------------------------------
Title: March 25, 2024
[content]
AlloyDB for PostgreSQL
Issue
AlloyDB clusters created using the Google Cloud CLI, the AlloyDB Admin API, or Terraform have PostgreSQL 14 compatibility by default, instead of PostgreSQL 15 compatibility.

To mitigate this issue, take either one of the following steps:


Specify PostgreSQL version 15 when creating a cluster, instead of relying on the default value.
Use the Google Cloud console to create the cluster.

Artifact Registry
Feature
The software bill of materials (SBOM) feature is now Generally Available (GA).
To learn more, see SBOM overview.
Changed
Artifact Analysis support for Vulnerability Exploitability eXchange (VEX) statements now includes the capability to upload VEX statements for multiple versions of an image. You can specify whether to associate a VEX statement with one image digest, or all versions of an image. This feature is in Preview. To learn more, see Upload VEX statements.
Backup and DR
Feature
Backup and DR Service added support to view daily scheduled compliance logs in Cloud Logging.
Feature
Backup and DR Service added support to view daily scheduled compliance reports in BigQuery.
BigQuery
Libraries
A weekly digest of client library updates from across the Cloud SDK.

JavaChanges for google-cloud-bigquery

2.38.2 (2024-03-21)

Dependencies


Update actions/checkout action (#3190) (940e4f6)
Update arrow.version to v15.0.1 (#3189) (fb6284e)
Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.39.0 (#3186) (9e705a1)
Update dependency com.google.apis:google-api-services-bigquery to v2-rev20240229-2.0.0 (#3188) (a018424)
Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.43.0 (#3187) (497ff29)
Update dependency com.google.cloud:sdk-platform-java-config to v3.28.1 (#3196) (61f23a3)
Update github/codeql-action action to v2.24.6 (#3178) (8843cae)
Update github/codeql-action action to v2.24.7 (#3194) (2e2d730)
Update github/codeql-action action to v2.24.8 (#3198) (bd81a56)


Chronicle
Feature
Chronicle Applied Threat Intelligence helps you identify and respond to threats. When enabled, it ingests IOCs curated by Mandiant Threat Intelligence with an IC-Score greater than 80 and generates an error when a match is found. The following are some of the features of Applied Threat Intelligence.


Event-level enrichment: All telemetry in Chronicle is enriched with Google Threat Intelligence which is a combination of Mandiant and Virus Total, including all threat intelligence associations like campaigns and actors.
Sophisticated indicator matching: Curated out-of-the-box detections that deliver sophisticated indicator matching using augmented prioritization logic, noise reduction based on customer environment context, and other correlation techniques to maximize signal to noise.
Active breach alerting: Uses Mandiant's incident response intelligence to alert on potential active breaches delivering on our no patient 1 vision. 
Curated behavioral detections for emerging threats: To protect against newly emerging risks and tactics, techniques, and procedures (TTPs), Applied Threat Intelligence uses real-time insights.
DIY detection engineering and response automation: Access to Fusion intelligence (formerly known as Mandiant Fusion) for the following.


Customer authoring of rules
Customer development of response playbooks

Curated views for Investigation and triage Insights: Applied Threat Intelligence provides curated  views that show valuable associations between an indicator and threat actor, threat campaign, or malware, statistics about a threat observed in customer environments. These views are invaluable for all security operations workflows.


For more information about Applied Threat Intelligence, see Applied Threat Intelligence overview.
Cloud Asset Inventory
Feature
The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.


Compute Engine

compute.googleapis.com/NetworkEdgeSecurityService

Database Migration

datamigration.googleapis.com/ConversionWorkspace

Redis

redis.googleapis.com/Cluster


Cloud Composer
Issue
In Cloud Composer versions from 2.1.0 to 2.6.4, task instances that succeeded in the past can be marked as FAILED in some cases. We recommend to upgrade to Cloud Composer version 2.6.5 or later where this issue is fixed. For more information, see the related known issue.
Cloud Logging
Libraries
A weekly digest of client library updates from across the Cloud SDK.

