Release Notes for OmniOSce v11 r151026

r151026az (2019-04-29)

Weekly release for w/c 29th of April 2019.

This is a non-reboot update.

Security fixes

• Update to pkg, fixing CVE-2019-2704
• wget updated to 1.20.3, fixing CVE-2019-5953

r151026av (2019-04-01)

Weekly release for w/c 1st of April 2019.

This update requires a reboot.

Security fixes

• Access problem with SMB server - illumos issue 10506 - CVE-2019-9579
• dls_unbind() needs better checking - illumos issue 10543

r151026at (2019-03-19)

Weekly release for w/c 18th of March 2019.

This is a non-reboot update.

Security fixes

• The network/ntp package has been updated to version 4.2.8p13 addressing one security vulnerability.

r151026ar (2019-03-06)

Weekly release for w/c 4th of March 2019.

This update requires a reboot.

Security fixes

• A system crash can occur if a corrupt/malicious ELF object is executed; illumos issue 10505.
• Fix for denial of service (requires access to a non-global zone in order to exploit); illumos issue 10472.
• python2 updated to 2.7.16 fixing CVE-2019-5010, CVE-2013-1752, CVE-2018-14647

r151026aq (2019-02-27)

Weekly release for w/c 25th of February 2019.

This is a non-reboot update

Security fixes

• openssl updated to 1.0.2r/1.1.1b fixing CVE-2019-1559

r151026ao (2019-02-11)

Weekly release for w/c 11th of February 2019.

This is a non-reboot update

Security fixes

• curl update to 7.64.0 fixing CVE-2018-16890, CVE-2019-3822, CVE-2019-3823.

• mercurial updated to 4.9 addressing a security issue regarding symlinks and subrepository checkout.

Other fixes

• Fix problem where pkg could take a long time to generate a uuid by installing the developer/object-file package by default.

r151026al (2019-01-21)

Weekly release for w/c 21st of January 2019.

This is a non-reboot update

Security fixes

• ntpsec updated to version 1.1.3 fixing CVE-2019-6442, CVE-2019-6443, CVE-2019-6444, CVE-2019-6445

• openssh updated to fix CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111

r151026aj (2019-01-07)

Weekly release for w/c 7th of January 2019.

This is a non-reboot update

Security fixes

• Update GNU tar to 1.31, fixing CVE-2018-20482
• libxml2 updated to 2.9.9 - CVE-2018-9251, CVE-2018-14404, CVE-2018-14567

r151026af (2018-12-10)

Weekly release for w/c 10th of December 2018.

This update requires a reboot (if system/bhyve is installed).

Security fixes

• bhyve updated to fix - CVE-2018-17160

• nss updated to fix - CVE-2018-12404

Other Changes

• web/ca-bundle updated

r151026ae (2018-12-03)

Weekly release for w/c 3rd of December 2018.

This is a non-reboot update.

Security fixes

• perl updated to 5.26.3 - CVE-2018-12015 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314

• nss/nspr updated to 3.40.1/4.20 - CVE-2018-12404

r151026ac (2018-11-22)

Weekly release for w/c 19th of November 2018.

This is a non-reboot update.

Security fixes

• openssl updated to 1.1.0j/1.0.2q CVE-2018-0734 CVE-2018-5407
• openjdk updated to 1.7.0_201-b00

Other Changes

• pkg updated to fix a problem that could occur when removing some packages.

r151026aa (2018-11-05)

Weekly release for w/c 5th of November 2018.

This is a non-reboot update.

Security fixes

• Curl updated to 7.62.0 CVE-2018-16842

r151026y (2018-10-25)

Weekly release for w/c 22nd of October 2018.

This is a non-reboot update.

Bug Fixes

• The sparse zone brand has been updated to resolve a problem found during upgrading to the r151028 release candidate. After installing this update, please reboot any sparse-branded zones.

r151026w (2018-10-08)

Weekly release for w/c 8th of October 2018.

This is a non-reboot update.

Security fixes

• Git updated to 2.17.2 CVE-2018-17456

• Mercurial updated to fix a potential out-of-bounds read in manifest parsing C code.

r151026u (2018-09-26)

Weekly release for w/c 24th of September 2018.

This update requires a reboot

Security fixes

• Mitigation for Foreshadow/L1TF - CVE-2018-3646, with thanks to Joyent. This includes a CPU microcode update.

  For full protection from this problem, ensure that sensitive services, including KVM instances, are separated into different non-global zones.

