-1975.
Patch influxdb to resolve CVE-2024-6104 (patched vendored gomodule)
Patch js-jquery to address CVE-2019-20149
Patch jx to resolve CVE-2023-45288
Patch keda to resolve CVE-2024-6104 (patched vendored gomodule)
Patch libcontainers-common to address CVE-2021-43565
Patch libtiff to resolve CVE-2023-6277 and CVE-2024-7006
Patch moby-cli to resolve CVE-2023-45288
Patch nginx to address CVE-2024-7347
Patch openldap to resolve CVE-2023-2953
Patch packer to resolve CVE-2024-6104 (patched vendored gomodule)
Patch prometheuus to resolve CVE-2024-6104 (patched vendored gomodule)
Patch protobuf to fix CVE-2022-1941
Patch python-twisted to address CVE-2024-41671 and CVE-2024-41810
Patch python3 to address CVE-2024-7592
Patch qt5-qtbase to resolve CVE-2024-39936.
Patch reaper to address reaper CVE-2024-42459, CVE-2024-42460, CVE-2024-42461
Patch rook to resolve CVE-2024-6104 (patched vendored gomodule)
Patch rpm-ostree to resolve CVE-2023-26964 in vendored h2 sources
Patch rust for CVE-2024-31852 and CVE-2024-32884
Patch tensorflow to resolve CVE-2023-33976
Patch unbound for CVE-2024-43168
Patch waagent.conf to add firewall rules
Upgrade azcopy version to 10.25.1 to fix CVE-2024-35255
Upgrade bind to version 9.16.50 to resolve CVE-2024-1737, CVE-2024-1975 & CVE-2024-4076
Upgrade ca-certificates Msft cert change
Upgrade frr to 8.5.5 to fix CVE-2024-31950, CVE-2024-31951, CVE-2024-44070
Upgrade kernel to version 5.15.164.1 to fix CVE-2024-36901, CVE-2024-26900, CVE-2024-39473, CVE-2024-39474, CVE-2024-39483, CVE-2024-39485, CVE-2024-41007, CVE-2024-41009, CVE-2024-42071, CVE-2024-42072, CVE-2024-42073, CVE-2024-42074, CVE-2024-42075, CVE-2024-42078, CVE-2024-42083, CVE-2024-42152, CVE-2024-42153, CVE-2024-42154, CVE-2024-42157, CVE-2024-42161, CVE-2024-42223, CVE-2024-42224, CVE-2024-42225, CVE-2024-42229, CVE-2024-42232, CVE-2024-42236, CVE-2024-42237, CVE-2024-42244, CVE-2024-42247, CVE-2022-48788, CVE-2022-48841, CVE-2023-52340
Upgrade kernel-mos to 5.15.164.1
Upgrade postgresql to 14.13 to fix CVE-2024-7348
Toolkit: Update gonum to v0.15.0
3.0.20240824
Generic Kernel version-release: kernel-6.6.47.1-1
Add Virtual Repo Snapshot support through patch to TDNF
Add automatic mode for DAILY_BUILD_ID
Add cdi tools binaries to cdi package build (cdi 1.57)
Add dracut setup script to WaLinuxAgent
Add drivers for DMI and EROFS, dm-verity verification
Add libnvidia-nscq to NVIDIA GPU driver container image
Add missing runtime dependencies for automake.
Add missing runtime dependencies to python-poetry-core.
Add new license validator tool
Add package cpufrequtils
Add package mtr
Add package sysfsutils
Add priorities to local repos
Add requires for shadow-utils in postgresql
Add systemd service to postgresql
Add xorg-x11-server-Xwayland v24.1.1
Change default binary install location for cloud-init
Change edk2 to not apply warning suppress patch
Changed selected kernel configs to modules on aarch64
Disabled PR check debug mode by default.
Don't include epoch in rpm name when resolving conflicts
Drop disable-xattr dracut patch, introduce config to optionally enable it Drop dracut multiple confdirs patch
Enable CONFIG_RT_GROUP_SCHED in kernel-rt
Enable EVM
Enable FS_VERITY and SECURITY_IPE LSM
Enable MPTCP
Enable USB_TMC as module
Enable xattr and acl support in coreutils.
