Re: [atomic-announce] Fedora Atomic Host Two Week Release Announcement: 29.20190219.0
In this release, two major bugfixes are included:

1. runc container escape to host filesystem (CVE-2019-5736) [1], fixed with runc RPM version 1.0.0-68.dev.git6635b4f.fc29
2. rpm-ostree labeling of /home symlink to /var/home [2], fixed with rpm-ostree RPM version 2019.2-1.fc29

To reiterate, Atomic Host systems are protected from the runc exploit due to two lines of defense: SELinux, and /usr being mounted as read-only (see [3]). Thus, existing Atomic Host systems should not be affected.

The kernel update to 4.20.3-200.fc29, which introduced bugs that blocked the 20190204 release [4], is now being tracked at [5] and [6]. Since we have confirmed the ppc64le image boots with nested kvm/qemu virtualization on Power9 hardware, we have decided to release.

An example of the diff between this and the previous released version (for x86_64) is:

ostree diff commit old: cdcbea2ccac7804770be806befd30895457de080d1525ee6050a5bebdfeefeb7
ostree diff commit new: d00adf110907f93f6cdd05deda0e2878c9bd71c74e0c4c2e9a5250d2f4cc8868

Upgraded:
  checkpolicy 2.8-2.fc29 -> 2.8-3.fc29
  cockpit-bridge 185-1.fc29 -> 187-1.fc29
  cockpit-docker 185-1.fc29 -> 187-1.fc29
  cockpit-networkmanager 185-1.fc29 -> 187-1.fc29
  cockpit-system 185-1.fc29 -> 187-1.fc29
  container-selinux 2:2.77-1.git2c57a17.fc29 -> 2:2.81-2.git484806a.fc29
  crypto-policies 20181026-1.gitd42aaa6.fc29 -> 20190211-2.gite3eacfc.fc29
  curl 7.61.1-6.fc29 -> 7.61.1-9.fc29
  dbus 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-common 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-daemon 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-libs 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-tools 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  docker 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  docker-common 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  docker-rhel-push-plugin 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  elfutils-default-yama-scope 0.174-5.fc29 -> 0.176-1.fc29
  elfutils-libelf 0.174-5.fc29 -> 0.176-1.fc29
  elfutils-libs 0.174-5.fc29 -> 0.176-1.fc29
  file 5.34-7.fc29 -> 5.34-11.fc29
  file-libs 5.34-7.fc29 -> 5.34-11.fc29
  geolite2-city 20181204-1.fc29 -> 20190205-1.fc29
  geolite2-country 20181204-1.fc29 -> 20190205-1.fc29
  glib2 2.58.2-1.fc29 -> 2.58.3-1.fc29
  gnutls 3.6.5-2.fc29 -> 3.6.6-1.fc29
  gpgme 1.11.1-3.fc29 -> 1.12.0-1.fc29
  iproute 4.18.0-3.fc29 -> 4.20.0-1.fc29
  iproute-tc 4.18.0-3.fc29 -> 4.20.0-1.fc29
  kernel 4.19.15-300.fc29 -> 4.20.8-200.fc29
  kernel-core 4.19.15-300.fc29 -> 4.20.8-200.fc29
  kernel-modules 4.19.15-300.fc29 -> 4.20.8-200.fc29
  libcurl 7.61.1-6.fc29 -> 7.61.1-9.fc29
  libidn2 2.0.5-2.fc29 -> 2.1.1a-1.fc29
  libpng 2:1.6.34-6.fc29 -> 2:1.6.34-7.fc29
  libreport-filesystem 2.9.7-2.fc29 -> 2.10.0-1.fc29
  libselinux 2.8-4.fc29 -> 2.8-6.fc29
  libselinux-utils 2.8-4.fc29 -> 2.8-6.fc29
  libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  libsepol 2.8-2.fc29 -> 2.8-3.fc29
  libsolv 0.7.2-1.fc29 -> 0.7.2-2.fc29
  libxcrypt 4.4.2-3.fc29 -> 4.4.3-2.fc29
  libyaml 0.2.1-2.fc29 -> 0.2.1-5.fc29
  linux-firmware 20181219-89.git0f22c852.fc29 -> 20190213-93.git710963fe.fc29
  lua-libs 5.3.5-2.fc29 -> 5.3.5-3.fc29
  nss 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-softokn 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-softokn-freebl 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-sysinit 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-util 3.41.0-3.fc29 -> 3.42.1-1.fc29
  oci-umount 2:2.3.4-2.git87f9237.fc29 -> 2:2.5-1.gitc3cda1f.fc29
  openssh 7.9p1-3.fc29 -> 7.9p1-4.fc29
  openssh-clients 7.9p1-3.fc29 -> 7.9p1-4.fc29
  openssh-server 7.9p1-3.fc29 -> 7.9p1-4.fc29
  p11-kit 0.23.14-2.fc29 -> 0.23.15-1.fc29
  p11-kit-trust 0.23.14-2.fc29 -> 0.23.15-1.fc29
  policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  policycoreutils-python-utils 2.8-8.fc29 -> 2.8-17.fc29
  polkit 0.115-4.2.fc29 -> 0.115-4.3.fc29
  polkit-libs 0.115-4.2.fc29 -> 0.115-4.3.fc29
  python2-libselinux 2.8-4.fc29 -> 2.8-6.fc29
  python2-libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  python2-policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  python2-pyOpenSSL 18.0.0-3.fc29 -> 19.0.0-1.fc29
  python3 3.7.2-1.fc29 -> 3.7.2-4.fc29
  python3-dateutil 1:2.7.0-3.fc29 -> 1:2.7.5-1.fc29
  python3-jsonschema 2.6.0-5.fc29 -> 2.6.0-6.fc29
  python3-libs 3.7.2-1.fc29 -> 3.7.2-4.fc29
  python3-libselinux 2.8-4.fc29 -> 2.8-6.fc29
  python3-libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  python3-policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  python3-pyOpenSSL 18.0.0-3.fc29 -> 19.0.0-1.fc29
  rpm-ostree 2018.10-1.fc29 -> 2019.2-1.fc29
  rpm-ostree-libs 2018.10-1.fc29 -> 2019.2-1.fc29
  runc 2:1.0.0-66.dev.gitbbb17ef.fc29 -> 2:1.0.0-68.dev.git6635b4f.fc29
  selinux-policy 3.14.2-47.fc29 -> 3.14.2-49.fc29
  selinux-policy-targeted 3.14.2-47.fc29 -> 3.14.2-49.fc29
  systemd 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-container 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-libs 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-pam 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-udev