JavaChanges for google-cloud-logging

3.16.2 (2024-03-20)

Dependencies


Update dependency com.google.cloud:sdk-platform-java-config to v3.28.0 (#1560) (d52e623)
Update dependency com.google.cloud:sdk-platform-java-config to v3.28.1 (#1563) (81aa3e6)


Cloud SQL for MySQL
Feature
Private Service Connect now includes support for cross-region read replicas. You can also choose an availability type (REGIONAL or ZONAL) for Private Service Connect-enabled instances. Both features are in GA.
Cloud SQL for PostgreSQL
Feature
Private Service Connect now includes support for cross-region read replicas. You can also choose an availability type (REGIONAL or ZONAL) for Private Service Connect-enabled instances. Both features are in GA.
Cloud SQL for SQL Server
Feature
You can now use Private Service Connect to connect to a Cloud SQL for SQL Server instance. This solution allows you to connect to the instance from multiple VPC networks that belong to different groups, teams, projects, or organizations.

Private Service Connect includes support for cross-region read replicas. You can also choose an availability type (REGIONAL or ZONAL) for Private Service Connect-enabled instances. 

All features are in GA.
Container Optimized OS
Changed
cos-beta-113-18244-1-7 


  
    Kernel
    Docker
    Containerd
    GPU Drivers
  
  
    COS-6.1.77
    v24.0.9
    v1.7.10
    v535.154.05(default, latest),v470.223.02(R470 for compatibility with K80 GPUs)
  

Announcement
Updates to Major Packages:
Feature
Updated cos-gpu-installer to v2.2.0. Some key features of this update include: 

Switched precompiled
driver and signature location to COS build artifacts for M109.
This fixes a permissions issue in the GPU driver install directory with OSS drivers.
Added major version specification for GPU driver installation.

Changed
Update default and latest NVIDIA GPU drivers to v535.154.05.
Changed
Updated sys-apps/systemd to v254.9.
Changed
Updated docker-credential-gcr to v2.1.22.
Changed
Updated app-containers/docker-cli to v24.0.5.
Changed
Updated app-emulation/kubernetes to v1.29.1.
Changed
Updated app-containers/containerd to v1.7.10.
Changed
Updated app-containers/runc to v1.1.12.
Changed
Upgraded app-emulation/cloud-init to v23.4.3.
Fixed
Upgraded app-admin/oslogin to v20231004.00.
Changed
Upgraded app-admin/google-osconfig-agent to v20240126.00.
Changed
Upgraded app-admin/google-guest-agent to v20240213.00.
Changed
Upgraded app-admin/google-guest-configs to v20240122.00.
Changed
Updated app-admin/sosreport to v4.6.1.
Changed
Updated latest GPU driver to v535.104.05.
Changed
Updated GPU drivers to v535.54.03 (R535 LTSB NVIDIA branch).
Changed
Upgraded app-containers/docker-credential-helpers to v0.8.1.
Changed
Runtime sysctl changes:

Added: net.ipv4.tcp_backlog_ack_defer: 1
Changed: fs.epoll.max_user_watches: 1809920 -> 1809474
Changed: fs.fanotify.max_user_marks: 67577 -> 67560
Changed: fs.file-max: 812606 -> 812400
Changed: fs.inotify.max_user_watches: 63456 -> 63441
Changed: kernel.threads-max: 63520 -> 63504
Changed: net.core.optmem_max: 20480 -> 131072
Changed: net.ipv4.tcp_mem: 94092    125456  188184 -> 94068 125424  188136
Changed: net.ipv4.udp_mem: 188184   250912  376368 -> 188136    250848  376272
Changed: net.ipv6.route.max_size: 4096 -> 2147483647
Changed: user.max_cgroup_namespaces: 31760 -> 31752
Changed: user.max_fanotify_marks: 67577 -> 67560
Changed: user.max_inotify_watches: 63456 -> 63441
Changed: user.max_ipc_namespaces: 31760 -> 31752
Changed: user.max_mnt_namespaces: 31760 -> 31752
Changed: user.max_net_namespaces: 31760 -> 31752
Changed: user.max_pid_namespaces: 31760 -> 31752
Changed: user.max_time_namespaces: 31760 -> 31752
Changed: user.max_user_namespaces: 31760 -> 31752
Changed: user.max_uts_namespaces: 31760 -> 31752
Changed: vm.lowmem_reserve_ratio: 256   256 32  0 -> 256    256 32  0   0

