v4.2.6

4.2.6 - 2024-10-04

Added

• (NEXMANAGE-515) Update dispatcher SOTA related classes for supporting TiberOS
• (NEXMANAGE-598) Expanding INBC for handling TiberOS update cmd
• Updated proto files to add new RPC calls to allow edge node to update
  its status with INBS.
• (NEXMANAGE-610) Add functionality to INBM Cloudadapter-agent to support OOB AMT RPC command requests from INBS
• Update TiberOS name to "tiber"
• (NEXMANAGE-613) Store Scheduled updates in DB, Add nodeUpdate communication stream, and plumbing to return correct jobID on scheduled request.

Changed

• (NEXARL-306) Update agents' prerm script to prevent them from disabling and stopping if it's an upgrade process

Fixed

• (NEXMANAGE-746) Add extra sleeptime in INBM tpm script to resolve ARL platform issue

Security

• Updated 'docker' go library version in trtl to 25.0.6, fixing CVE-2024-41110
• Updated 'cryptography' Python library in dispatcher to 43.0.1, fixing GHSA-h4gh-qq45-vh27.

Changed

• Removed all references to future library as we do not use Python 2
• (NEX-11354) Moved /etc/dispatcher_state to /var/intel-manageability/dispatcher_state
• (NEXMANAGE-744) Remove psutil in favor if shutil.disk_usage to save space
• (NEXMANAGE-744) Don't pull in dmidecode in inbm-lib -- pull in only in telemetry
• (NEXMANAGE-744) Removed all references to future library as we do not use Python 2

v4.2.5

4.2.5 - 2024-09-04

Fixed

• Added #!/usr/bin/python3 lines to agents to work in source install mode.

v4.2.4.2

4.2.4.2 - 2024-08-09

Fixed

• (NEXMANAGE-493) Fixed dispatcher error in getting granular log during download-only mode

v4.2.4

4.2.4 - 2024-07-24

Added

• Added INBS cloud with Ping support to Cloudadapter
• Added firmware update support to Arrow Lake specifically using a generic script that will work for any platform using fwupdtool
• (NEXMANAGE-259) Update status enhancements(granular package level data) in INBM
• (NEXMANAGE-314) Fixed Cloudadapter sometimes sends INBS commands to Dispatcher before it's fully up

Fixed

• Fixed some Yocto issues found after migrating to scarthgap
• (NEXARL-195) Fixed device tree detection check on systems that implement only part of device tree
• (NEXARL-279) Fixed system would not be able to access secret volume after fwupd on Arrow Lake platform

Security

• Bump requests from 2.31.0 to 2.32.2 in multiple agents resolving detected 3rd party CVE: CVE-2024-35195
• Bump urllib3 from 1.26.18 to 1.26.19 in cloudadapter agent and dispatcher agent resolving detected 3rd party CVE: CVE-2024-37891
• Bump setuptools from 65.5.1 to 70.0.0 in multiple agents resolving detected 3rd party CVE: CVE-2024-6345
• Bump certifi from 2023.7.22 to 2024.07.04 in dispatcher agent resolving detected 3rd party CVE: CVE-2024-39689
• Bump golang-runtime from 1.20.14 to 1.22.5 in all go binaries resolving detected 3rd party CVE: CVE-2024-24790

v4.2.3

4.2.3 - 2024-05-02

Changed

• Moved service files from /lib to /usr/lib for all Linux OSes

Security

• Bump golang.org/x/net from 0.17.0 to 0.23.0 in /inbm/trtl resolving detected 3rd party CVE: CVE-2023-45288

v4.2.2

4.2.2 - 2024-03-26

Changed

• Removed remaining Bit Creek code including 'Target' references from the manifest schema.

Fixed

• RTC 539880 - Fix encountered disconnected with code 7 after successfully provision to Azure cloud

Security

• Bump cryptography to 42.0.4, resolving CVE-2024-26130
• Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible in /inbm/trtl, resolving CVE-2024-21626 and CVE-2024-24557 (NOTE: trtl does not use runc or Docker Engine, so these CVEs would not actually apply to this project)

v4.2.1

Changed

• Added --build-windows and --build-check flags to build scripts to allow optional skipping of Windows build and unit tests/mypy checks. One example scenario where this would be useful would be building an official version that has already been validated and unit tests already run, to reduce build time. Another scenario would be to skip the Windows build if the user only needs a Linux build.