Explaining package usage order.
Fix ABI compatibiity errors between abseil-cpp and dependent packages.
Fix Tensorflow Golden Container Smoke test
Fix bash package tests
Fix bfq patch to select "none" scheduler as default
Fix dracut for initrd not showing prompt when root device is locked
Fix duplicate file issues in harfbuzz, cyrus-sasl and rrdtool
Fix e2fsprogs ptest
Fix gdb package test
Fix libldb build failure by upgrading to build with Python 3.12 in 3.0
Fix libtdb build issue by upgrading to build with Python 3.12 in 3.0
Fix package tests for make
Fix path issue for compiler-rt
Fix perl(AutoLoader) capitalization for perl-NetAddr-IP BR
Fix tests for perl-HTTP-Message, python-pytest-mock, upgrade pyOpenSSL
Fix unnecessary Requires:libselinux from coreutils to fix Circular dependency
Fixed openssh ptests.
Move grub2-rpm-macros to azurelinux-rpm-macros package
Onboard NVIDIA Driver Container to PublishContainer script
Patch CVE-2024-32884 and CVE-2024-31852 in rust
Patch CVE-2024-7006 in libtiff
Patch Prometheus for Fix CVE-2024-6104
Patch busybox for CVE-2021-42380, CVE-2023-42363, CVE-2023-42364 & CVE-2023-42365
Patch cert-manager for CVE-2024-25620
Patch cf-cli for CVE-2023-39325
Patch coreutils to address CVE-2024-0684
Patch gtk2 and gtk3 for CVE-2024-6655
Patch influxdb for CVE-2024-6104.
Patch js-jquery for CVE-2019-20149
Patch keda for CVE-2024-6104 in by patching vendor gomodule
Patch libcontainers-common for CVE-2024-6104
Patch libsndfile to resolve CVE-2022-33065
Patch libtiff to resolve CVE-2023-6277
Patch moby-engine for CVE-2024-41110
Patch package for CVE-2024-6104
Patch python-twisted to fix CVE-2024-41671 and CVE-2024-41810
Patch python3 to address CVE-2024-7592
Patch rapidjson to address CVE-2024-38517 and CVE-2024-39684
Patch skopeo for CVE-2024-6104
Patch unbound for CVE-2024-43168
Patch yasm for CVE-2021-33454
Path vim for CVE-2024-41957 CVE-2024-41965, CVE-2024-43374
Remove daemon.json with backported fix
Remove kexec-tools from azure vm definition
Remove libssp files to fix avahi hang
Restore removed libguestfs tests
Restore syslog message passing behavior
Sdd patch in WALinuxAgent to update setup.py to support azurelinux
Update 3.0 kata-containers build invocations to use OS_VERSION=3.0
Update go link commands for go-1.21 in ubuntu prereq
Update msopenjdk to latest prod version and add hash verification
Updated kernel-uki to include systemd-cryptsetup in initrd
Updated kernel-uki to use new initrd
Upgade Kernel RT to version 6.6.43.1-rt38
Upgrade Kernel to version 6.6.47.1 to address CVE-2024-36288 CVE-2024-42075 CVE-2024-42071 CVE-2024-42078 CVE-2024-42083 CVE-2024-42072 CVE-2024-42226
Upgrade SymCrypt-OpenSSL to 1.5.1
Upgrade distribution-gpg-keys to version 1.104, a more recent version that includes the Azure Linux keys.
Upgrade valgrind to version 3.22.0.