[atomic-announce] Fedora Atomic Host Two Week Release Announcement: 29.20190219.0
A new Fedora Atomic Host update is available via an OSTree update:

Version: 29.20190219.0
Commit(x86_64): d00adf110907f93f6cdd05deda0e2878c9bd71c74e0c4c2e9a5250d2f4cc8868
Commit(aarch64): b87cb9e59aa668ea0e79c3d2e7c017a340c03dcf79a2f7756fedddb3831ca74e
Commit(ppc64le): 33ee5adfd3e33c8e03ad460c75fe71858528f0d91cffd9c01c07a92b2ad000c2

We are releasing images from multiple architectures but please note that x86_64 architecture is the only one that undergoes automated testing at this time.

Existing systems can be upgraded in place via e.g. `atomic host upgrade`.

Corresponding image media for new installations can be downloaded from:

https://getfedora.org/en/atomic/download/

Alternatively, image artifacts can be found at the following links:

https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0.aarch64.qcow2
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0.aarch64.raw.xz
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/iso/Fedora-AtomicHost-ostree-aarch64-29-20190219.0.iso
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0.ppc64le.qcow2
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0.ppc64le.raw.xz
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/iso/Fedora-AtomicHost-ostree-ppc64le-29-20190219.0.iso
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0.x86_64.qcow2
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0.x86_64.raw.xz
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-Vagrant-29-20190219.0.x86_64.vagrant-libvirt.box
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-Vagrant-29-20190219.0.x86_64.vagrant-virtualbox.box
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/iso/Fedora-AtomicHost-ostree-x86_64-29-20190219.0.iso

Respective signed CHECKSUM files can be found here:

https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0-aarch64-CHECKSUM
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/iso/Fedora-AtomicHost-29-20190219.0-aarch64-CHECKSUM
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0-ppc64le-CHECKSUM
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/iso/Fedora-AtomicHost-29-20190219.0-ppc64le-CHECKSUM
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0-x86_64-CHECKSUM
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/iso/Fedora-AtomicHost-29-20190219.0-x86_64-CHECKSUM

For direct download, the "latest" targets are always available here:

x86_64:
https://getfedora.org/atomic_qcow2_x86_64_latest
https://getfedora.org/atomic_raw_x86_64_latest
https://getfedora.org/atomic_vagrant_libvirt_x86_64_latest
https://getfedora.org/atomic_vagrant_virtualbox_x86_64_latest
https://getfedora.org/atomic_dvd_ostree_x86_64_latest

aarch64:
https://getfedora.org/atomic_qcow2_aarch64_latest
https://getfedora.org/atomic_raw_aarch64_latest
https://getfedora.org/atomic_dvd_ostree_aarch64_latest

ppc64le:
https://getfedora.org/atomic_qcow2_ppc64le_latest
https://getfedora.org/atomic_raw_ppc64le_latest
https://getfedora.org/atomic_dvd_ostree_ppc64le_latest

Filename fetching URLs are available here:

x86_64:
https://getfedora.org/atomic_qcow2_x86_64_latest_filename
https://getfedora.org/atomic_raw_x86_64_latest_filename
https://getfedora.org/atomic_vagrant_libvirt_x86_64_latest_filename
https://getfedora.org/atomic_vagrant_virtualbox_x86_64_latest_filename
https://getfedora.org/atomic_dvd_ostree_x86_64_latest_filename

aarch64:
https://getfedora.org/atomic_qcow2_aarch64_latest_filename
https://getfedora.org/atomic_raw_aarch64_latest_filename
https://getfedora.org/atomic_dvd_ostree_aarch64_latest_filename

ppc64le:
https://getfedora.org/atomic_qcow2_ppc64le_latest_filename
https://getfedora.org/atomic_raw_ppc64le_latest_filename