In this release, two major bugfixes are included:

1. runc container escape to host filesystem (CVE-2019-5736) [1], fixed with runc RPM version 1.0.0-68.dev.git6635b4f.fc29
2. rpm-ostree labeling of /home symlink to /var/home [2], fixed with rpm-ostree RPM version 2019.2-1.fc29
To reiterate, Atomic Host systems are protected from the runc exploit due to two lines of defense: SELinux, and /usr being mounted as read-only (see [3]). Thus, existing Atomic Host systems should not be affected.

The kernel update to 4.20.3-200.fc29, which introduced bugs that blocked the 20190204 release [4], is now being tracked at [5] and [6]. Since we have confirmed the ppc64le image boots with nested kvm/qemu virtualization on Power9 hardware, we have decided to release.

An example of the diff between this and the previous released version (for x86_64) is:

ostree diff commit old: cdcbea2ccac7804770be806befd30895457de080d1525ee6050a5bebdfeefeb7
ostree diff commit new: d00adf110907f93f6cdd05deda0e2878c9bd71c74e0c4c2e9a5250d2f4cc8868
Upgraded:
  checkpolicy 2.8-2.fc29 -> 2.8-3.fc29
  cockpit-bridge 185-1.fc29 -> 187-1.fc29
  cockpit-docker 185-1.fc29 -> 187-1.fc29
  cockpit-networkmanager 185-1.fc29 -> 187-1.fc29
  cockpit-system 185-1.fc29 -> 187-1.fc29
  container-selinux 2:2.77-1.git2c57a17.fc29 -> 2:2.81-2.git484806a.fc29
  crypto-policies 20181026-1.gitd42aaa6.fc29 -> 20190211-2.gite3eacfc.fc29
  curl 7.61.1-6.fc29 -> 7.61.1-9.fc29
  dbus 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-common 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-daemon 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-libs 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-tools 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  docker 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  docker-common 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  docker-rhel-push-plugin 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  elfutils-default-yama-scope 0.174-5.fc29 -> 0.176-1.fc29
  elfutils-libelf 0.174-5.fc29 -> 0.176-1.fc29
  elfutils-libs 0.174-5.fc29 -> 0.176-1.fc29
  file 5.34-7.fc29 -> 5.34-11.fc29
  file-libs 5.34-7.fc29 -> 5.34-11.fc29
  geolite2-city 20181204-1.fc29 -> 20190205-1.fc29
  geolite2-country 20181204-1.fc29 -> 20190205-1.fc29
  glib2 2.58.2-1.fc29 -> 2.58.3-1.fc29
  gnutls 3.6.5-2.fc29 -> 3.6.6-1.fc29
  gpgme 1.11.1-3.fc29 -> 1.12.0-1.fc29
  iproute 4.18.0-3.fc29 -> 4.20.0-1.fc29
  iproute-tc 4.18.0-3.fc29 -> 4.20.0-1.fc29
  kernel 4.19.15-300.fc29 -> 4.20.8-200.fc29
  kernel-core 4.19.15-300.fc29 -> 4.20.8-200.fc29
  kernel-modules 4.19.15-300.fc29 -> 4.20.8-200.fc29
  libcurl 7.61.1-6.fc29 -> 7.61.1-9.fc29
  libidn2 2.0.5-2.fc29 -> 2.1.1a-1.fc29
  libpng 2:1.6.34-6.fc29 -> 2:1.6.34-7.fc29
  libreport-filesystem 2.9.7-2.fc29 -> 2.10.0-1.fc29
  libselinux 2.8-4.fc29 -> 2.8-6.fc29
  libselinux-utils 2.8-4.fc29 -> 2.8-6.fc29
  libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  libsepol 2.8-2.fc29 -> 2.8-3.fc29
  libsolv 0.7.2-1.fc29 -> 0.7.2-2.fc29
  libxcrypt 4.4.2-3.fc29 -> 4.4.3-2.fc29
  libyaml 0.2.1-2.fc29 -> 0.2.1-5.fc29
  linux-firmware 20181219-89.git0f22c852.fc29 -> 20190213-93.git710963fe.fc29
  lua-libs 5.3.5-2.fc29 -> 5.3.5-3.fc29
  nss 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-softokn 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-softokn-freebl 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-sysinit 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-util 3.41.0-3.fc29 -> 3.42.1-1.fc29
  oci-umount 2:2.3.4-2.git87f9237.fc29 -> 2:2.5-1.gitc3cda1f.fc29
  openssh 7.9p1-3.fc29 -> 7.9p1-4.fc29
  openssh-clients 7.9p1-3.fc29 -> 7.9p1-4.fc29
  openssh-server 7.9p1-3.fc29 -> 7.9p1-4.fc29
  p11-kit 0.23.14-2.fc29 -> 0.23.15-1.fc29
  p11-kit-trust 0.23.14-2.fc29 -> 0.23.15-1.fc29
  policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  policycoreutils-python-utils 2.8-8.fc29 -> 2.8-17.fc29
  polkit 0.115-4.2.fc29 -> 0.115-4.3.fc29
  polkit-libs 0.115-4.2.fc29 -> 0.115-4.3.fc29
  python2-libselinux 2.8-4.fc29 -> 2.8-6.fc29
  python2-libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  python2-policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  python2-pyOpenSSL 18.0.0-3.fc29 -> 19.0.0-1.fc29
  python3 3.7.2-1.fc29 -> 3.7.2-4.fc29
  python3-dateutil 1:2.7.0-3.fc29 -> 1:2.7.5-1.fc29
  python3-jsonschema 2.6.0-5.fc29 -> 2.6.0-6.fc29
  python3-libs 3.7.2-1.fc29 -> 3.7.2-4.fc29
  python3-libselinux 2.8-4.fc29 -> 2.8-6.fc29
  python3-libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  python3-policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  python3-pyOpenSSL 18.0.0-3.fc29 -> 19.0.0-1.fc29
  rpm-ostree 2018.10-1.fc29 -> 2019.2-1.fc29
  rpm-ostree-libs 2018.10-1.fc29 -> 2019.2-1.fc29
  runc 2:1.0.0-66.dev.gitbbb17ef.fc29 -> 2:1.0.0-68.dev.git6635b4f.fc29
  selinux-policy 3.14.2-47.fc29 -> 3.14.2-49.fc29
  selinux-policy-targeted 3.14.2-47.fc29 -> 3.14.2-49.fc29
  systemd 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-container 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-libs 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-pam 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-udev 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  vim-minimal 2:8.1.702-1.fc29 -> 2:8.1.897-1.fc29
  zchunk-libs 1.0.2-1.fc29 -> 1.0.3-1.fc29
Removed:
  python3-IPy-0.81-23.fc29.noarch
Added:
  linux-firmware-whence-20190213-93.git710963fe.fc29.noarch

x86_64 AMIs are here:
Fedora-AtomicHost-29-20190219.0.x86_64 eu-west-2 ami-0ec9ed52bec7e243a hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 ap-northeast-1 ami-0f0e0f0a2110ffc03 hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 eu-central-1 ami-0af0e87e8ed63dd45 hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 us-west-1 ami-0f9f2dfdb7825543a hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 us-west-2 ami-0d27a0b6a82bc2737 hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 ap-southeast-2 ami-0458a3b8c2f19e4f9 hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 ca-central-1 ami-04ad07470f41a547f hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 ap-southeast-1 ami-0601b1fcd48a38040 hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 sa-east-1 ami-0656310a3bbb4c745 hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 ap-northeast-2 ami-0f7a7d20979d3223e hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 eu-west-1 ami-0401658df6c69a65d hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 ap-south-1 ami-0fbe9bac04a17820a hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 us-east-1 ami-0c97b936303859c89 hvm gp2
Fedora-AtomicHost-29-20190219.0.x86_64 eu-west-2 ami-012e11237f48309b2 hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 ap-northeast-1 ami-088e976156e988908 hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 eu-central-1 ami-0536ed74c1dcc6c7f hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 us-west-1 ami-0cb526c05de3d75ed hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 us-west-2 ami-045874f74038dab5b hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 ap-southeast-2 ami-00a6cafaabfd65de3 hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 ca-central-1 ami-0cab048455908459a hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 ap-southeast-1 ami-0dc00809d23864794 hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 sa-east-1 ami-00ffffbf0fa05f024 hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 ap-northeast-2 ami-04c2c71840279c581 hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 eu-west-1 ami-025a9a2d67f5cf8d1 hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 ap-south-1 ami-081c0af897ecc0cba hvm standard
Fedora-AtomicHost-29-20190219.0.x86_64 us-east-1 ami-0a1ebea4bfc1ef073 hvm standard

aarch64 AMIs are here:
Fedora-AtomicHost-29-20190219.0.aarch64 us-west-2 ami-05c281b052ff87d45 hvm gp2
Fedora-AtomicHost-29-20190219.0.aarch64 eu-west-1 ami-0bab5d6192e989266 hvm gp2
Fedora-AtomicHost-29-20190219.0.aarch64 us-east-1 ami-0d57fc3645ee641d4 hvm gp2

The Vagrant Cloud page with the new Atomic Host:
https://app.vagrantup.com/fedora/boxes/29-atomic-host
https://app.vagrantup.com/fedora/boxes/29-atomic-host/versions/29.20190219.0

Thanks,
Fedora Atomic Working Group

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-5736
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1669982
[3] https://lists.projectatomic.io/projectatomic-archives/atomic-announce/2019-February/msg00002.html
[4] https://lists.projectatomic.io/projectatomic-archives/atomic-announce/2019-February/msg00001.html
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1676475
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1668751

On Tue, Feb 19, 2019 at 6:51 PM <nore...@fedoraproject.org> wrote:
>
>
> A new Fedora Atomic Host
> update is available via an OSTree update:
>
> Version: 29.20190219.0
> Commit(x86_64): d00adf110907f93f6cdd05deda0e2878c9bd71c74e0c4c2e9a5250d2f4cc8868
> Commit(aarch64): b87cb9e59aa668ea0e79c3d2e7c017a340c03dcf79a2f7756fedddb3831ca74e
> Commit(ppc64le): 33ee5adfd3e33c8e03ad460c75fe71858528f0d91cffd9c01c07a92b2ad000c2
>
> We are releasing images from multiple architectures but please note
> that the x86_64 architecture is the only one that undergoes automated
> testing at this time.
>
> Existing systems can be upgraded in place via e.g. `atomic host upgrade`.
>
> Corresponding image media for new installations can be downloaded from:
>
> https://getfedora.org/en/atomic/download/
>
> Alternatively, image artifacts can be found at the following links:
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0.aarch64.qcow2
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0.aarch64.raw.xz
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/iso/Fedora-AtomicHost-ostree-aarch64-29-20190219.0.iso
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0.ppc64le.qcow2
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0.ppc64le.raw.xz
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/iso/Fedora-AtomicHost-ostree-ppc64le-29-20190219.0.iso
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0.x86_64.qcow2
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0.x86_64.raw.xz
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-Vagrant-29-20190219.0.x86_64.vagrant-libvirt.box
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-Vagrant-29-20190219.0.x86_64.vagrant-virtualbox.box
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/iso/Fedora-AtomicHost-ostree-x86_64-29-20190219.0.iso
>
> Respective signed CHECKSUM files can be found here:
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0-aarch64-CHECKSUM
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/iso/Fedora-AtomicHost-29-20190219.0-aarch64-CHECKSUM
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0-ppc64le-CHECKSUM
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/iso/Fedora-AtomicHost-29-20190219.0-ppc64le-CHECKSUM
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0-x86_64-CHECKSUM
> https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/iso/Fedora-AtomicHost-29-20190219.0-x86_64-CHECKSUM
>
> For direct download, the "latest" targets are always available here:
> x86_64:
> https://getfedora.org/atomic_qcow2_x86_64_latest
> https://getfedora.org/atomic_raw_x86_64_latest
> https://getfedora.org/atomic_vagrant_libvirt_x86_64_latest
> https://getfedora.org/atomic_vagrant_virtualbox_x86_64_latest
> https://getfedora.org/atomic_dvd_ostree_x86_64_latest
>
> aarch64:
> https://getfedora.org/atomic_qcow2_aarch64_latest
> https://getfedora.org/atomic_raw_aarch64_latest
> https://getfedora.org/atomic_dvd_ostree_aarch64_latest
>
> ppc64le:
> https://getfedora.org/atomic_qcow2_ppc64le_latest
> https://getfedora.org/atomic_raw_ppc64le_latest
> https://getfedora.org/atomic_dvd_ostree_ppc64le_latest
>
> Filename fetching URLs are available here:
> x86_64:
> https://getfedora.org/atomic_qcow2_x86_64_latest_filename
> https://getfedora.org/atomic_raw_x86_64_latest_filename
> https://getfedora.org/atomic_vagrant_libvirt_x86_64_latest_filename
> https://getfedora.org/atomic_vagrant_virtualbox_x86_64_latest_filename
> https://getfedora.org/atomic_dvd_ostree_x86_64_latest_filename
>
> aarch64:
> https://getfedora.org/atomic_qcow2_aarch64_latest_filename
> https://getfedora.org/atomic_raw_aarch64_latest_filename
> https://getfedora.org/atomic_dvd_ostree_aarch64_latest_filename
>
> ppc64le:
> https://getfedora.org/atomic_qcow2_ppc64le_latest_filename
> https://getfedora.org/atomic_raw_ppc64le_latest_filename
> https://getfedora.org/atomic_dvd_ostree_ppc64le_latest_filename
>
> For more information about the latest targets, please reference the Fedora
> Atomic Wiki space.
>
> https://fedoraproject.org/wiki/Atomic_WG#Fedora_Atomic_Image_Download_Links
>
> Do note that it can take some of the mirrors up to 12 hours to "check-in" at
> their own discretion.
>
> Thank you,
> Fedora Release Engineering
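The post names the fixed runc and rpm-ostree RPM versions and shows the rpm-ostree package diff. The Python below is an added example (not the announcement's code, not Fedora or librpm tooling): it parses "Upgraded:" lines like the ones above and checks, with a re-implementation of rpm's epoch:version-release ordering, whether the installed builds have reached the fixed versions. The two fixed versions and the two sample lines come from the post; the function names, the parser and the comparison code are assumptions made here.

```python
# Added example (not librpm or Fedora tooling): check installed runc / rpm-ostree
# builds against the fixed RPM versions in the announcement, using rpm's EVR ordering.
import re
from itertools import zip_longest

FIXED = {  # fixed versions from the announcement, epochs from its ostree diff listing
    "runc": "2:1.0.0-68.dev.git6635b4f.fc29",  # CVE-2019-5736
    "rpm-ostree": "2019.2-1.fc29",             # /home -> /var/home labeling fix
}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # rpm treats every other character as a separator

def rpmvercmp(a, b):
    """Compare two version (or release) strings like rpm's rpmvercmp(): -1, 0 or 1."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x == "~" or y == "~":        # tilde sorts before anything, even end of string
            return -1 if x == "~" else 1
        if x is None or y is None:      # the string with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():  # a numeric segment is newer than an alpha one
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)        # both alpha: plain string comparison
    return 0

def split_evr(evr):
    """'2:1.0.0-68.dev.git6635b4f.fc29' -> ('2', '1.0.0', '68.dev...'); a missing epoch is 0."""
    epoch, colon, rest = evr.partition(":")
    if not colon:
        epoch, rest = "0", evr
    version, dash, release = rest.rpartition("-")
    return epoch, (version if dash else rest), (release if dash else "")

def evr_compare(a, b):
    """Compare full EVR strings; epoch decides first, then version, then release."""
    return next((c for c in map(rpmvercmp, split_evr(a), split_evr(b)) if c), 0)

def parse_upgraded(listing):
    """Parse 'name old -> new' lines of an rpm-ostree/ostree diff into {name: new_evr}."""
    return dict(re.findall(r"^\s*(\S+)\s+\S+\s+->\s+(\S+)\s*$", listing, re.M))

def check_fixed(installed):
    """True per package in FIXED when the installed EVR is at or past the fixed one."""
    return {n: n in installed and evr_compare(installed[n], f) >= 0 for n, f in FIXED.items()}

# Constructed sample: the two relevant 'Upgraded:' lines from the announcement's diff.
SAMPLE = """runc 2:1.0.0-66.dev.gitbbb17ef.fc29 -> 2:1.0.0-68.dev.git6635b4f.fc29
rpm-ostree 2018.10-1.fc29 -> 2019.2-1.fc29"""
```

`check_fixed(parse_upgraded(SAMPLE))` returns True for both packages; note the epoch, since the fix is quoted above as 1.0.0-68.dev.git6635b4f.fc29 while the diff shows 2:1.0.0-68..., and an EVR without an epoch compares as epoch 0 and therefore below any 2: build.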
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org