Upgrade and Patch frr to 9.1.1 to fix CVE-224-31950, CVE-2024-31951, CVE-2024-44070
Upgrade azcopy to version to 10.25.1 to fix CVE-2024-35255
Upgrade bind to 9.20.0 to address CVE-CVE-2024-0760, CVE-2024-1737, CVE-2024-1975 & CVE-2024-4076
Upgrade ca-certificates to latest Msft cert change
Upgrade curl to 8.8.0 for CVE-2024-2398
Upgrade edk to 20240524; hvloader to ekd2 version
Upgrade golang to 1.22.6-1
Upgrade httpd to 2.4.62 to address CVE-2024-40725
Upgrade iperf3 version to 3.17.1 to address CVE-2024-26306
Upgrade krb5 to 1.21.3 CVE-2024-37371, CVE-2024-37370
Upgrade libtevent to build with Python 3.12
Upgrade nghttp2 to 1.61.0 to address CVE-2024-28182
Upgrade postgresql to 16.4 CVE-2024-7348
Upgrade python-idna to 3.7 CVE-2024-3651
Upgrade python-webob to 1.8.8 Fix CVE-2024-42353
Upgrade ruby version to 3.3.3 to fix CVE-2024-41946
Upgrade tpm2-tss version to 4.0.2 to resolve CVE-2024-29040
Upgrade walinuxagent to 2.11.1.4 and add azurelinux patch
selinux-policy: Change unconfined to a separate module.
selinux-policy: Clean up testing rules and add systemd fix.
selinux-policy: Updated SELinux policy module composition.
Image Customizer: Account for GPT footer when validating partitions.
Image Customizer: Add ISO tests.
Image Customizer: Add modprobe to list of chroot incompatible commands.
Image Customizer: Add check for installed kernel.
Image Customizer: Add checks for missing/duplicate partition labels.
Image Customizer: Add tests for services enable/disable.
Image Customizer: Add tests for users API.
Image Customizer: Always refresh RPM repo metadata.
Image Customizer: Be robust to lsblk and fdisk output ordering.
Image Customizer: Bugfix Verity dependency handling in Azl3.
Image Customizer: Bump release version to v0.6.
Image Customizer: Create and log image uuid in release file
Image Customizer: Do not shrink verity hash partition.
Image Customizer: Expand legacy boot tests.
Image Customizer: Fix call to parted mkpart.
Image Customizer: Fix merge in 'TestCustomizeImagePartitionsLegacy'.
Image Customizer: Fixes for grub2-install.
Image Customizer: Improve copy directory error message.
Image Customizer: Improve error message for missing filesystem entry.
Image Customizer: Increase loopback detach timeout.
Image Customizer: Partition UUID reset.
Image Customizer: Split up customizeutils.go.
Image Customizer: Validate HOME and USER env vars.
Image Customizer: Validate fields on FileConfig.
Image Customizer: Verity: Use loopback + Add tests.
Image Customizer: docs for run.sh
Image Customizer: fix typos
Image Customizer: rename /etc/mariner-customizer-release to /etc/image-customizer-release
Image Customizer: test mic container script
Toolkit: Add priorities to local repos
Toolkit: Do not give GPT partitions a default label of "primary".
Toolkit: Explicit toolchain signature validation
Toolkit: Fix readdirent toolchain errors for reusable chroots
Toolkit: Ignore bogus case-insensitive provides results from repocloner
Toolkit: Integrate new license checker package into image and package builds.
Toolkit: Make check-circular-deps.yml faster with -j, use lkg
Toolkit: Removed unused argument in preparerequest.go
Toolkit: Respect overridden home directory for .ssh path.
Toolkit: bugfix: update_manifest.sh group name may not always exist
Toolkit: add a helper script to build packages locally
Toolkit: check for parted version before setting partition type
Toolkit: Update toolkit building docs for 3.0
Toolkit: Use structs to pass data to scheduler prints
2.0.20240731
Generic Kernel version-release: kernel-5.15.162.2-1
Kernel upgrade to version 5.15.162.2 to resolved CVE-2021-3847, CVE-2024-26913, CVE-2024-26933, CVE-2024-26978, CVE-2024-36477, CVE-2024-36481, CVE-2024-38664, CVE-2024-39291, CVE-2024-36288, CVE-2024-38662, CVE-2024-38780, CVE-2024-39277, CVE-2024-39292
Filter out debuginfo packages when running sodiff
Fix CVE-2024-6104 in skopeo
Fix CVE-2024-6345 in python3
Patched CVE-2023-26253 in glusterfs. (CP: #9717)
Python3 patch CVE-2024-0397
Update shim-unsigned-x64 to 15.8 and updates signed shim
Upgrade kernel-mos version to 5.15.161.1
Add Patch in terraform for CVE-2024-6257.