  Protection status for this and other vulnerabilities can be viewed with mdb -ke ::sec.

Bug fixes

• Kernel panic in RPC gss module - illumos issue 3354

• Kernel panic with Smartmontools 6.6 on ESXi 6.7 when trying to enable smart on rpool - omnios-build issue 960

• Windows 10 could not access CIFS share by name with i18n username - illumos-omnios issue 254, with thanks to Nexenta.

Other changes

• The installer is now able to force 4k or 8k alignment on the root pool regardless of the underlying storage. Previously this did not work for NVMe or virtual disks - Kayak issue 72

  New installation media have been prepared for this release and can be found at https://omniosce.org/download

r151026r (2018-09-05)

Weekly release for w/c 3rd of September 2018.

This is a non-reboot update.

Security fixes

• Curl updated to 7.61.1 CVE-2018-14618

• Zsh updated to fix CVE-2018-0502 and CVE-2018-13259

Other changes

• system/cpuid updated to introduce detection of features listed in the May 2018 Intel ISA extensions manual.

r151026p (2018-08-20)

Weekly release for w/c 20th of August 2018.

This is a non-reboot update.

Security fixes

• OpenSSH updated to patch user-enumeration flaw CVE-2018-15473

r151026o (2018-08-15)

Weekly release for w/c 13th of August 2018.

This update requires a reboot.

Security fixes

• OpenSSL updated to 1.1.0i and 1.0.2p CVE-2018-0732 CVE-2018-0737

• NTP Daemon updated to 4.2.8p12 Network Time Foundation Security Notice

  Note that we recommend the use of the newer ntpsec package over this one - refer to the r151026 release notes below for more information.

Bug Fixes

• SmartOS Issue OS-7064 Fix KPTI-related kernel panic.
• SmartOS Issue OS-7090 Fix for virtual machine memory management.

r151026m (2018-07-30)

Weekly release for w/c 30th of July 2018.

This update requires a reboot.

Bug Fixes

• illumos Issue 7941 cannot use crypto lofi on a block/character device
• Newer versions of the iproute2 utilities fail in an lx zone with ('DONE truncated', 'Dump terminated')

Other Changes

• Automatic naming is now supported for boot environments created during package operations. This is configured via the new auto-be-name image property which specifies a template for the new name; see the man page for the pkg command for more information and examples. A suggested property value is omnios-r%r which results in BE names such as omnios-r151026m:

  # pkg set-property auto-be-name omnios-r%r
  # pkg update
  ...
  A clone of r151026 exists and has been updated and activated.
  On the next boot the Boot Environment omnios-r151026m will be
  mounted on '/'.  Reboot when ready to switch to this updated BE.
  

r151026k (2018-07-16)

Weekly release for w/c 16th of July 2018.

This is a non-reboot update.

Security fixes

• Mercurial updated to fix CVE-2018-13348
• Curl updated to 7.61.0
  • CVE-2018-0500
• Bind updated to 9.11.4
  • CVE-2018-5738

r151026i (2018-07-02)

Weekly release for w/c 2nd of July 2018.

This update requires a reboot.

Security fixes

• Kernel update to protect against the Lazy FPU vulnerability
  • CVE-2018-3665
• Mozilla NSS updated to version 3.38
  • CVE-2018-0495

Other Changes

• New ::sec mdb command to summarise protection against CPU vulnerabilities
• Fix problem when using native grep with context arguments (-A, -B, -C)
• Linked-ipkg zones could end up with packages newer than those in the global zone; this is now resolved.
• Add support for recursive pkg set-publisher operations

r151026g (2018-06-18)

Weekly release for w/c 18th of June 2018.

This is a non-reboot update.

Changes

• rsync has been updated and is now twice as fast at checksumming data.

r151026e (2018-06-04)

Weekly release for w/c 4th of June 2018.

This is a non-reboot update.

Security fixes

• git upgraded to version 2.17.1:
  • CVE-2018-11233
  • CVE-2018-11235

Other changes

• pkg updated to fix support URL.

r151026c (2018-05-17)

Weekly release for w/c 17th of May 2018.

This is a non-reboot update.