Fixed

• RTC 538468 - paho-mqtt upgrade broke cloudadapter's mqtt connections. Fixed proxy setting code to not override all sockets with proxy as paho-mqtt 1.6.0 relies on listening/connecting to localhost to set up sockets, and this doesn't work with a global proxy on all sockets.
• RTC 538549 - improved errors when unable to fetch from URLs. For example, if INBM receives a "404 Not Found" it will return this as part of its error instead of simply returning a generic error message about being unable to fetch the URL.
• RTC 538524 - GUID missing when not provided by manifest when running fwupdate tool
• RTC 530960 - Fix SOTA snapshot conditions to not reboot twice on EXT4 system

Security

• RTC 537811 - Bump cryptography from 41.0.6 to 42.0.2 in /inbm/dispatcher-agent (addresses CVE-2023-5678, CVE-2023-6129)

v4.2.0

Changed

• RTC 536078 - Added package list option to inbc, cloud, and internal manifest. This allows SOTA to run an install/upgrade command on a set of individual packages rather than all installed packages.

Added

• RTC 536601 - Added 'source' command to INBM. This command manages /etc/apt/sources.list and /etc/apt/sources.list.d/* and associated gpg keys on Ubuntu.
• RTC 537769 - Added verification of GPG key URIs against a list of trusted repositories for enhanced security

check if sourceApplication Gpg key URL is in trusted repo

Fixed

• RTC 534426 - Could not write to /var/log/inbm-update-status.log on Yocto due to /var/log being a symlink to /var/volatile/log.
• RTC 523677 - Improve INBC error logging - invalid child tag not printed
• RTC 522583 - Fix missing SOTA logs
• RTC 534998 - Fix SOTA failure due to snapshot error
• Fixed some mismatched types in abstract classes vs subtypes in dispatcher agent
• Fixed some container mode issues

Security

• RTC 533615 - Validate GUID format in manifest using XML schema.

•          Ensure the GUID in the manifest if provided matches one of the GUIDs on the system before performing a FOTA.
  

• dependabot: update golang.org/x/net from 0.14.0 to 0.17.0 in /inbm/trtl (addresses CVE-2023-39325, CVE-2023-44487)
• update pypi urllib3 from 1.26.17 to 1.26.18 (addresses CVE-2023-45803 in urllib3)
• dependabot: bump github.com/docker/docker from 24.0.5+incompatible to 24.0.7+incompatible in /inbm/trtl (addresses GHSA-jq35-85cj-fj4p)
• update included reference certifi source code from 2020.12.05 to 2023.7.22, which was not a security issue per se but was flagged in BDBA as it contains CVE-2022-23491 and CVE-2023-37920
• dependabot: Bump pyinstaller from 5.13.0 to 5.13.1 in all agents/programs (addresses CVE-2023-49797)
• RTC 536046 - Add a workflow to perform signature checks for AOTA packages if user enrolled a key during provisioning

v4.1.4

4.1.4 - 2023-10-11

Fixed

• RTC 533936 - [INBM] Fix sota Kernel upgrade failure

Added

• Add firmware update database entry for NUC12WSHv5 using /usr/bin/iFlashVLnx64. This tool can be downloaded from https://www.intel.com/content/www/us/en/download/19504/intel-aptio-v-uefi-firmware-integrator-tools-for-intel-nuc.html

Security

• dependabot: update cryptography from 41.0.3 to 41.0.4
• update urllib3 from 1.26.16 to 1.26.17 (addresses CVE-2023-43804 in urllib3)

v4.1.3

4.1.3 - 2023-09-05

Fixed

• RTC 532663 - [INBM][UCC][Bug] During every windows reboot there will be a temporary folder created
• RTC 531795 - [Bug] inbc defaults to deviceReboot=yes even with download-only mode
• RTC 531796 - [Bug] dispatcher reboots device after failed update even in download-only mode
• RTC [533020] - Fix SOTA to handle dpkg interactive prompt
• RTC 532662 - [INBM][UCC][Bug] INBM fails to send telemetry when IP is changed manually
• Changed golang builds to not depend on glibc.
• Updated OpenSSL download path in Windows installer.

Added

• RTC 532655 - Add AOTA docker-compose up,down and pull commands to INBC
• RTC 532848 - Add AOTA docker pull, import, load and remove commands to INBC

Security

• (dependabot) - Updated cryptography from 41.0.0 to 41.0.2
• (dependabot) - Updated cryptography from 41.0.2 to 41.0.3
• Updated golang runtime from 1.20.5 to 1.20.6
• (533039) Added Intel standard compiler flags and settings to golang builds
• (533037) CT72 - Secure Configuration Guidance: remove all remaining Telit references
• Update to Python 3.11 to address some CVEs.
• Update Windows Dockerfile to pull in Python 3.11.5 to address some CVEs.