

# Amazon Linux 2 version 2.0.20211001.1 release notes
<a name="relnotes-20211001"></a>

These are the release notes for Amazon Linux 2 version 2.0.20211001.1.

## Major updates
<a name="major-updates-20211001"></a>
+ ca-certificates was updated to version 2021.2.50-72.amzn2.0.1. This addresses the fact that the IdentTrust DST Root CA X3 was about to expire. This affected some Let’s Encrypt TLS certificates. If you continued using the expired certificate, you can't use OpenSSL to validate impacted certificates that are issued by Let’s Encrypt. If you were impacted by this issue, you might have experienced connection or certificate errors when trying to connect to certain websites or APIs that use Let's Encrypt certificates. 

## Package updates
<a name="package-updates-20211001"></a>

Amazon Linux 2 includes the following packages.


| Package | 
| --- | 
|  ca-certificates-2021.2.50-72.amzn2.0.1.noarch  | 
|  curl-7.76.1-7.amzn2.0.2.aarch64  | 
|  curl-7.76.1-7.amzn2.0.2.x86\_64  | 
|  device-mapper-1.02.170-6.amzn2.5.aarch64  | 
|  device-mapper-1.02.170-6.amzn2.5.x86\_64  | 
|  device-mapper-event-1.02.170-6.amzn2.5.aarch64  | 
|  device-mapper-event-1.02.170-6.amzn2.5.x86\_64  | 
|  device-mapper-event-libs-1.02.170-6.amzn2.5.aarch64  | 
|  device-mapper-event-libs-1.02.170-6.amzn2.5.x86\_64  | 
|  device-mapper-libs-1.02.170-6.amzn2.5.aarch64  | 
|  device-mapper-libs-1.02.170-6.amzn2.5.x86\_64  | 
|  glibc-2.26-54.amzn2.aarch64  | 
|  glibc-2.26-54.amzn2.x86\_64  | 
|  glibc-all-langpacks-2.26-54.amzn2.aarch64  | 
|  glibc-all-langpacks-2.26-54.amzn2.x86\_64  | 
|  glibc-common-2.26-54.amzn2.aarch64  | 
|  glibc-common-2.26-54.amzn2.x86\_64  | 
|  glibc-devel-2.26-54.amzn2.x86\_64  | 
|  glibc-headers-2.26-54.amzn2.x86\_64  | 
|  glibc-langpack-en-2.26-54.amzn2.aarch64  | 
|  glibc-langpack-en-2.26-54.amzn2.x86\_64  | 
|  glibc-locale-source-2.26-54.amzn2.aarch64  | 
|  glibc-locale-source-2.26-54.amzn2.x86\_64  | 
|  glibc-minimal-langpack-2.26-54.amzn2.aarch64  | 
|  glibc-minimal-langpack-2.26-54.amzn2.x86\_64  | 
|  grub2-2.06-2.amzn2.0.6.aarch64  | 