Added: net.netfilter.nf_flowtable_tcp_timeout: 30
Added: net.netfilter.nf_flowtable_udp_timeout: 30

Changed: fs.file-max: 812608 -> 812606

Added: net.ipv4.tcp_shrink_window: 0
Added: net.ipv6.conf.all.accept_ra_min_lft: 0
Added: net.ipv6.conf.default.accept_ra_min_lft: 0
Added: net.ipv6.conf.docker0.accept_ra_min_lft: 0
Added: net.ipv6.conf.eth0.accept_ra_min_lft: 0
Added: net.ipv6.conf.lo.accept_ra_min_lft: 0

Added: kernel.io_uring_disabled: 0
Changed: fs.file-max: 812619 -> 812608
Changed: kernel.threads-max: 63519 -> 63520
Changed: net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd: 0 -> 3
Changed: net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent: 0 -> 3
Changed: user.max_cgroup_namespaces: 31759 -> 31760
Changed: user.max_ipc_namespaces: 31759 -> 31760
Changed: user.max_mnt_namespaces: 31759 -> 31760
Changed: user.max_net_namespaces: 31759 -> 31760
Changed: user.max_pid_namespaces: 31759 -> 31760
Changed: user.max_time_namespaces: 31759 -> 31760
Changed: user.max_user_namespaces: 31759 -> 31760
Changed: user.max_uts_namespaces: 31759 -> 31760

Changed: fs.epoll.max_user_watches: 1809474 -> 1809452
Changed: fs.file-max: 812400 -> 812392
Changed: kernel.threads-max: 63504 -> 63503
Changed: net.ipv4.tcp_mem: 94068    125424  188136 -> 94065 125423  188130
Changed: net.ipv4.udp_mem: 188136   250848  376272 -> 188133    250847  376266
Changed: user.max_cgroup_namespaces: 31752 -> 31751
Changed: user.max_ipc_namespaces: 31752 -> 31751
Changed: user.max_mnt_namespaces: 31752 -> 31751
Changed: user.max_net_namespaces: 31752 -> 31751
Changed: user.max_pid_namespaces: 31752 -> 31751
Changed: user.max_time_namespaces: 31752 -> 31751
Changed: user.max_user_namespaces: 31752 -> 31751
Changed: user.max_uts_namespaces: 31752 -> 31751

