Amazon Linux 2 version 2.0.20211001.1 release notes - Amazon Linux 2

Amazon Linux 2 version 2.0.20211001.1 release notes

These are the release notes for Amazon Linux 2 version 2.0.20211001.1.

Major updates

  • ca-certificates was updated to version 2021.2.50-72.amzn2.0.1. This addresses the upcoming expiration of the IdentTrust DST Root CA X3 certificate, which affected some Let's Encrypt TLS certificates. If you continue to use the expired certificate, you can't use OpenSSL to validate impacted certificates that are issued by Let's Encrypt. If you were impacted by this issue, you might have experienced connection or certificate errors when trying to connect to certain websites or APIs that use Let's Encrypt certificates.
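To check whether a host already carries the fixed trust bundle, compare the string printed by `rpm -q ca-certificates` with the build named above. The following is an added example, not part of the original release notes: the function names are hypothetical, the version comparison is a simplified form of RPM's segment ordering (no epoch, `~` or `^` handling), and the older sample builds are constructed.

```python
import re

# Fixed build named in the release notes above.
FIXED = "ca-certificates-2021.2.50-72.amzn2.0.1.noarch"

def split_nvra(nvra):
    """Split 'name-version-release.arch' as printed by `rpm -q`."""
    rest, arch = nvra.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)  # name may contain '-'
    return name, version, release, arch

def rpmvercmp(a, b):
    """Simplified RPM segment comparison; returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def has_fix(installed, fixed=FIXED):
    """True if `installed` is the same package at or above the fixed build."""
    name, ver, rel, _ = split_nvra(installed)
    fname, fver, frel, _ = split_nvra(fixed)
    if name != fname:
        raise ValueError(f"{installed} is not a {fname} package")
    # Version decides first; release only breaks a version tie.
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0

if __name__ == "__main__":
    # Constructed sample `rpm -q ca-certificates` outputs, not from the page.
    for nvra in ("ca-certificates-2020.2.41-70.amzn2.0.1.noarch",
                 "ca-certificates-2021.2.50-9.amzn2.0.1.noarch", FIXED):
        print(nvra, "OK" if has_fix(nvra) else "NEEDS UPDATE")
```

The second sample shows why a plain string comparison is not enough: release `9` sorts after `72` as text but is the older build.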

Package updates

Amazon Linux 2 includes the following packages.

Package

ca-certificates-2021.2.50-72.amzn2.0.1.noarch

curl-7.76.1-7.amzn2.0.2.aarch64

curl-7.76.1-7.amzn2.0.2.x86_64

device-mapper-1.02.170-6.amzn2.5.aarch64

device-mapper-1.02.170-6.amzn2.5.x86_64

device-mapper-event-1.02.170-6.amzn2.5.aarch64

device-mapper-event-1.02.170-6.amzn2.5.x86_64

device-mapper-event-libs-1.02.170-6.amzn2.5.aarch64

device-mapper-event-libs-1.02.170-6.amzn2.5.x86_64

device-mapper-libs-1.02.170-6.amzn2.5.aarch64

device-mapper-libs-1.02.170-6.amzn2.5.x86_64

glibc-2.26-54.amzn2.aarch64

glibc-2.26-54.amzn2.x86_64

glibc-all-langpacks-2.26-54.amzn2.aarch64

glibc-all-langpacks-2.26-54.amzn2.x86_64

glibc-common-2.26-54.amzn2.aarch64

glibc-common-2.26-54.amzn2.x86_64

glibc-devel-2.26-54.amzn2.x86_64

glibc-headers-2.26-54.amzn2.x86_64

glibc-langpack-en-2.26-54.amzn2.aarch64

glibc-langpack-en-2.26-54.amzn2.x86_64

glibc-locale-source-2.26-54.amzn2.aarch64

glibc-locale-source-2.26-54.amzn2.x86_64

glibc-minimal-langpack-2.26-54.amzn2.aarch64

glibc-minimal-langpack-2.26-54.amzn2.x86_64

grub2-2.06-2.amzn2.0.6.aarch64

grub2-2.06-2.amzn2.0.6.x86_64

grub2-common-2.06-2.amzn2.0.6.noarch

grub2-efi-aa64-2.06-2.amzn2.0.6.aarch64

grub2-efi-aa64-ec2-2.06-2.amzn2.0.6.aarch64

grub2-efi-aa64-modules-2.06-2.amzn2.0.6.noarch

grub2-efi-x64-ec2-2.06-2.amzn2.0.6.x86_64

grub2-pc-2.06-2.amzn2.0.6.x86_64

grub2-pc-modules-2.06-2.amzn2.0.6.noarch

grub2-tools-2.06-2.amzn2.0.6.aarch64

grub2-tools-2.06-2.amzn2.0.6.x86_64

grub2-tools-minimal-2.06-2.amzn2.0.6.aarch64

grub2-tools-minimal-2.06-2.amzn2.0.6.x86_64

kernel-4.14.246-187.474.amzn2.aarch64

kernel-4.14.246-187.474.amzn2.x86_64

kernel-devel-4.14.246-187.474.amzn2.x86_64

kernel-headers-4.14.246-187.474.amzn2.x86_64

kernel-tools-4.14.246-187.474.amzn2.aarch64

kernel-tools-4.14.246-187.474.amzn2.x86_64

libblkid-2.30.2-2.amzn2.0.5.aarch64

libblkid-2.30.2-2.amzn2.0.5.x86_64

libcrypt-2.26-54.amzn2.aarch64

libcrypt-2.26-54.amzn2.x86_64

libcurl-7.76.1-7.amzn2.0.2.aarch64

libcurl-7.76.1-7.amzn2.0.2.x86_64

libfdisk-2.30.2-2.amzn2.0.5.aarch64

libfdisk-2.30.2-2.amzn2.0.5.x86_64

libmount-2.30.2-2.amzn2.0.5.aarch64

libmount-2.30.2-2.amzn2.0.5.x86_64

libsmartcols-2.30.2-2.amzn2.0.5.aarch64

libsmartcols-2.30.2-2.amzn2.0.5.x86_64

libuuid-2.30.2-2.amzn2.0.5.aarch64

libuuid-2.30.2-2.amzn2.0.5.x86_64

lvm2-2.02.187-6.amzn2.5.aarch64

lvm2-2.02.187-6.amzn2.5.x86_64

lvm2-libs-2.02.187-6.amzn2.5.aarch64

lvm2-libs-2.02.187-6.amzn2.5.x86_64

openldap-2.4.44-23.amzn2.0.2.aarch64

openldap-2.4.44-23.amzn2.0.2.x86_64

systemd-219-78.amzn2.0.15.aarch64

systemd-219-78.amzn2.0.15.x86_64

systemd-libs-219-78.amzn2.0.15.aarch64

systemd-libs-219-78.amzn2.0.15.x86_64

systemd-sysv-219-78.amzn2.0.15.aarch64

systemd-sysv-219-78.amzn2.0.15.x86_64

util-linux-2.30.2-2.amzn2.0.5.aarch64

util-linux-2.30.2-2.amzn2.0.5.x86_64

Kernel updates

Rebase kernel to upstream stable 4.14.252.

CVEs fixed:

  • CVE-2021-3732 [ovl: Prevents private clone if bind mount is not allowed]

  • CVE-2021-38205 [net: xilinx_emaclite: Doesn't print real IOMEM pointer]

  • CVE-2020-3702 [ath: Uses safer key clearing with key cache entries]

  • CVE-2021-3653 [KVM: nSVM: Avoids picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)]

  • CVE-2021-3656 [KVM: nSVM: Always intercepts VMLOAD/VMSAVE when nested (CVE-2021-3656)]

  • CVE-2021-42008 [net: 6pack: Fixes slab-out-of-bounds in decode_data]

  • CVE-2021-3753 [vt_kdsetmode: Extends console locking]

  • CVE-2021-38198 [KVM: X86: MMU: Uses the correct inherited permissions to get shadow page]

Amazon Features and Backports:

  • Revert "gup: Documents and works around "COW can break either way" issue"

  • arm64: Implements optimized checksum routine

  • arm64: csum: Disables KASAN for do_csum()

  • arm64: csum: Optimizes IPv6 header checksum

  • arm64: csum: Fixes pathological zero-length calls

  • kvm/svm: PKU not currently supported

  • EDAC/amd64: Drops some family checks for newer systems

  • x86/amd_nb: Adds Family 19h PCI IDs

  • EDAC/mce_amd: Always loads on SMCA systems

  • x86/MCE/AMD, EDAC/mce_amd: Adds new Load Store unit McaType

  • EDAC/amd64: Makes struct amd64_family_type global

  • EDAC/amd64: Uses a macro for iterating over Unified Memory Controllers

  • EDAC/amd64: Saves max number of controllers to family type

  • EDAC/amd64: Supports more than two controllers for chip selects handling

  • EDAC/amd64: Finds Chip Select memory size using Address Mask

  • EDAC/amd64: Adds family ops for Family 19h Models 00h-0Fh

  • perf/amd/uncore: Prepares L3 thread mask code for Family 19h

  • perf/amd/uncore: Makes L3 thread mask code more readable

  • perf/amd/uncore: Adds support for Family 19h L3 PMU

  • perf/x86/amd: Constrains Large Increment per Cycle events

  • perf/x86/amd: Adds support for Large Increment per Cycle Events

  • perf/x86/amd: Fixes sampling Large Increment per Cycle events

  • perf/amd/uncore: Sets all slices and threads to restore perf stat -a behaviour

  • perf/amd/uncore: Prepares to scale for more attributes that vary per family

  • perf/amd/uncore: Allows F19h user coreid, threadmask, and sliceid specification

  • perf vendor events: Supports metric_group and no event name in JSON parser

  • perf vendor events amd: perf PMU events for AMD Family 17h

  • perf vendor events amd: Adds L3 cache events for Family 17h

  • perf vendor events amd: Removes redundant '['

  • perf vendor events amd: Restricts model detection for zen1 based processors

  • perf vendor events amd: Adds Zen2 events

  • perf vendor events amd: Updates Zen1 events to V2

  • perf vendor events amd: Adds L2 Prefetch events for zen1

  • perf vendor events amd: Adds ITLB Instruction Fetch Hits event for zen1

  • perf vendor events amd: Adds recommended events

  • perf vendor events amd: Enables Family 19h users by matching Zen2 events

  • perf vendor events amd: Fixes broken L2 Cache Hits from L2 HWPF metric

  • perf/amd/uncore: Fixes sysfs type mismatch

  • mm/page_alloc: Prints node fallback order

  • mm/page_alloc: Uses accumulated load when building node fallback list

  • ext4: Fixes race writing to an inline_data file while its xattrs are changing

Other Fixes:

  • ext4: Fixes potential htree corruption when growing large_dir directories

  • perf/x86/amd: Doesn't touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest

  • net: Fixes memory leak in ieee802154_raw_deliver

  • net: bridge: Fixes memleak in br_add_if()

  • tcp_bbr: Fixes u32 wrap bug in round logic if bbr_init() called after 2B packets

  • vsock/virtio: Avoids potential deadlock when vsock device remove

  • x86/tools: Fixes objdump version check again

  • KVM: nSVM: Always intercepts VMLOAD/VMSAVE when nested (CVE-2021-3656)

  • KVM: nSVM: Avoids picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)

  • x86/fpu: Makes init_fpstate correct with optimized XSAVE

  • fs: Warns about impending deprecation of mandatory locks

  • virtio: Improves vq->broken access to avoid any compiler optimization

  • KVM: x86/mmu: Treats NX as used (not reserved) for all !TDP shadow MMUs

  • KVM: X86: MMU: Uses the correct inherited permissions to get shadow page