Re: Fedora Atomic Host Two Week Release Announcement: 29.20190219.0

In this release, two major bugfixes are included:

1. runc container escape to host filesystem (CVE-2019-5736) [1], fixed with runc RPM version 1.0.0-68.dev.git6635b4f.fc29
2. rpm-ostree labeling of /home symlink to /var/home [2], fixed with rpm-ostree RPM version 2019.2-1.fc29

To reiterate, Atomic Host systems are protected from the runc exploit due to two lines of defense: SELinux, and /usr being mounted as read-only (see [3]). Thus, existing Atomic Host systems should not be affected.

The kernel update to 4.20.3-200.fc29, which introduced bugs that blocked the 20190204 release [4], is now being tracked at [5] and [6]. Since we have confirmed the ppc64le image boots with nested kvm/qemu virtualization on Power9 hardware, we have decided to release.

An example of the diff between this and the previous released version
(for x86_64) is:
ostree diff commit old: cdcbea2ccac7804770be806befd30895457de080d1525ee6050a5bebdfeefeb7
ostree diff commit new: d00adf110907f93f6cdd05deda0e2878c9bd71c74e0c4c2e9a5250d2f4cc8868
Upgraded:
  checkpolicy 2.8-2.fc29 -> 2.8-3.fc29
  cockpit-bridge 185-1.fc29 -> 187-1.fc29
  cockpit-docker 185-1.fc29 -> 187-1.fc29
  cockpit-networkmanager 185-1.fc29 -> 187-1.fc29
  cockpit-system 185-1.fc29 -> 187-1.fc29
  container-selinux 2:2.77-1.git2c57a17.fc29 -> 2:2.81-2.git484806a.fc29
  crypto-policies 20181026-1.gitd42aaa6.fc29 -> 20190211-2.gite3eacfc.fc29
  curl 7.61.1-6.fc29 -> 7.61.1-9.fc29
  dbus 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-common 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-daemon 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-libs 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-tools 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  docker 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  docker-common 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  docker-rhel-push-plugin 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  elfutils-default-yama-scope 0.174-5.fc29 -> 0.176-1.fc29
  elfutils-libelf 0.174-5.fc29 -> 0.176-1.fc29
  elfutils-libs 0.174-5.fc29 -> 0.176-1.fc29
  file 5.34-7.fc29 -> 5.34-11.fc29
  file-libs 5.34-7.fc29 -> 5.34-11.fc29
  geolite2-city 20181204-1.fc29 -> 20190205-1.fc29
  geolite2-country 20181204-1.fc29 -> 20190205-1.fc29
  glib2 2.58.2-1.fc29 -> 2.58.3-1.fc29
  gnutls 3.6.5-2.fc29 -> 3.6.6-1.fc29
  gpgme 1.11.1-3.fc29 -> 1.12.0-1.fc29
  iproute 4.18.0-3.fc29 -> 4.20.0-1.fc29
  iproute-tc 4.18.0-3.fc29 -> 4.20.0-1.fc29
  kernel 4.19.15-300.fc29 -> 4.20.8-200.fc29
  kernel-core 4.19.15-300.fc29 -> 4.20.8-200.fc29
  kernel-modules 4.19.15-300.fc29 -> 4.20.8-200.fc29
  libcurl 7.61.1-6.fc29 -> 7.61.1-9.fc29
  libidn2 2.0.5-2.fc29 -> 2.1.1a-1.fc29
  libpng 2:1.6.34-6.fc29 -> 2:1.6.34-7.fc29
  libreport-filesystem 2.9.7-2.fc29 -> 2.10.0-1.fc29
  libselinux 2.8-4.fc29 -> 2.8-6.fc29
  libselinux-utils 2.8-4.fc29 -> 2.8-6.fc29
  libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  libsepol 2.8-2.fc29 -> 2.8-3.fc29
  libsolv 0.7.2-1.fc29 -> 0.7.2-2.fc29
  libxcrypt 4.4.2-3.fc29 -> 4.4.3-2.fc29
  libyaml 0.2.1-2.fc29 -> 0.2.1-5.fc29
  linux-firmware 20181219-89.git0f22c852.fc29 -> 20190213-93.git710963fe.fc29
  lua-libs 5.3.5-2.fc29 -> 5.3.5-3.fc29
  nss 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-softokn 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-softokn-freebl 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-sysinit 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-util 3.41.0-3.fc29 -> 3.42.1-1.fc29
  oci-umount 2:2.3.4-2.git87f9237.fc29 -> 2:2.5-1.gitc3cda1f.fc29
  openssh 7.9p1-3.fc29 -> 7.9p1-4.fc29
  openssh-clients 7.9p1-3.fc29 -> 7.9p1-4.fc29
  openssh-server 7.9p1-3.fc29 -> 7.9p1-4.fc29
  p11-kit 0.23.14-2.fc29 -> 0.23.15-1.fc29
  p11-kit-trust 0.23.14-2.fc29 -> 0.23.15-1.fc29
  policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  policycoreutils-python-utils 2.8-8.fc29 -> 2.8-17.fc29
  polkit 0.115-4.2.fc29 -> 0.115-4.3.fc29
  polkit-libs 0.115-4.2.fc29 -> 0.115-4.3.fc29
  python2-libselinux 2.8-4.fc29 -> 2.8-6.fc29
  python2-libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  python2-policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  python2-pyOpenSSL 18.0.0-3.fc29 -> 19.0.0-1.fc29
  python3 3.7.2-1.fc29 -> 3.7.2-4.fc29
  python3-dateutil 1:2.7.0-3.fc29 -> 1:2.7.5-1.fc29
  python3-jsonschema 2.6.0-5.fc29 -> 2.6.0-6.fc29
  python3-libs 3.7.2-1.fc29 -> 3.7.2-4.fc29
  python3-libselinux 2.8-4.fc29 -> 2.8-6.fc29
  python3-libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  python3-policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  python3-pyOpenSSL 18.0.0-3.fc29 -> 19.0.0-1.fc29
  rpm-ostree 2018.10-1.fc29 -> 2019.2-1.fc29
  rpm-ostree-libs 2018.10-1.fc29 -> 2019.2-1.fc29
  runc 2:1.0.0-66.dev.gitbbb17ef.fc29 -> 2:1.0.0-68.dev.git6635b4f.fc29
  selinux-policy 3.14.2-47.fc29 -> 3.14.2-49.fc29
  selinux-policy-targeted 3.14.2-47.fc29 -> 3.14.2-49.fc29
  systemd 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-container 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-libs 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-pam 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-udev 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  vim-minimal 2:8.1.702-1.fc29 -> 2:8.1.897-1.fc29
  zchunk-libs 1.0.2-1.fc29 -> 1.0.3-1.fc29
Removed:
  python3-IPy-0.81-23.fc29.noarch
Added:
  linux-firmware-whence-20190213-93.git710963fe.fc29.noarch

x86_64 AMIs are here:
Fedora-AtomicHost-29-20190219.0.x86_64        eu-west-2            ami-0ec9ed52bec7e243a hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        ap-northeast-1       ami-0f0e0f0a2110ffc03 hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        eu-central-1         ami-0af0e87e8ed63dd45 hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        us-west-1            ami-0f9f2dfdb7825543a hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        us-west-2            ami-0d27a0b6a82bc2737 hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        ap-southeast-2       ami-0458a3b8c2f19e4f9 hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        ca-central-1         ami-04ad07470f41a547f hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        ap-southeast-1       ami-0601b1fcd48a38040 hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        sa-east-1            ami-0656310a3bbb4c745 hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        ap-northeast-2       ami-0f7a7d20979d3223e hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        eu-west-1            ami-0401658df6c69a65d hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        ap-south-1           ami-0fbe9bac04a17820a hvm           gp2            
Fedora-AtomicHost-29-20190219.0.x86_64        us-east-1            ami-0c97b936303859c89 hvm           gp2            

Fedora-AtomicHost-29-20190219.0.x86_64        eu-west-2            ami-012e11237f48309b2 hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        ap-northeast-1       ami-088e976156e988908 hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        eu-central-1         ami-0536ed74c1dcc6c7f hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        us-west-1            ami-0cb526c05de3d75ed hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        us-west-2            ami-045874f74038dab5b hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        ap-southeast-2       ami-00a6cafaabfd65de3 hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        ca-central-1         ami-0cab048455908459a hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        ap-southeast-1       ami-0dc00809d23864794 hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        sa-east-1            ami-00ffffbf0fa05f024 hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        ap-northeast-2       ami-04c2c71840279c581 hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        eu-west-1            ami-025a9a2d67f5cf8d1 hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        ap-south-1           ami-081c0af897ecc0cba hvm           standard      
Fedora-AtomicHost-29-20190219.0.x86_64        us-east-1            ami-0a1ebea4bfc1ef073 hvm           standard      

aarch64 AMIs are here:
Fedora-AtomicHost-29-20190219.0.aarch64       us-west-2            ami-05c281b052ff87d45 hvm           gp2            
Fedora-AtomicHost-29-20190219.0.aarch64       eu-west-1            ami-0bab5d6192e989266 hvm           gp2            
Fedora-AtomicHost-29-20190219.0.aarch64       us-east-1            ami-0d57fc3645ee641d4 hvm           gp2            

The Vagrant Cloud page with the new Atomic Host:
https://app.vagrantup.com/fedora/boxes/29-atomic-host
https://app.vagrantup.com/fedora/boxes/29-atomic-host/versions/29.20190219.0

Thanks,
Fedora Atomic Working Group

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-5736
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1669982
[3] https://lists.projectatomic.io/projectatomic-archives/atomic-announce/2019-February/msg00002.html
[4] https://lists.projectatomic.io/projectatomic-archives/atomic-announce/2019-February/msg00001.html
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1676475
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1668751

On Tue, Feb 19, 2019 at 6:51 PM <noreply@xxxxxxxxxxxxxxxxx> wrote:
>
>
> A new Fedora Atomic Host update is available via an OSTree update:
>
> Version: 29.20190219.0
> Commit(x86_64): d00adf110907f93f6cdd05deda0e2878c9bd71c74e0c4c2e9a5250d2f4cc8868
> Commit(aarch64): b87cb9e59aa668ea0e79c3d2e7c017a340c03dcf79a2f7756fedddb3831ca74e
> Commit(ppc64le): 33ee5adfd3e33c8e03ad460c75fe71858528f0d91cffd9c01c07a92b2ad000c2
>
>
> We are releasing images from multiple architectures but please note
> that x86_64 architecture is the only one that undergoes automated
> testing at this time.
>
> Existing systems can be upgraded in place via e.g. `atomic host upgrade`.
>
> Corresponding image media for new installations can be downloaded from:
>
>     https://getfedora.org/en/atomic/download/
>
> Alternatively, image artifacts can be found at the following links:
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0.aarch64.qcow2
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0.aarch64.raw.xz
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/iso/Fedora-AtomicHost-ostree-aarch64-29-20190219.0.iso
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0.ppc64le.qcow2
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0.ppc64le.raw.xz
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/iso/Fedora-AtomicHost-ostree-ppc64le-29-20190219.0.iso
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0.x86_64.qcow2
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0.x86_64.raw.xz
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-Vagrant-29-20190219.0.x86_64.vagrant-libvirt.box
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-Vagrant-29-20190219.0.x86_64.vagrant-virtualbox.box
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/iso/Fedora-AtomicHost-ostree-x86_64-29-20190219.0.iso
>
> Respective signed CHECKSUM files can be found here:
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0-aarch64-CHECKSUM
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/iso/Fedora-AtomicHost-29-20190219.0-aarch64-CHECKSUM
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0-ppc64le-CHECKSUM
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/iso/Fedora-AtomicHost-29-20190219.0-ppc64le-CHECKSUM
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0-x86_64-CHECKSUM
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/iso/Fedora-AtomicHost-29-20190219.0-x86_64-CHECKSUM
>
> For direct download, the "latest" targets are always available here:
>     x86_64:
>     https://getfedora.org/atomic_qcow2_x86_64_latest
>     https://getfedora.org/atomic_raw_x86_64_latest
>     https://getfedora.org/atomic_vagrant_libvirt_x86_64_latest
>     https://getfedora.org/atomic_vagrant_virtualbox_x86_64_latest
>     https://getfedora.org/atomic_dvd_ostree_x86_64_latest
>
>     aarch64:
>     https://getfedora.org/atomic_qcow2_aarch64_latest
>     https://getfedora.org/atomic_raw_aarch64_latest
>     https://getfedora.org/atomic_dvd_ostree_aarch64_latest
>
>     ppc64le:
>     https://getfedora.org/atomic_qcow2_ppc64le_latest
>     https://getfedora.org/atomic_raw_ppc64le_latest
>     https://getfedora.org/atomic_dvd_ostree_ppc64le_latest
>
> Filename fetching URLs are available here:
>     x86_64:
>     https://getfedora.org/atomic_qcow2_x86_64_latest_filename
>     https://getfedora.org/atomic_raw_x86_64_latest_filename
>     https://getfedora.org/atomic_vagrant_libvirt_x86_64_latest_filename
>     https://getfedora.org/atomic_vagrant_virtualbox_x86_64_latest_filename
>     https://getfedora.org/atomic_dvd_ostree_x86_64_latest_filename
>
>     aarch64:
>     https://getfedora.org/atomic_qcow2_aarch64_latest_filename
>     https://getfedora.org/atomic_raw_aarch64_latest_filename
>     https://getfedora.org/atomic_dvd_ostree_aarch64_latest_filename
>
>     ppc64le:
>     https://getfedora.org/atomic_qcow2_ppc64le_latest_filename
>     https://getfedora.org/atomic_raw_ppc64le_latest_filename
>     https://getfedora.org/atomic_dvd_ostree_ppc64le_latest_filename
>
> For more information about the latest targets, please reference the Fedora
> Atomic Wiki space.
>
>     https://fedoraproject.org/wiki/Atomic_WG#Fedora_Atomic_Image_Download_Links
>
> Do note that it can take some of the mirrors up to 12 hours to "check-in" at
> their own discretion.
>
> Thank you,
> Fedora Release Engineering
>
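One way to check downloaded images against the CHECKSUM files linked in the quoted announcement, as an added example that is not part of the announcement or of Fedora's own tooling. It assumes the `SHA256 (<filename>) = <hex>` line format inside a PGP clearsigned text, and it checks digests only: verify the CHECKSUM file's signature first with `gpg --verify`, which this code does not replace. The sample filenames are taken from the announcement, but the digests and file contents are constructed.

```python
import hashlib
import re
from pathlib import Path

# One digest line per file; size comments, clearsign header and signature are skipped.
CHECKSUM_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")

def parse_checksum_text(text: str) -> dict[str, str]:
    """Return {filename: expected sha256 hex} from a CHECKSUM file body."""
    found = (CHECKSUM_LINE.match(line.strip()) for line in text.splitlines())
    return {m["name"]: m["hex"].lower() for m in found if m}

def sha256_of_file(path: Path) -> str:
    """Stream a multi-GB image through sha256 without loading it whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def compare(expected: dict[str, str], actual: dict[str, str]) -> dict[str, str]:
    """Map every listed file to OK, MISMATCH, or MISSING (absent from actual)."""
    return {n: "MISSING" if n not in actual else "OK" if actual[n] == d else "MISMATCH"
            for n, d in expected.items()}

def verify_directory(checksum_text: str, image_dir: Path) -> dict[str, str]:
    expected = parse_checksum_text(checksum_text)
    actual = {n: sha256_of_file(image_dir / n) for n in expected if (image_dir / n).is_file()}
    return compare(expected, actual)
# Constructed sample: filenames from the announcement, but the digests are of the
# tiny byte strings below; the .iso line has an all-zero placeholder (MISSING case).
CONSTRUCTED_CHECKSUM = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Fedora-AtomicHost-29-20190219.0.x86_64.qcow2: 3 bytes
SHA256 (Fedora-AtomicHost-29-20190219.0.x86_64.qcow2) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA256 (Fedora-AtomicHost-29-20190219.0.x86_64.raw.xz) = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA256 (Fedora-AtomicHost-ostree-x86_64-29-20190219.0.iso) = 0000000000000000000000000000000000000000000000000000000000000000
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""
CONSTRUCTED_FILES = {  # raw.xz bytes deliberately differ from the listed digest
    "Fedora-AtomicHost-29-20190219.0.x86_64.qcow2": b"abc",
    "Fedora-AtomicHost-29-20190219.0.x86_64.raw.xz": b"tampered",
}

def demo() -> dict[str, str]:
    actual = {n: hashlib.sha256(b).hexdigest() for n, b in CONSTRUCTED_FILES.items()}
    return compare(parse_checksum_text(CONSTRUCTED_CHECKSUM), actual)
```

Against a real download directory, call `verify_directory(Path("x86_64-CHECKSUM").read_text(), Path("."))` and treat anything other than OK as a reason not to boot the image.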
_______________________________________________
cloud mailing list -- cloud@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to cloud-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/cloud@xxxxxxxxxxxxxxxxxxxxxxx