Security fixes

• curl upgraded to version 7.60.0:
  • CVE-2018-1000300
  • CVE-2018-1000301

Other changes

• dma updated so that it strips header lines that begin with the five-character sequence "From ". This is the default behaviour of other MTAs such as Sendmail. This fixes a problem with processing emails generated by cron or by other users of the mail command where message headers end up as part of the body.

r151026 (2018-05-07)

Stable Release, 7th of May 2018

uname -v shows omnios-r151026-673c59f55d

r151026 release repository: https://pkg.omniosce.org/r151026/core

New features since r151024

System Features

• Kernel Page Table Isolation (KPTI) feature from Joyent. This adds protection against the Meltdown Intel CPU vulnerability announced early in 2018. See https://omniosce.org/info/kpti for details.

• Stack-clash mitigation for 64-bit processes; from Joyent.

• Experimental support for bhyve virtual machines. See https://omniosce.org/info/bhyve for details.

• Support for sparse branded zones. This is a linked-ipkg zone that shares most of the /usr, /sbin and /lib directories with the global zone. Sparse zones are tiny (under 4MiB of installed files) and perfect for isolating small services or VM instances for extra security or to apply more granular resource controls.

• The ISO/USB installer has received multiple updates. It is now half the size and around seven times faster to start up, text menus have been replaced with dialogues to make it easier to navigate, and it is now possible to select DHCP assignment of the DNS parameters. Additional options are available for configuring aspects of the root pool including whether to force a 4K block size (ashift=12), whether to use stripe, mirror or a RAIDZ level, and whether to use EFI or MBR labels.

• The default mail submission agent is now Dragonfly Mail Agent (dma) rather than sendmail. In a default installation, /usr/lib/sendmail points to dma and can deliver email messages to local users and Internet recipients. Dragonfly supports TLS and SMTP authentication out of the box - see /etc/dma/dma.conf and man dma for available options. There are now three mediated MTA/MSA packages in OmniOS, dma, sendmail and mailwrapper; only dma is installed by default. To switch between them, install the appropriate package and then configure the mta mediator implementation, for example:

  # pkg install service/network/smtp/sendmail
  
  # pkg mediator -a mta
  MEDIATOR VER. SRC. VERSION IMPL. SRC. IMPLEMENTATION
  mta      system            system     mailwrapper
  mta      system            system     sendmail
  mta      vendor            vendor     dma
  
  # pkg set-mediator -I sendmail mta
  

  Note that dma does not support more advanced features such as .forward files in home directories. If you need these features you should switch back to sendmail as shown above.

  Mailwrapper is still available to support use of packages from non-IPS repositories such as pkgsrc via /etc/mailer.conf

• A new service/network/ntpsec package is available as an alternative to service/network/ntp. NTPsec is a secure, hardened and improved implementation of the Network Time Protocol derived from NTP Classic. NTPsec also runs with stack protection and ASLR out of the box on OmniOS. To switch just record any changes you have made to /etc/inet/ntp.conf and the service manifest properties (svcprop -p config ntp) and then pkg uninstall service/network/ntp && pkg install service/network/ntpsec. Restore any customisations and then start the network/ntp service.

• A number of system components now enable Address Space Layout Randomisation (ASLR) by default:

  • DHCP daemon
  • Dragonfly Mail Agent
  • NTP & NTPsec
  • OpenSSH daemon
  • pfexecd
  • rpcbind
  • Sendmail
  • SNMP daemon

• openssh has been upgraded to 7.6p1. This version drops support for SSH protocol version 1, RSA keys under 1024 bits in length and a number of old ciphers and MACs. Refer to the release notes for more details. Several legacy SunSSH compatibility options for OpenSSH are deprecated and will be removed in a future release; see below for more details.

  Note that OpenSSH is now delivered as a 64-bit application and so you may need to adjust your PAM configuration if you have custom rules in /etc/pam.conf

• libdiskmgt (and therefore diskinfo) now recognises nvme, sata and xen controllers.

• It is now possible to boot OmniOS from a root pool which uses RAIDZ2 or RAIDZ3.

• New zfs remove and zpool checkpoint features - see Commands and options below.

• Improved support for ZFS pool recovery - see Pavel Zakharov's Turbocharging ZFS Data Recovery article for more details.

• The /etc/screenrc file delivered by the screen package is now based on the recommended global template as delivered by the authors; you may wish to check that it still meets your needs. If you have previously customised this file then it will not be updated but the new template file will be installed as /etc/screenrc.new.

• screen is now linked against ncurses in order to support more terminal types (e.g. iterm)

• New fault management (FMA) event for an SSD that is nearing its end-of-life as projected by the manufacturer (SSD wearout, see illumos Issue 8074)

• Many improvements in resource management within zones.

• IPv6 default address selection table updated for RFC6724.