|  grub2-2.06-2.amzn2.0.6.x86\_64  | 
|  grub2-common-2.06-2.amzn2.0.6.noarch  | 
|  grub2-efi-aa64-2.06-2.amzn2.0.6.aarch64  | 
|  grub2-efi-aa64-ec2-2.06-2.amzn2.0.6.aarch64  | 
|  grub2-efi-aa64-modules-2.06-2.amzn2.0.6.noarch  | 
|  grub2-efi-x64-ec2-2.06-2.amzn2.0.6.x86\_64  | 
|  grub2-pc-2.06-2.amzn2.0.6.x86\_64  | 
|  grub2-pc-modules-2.06-2.amzn2.0.6.noarch  | 
|  grub2-tools-2.06-2.amzn2.0.6.aarch64  | 
|  grub2-tools-2.06-2.amzn2.0.6.x86\_64  | 
|  grub2-tools-minimal-2.06-2.amzn2.0.6.aarch64  | 
|  grub2-tools-minimal-2.06-2.amzn2.0.6.x86\_64  | 
|  kernel-4.14.246-187.474.amzn2.aarch64  | 
|  kernel-4.14.246-187.474.amzn2.x86\_64  | 
|  kernel-devel-4.14.246-187.474.amzn2.x86\_64  | 
|  kernel-headers-4.14.246-187.474.amzn2.x86\_64  | 
|  kernel-tools-4.14.246-187.474.amzn2.aarch64  | 
|  kernel-tools-4.14.246-187.474.amzn2.x86\_64  | 
|  libblkid-2.30.2-2.amzn2.0.5.aarch64  | 
|  libblkid-2.30.2-2.amzn2.0.5.x86\_64  | 
|  libcrypt-2.26-54.amzn2.aarch64  | 
|  libcrypt-2.26-54.amzn2.x86\_64  | 
|  libcurl-7.76.1-7.amzn2.0.2.aarch64  | 
|  libcurl-7.76.1-7.amzn2.0.2.x86\_64  | 
|  libfdisk-2.30.2-2.amzn2.0.5.aarch64  | 
|  libfdisk-2.30.2-2.amzn2.0.5.x86\_64  | 
|  libmount-2.30.2-2.amzn2.0.5.aarch64  | 
|  libmount-2.30.2-2.amzn2.0.5.x86\_64  | 
|  libsmartcols-2.30.2-2.amzn2.0.5.aarch64  | 
|  libsmartcols-2.30.2-2.amzn2.0.5.x86\_64  | 
|  libuuid-2.30.2-2.amzn2.0.5.aarch64  | 
|  libuuid-2.30.2-2.amzn2.0.5.x86\_64  | 
|  lvm2-2.02.187-6.amzn2.5.aarch64  | 
|  lvm2-2.02.187-6.amzn2.5.x86\_64  | 
|  lvm2-libs-2.02.187-6.amzn2.5.aarch64  | 
|  lvm2-libs-2.02.187-6.amzn2.5.x86\_64  | 
|  openldap-2.4.44-23.amzn2.0.2.aarch64  | 
|  openldap-2.4.44-23.amzn2.0.2.x86\_64  | 
|  systemd-219-78.amzn2.0.15.aarch64  | 
|  systemd-219-78.amzn2.0.15.x86\_64  | 
|  systemd-libs-219-78.amzn2.0.15.aarch64  | 
|  systemd-libs-219-78.amzn2.0.15.x86\_64  | 
|  systemd-sysv-219-78.amzn2.0.15.aarch64  | 
|  systemd-sysv-219-78.amzn2.0.15.x86\_64  | 
|  util-linux-2.30.2-2.amzn2.0.5.aarch64  | 
|  util-linux-2.30.2-2.amzn2.0.5.x86\_64  | 

