Release Notes for OmniOSce v11 r151042

r151042o (2022-08-10)

Weekly release for w/c 8th of August 2022.

This update requires a reboot

Security Fixes

• Fix for Post-barrier Return Stack Buffer Predictions CVE-2022-26373

• Fix for a rare kernel panic due to a race condition in poll()

• net-snmp updated to version 5.9.3, fixing CVE-2022-24805, CVE-2022-24809, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808 and CVE-2022-24810

• AMD CPU microcode updated to latest versions as of 20220408

• Python 3.10 updated to version 3.10.6

• OpenJDK packages updated to versions 1.8.345-01, 11.0.16+8 and 17.0.4+8

• OpenSSL updated to version 1.1.1q and 3.0.5

Other Changes

• Updates to ZFS to gracefully handle unknown/invalid vdev device IDs

r151042i (2022-06-30)

Weekly release for w/c 27th of June 2022.

This update requires a reboot

Security Fixes

• OpenSSL 3.0.4 patched, fixing GSD-2022-1002526 heap overflow.

• Intel CPU microcode has been updated to version 20220510.

• curl updated to version 7.84.0, fixing CVE-2022-32208, CVE-2022-32207, CVE-2022-32206 and CVE-2022-32205.

r151042h (2022-06-22)

Weekly release for w/c 20th of June 2022.

This update requires a reboot

Security Fixes

• OpenSSL has been updated to versions 3.0.4 and 1.1.1p, fixing CVE-2022-2068.

• Intel CPU microcode has been updated to version 20220419.

Other Changes

• Python 3.10 has been updated to version 3.10.5

• tcsh has been updated to version 6.24.01

r151042b (2022-05-12)

Weekly release for w/c 9th of May 2022.

This is a non-reboot update

Security Fixes

• libxml2 updated to version 2.9.14, fixing CVE-2022-23308.

• curl updated to version 7.83.1, fixing CVE-2022-30115, CVE-2022-27782, CVE-2022-27781, CVE-2022-27780, CVE-2022-27779 and CVE-2022-27778.

r151042a (2022-05-04)

Weekly release for w/c 2nd of May 2022.

This is a non-reboot update

Security Fixes

• OpenSSL has been updated to versions 3.0.3 and 1.1.1o, fixing four CVEs.

Stable Release, 2nd of May 2022

uname -a shows omnios-r151042-2a01bcc289

r151042 release repository: https://pkg.omnios.org/r151042/core

Upgrade Notes

Upgrades are supported from the r151038 and r151040 releases only. If upgrading from an earlier version, upgrade in stages, referring to the table at https://omnios.org/upgrade.

The location of the system global configuration for vim has been changed to /etc/vimrc. If you had previously created a system-wide vimrc file under /usr/share/vim/ then you will need to copy it to the new location.

OpenSSH no longer accepts RSA signatures using SHA-1 by default. When connecting to very old servers, it may be necessary to selectively re-enable RSA/SHA1. The following stanza in ~/.ssh/config will enable RSA/SHA1 for a single destination host:

Host old-host
    HostkeyAlgorithms +ssh-rsa

New features since r151040

System Features

• Manual pages have been resectioned to match the numbering scheme used on most platforms, instead of the legacy System V numbering. For example, man pages which were previously in section 1M of the manual are now in section 8. illumos IPD 4 has more details.

• The standard OpenSSL is now version 3, and version 1.0.2 is not installed by default unless it is required by legacy packages. The default OpenSSL version can be selected using the openssl mediator, for example:

  pkg set-mediator -V 1.1 openssl
  

• openjdk17 is now available and will be the default system java implementation if installed. As for most components, the default openjdk version can be changed via a mediator:

  pkg set-mediator -V 1.8 openjdk
  

  Thanks to Peter Tribble for doing the work to get OpenJDK17 running on illumos.

• Python has been upgraded to version 3.10, replacing version 3.9 used in the previous release.

• The python package now includes a variant which contains a dtrace ustack helper to aid debugging complex python applications - for more details and an example, see https://omnios.org/article/python-ustack.

• The system can now detect when its attached vioblk or NVMe disks are dynamically resized and grow ZFS pools accordingly (subject to the pool's autoexpand property).