Changed: fs.file-max: 812620 -> 812619

Added: fs.overflowgid: 65534
Added: fs.overflowuid: 65534


Announcement
New Features and Changes in the Linux Kernel:
Feature
Added additional option to existing kernel cmdline flag that moves protected stateful partition integrity tags to memory.
Fixed
Fixed a kernel crash that occurred when running Postgres databases.
Feature
Enabled TDX Guest support in the Linux Kernel.
Changed
Updated the Linux kernel to v6.1.77.
Announcement
New Features and Changes in the Image:
Feature
Changed default umask value for a user to 027.
Feature
Removed legacy logging agent (fluentd).
Feature
Fragmented nvidia-drivers and nvidia-drivers-open pkg into separate packages per major version.
Feature
Enhanced integrity-fs with disk resize and dm-clone.
Feature
Removed deprecated R525 NVIDIA GPU drivers.
Feature
Added support for dm-zero and dm-clone.
Feature
Sosreport now includes GPU Installer logs.
Fixed
Fixed a performance issue that was observed in Postgres databases.
Fixed
Fixed a container performance issue that occurred after running systemctl start cloud-audit-setup.
Feature
Updated NVIDIA GPU drivers.
Feature
Backported support for TCP RTO configuration in networkd.
Feature
Enable portmapper registration reporting for lsof. This also fixes an issue where lsof is missing from SOS reports.
Feature
Add compiler mitigations to mitigate memory corruption vulnerabilities.
Feature
Sequence named before nss-lookup.target.
Fixed
Restore systemd-logind restart behavior when dbus restarts.
Changed
Fixed an issue where symlinks could not be moved.
Fixed
Fixed an issue where IPv6 networking would fail under high CPU load.
Fixed
Fixed an issue with NFS reconnects on GKE.
Fixed
The get_metadata_value script will now retry if it experiences a connection error.
Fixed
Enabled persistence mode with Nvidia GPU driver installation.
Fixed
Fixed an issue in ip6tables where the -C option did not work correctly.
Changed
Simplified GPU driver installation by remounting driver installation path as executable from cos-extensions.
Feature
Added support for user.* xattr on tmpfs.
Feature
Added automatic generation of known modules list to image build process.
Feature
Include nvidia plugin into sosreport.
Feature
Added support for iSCSI targets and RAM block devices.
Fixed
Fixed a time-to-login slowdown introduced by cloud-init changes.
Announcement
CVE/Security Fixes:
Security
Fixed CVE-2024-21626 in app-containers/runc.
Security
Upgraded app-editors/vim to v9.0.2167 and app-editors/vim-core to v9.0.2167. This resolves CVE-2023-4733, CVE-2023-4734, CVE-2023-4735, CVE-2023-4736, CVE-2023-4738, CVE-2023-4750, CVE-2023-4752, CVE-2023-4781, CVE-2023-5344, CVE-2023-5441, CVE-2023-5535.
Security
Updated dev-lang/go to v1.21.5. This fixes CVE-2023-45285 and CVE-2023-39326.
Security
Upgraded dev-go/crypto to v0.17.0. This fixes CVE-2023-48795.
Security
Upgraded sys-apps/dbus to v1.12.28. This fixes CVE-2023-34969.
Security
Fixed CVE-2023-49083 in package dev-python/cryptography.
Security
Fixed CVE-2023-6622, CVE-2023-5197, CVE-2023-42753, CVE-2023-4921, CVE-2023-4623, CVE-2023-4194, CVE-2024-23851, CVE-2024-26581 in the Linux kernel.
Security
Updated net-libs/nghttp2 to v1.57.0. This resolves CVE-2023-44487 and CVE-2023-35945.
Security
Updated dev-go/net to v0.17.0. This resolves CVE-2023-44487 and CVE-2023-39325.
Security
Fixed CVE-2023-4911 in sys-libs/glibc.
Security
Fixed CVE-2023-38039 in net-misc/curl.
Security
Fixed CVE-2023-5345 and CVE-2023-42756 in COS kernel.
Security
Fixed CVE-2023-32636, CVE-2023-29499, CVE-2023-32643, CVE-2023-32665, CVE-2023-32611 in glib and glib-utils.
Security
Upgraded sys-fs/mdadm to v4.2. This resolves CVE-2023-28938 and CVE-2023-28736.
Security
Fixed CVE-2023-4016 in sys-process/procps.
Security
Updated dev-go/yaml to v3.0.1. This resolves CVE-2022-28948.
Security
Fixed CVE-2022-40896 in pygments.
Security
Fixed CVE-2023-24329 and CVE-2023-40217 in dev-lang/python.
Security
Fixed ncurses upgrade to 6.4p20220423. This resolves CVE-2023-29491.
Security
Upgraded dev-db/sqlite to v3.45.1-r1. This also fixes CVE-2023-7104.
Security
Fixed CVE-2023-40546, CVE-2023-40548, CVE-2023-40549, CVE-2023-40551, CVE-2023-40547, and CVE-2023-40550 in sys-boot/shim.
Security
Upgrade docker to v24.0.9. This fixes CVE-2024-24557.
Security
Updated dev-libs/openssl to v3.0.13. This resolves CVE-2024-0727 and CVE-2023-6129.
Security
Fixed CVE-2024-0684 in sys-apps/coreutils.
Security
Upgraded net-misc/curl to version 8.6.0. This fixes CVE-2024-0853 and CVE-2023-38545.
Security
Updated dev-libs/libxml2 to 2.11.7. This fixes CVE-2024-25062.
Security
Updated default GPU driver to v470.199.02 and latest GPU driver to v525.125.06. This resolves CVE-2023-25515 and CVE-2023-25516.
Announcement