Bug fix in patch CVE-2024-5535 in openssl
Patch CVE-2024-5535 in openssl
Patch for gtk2 and gtk3 CVE-2024-6655
Patch moby-buildx CVES CVE-2021-43565 CVE-2022-28948 CVE-2022-41723
Patch tpm2-tools for CVE-2024-29038 & CVE-2024-29039.
Patched CVE-2024-37890, CVE-2023-42282, and CVE-2017-18214 in reaper.
Reverted packer to version 1.9.5 and patched its CVEs.
Upgrade default golang to 1.22.5 and backport the fix for 1.18
Upgrade httpd to 2.4.61 to fix CVE-2024-38473
Upgrade httpd to 2.4.62 to address CVE-2024-40725
Upgrade python-idna to 3.7 CVE-2024-3651
Upgrade to version 5.15.162.1
ceph: Fix high CVE-2024-38517 and CVE-2024-39684
cf-cli: patch CVE-2021-43565
cloud-hypervisor-cvm: update to 38.0.72.2
cri-o: patch CVE-2021-43565
fix CVE-2024-41110 in moby-engine
gh: patch CVE-2021-43565
libcontainers-common: introduce patch to address CVE-2024-37298
libmemcached-awesome: Upgrading version to 1.1.4 to address CVE-2023-27478
openssh: fix "regresshion" CVE, CVE-2024-6387, with patch from debian.
rapidjson: fix CVE-2024-38517 and CVE-2024-39684
telegraf: Add patch for CVE-2024-37298
Upgrade krb5 to 1.21.3 CVE-2024-37371, CVE-2024-37370
curl: upgrade 8.5.0 -> 8.8.0 to address CVE-2024-2398
emacs: Upgrading emacs version to 29.4 to address CVE-2024-39331
fix intermittent openssl FIPS selftest failures in jitterentropy
golang: drop golang-1.17
hvloader: add patch for CVE-2023-0464
kata-cc: Fix make clean call in UVM build
kata-containers-cc: Adapt tarfs make install trgt
moby-engine: remove daemon.json with backported fix
msft-golang: upgrade 1.22.4 -> 1.22.5 to address CVE-2024-24790 & CVE-2024-24791
terraform: Patch CVE-2024-6104 for bundled hashicorp/go-retryablehttp.
3.0.20240727 GA Release
Key Features and Updates
Security Updates
OpenSSL 3
Changes
-
We are now offering OpenSSL 3.3. The full change log can be found here.
-
Under the hood, Azure Linux 3.0 uses SymCrypt as the default cryptographic library. SymCrypt is the core cryptographic function library used by Windows. Azure Linux 3.0 uses SymCrypt engine for OpenSSL (SCOSSL) to direct OpenSSL API calls to the SymCrypt module via the OpenSSL engine interface.
Breaking Changes
- Previously, non FIPS-approved algorithms would be blocked at the OpenSSL layer when the system is in FIPS mode. With Azure Linux 3.0 + OpenSSL 3 + SymCrypt, the behavior will behave more like Windows where, when the system is in FIPS mode, non FIPS-approved algorithms will be allowable, and FIPS compliance will be assessed through other means such as SDL.
Linux Security Modules (LSM)
Changes
-
SELinux set as the default major LSM.
-
Integrity Policy Enforcement (IPE) LSM is available for use.
-
New BPF LSM is available for use.
-
Landlock LSM is available.
Breaking Changes
-
No breaking changes are expected for SELinux users. Our SELinux configuration remains unchanged.
-
AppArmor support has been removed; please migrate to SELinux.
Kernel
Changes
-
Added AMD SEV-SNP support for Confidential Computing scenarios.
-
Secondary keyring support was added to allow trusted key addition at runtime.
-
Prebuilt Unified Kernel Images (UKI) is now supported through the kernel-uki package.
-
Multipath TCP (MPTCP) support added, allowing multiple interface paths to improve throughput and redundancy.
-
user-based event tracing added, allowing user processes to create events and trace data that can be viewed by tools such as ftrace and perf.
