Another day, another bash version bump. This is the final version of the
patch to add a special prefix and suffix to exported functions in the
environment, preventing bugs similar to the previous two from becoming
remotely exploitable.
http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00279.html
There still remain two less significant memory-access issues, dubbed
CVE-2014-7186 and CVE-2014-7187. So expect another bump soon.
http://www.openwall.com/lists/oss-security/2014/09/25/32
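Added example, not part of the commit above or of the bash patch it references. It shows what the "special prefix and suffix" looks like from a script's point of view: after the patch, an exported function no longer appears in the environment under its bare name, so an ordinary environment variable can no longer be mistaken for a function definition. The exact suffix depends on which variant of the patch a distribution ships (upstream uses "%%", some vendors "()"), so the check only looks for the BASH_FUNC_ prefix. The function name probe_fn is a constructed example.

```shell
#!/bin/sh
# Added example (not the project's code). Reports how the installed bash names
# exported functions in the environment of child processes.

exported_function_env_name() {
    # Define and export a function in a child bash, then list the environment
    # entries belonging to it. Prints:
    #   prefixed - the entry carries the BASH_FUNC_ prefix (patched bash)
    #   bare     - the old unprefixed form is used (pre-patch behaviour)
    #   nobash   - no bash binary is available to test
    command -v bash >/dev/null 2>&1 || { echo nobash; return 0; }
    names=$(bash -c 'probe_fn() { :; }; export -f probe_fn;
                     env | grep -e "^probe_fn=" -e "^BASH_FUNC_probe_fn" | cut -d= -f1')
    case "$names" in
        BASH_FUNC_probe_fn*) echo prefixed ;;
        probe_fn)            echo bare ;;
        *)                   echo unknown ;;
    esac
}

# Usage: exported_function_env_name
```

On a patched system the environment entry reads BASH_FUNC_probe_fn%%=() { ... (or BASH_FUNC_probe_fn()=... on vendor variants), which is why the check keys on the prefix rather than the suffix.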
Prioritizing security and stability over performance in SSH, omitting
this kind of patch is generally more consistent with our objectives.
Visibly this removes "-hpn14v4" from the OpenSSH protocol banner:
SSH-2.0-OpenSSH_6.6p1-hpn14v4
Discussion: https://github.com/coreos/bugs/issues/149
Pruning files via INSTALL_MASK in the profile is a bit more appropriate
since it allows us to keep most of that info in one place. The only
parts that need to be deleted or adjusted here are inputs and outputs of
`env-update` which has to be run after everything is installed.
Previously we didn't actually clean up `env.d` at all, which led at
least one user to think they should edit those files and run
`env-update` themselves but we don't ship that tool on prod images.
Some of these were deleted by build_image, others were still being
shipped but aren't really needed.
The big question mark is LVM: it isn't clear if LVM's default behavior
is actually sane or if the configs are needed to make it sane. Either
way we were already removing this, but something to note in case issues
crop up eventually.
This sets the IMG_FORCE_OEM_PACKAGE variable to the supplied string. If a
':' is present, what follows it gets put in the IMG_FORCE_OEM_USE variable
and what precedes in the former.
_get_vm_opt() has been modified to generally support forced overrides such
as this one; simply set variables named IMG_FORCE_$opt.
Now you can do things like:
for fmt in cloudstack \
           digitalocean \
           ec2-compat:ec2 \
           ec2-compat:openstack \
           ec2-compat:brightbox \
           exoscale \
           gce \
           hyperv \
           rackspace \
           rackspace-onmetal; do
    ./image_to_vm.sh --format=qemu --oem_pkg=$fmt
    ../build/images/amd64-usr/latest/coreos_developer_qemu.sh -curses
done
rather than having to modify build_library/vm_image_util.sh to test oem
builds in qemu.
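Added example, not the repository's own build_library/vm_image_util.sh code. It mimics the two behaviours the commit above describes: splitting a "pkg:useflag" value into IMG_FORCE_OEM_PACKAGE and IMG_FORCE_OEM_USE, and a _get_vm_opt-style lookup in which any IMG_FORCE_<opt> variable overrides the per-format default. The per-format default table (IMG_DEFAULT_<format>_<opt>) and the rule that a forced variable wins even when it is set to the empty string are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the project's code). Forced OEM package override and
# option lookup in the style of image_to_vm.sh / _get_vm_opt().

set_oem_package_override() {
    # $1 is the --oem_pkg argument. Everything before the first ':' is the
    # package, everything after it the USE flag; no ':' means no USE flag.
    case "$1" in
        *:*)
            IMG_FORCE_OEM_PACKAGE=${1%%:*}
            IMG_FORCE_OEM_USE=${1#*:}
            ;;
        *)
            IMG_FORCE_OEM_PACKAGE=$1
            IMG_FORCE_OEM_USE=
            ;;
    esac
    export IMG_FORCE_OEM_PACKAGE IMG_FORCE_OEM_USE
}

# Constructed per-format defaults standing in for the real tables; hyphens in
# format names are mapped to underscores to form valid variable names.
IMG_DEFAULT_ec2_OEM_PACKAGE=oem-ec2-compat
IMG_DEFAULT_ec2_OEM_USE=ec2

get_vm_opt() {
    # get_vm_opt FORMAT OPT [DEFAULT]
    # A set IMG_FORCE_<OPT> wins (even if empty), then the format's own
    # default, then the supplied fallback.
    fmt=$1; opt=$2; dflt=$3
    if eval "[ -n \"\${IMG_FORCE_${opt}+set}\" ]"; then
        eval "printf '%s\n' \"\$IMG_FORCE_${opt}\""
        return 0
    fi
    key="IMG_DEFAULT_$(printf '%s' "$fmt" | tr '-' '_')_${opt}"
    if eval "[ -n \"\${${key}+set}\" ]"; then
        eval "printf '%s\n' \"\$${key}\""
    else
        printf '%s\n' "$dflt"
    fi
}

# Usage, as in the commit message's loop (image_to_vm.sh itself is not run here):
#   set_oem_package_override ec2-compat:openstack
#   get_vm_opt qemu OEM_PACKAGE   # -> ec2-compat, the forced value
#   get_vm_opt qemu OEM_USE       # -> openstack
```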
We enabled ipset support a while back but missed NETFILTER_XT_SET which
is needed for using ipsets in iptables rules. Enable a few other
iptables options we were missing just in case someone wants them.
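Added example, not from the commit above. The failure the commit fixes only surfaces when a rule that uses "-m set" is loaded, so a build-time check against the kernel config is the cheaper place to catch it. The function reads a kernel .config (or the output of zcat /proc/config.gz) and reports the requested options that are neither built in (=y) nor modules (=m). The sample config fragment is constructed for the example; the only option name taken from the commit is NETFILTER_XT_SET.

```shell
#!/bin/sh
# Added example (not the project's code). Reports kernel config options that
# are missing or disabled, e.g. before relying on ipset matches such as
#   ipset create blocklist hash:ip
#   iptables -A INPUT -m set --match-set blocklist src -j DROP
# which need CONFIG_IP_SET and CONFIG_NETFILTER_XT_SET.

missing_kconfig_options() {
    # $1: path to a kernel config; remaining args: CONFIG_ names to require.
    # Prints one line per option that is not =y or =m (including options
    # recorded as "# CONFIG_X is not set" and options absent altogether).
    cfg=$1; shift
    for opt in "$@"; do
        if ! grep -q "^${opt}=[ym]$" "$cfg"; then
            printf '%s\n' "$opt"
        fi
    done
}

# Constructed sample config standing in for a real kernel .config: ipset is
# enabled but the iptables match extension is not.
SAMPLE_KCONFIG=$(mktemp)
cat >"$SAMPLE_KCONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_SET=m
CONFIG_IP_SET_HASH_IP=m
# CONFIG_NETFILTER_XT_SET is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
EOF

check_sample() {
    # Returns the options the sample config lacks for ipset-based rules.
    missing_kconfig_options "$SAMPLE_KCONFIG" \
        CONFIG_IP_SET CONFIG_NETFILTER_XT_SET CONFIG_NETFILTER_XT_MATCH_CONNTRACK
}

# Usage against a running kernel:
#   missing_kconfig_options /boot/config-$(uname -r) CONFIG_IP_SET CONFIG_NETFILTER_XT_SET
```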