Updates for Minor Packages:
Changed
Upgraded dev-libs/nss to v3.97.
Changed
Upgraded net-libs/gnutls to v3.8.3.
Changed
Upgraded dev-python/jinja to v3.1.3.
Fixed
Upgraded app-admin/node-problem-detector to v0.8.15.
Fixed
Upgraded app-eselect/eselect-iptables to v20220320.
Fixed
Upgraded sys-libs/libcap-ng to v0.8.4-r1.
Fixed
Upgraded net-misc/rsync to v3.2.7-r4.
Fixed
Upgraded dev-python/netifaces to v0.11.0-r2.
Fixed
Upgraded net-libs/libtirpc to v1.3.4-r1.
Fixed
Upgraded app-admin/sudo to v1.9.15_p5.
Fixed
Upgraded app-misc/jq to v1.7.1.
Fixed
Upgraded sys-apps/pv to v1.8.5.
Fixed
Upgraded sys-process/lsof to v4.99.3.
Fixed
Upgraded dev-util/bsdiff to v4.3.1-r42.
Fixed
Updated net-misc/openssh to v9.6_p1-r1.
Changed
Upgraded sys-apps/less to v643-r1.
Fixed
Upgraded chromeos-base/mojo_service_manager to v0.0.1-r271.
Fixed
Upgraded net-misc/socat to v1.8.0.0.
Fixed
Upgraded dev-python/jsonpatch to v1.33.
Fixed
Upgraded dev-python/pyyaml to v6.0.1-r1.
Fixed
Upgraded dev-lang/python-exec to v2.4.10.
Fixed
Upgraded dev-python/six to v1.16.0-r1.
Fixed
Upgraded dev-python/configobj to v5.0.8.
Fixed
Upgraded dev-python/nose to v1.3.7_p20221026.
Fixed
Upgraded dev-python/mock to v5.1.0.
Fixed
Upgraded dev-python/pyserial to v3.5-r2.
Fixed
Upgraded sys-apps/hwdata to v0.376.
Changed
Upgraded sys-fs/xfsprogs to v6.5.0.
Changed
Upgraded dev-python/pygobject to v3.46.0.
Fixed
Upgraded sys-devel/libtool to v2.4.6-r7.
Fixed
Upgraded dev-libs/double-conversion to v3.2.1.
Fixed
Upgraded net-fs/cifs-utils to v7.0-r1, Upgraded sys-libs/talloc to v2.4.1.
Fixed
Upgraded app-arch/unzip to v6.0_p27-r1.
Fixed
Upgraded sys-apps/dmidecode to v3.5-r3.
Fixed
Upgraded dev-util/gn to v2121.
Fixed
Upgraded chromeos-base/chromeos-dbus-bindings to v0.0.1-r2787.
Changed
Updated dev-embedded/libftdi to v1.5-r5.
Fixed
Upgraded sys-apps/coreutils to v9.4.
Fixed
Upgraded sys-process/procps to v4.0.4.
Changed
Updated dev-go/go-tools to v0.11.1_p20230712.
Fixed
Upgraded app-arch/pigz to v2.8.
Fixed
Upgraded sys-block/thin-provisioning-tools to v0.9.0-r2.
Fixed
Upgraded app-arch/tar to v1.35.
Changed
Upgraded app-arch/xz-utils to v5.4.6-r1.
Changed
Upgraded app-misc/ca-certificates to v20230311.3.97.
Changed
Upgraded net-dns/c-ares to v1.26.0.
Changed
Upgraded net-dns/libidn2 to v2.3.7.
Changed
Upgraded sys-apps/attr to v2.5.2-r1.
Changed
Upgraded sys-apps/ethtool to v6.7.
Changed
Upgraded sys-apps/file to v5.45-r4.
Changed
Upgraded sys-libs/libcap to v2.69-r1.
Changed
Upgraded sys-libs/timezone-data to v2024a.
Changed
Upgraded sys-libs/zlib to v1.3.1-r1.
Changed
Upgraded dev-libs/libusb to v1.0.27.
Changed
Upgraded dev-libs/expat to v2.6.0.
Changed
Upgraded sys-apps/acl to v2.3.2.
Changed
Updated gzip to v1.13.
Changed
Upgraded sys-auth/pambase to v20240128.
Changed
Upgraded net-misc/chrony to v4.5.
Changed
Upgraded app-containers/cni-plugins to v1.4.0.
Changed
Upgraded sys-apps/makedumpfile to v1.7.4.
Changed
Upgraded chromeos-base/system_api to v0.0.1-r5643.
Changed
Upgraded chromeos-base/update_engine-client to v0.0.1-r2385.
Changed
Upgraded chromeos-base/hiberman-client to v0.0.1-r455.
Changed
Upgraded chromeos-base/power_manager-client to v0.0.1-r2859.
Changed
Upgraded chromeos-base/dlcservice-client to v0.0.1-r884.
Changed
Upgraded chromeos-base/vm_protos to v0.0.1-r552.
Changed
Upgraded chromeos-base/shill-client to v0.0.1-r4325.
Changed
Upgraded chromeos-base/minijail to v18-r135.
Changed
Upgraded chromeos-base/debugd-client to v0.0.1-r2641.
Changed
Upgraded chromeos-base/session_manager-client to v0.0.1-r2722.
Changed
Upgraded chromeos-base/chromeos-common-script to v0.0.1-r601.
Changed
Upgraded chromeos-base/google-breakpad to v2024.01.16.190249-r226.
Changed
Upgraded dev-util/puffin to v1.0.0-r450.
Changed
Upgraded sys-fs/squashfs-tools to v4.6.1.
Changed
Upgraded sys-apps/sandbox to v2.29-r1.
Dialogflow
Feature
Dialogflow CX: The Override request-level speech model has been added to advanced speech settings. This can be used to override the speech model provided in a runtime API request. 
Feature
Vertex AI Conversation data stores: Gemini-pro 1.0 is now officially in General Availability. The model includes optimized prompting, delivering enhanced results with minimal latency impact. Please note: prompt optimization is currently focused on English, with other languages to follow.
Deprecated
Vertex AI Conversation data stores: The text-bison-001 model and fine-tuned text-bison@001 options will be deprecated by Vertex AI on July 6th. Please transition as soon as possible to the default option or another model available in the settings.
Feature
Dialogflow CX: DTMF for telephony integrations is now available for preview.
Firestore in Datastore mode
Libraries
A weekly digest of client library updates from across the Cloud SDK.