Commands and Command Options

• ipadm(8) has gained support for configuring and managing IP-multiPath (IPMP) interfaces.

• ar(1) now supports the -s option on its own. It was previously necessary to also specify -t and this change makes it easier to build third party software.

• The dd(1) command now supports status= to allow choosing the way in which information about transfers is reported.

• snoop(8) has been updated to be able to decode more DNS resource record types.

• Cron jobs can now support a randomised delay via the RANDOM_DELAY keyword; see crontab(1).

• The diff(1) command now supports the -q option.

• Direct execution of compiled ksh scripts and of Java .jar files is now supported.

Libraries and Library Functions

• The memrchr(3C) function has been added to the standard C library.

• Static initialisers are now provided for error checking and recursive mutexes:

  • PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
  • PTHREAD_RECURSIVE_MUTEX_INITIALIZER_NP

  These complement the existing:

  • PTHREAD_MUTEX_INITIALIZER

• The TCP_QUICKACK socket option is now supported; see tcp(7P).

• fchmodat(AT_SYMLINK_NOFOLLOW) now works for plain files (non-symlinks).

Zones

• Any error output emitted by a zone during boot was previously lost and is now shown by zoneadm(8).

LX zones

• Added support for running more recent distributions which use newer versions of glibc.

• Compatibility fixes to the sendfile system call.

• Improve support for Linux's SECCOMP. This allows elasticsearch8 to run in LX zones.

Bhyve

• The built-in VNC server has been improved, allows multiple concurrent connections and supports more alternative pixel formats.

• The internal clock implementation has been improved, resulting in better timer calibration by guests.

• The bhyve SMBIOS type 3 structure was incorrect.

• Persistent UEFI environment variables are now supported. These are enabled by default when booting with a UEFI bootrom but can be disabled on a per-zone basis via the new uefivars attribute - see bhyve(7).

• The emulated NVMe device has received many fixes, now reports as NVMe 1.4, and passes the UNH NVMe compliance tests.

• Dynamic disk resizing is now supported for both virtio and NVMe disks. Guests receive notifications when a disk is resized and many (including OmniOS) will automatically detect the new size.

ZFS

• A new ZFS channel program is available, zfs.sync.change-key, which allows changing a dataset's encryption key in the context of a channel program.

• zpool online -e can now properly expand whole-disk EFI pools that are backed by blkdev or sd drivers.

Drivers and Hardware Support

• Support for Amazon Nitro instances has been added via the new ENA driver.

• It is now possible to use OmniOS inside a Gen 2 Hyper-V virtual machine via a serial console. VGA is not yet supported.

• There have been multiple improvements to NVMe support.

• The Intel I219 v16-v23 network cards are now supported.

• The bundled firmware for cxgbe network devices has been updated to version 1.26.4.0.

• A new Smart Array storage controller driver (smrt) is available.

• Support for SMBIOS 3.5 has been added.

Developer Features

• It is now possible to configure the system to include any DWARF data found in objects in their core files. This can be enabled globally or on a per process basis using coreadm(8).

• There have been several improvements to the linker, ld(1) to better support clang and rust.

• elfdump(1) now understands LLVM section types.

• Kernel modules are now linked with type=kmod.

• The modular debugger - mdb(8) - can now support separators in numbers using the underscore (_) character. This makes it easier to enter long numbers, e.g. 0x123_456_789.

• The sys/atomic.h header file has been restructured to resolve problems with some guards.

• The sys/mman.h header file has been updated, fixing several problems with symbol visibility and portability. illumos issue 14418 has more details.

Deprecated features

• OpenSSH no longer accepts RSA signatures using SHA-1 by default.

• OpenSSH in OmniOS no longer provides support for GSSAPI key exchange. This was removed in release r151038.

• Python 2 is now end-of-life and will not receive any further updates. The python-27 package is still available for backwards compatibility but will be maintained only on a best-efforts basis.

• OpenSSL 1.0.x is deprecated and reached end-of-support at the end of 2019. OmniOS core software uses the newer OpenSSL 3 and 1.1.1 libraries but retains the OpenSSL 1.0.2 libraries for backwards compatibility. The 1.0.2 libraries are maintained solely on a best-efforts basis.

Package changes