## Kernel updates
<a name="kernel-updates-20211001"></a>

Rebase kernel to upstream stable 4.14.252.

CVEs fixed:
+ CVE-2021-3732 [ovl: Prevents private clone if bind mount is not allowed] 
+ CVE-2021-38205 [net: xilinx\_emaclite: Doesn't print real IOMEM pointer] 
+ CVE-2020-3702 [ath: Uses safer key clearing with key cache entries] 
+ CVE-2021-3653 [KVM: nSVM: Avoids picking up unsupported bits from L2 in int\_ctl (CVE-2021-3653)] 
+ CVE-2021-3656 [KVM: nSVM: Always intercepts VMLOAD/VMSAVE when nested (CVE-2021-3656)] 
+ CVE-2021-42008 [net: 6pack: Fixes slab-out-of-bounds in decode\_data] 
+ CVE-2021-3753 [vt\_kdsetmode: Extends console locking] 
+ CVE-2021-38198 [KVM: X86: MMU: Uses the correct inherited permissions to get shadow page]

Amazon Features and Backports:
+ Revert "gup: Documents and works around "COW can break either way" issue" 
+ arm64: Implements optimized checksum routine 
+ arm64: csum: Disables KASAN for do\_csum() 
+ arm64: csum: Optimizes IPv6 header checksum 
+ arm64: csum: Fixes pathological zero-length calls 
+ kvm/svm: PKU not currently supported 
+ EDAC/amd64: Drops some family checks for newer systems 
+ x86/amd\_nb: Adds Family 19h PCI IDs 
+ EDAC/mce\_amd: Always loads on SMCA systems 
+ x86/MCE/AMD, EDAC/mce\_amd: Adds new Load Store unit McaType 
+ EDAC/amd64: Makes struct amd64\_family\_type global 
+ EDAC/amd64: Uses a macro for iterating over Unified Memory Controllers 
+ EDAC/amd64: Saves max number of controllers to family type 
+ EDAC/amd64: Supports more than two controllers for chip selects handling 
+ EDAC/amd64: Finds Chip Select memory size using Address Mask 
+ EDAC/amd64: Adds family ops for Family 19h Models 00h-0Fh 
+ perf/amd/uncore: Prepares L3 thread mask code for Family 19h 
+ perf/amd/uncore: Makes L3 thread mask code more readable 
+ perf/amd/uncore: Adds support for Family 19h L3 PMU 
+ perf/x86/amd: Constrains Large Increment per Cycle events 
+ perf/x86/amd: Adds support for Large Increment per Cycle Events 
+ perf/x86/amd: Fixes sampling Large Increment per Cycle events 
+ perf/amd/uncore: Sets all slices and threads to restore perf stat -a behaviour 
+ perf/amd/uncore: Prepares to scale for more attributes that vary per family 
+ perf/amd/uncore: Allows F19h user coreid, threadmask, and sliceid specification 
+ perf vendor events: Supports metric\_group and no event name in JSON parser 
+ perf vendor events amd: perf PMU events for AMD Family 17h 
+ perf vendor events amd: Adds L3 cache events for Family 17h 
+ perf vendor events amd: Removes redundant '[' 
+ perf vendor events amd: Restricts model detection for zen1 based processors 
+ perf vendor events amd: Adds Zen2 events 
+ perf vendor events amd: Updates Zen1 events to V2 
+ perf vendor events amd: Adds L2 Prefetch events for zen1 
+ perf vendor events amd: Adds ITLB Instruction Fetch Hits event for zen1 
+ perf vendor events amd: Adds recommended events 
+ perf vendor events amd: Enables Family 19h users by matching Zen2 events 
+ perf vendor events amd: Fixes broken L2 Cache Hits from L2 HWPF metric 
+ perf/amd/uncore: Fixes sysfs type mismatch 
+ mm/page\_alloc: Prints node fallback order 
+ mm/page\_alloc: Uses accumulated load when building node fallback list 
+ ext4: Fixes race writing to an inline\_data file while its xattrs are changing

Other Fixes:
+ ext4: Fixes potential htree corruption when growing large\_dir directories 
+ perf/x86/amd: Doesn't touch the AMD64\_EVENTSEL\_HOSTONLY bit inside the guest 
+ net: Fixes memory leak in ieee802154\_raw\_deliver 
+ net: bridge: Fixes memleak in br\_add\_if() 
+ tcp\_bbr: Fixes u32 wrap bug in round logic if bbr\_init() called after 2B packets 
+ vsock/virtio: Avoids potential deadlock when vsock device remove 
+ x86/tools: Fixes objdump version check again 
+ KVM: nSVM: Always intercepts VMLOAD/VMSAVE when nested (CVE-2021-3656) 
+ KVM: nSVM: Avoids picking up unsupported bits from L2 in int\_ctl (CVE-2021-3653) 
+ x86/fpu: Makes init\_fpstate correct with optimized XSAVE 
+ fs: Warns about impending deprecation of mandatory locks 
+ virtio: Improves vq->broken access to avoid any compiler optimization 
+ KVM: x86/mmu: Treats NX as used (not reserved) for all \_TDP shadow MMUs 
+ KVM: X86: MMU: Uses the correct inherited permissions to get shadow page