PythonChanges for google-cloud-ndb

2.3.1 (2024-03-16)

Bug Fixes


grpc: Fix large payload handling when using the emulator. (#975) (d9162ae)
Remove uses of six. #913 (#958) (e17129a)
Show a non-None error for core_exception.Unknown errors. (#968) (66e61cc)


Documentation


Document how to run system tests against the emulator. (#963) (47db5b9)
Note to use functools.wrap instead of utils.wrapping. (#966) (5e9f3d6)
Tell users of utils.wrapping to use functools.wraps (#967) (042645b)

JavaChanges for google-cloud-datastore

2.18.6 (2024-03-18)

Bug Fixes


deps: Update the Java code generator (gapic-generator-java) to 2.37.0 (#1355) (bcc5668)


Dependencies


Update dependency com.google.cloud:sdk-platform-java-config to v3.28.0 (#1372) (09db2a7)
Update dependency com.google.cloud:sdk-platform-java-config to v3.28.1 (#1373) (c6e63e5)
Update dependency com.google.errorprone:error_prone_core to v2.26.0 (#1361) (9442766)
Update dependency com.google.errorprone:error_prone_core to v2.26.1 (#1363) (05fe5bc)
Update dependency com.google.guava:guava-testlib to v33.1.0-jre (#1368) (0195345)


Secret Manager
Libraries
A weekly digest of client library updates from across the Cloud SDK.

GoChanges for secretmanager/apiv1

1.12.0 (2024-03-19)

Features


secretmanager: New client apiv1beta2 (#9610) (443914f)


Sensitive Data Protection
Fixed
From February 12 through 27, 2024, a bug caused Sensitive Data Protection to inaccurately set the free-text scores of certain data profiles to 0, where they should have been higher. This bug is now resolved. All affected data profiles have been reprofiled.

For more information about the discovery service, see Data profiles.
[/content]

PublishedDate: 2024-03-25
Category: Technology
NewsPaper: GCP latest releases