Mariner Release Notes Security Update secure@microsoft.com The Microsoft Security Response Center (MSRC) identifies, monitors, resolves, and responds to security incidents and Microsoft software security vulnerabilities. For more information, see http://www.microsoft.com/security/msrc. 2014-Feb 2014-Feb Final 1.0 6 2026-02-18T01:27:51 Mariner Release Notes 2014-02-02T00:00:00 2026-02-18T01:27:51 <p>Mariner Release notes</p> The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. cm1 libtar 1.2.20-8 on CBL Mariner 1.0 cbl2 libtar 1.2.20-8 on CBL Mariner 2.0 azl3 libtar 1.2.20-11 on Azure Linux 3.0 cbl2 kernel 5.15.148.2-2 on CBL Mariner 2.0 azl3 kernel 6.6.29.1-4 on Azure Linux 3.0 azl3 kernel 6.6.35.1-4 on Azure Linux 3.0 cm1 cpio 2.13-3 on CBL Mariner 1.0 cbl2 cpio 2.13-5 on CBL Mariner 2.0 cbl2 kernel 5.15.160.1-1 on CBL Mariner 2.0 azl3 cpio 2.14-1 on Azure Linux 3.0 cbl2 kernel 5.15.148.2-2 on CBL Mariner 2.0 azl3 kernel 6.6.29.1-4 on Azure Linux 3.0 azl3 kernel 6.6.35.1-4 on Azure Linux 3.0 azl3 libtar 1.2.20-11 on Azure Linux 3.0 cm1 cpio 2.13-3 on CBL Mariner 1.0 cbl2 cpio 2.13-5 on CBL Mariner 2.0 cm1 libtar 1.2.20-8 on CBL Mariner 1.0 cbl2 libtar 1.2.20-8 on CBL Mariner 2.0 cbl2 kernel 5.15.160.1-1 on CBL Mariner 2.0 azl3 cpio 2.14-1 on Azure Linux 3.0 Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file. <p><strong>Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?</strong></p> <p>One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See <a href="https://www.microsoft.com/en-us/msrc/blog/2025/10/toward-greater-transparency-machine-readable-vulnerability-exploitability-xchange-for-azure-linux">this blog</a> post for more information. If impact to additional products is identified, we will update the CVE to reflect this.</p> Mariner redhat Yes CVE-2013-4420 19222-16820 19223-16823 18850-17084 19222-16820 19223-16823 18850-17084 Moderate 19222-16820 Moderate 19223-16823 Moderate 18850-17084 CBL-Mariner Releases 19222-16820 19223-16823 No Security Update 1.2.20-8 https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade 19222-16820 19223-16823 CBL-Mariner Releases CBL-Mariner Releases 18850-17084 No Security Update 1.2.20-11 https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade 18850-17084 CBL-Mariner Releases 1.0 2020-08-18T00:00:00 <p>Information published.</p> 1.1 2021-12-16T00:00:00 <p>Added libtar to CBL-Mariner 2.0</p> 1.2 2024-06-30T07:00:00 <p>Information published.</p> The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes which allows local users to obtain sensitive information from kernel memory cause a denial of service (memory corruption and system crash) or possibly gain privileges via a writev system call with a crafted pointer. <p><strong>Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?</strong></p> <p>One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See <a href="https://www.microsoft.com/en-us/msrc/blog/2025/10/toward-greater-transparency-machine-readable-vulnerability-exploitability-xchange-for-azure-linux">this blog</a> post for more information. If impact to additional products is identified, we will update the CVE to reflect this.</p> Mariner redhat Yes CVE-2014-0069 16960-16823 17062-17084 19702-17086 17065-17084 16960-16823 17062-17084 19702-17086 17065-17084 Important 16960-16823 Important 17062-17084 19702-17086 17065-17084 CBL-Mariner Releases 16960-16823 19702-17086 No Security Update 5.15.148.2-2 https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade 16960-16823 19702-17086 CBL-Mariner Releases CBL-Mariner Releases 17062-17084 No Security Update - https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade 17062-17084 CBL-Mariner Releases CBL-Mariner Releases 17065-17084 No Security Update 6.6.29.1-4 https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade 17065-17084 CBL-Mariner Releases 1.0 2024-02-06T00:00:00 <p>Information published.</p> 1.1 2024-06-30T07:00:00 <p>Information published.</p> cpio, as used in build 2007.05.10, 2010.07.28, and possibly other versions, allows remote attackers to overwrite arbitrary files via a symlink within an RPM package archive. <p><strong>Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?</strong></p> <p>One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See <a href="https://www.microsoft.com/en-us/msrc/blog/2025/10/toward-greater-transparency-machine-readable-vulnerability-exploitability-xchange-for-azure-linux">this blog</a> post for more information. If impact to additional products is identified, we will update the CVE to reflect this.</p> Mariner mitre Yes CVE-2010-4226 Improper Link Resolution Before File Access (&#39;Link Following&#39;) 19011-16820 19221-16823 19929-17084 19011-16820 19221-16823 19929-17084 Moderate 19011-16820 Moderate 19221-16823 Moderate 19929-17084 7.2 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 19011-16820 7.2 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 19221-16823 7.2 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 19929-17084 CBL-Mariner Releases 19011-16820 No Security Update 2.13-3 https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade 19011-16820 CBL-Mariner Releases CBL-Mariner Releases 19221-16823 No Security Update 2.13-5 https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade 19221-16823 CBL-Mariner Releases 1.0 2025-09-03T20:26:05 <p>Information published.</p> 1.1 2026-02-18T01:27:51 <p>Information published.</p>