• Improvements to page recovery under low memory conditions.

• Workarounds for some systems with known broken firmware.

• New file: /etc/os-release

Commands and Command Options

• ZFS now supports the removal of a top-level vdev from a pool via zfs remove, reducing the total amount of storage in the pool without requiring a pool rebuild. More information ca be found in illumos Issue 7614.

• ZFS now supports pool-wide state checkpoints via zpool checkpoint.

A pool checkpoint can be thought of as a pool-wide snapshot and should be used with care as it contains every part of the pool's state, from properties to vdev configuration. Refer to the zpool man page for more details. illumos Issue 9166

• /bin/uname -o and /usr/gnu/bin/uname -o report illumos as the operating system name.

• grep now supports context options (-A, -B, -C)

• date -r to display the date associated with an epoch value, or the timestamp of a file.

• netstat now supports the -c option to print IPv4 networks using CIDR notation (x.y.z.a/NN) with the -i, -r and -M options. IPv6 networks default to including the mask information but, to preserve backwards compatibility, IPv4 ones do not without this new flag.

• The reboot now command, as sometimes mistyped due to its prevelance on other system types, no longer breaks booting due to trying to load a kernel called now; the system now always falls back to unix for the default kernel.

LX zones

• The IP address information for an interface in an LX zone can now be set directly via the allowed-address and defrouter properties instead of by using attributes. In addition to setting the address within the zone, this also enables L3 protection on the interface so that it can no longer be changed from inside the zone. The old method of setting attributes is still supported but does not afford this protection.

  GZ# zonecfg -z lx info net
  net:
  	address not specified
  	allowed-address: 172.30.1.129/26
  	defrouter: 172.30.1.254
  	physical: deb0
  
  GZ# dladm show-linkprop deb0
  LINK         PROPERTY        PERM VALUE          DEFAULT        POSSIBLE
  deb0         protection      rw   ip-nospoof     --
  deb0         allowed-ips     rw   172.30.1.129/32 --            --
  

• Any secondary file-systems mounted within /usr, /lib or /sbin are no longer accessible from within an LX zone through /native/.

• Report that /proc/sys is writable to keep systemd happy.

• More complete emulation of /proc/mounts.

• Emulate a userspace clock of 100Hz to accommodate some broken applications.

• Support for joining multicast group.

• Many other fixes and compatibility updates from Joyent.

Package Management

• A new pkg apply-hot-fix command has been added to make it easier to apply a hot-fix directly from a package archive. For example:

  % pfexec pkg apply-hot-fix --be-name=hotfix1234 https://downloads.omniosce.org/pkg/r151022/1234_hotfix.p5p
  

• It is now possible to set an image property to make recursive operations the default behaviour and also to specify the default concurrency for package operations. So if you routinely use pkg udpate -r -C 0 then you can now:

  # pkg set-property default-recurse True
  # pkg set-property recursion-concurrency 0
  

  The new -R option allows temporary override for recursion, refer to the pkg.1 man page for more details.

• The pkg set-publisher -O option is now documented and has been extended to support bare and relative path-names. This is now the recommended way to switch releases - see upgrade notes

• A number of core packages can now be removed if not required. In particular removing packages which require a reboot on upgrade will mean that the reboot is avoided if that package is updated upstream. The list can be viewed with pkg contents -m entire | grep optional. This in addition to the runtime/java java/jdk and service/resource-pools/poold packages which became optional in the last release.

• pkgsign has gained --dkey and --dcert options to enable use of an SSL client certificate when signing packages in a remote HTTPS repository.

• pkg install now permits package downgrades.

• pkg history -o time,command -n 5 now works as expected.

Hardware Support

• Support for Broadcom/Avago tri-mode adapters.

• Better support for AMD Ryzen processors.

• Support for Sound Blaster Audigy RX.

Developer Features

• GCC version 7 is now available - pkg install developer/gcc7 - and can be found in /opt/gcc-7. Details of the changes in GCC 7 can be found on the gcc web site.

• Perl has been upgraded to 5.26.

• MDB smart-write feature via /z - see illumos issue 9091

Deprecated features

• Several legacy SunSSH compatibility options for OpenSSH are deprecated with this release and should be removed from SSH daemon configuration files. A future release of OmniOS will remove support for these options completely. Refer to https://omniosce.org/info/sunssh for more details.

• The python m2crypto, typing, lxml and pyrex modules have been removed as they are no longer required by core OmniOS packages.

Package changes