-
Added Extended Verification Module (EVM) support for IMA, allowing verification of security-related extended attributes like SELinux labels or IMA hashes.
-
FS-verity support added.
-
Enhanced Read-Only File System (EROFS) support added.
Breaking Changes
-
Users of kernel-hci and kernel-mos packages can now enjoy the desired kernel features without needing to replace the kernel. All previous kernel-hci and kernel-mos features and code are integrated into the default mainstream Azure Linux kernel.
-
Disabled legacy kexec. It is recommended to use the file-based kexec system call instead since it is more secure.
-
Deprecated XFS V4 support in favor of XFS V5 format
-
Disabled legacy TIOCSTI due to security hardening concerns
Cloud-init
Changes
- Azure Linux has been added as a supported distro in upstream cloud-init.
Breaking Changes
- No breaking changes are expected.
Dhcp
Changes
- dhcp package replaced by dhcpd. isc-dhcp has been deprecated upstream. Dhcpd works the same as isc-dhcp as the network configurator. All packages which have dependency on dhcp now use dhcpcd.
Breaking Changes
- Services referencing files provided by the deprecated dhcp package (i.e., dhclient, dhclient-script) should now use dhcpd instead.
Cgroups
Changes
- cgroupsv2 is now the default resource control method in all Azure Linux base images. Cgroups v2 is the new generation of the Linux cgroup API. Cgroup v2 provides a single unified hierarchy in the API, new features such as pressure stall information (PSI), and better resource allocation management and isolation across multiple resources. Azure Linux 3.0 will still have cgroupsv1 support that users can choose to enable.
Breaking Changes
- Azure Linux 3.0 defaults to using cgroup v2, which may impact some of your application runtimes if they explicitly relied on cgroupsv1 file locations. As a result, certain adaptations and compatibility work may be required. (e.g., If you have applications that access the cgroups file system directly, either on the node or from inside a container, you must update the applications to use the cgroups v2 API instead of the cgroups v1 API.)
Reference
Compiler
Changes
-
Gcc was upgraded from the 11 series to the 13 series. For a complete list of changes, refer to the upstream gcc documentation for both series 12 and series 13. The default dialect for C remains gnu17. For C++ the default dialect remains gnu++17.
-
Clang was upgraded from the 12 series to the 18 series. For a complete list of changes, refer to the upstream clang documentation for series 13, series 14, series 15, series 16, series 17 and series 18. The default dialect for C remains gnu17. For C++ the default dialect is now c++17.
Boot
Changes
- Grub2-mkconfig is now the default for grub configuration. Users can configure the boot behavior by editing values inside /etc/default/grub and invoking grub2-mkconfig. This grub2-mkconfig tooling is standard across many popular distributions, including Azure Linux 3.0.
Breaking Changes
- Services that previously would edit the grub.cfg file directly should now use grub2-mkconfig tooling to regenerate the system grub.cfg file with the desired customizations.
Systemd
Changes
-
Unified Kernel Image (UKI) Support - The "systemd-bootctl" tool now shows if the system was booted from a UKI, and new tools like "systemd-pcrlock" manage TPM2 PCR policies, improving security for systems using Secure Boot.
-
Systemd-boot bootloader now available. It is a simpler bootloader than grub2, with smaller attack surface and generally just works without additional configuration.
-
Storage Target Mode. Inspired by macOS, the new "systemd-storagetm" feature allows locked block devices to be exposed as NVMe-TCP, facilitating remote access and management of storage devices.
-
Soft Reboot capability available. It is similar to a regular reboot except it only affects user-space.
-
Disabled Link-Local Multicast Name Resolution (LLMNR) support to prevent MitM attack technique through LLMNR poisoning. LLMNR is actively being phased out in favor of mDNS.
Breaking Changes
-
We are now implementing systemd to always coredump using zstd compression, instead of LZ4.
-
Drop TPM 1.x support in favor of TPM2 support.
-
Most systemd services start off by default to improve security and need to be enabled per application.
Cloud Hypervisor
- Cloud-hypervisor package is now cloud-hypervisor-cvm. A cloud-hypervisor-cvm contains the Microsoft enhancements to support confidential VMs and the codebase is maintained by Microsoft.
Debugging Tools
-
Inspektor Gadget now available in Azure Linux 3.0
-
Kernel Crashdumps (kdump) are now compressed and collection performance improved
-
Support added to crash utility for analyzing arm64 kernel dump files with crash on x86-64 host machines.
-
Sos now has built-in Azure Linux support, for better diagnostics collection and system triage
Package Manager
| Package Manager | Azure Linux 3.0 | Mariner 2.0 |
|---|---|---|
| DNF | 4.19 | 4.8.0 |
| TDNF | 3.5.6 | 3.5.2 |
| RPM | 4.18.2 | 4.18.0 |
| Symbolic link YUM -> TDNF | No longer present | Present |
Changes
-
RPM: RPM (Red Hat Package Manager) has been upgraded including several bugfixes and enhancements. Here's the summary of the changes from RPM 4.18.1
-
TDNF&DNF: The default software package management tool on Azure Linux 3.0 remains TDNF (lightweight implementation of DNF for containers) & DNF. Note that they have been upgraded to a version closer to upstream. (DNF5 is also available, however, TDNF and DNF remain the default and the official supported Azure Linux 3.0 package managers.)
Breaking Changes
- Yum: Yum is deprecated upstream. Therefore, the symbolic link found in Mariner 2.0 to provide a convenient alias to allow users to silently redirect their yum commands to tdnf has been removed in Azure Linux 3.0.
Using yum command in Azure Linux 3.0 will fail and generate an error as follows:
# yum
-bash: yum: command not found
Meaning that users now need to explicitly call tdnf.
Explicitly calling tdnf has zero impact because users running the yum command in Mariner 2.0 were seamlessly using tdnf without noticing any difference, due to the symlink. Users will be able to perform the same package management tasks as before.
- Createrepo: Creat...
2.0.20240628
KERNEL Notes
Generic Kernel version-release: kernel-5.15.160.1-1
Toolkit Notes
Bump azidentity 1.3.1 -> 1.6.0 to address CVE-2024-35255
General Notes:
Patch nano fo+r CVE-2024-5742
Patch R to address CVE-2024-27322
Patch cri-o to resolve CVE-2024-3727 (Patched vendored github.com/containers/image)
Patch edk2 for CVE-2024-1298
Patch guava for CVE-2023-2976
Patch hvloader to resolve CVE-2024-1298
Patch libarchive to resolve CVE-2024-26256
Patch libndp for CVE-2024-5564
Patch ntfs-3g for CVE-2023-52890
Patch openssh to fix CVE-2023-28531
Patch skopeo for CVE-2024-3727
Patch telegraf for CVE-2024-35255
Patch vte291 for CVE-2024-37535
Patch wget for CVE-2024-38428
Patch yasm for CVE-2021-33454
Remove isorelax project from 2.0 Extended
Update conntrack-tools to addresses situations where conntrack flush command exits with error code 1.
Upgrade dhcp to 4.4.3-P1 to fix CVE-2022-2928, CVE-2022-2929
Upgrade golang to 1.21.11 to address CVE-2024-24790
Upgrade kernel to 5.15.160.1 to fix CVE-2024-26583, CVE-2024-26584, CVE-2024-26585, CVE-2022-48670, CVE-2024-36023, CVE-2024-36897, CVE-2024-36902, CVE-2024-36938, CVE-2024-36971
Upgrade libpng to 1.6.39 to fix CVE-2022-3857
Upgrade msft-golang to version 1.22.4 to address CVE-2024-24790
Upgrade mysql to 8.0.36 to fix 10 CVEs
Upgrade nodejs18 to 18.20.3 to fix CVE-2024-28863
Upgrade php to 8.1.29 to fix CVE-2024-4577, CVE-2024-5585, CVE-2024-5458
Upgrade python-urllib3 to 1.26.19 patch CVE-2024-37891
Upgrade vitess to v17.0.7 to fix CVE-2024-32886
3.0.20240624
This is the preview release for 3.0.20240624