Release Channels
The Stable channel is intended for use in production clusters. Versions of Flatcar Container Linux have been tested as they move through Alpha and Beta channels before being promoted to stable.
The Beta channel is where Flatcar Container Linux stability is solidified. We encourage including some beta machines in production clusters in order to catch any issues that may arise with your setup.
The Alpha channel follows a more frequent release cadence and is where new updates are introduced. Users can try the new versions of the Linux kernel, systemd and other core packages.
Release Notes
Move to Docker 25
We will begin moving to Docker 25 (or newer) in the near future. Among other changes, Docker 25 and above remove the devicemapper storage driver. While new provisionings should not be affected by the change, long-lived nodes which use this back-end will break after the update.
- We plan to introduce Docker 25 (or a newer release) in the Alpha release in late July 2024.
- We expect the Docker upgrade to reach Stable in October 2024 at the earliest.
Any nodes using the devicemapper storage driver will lose access to all Docker state (local container images and stopped containers) after this update. Please participate in Beta testing and run Beta canaries if you suspect you might be affected. If you are reading this after Docker 25 hits Stable in late 2024 and want to keep using Docker 24 while still updating to the latest OS release, please consider masking Docker 25 altogether and using the Docker 24 sysext from our sysext-bakery. Please find a full, up-to-date list of deprecated and removed features across Docker versions here: https://github.com/docker/cli/blob/master/docs/deprecated.md
We will also discuss the Docker upgrade and provide status updates in our Office Hours and Developer Sync calls.
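A preflight check for the devicemapper removal described above, written as an added example for this page (it is not part of the release notes or the Flatcar project). It assumes the node's storage driver and server version can be read with docker info --format '{{.Driver}} {{.ServerVersion}}' (a standard docker CLI invocation), and it falls back to a constructed sample line when no Docker daemon is reachable, so it also runs offline. A node is flagged only when it still uses devicemapper and the update would install Docker 25 or newer; everything else, including an unparsable version string, is reported without guessing.

```shell
#!/bin/sh
# Added example (not from the Flatcar release notes): preflight check for the
# Docker 25 devicemapper removal. Assumption: `docker info --format` is
# available on the node being checked; SAMPLE_INFO below is constructed.

# Returns "AT-RISK" when the current storage driver is devicemapper and the
# target Docker major version is 25 or newer, "OK" otherwise, and "UNKNOWN"
# when the target version cannot be parsed.
assess_docker_update_risk() {
    driver="$1"          # current storage driver, e.g. overlay2 or devicemapper
    target_version="$2"  # Docker version the update would install, e.g. 25.0.3
    target_major="${target_version%%.*}"
    case "$target_major" in
        ''|*[!0-9]*) echo "UNKNOWN"; return 2 ;;
    esac
    if [ "$driver" = "devicemapper" ] && [ "$target_major" -ge 25 ]; then
        echo "AT-RISK"
        return 1
    fi
    echo "OK"
    return 0
}

# Take the "<driver> <server-version>" line printed by `docker info` and
# assess it against the Docker version the OS update would bring.
assess_from_docker_info() {
    info_line="$1"
    target_version="$2"
    driver="${info_line%% *}"
    assess_docker_update_risk "$driver" "$target_version"
}

# Constructed sample of `docker info --format '{{.Driver}} {{.ServerVersion}}'`
# as a long-lived node still on the devicemapper back-end would print it.
SAMPLE_INFO="devicemapper 24.0.9"

main() {
    info_line=""
    if command -v docker >/dev/null 2>&1; then
        info_line="$(docker info --format '{{.Driver}} {{.ServerVersion}}' 2>/dev/null)" || info_line=""
    fi
    # Offline fallback so the script is demonstrable without a daemon.
    [ -n "$info_line" ] || info_line="$SAMPLE_INFO"
    echo "node reports: $info_line"
    # 25.0.0 stands in for whatever Docker 25+ release the update ships.
    result="$(assess_from_docker_info "$info_line" "25.0.0")" || true
    echo "Docker 25 update: $result"
    if [ "$result" = "AT-RISK" ]; then
        echo "local images and stopped containers would be lost after the update;"
        echo "run a Beta canary first, or mask Docker 25 and use the Docker 24 sysext from sysext-bakery"
    fi
}

main "$@"
```

Run it on each long-lived node before the Stable update lands; nodes that print AT-RISK are the ones the release notes warn about, and a fleet-wide inventory of the storage driver is cheaper than recovering lost container state afterwards.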
Updates:
docker - 24.0.9
ignition - 2.18.0
kernel - 6.6.54
systemd - 255
Changes since Stable 3975.2.1
Security fixes:
- Linux (CVE-2024-46711, CVE-2024-46709, CVE-2024-46680, CVE-2024-46679, CVE-2024-46678, CVE-2024-46677, CVE-2024-46676, CVE-2024-46695, CVE-2024-46694, CVE-2024-46693, CVE-2024-46675, CVE-2024-46692, CVE-2024-46689, CVE-2024-46687, CVE-2024-46686, CVE-2024-46685, CVE-2024-46673, CVE-2024-46674, CVE-2024-46811, CVE-2024-46810, CVE-2024-46809, CVE-2024-46807, CVE-2024-46806, CVE-2024-46805, CVE-2024-46804, CVE-2024-46821, CVE-2024-46819, CVE-2024-46818, CVE-2024-46817, CVE-2024-46815, CVE-2024-46814, CVE-2024-46812, CVE-2024-46802, CVE-2024-46803, CVE-2024-46724, CVE-2024-46732, CVE-2024-46731, CVE-2024-46728, CVE-2024-46726, CVE-2024-46725, CVE-2024-46723, CVE-2024-46722, CVE-2024-46721, CVE-2024-46720, CVE-2024-46719, CVE-2024-46717, CVE-2024-46716, CVE-2024-46714, CVE-2024-46715, CVE-2024-46831, CVE-2024-46840, CVE-2024-46839, CVE-2024-46838, CVE-2024-46836, CVE-2024-46835, CVE-2024-46848, CVE-2024-46847, CVE-2024-46846, CVE-2024-46845, CVE-2024-46844, CVE-2024-46843, CVE-2024-46832, CVE-2024-46830, CVE-2024-46829, CVE-2024-46828, CVE-2024-46827, CVE-2024-46826, CVE-2024-46825, CVE-2024-46822, CVE-2024-46788, CVE-2024-46797, CVE-2024-46796, CVE-2024-46795, CVE-2024-46794, CVE-2024-46791, CVE-2024-46800, CVE-2024-46798, CVE-2024-46760, CVE-2024-46768, CVE-2024-46767, CVE-2024-46765, CVE-2024-46763, CVE-2024-46787, CVE-2024-46786, CVE-2024-46785, CVE-2024-46784, CVE-2024-46783, CVE-2024-46782, CVE-2024-46781, CVE-2024-46780, CVE-2024-46762, CVE-2024-46777, CVE-2024-46776, CVE-2024-46773, CVE-2024-46771, CVE-2024-46770, CVE-2024-46761, CVE-2024-46743, CVE-2024-46742, CVE-2024-46741, CVE-2024-46740, CVE-2024-46739, CVE-2024-46738, CVE-2024-46737, CVE-2024-46759, CVE-2024-46758, CVE-2024-46757, CVE-2024-46756, CVE-2024-46755, CVE-2024-46736, CVE-2024-46752, CVE-2024-46750, CVE-2024-46749, CVE-2024-46747, CVE-2024-46746, CVE-2024-46745, CVE-2024-46744, CVE-2024-46734, CVE-2024-46735, CVE-2024-46713, CVE-2024-46858, CVE-2024-46857, CVE-2024-46855, CVE-2024-46854, 
CVE-2024-46853, CVE-2024-46852, CVE-2024-46865, CVE-2024-46864, CVE-2024-46861, CVE-2024-46860, CVE-2024-46859, CVE-2024-46849)
- expat (CVE-2024-45490)
Bug fixes:
- Equinix Metal: Fixed a race condition in the ‘mount’ Ignition stage (scripts#2308)
- Fixed slow PXE and ISO boots caused by decrypt-root.service. (Flatcar#1514)
Changes:
- Azure, HyperV: Added the kvp, vss, and fcopy daemons for better HyperV hypervisor integration with Flatcar guests (scripts#2309)
- Enable mpi3mr kernel module for Broadcom Storage/RAID-Controllers (flatcar/scripts#2355)
Updates:
docker - 24.0.9
ignition - 2.18.0
kernel - 6.6.48
systemd - 255
Changes since Stable 3975.2.0
Security fixes:
- Linux (CVE-2024-44944, CVE-2024-43877, CVE-2024-43876, CVE-2024-43875, CVE-2024-43873, CVE-2024-43871, CVE-2024-43881, CVE-2024-43880, CVE-2024-43879, CVE-2024-43869, CVE-2024-43870, CVE-2024-43856, CVE-2024-43860, CVE-2024-43859, CVE-2024-43858, CVE-2024-43833, CVE-2024-43832, CVE-2024-43831, CVE-2024-43830, CVE-2024-43829, CVE-2024-43828, CVE-2024-43855, CVE-2024-43854, CVE-2024-43853, CVE-2024-43851, CVE-2024-43850, CVE-2024-43849, CVE-2024-43847, CVE-2024-43846, CVE-2024-43845, CVE-2024-43842, CVE-2024-43841, CVE-2024-43839, CVE-2024-43837, CVE-2024-43834, CVE-2024-43825, CVE-2024-43823, CVE-2024-43821, CVE-2024-43818, CVE-2024-43817, CVE-2024-42321, CVE-2024-42322, CVE-2024-42288, CVE-2024-42297, CVE-2024-42296, CVE-2024-42295, CVE-2024-42294, CVE-2024-42292, CVE-2024-42320, CVE-2024-42318, CVE-2024-42291, CVE-2024-42316, CVE-2024-42315, CVE-2024-42314, CVE-2024-42313, CVE-2024-42311, CVE-2024-42310, CVE-2024-42309, CVE-2024-42308, CVE-2024-42290, CVE-2024-42307, CVE-2024-42306, CVE-2024-42305, CVE-2024-42304, CVE-2024-42303, CVE-2024-42302, CVE-2024-42301, CVE-2024-42299, CVE-2024-42298, CVE-2024-42289, CVE-2024-42284, CVE-2024-42283, CVE-2024-42281, CVE-2024-42280, CVE-2024-42279, CVE-2024-42278, CVE-2024-42277, CVE-2024-42287, CVE-2024-42286, CVE-2024-42285, CVE-2023-52889, CVE-2024-42276, CVE-2024-43867, CVE-2024-43866, CVE-2024-43864, CVE-2024-43863, CVE-2024-42312, CVE-2024-42274, CVE-2024-42273, CVE-2024-42272, CVE-2024-42271, CVE-2024-42270, CVE-2024-42269, CVE-2024-42268, CVE-2024-42267, CVE-2024-42265, CVE-2024-43908, CVE-2024-44931, CVE-2024-43914, CVE-2024-43912, CVE-2024-44935, CVE-2024-44934, CVE-2024-43909, CVE-2024-43905, CVE-2024-43903, CVE-2024-43902, CVE-2024-43900, CVE-2024-43907, CVE-2024-43906, CVE-2024-43897, CVE-2024-43894, CVE-2024-43893, CVE-2024-43892, CVE-2024-43890, CVE-2024-43889, CVE-2024-43895, CVE-2024-43883, CVE-2024-43861, CVE-2024-42259, CVE-2024-44943, CVE-2024-44942, CVE-2024-44941, CVE-2024-44940, CVE-2024-44938, 
CVE-2024-44939, CVE-2024-43898, CVE-2024-43882, CVE-2024-44947, CVE-2024-44946)
Bug fixes:
- Fixed ownership of systemd units shipped with the built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Because the contents of sysexts and /usr are read-only on Flatcar, the invalid permissions can’t be used to escalate privileges. (scripts#2266)
- Equinix Metal: Fixed oem-cloudinit.service. The availability check now uses the https://metadata.platformequinix.com/metadata endpoint. (scripts#2222)
Updates:
docker - 24.0.9
ignition - 2.18.0
kernel - 6.6.43
systemd - 255
Changes since Stable 3815.2.5
Security fixes:
- Linux (CVE-2022-27672, CVE-2022-36402, CVE-2022-36402, CVE-2022-40982, CVE-2022-4269, CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2022-48425, CVE-2022-48628, CVE-2023-0160, CVE-2023-0160, CVE-2023-0459, CVE-2023-1032, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1118, CVE-2023-1192, CVE-2023-1194, CVE-2023-1206, CVE-2023-1281, CVE-2023-1380, CVE-2023-1380, CVE-2023-1513, CVE-2023-1583, CVE-2023-1611, CVE-2023-1670, CVE-2023-1829, CVE-2023-1855, CVE-2023-1859, CVE-2023-1989, CVE-2023-1990, CVE-2023-1998, CVE-2023-2002, CVE-2023-2002, CVE-2023-20569, CVE-2023-20588, CVE-2023-20593, CVE-2023-2124, CVE-2023-21255, CVE-2023-21264, CVE-2023-2156, CVE-2023-2156, CVE-2023-2163, CVE-2023-2163, CVE-2023-2194, CVE-2023-2235, CVE-2023-2248, CVE-2023-2248, CVE-2023-2269, CVE-2023-2269, CVE-2023-2483, CVE-2023-25012, CVE-2023-25775, CVE-2023-25775, CVE-2023-2598, CVE-2023-26545, CVE-2023-28466, CVE-2023-28746, CVE-2023-28866, CVE-2023-2898, CVE-2023-2985, CVE-2023-30456, CVE-2023-30772, CVE-2023-3090, CVE-2023-31085, CVE-2023-3117, CVE-2023-31248, CVE-2023-3141, CVE-2023-31436, CVE-2023-31436, CVE-2023-3212, CVE-2023-3220, CVE-2023-32233, CVE-2023-32233, CVE-2023-32247, CVE-2023-32247, CVE-2023-32248, CVE-2023-32248, CVE-2023-32250, CVE-2023-32250, CVE-2023-32252, CVE-2023-32252, CVE-2023-32254, CVE-2023-32254, CVE-2023-32257, CVE-2023-32257, CVE-2023-32258, CVE-2023-32258, CVE-2023-3268, CVE-2023-3268, CVE-2023-3269, CVE-2023-3269, CVE-2023-3312, CVE-2023-3312, CVE-2023-3317, CVE-2023-33203, CVE-2023-33250, CVE-2023-33250, CVE-2023-33288, CVE-2023-3355, CVE-2023-3390, CVE-2023-33951, CVE-2023-33951, CVE-2023-33952, CVE-2023-33952, CVE-2023-34255, CVE-2023-34256, CVE-2023-34256, CVE-2023-34319, CVE-2023-34324, CVE-2023-35001, CVE-2023-35788, CVE-2023-35823, CVE-2023-35823, CVE-2023-35824, CVE-2023-35824, CVE-2023-35826, CVE-2023-35826, CVE-2023-35827, CVE-2023-35828, CVE-2023-35828, CVE-2023-35829, CVE-2023-35829, CVE-2023-3609, CVE-2023-3610, CVE-2023-3610, 
CVE-2023-3611, CVE-2023-37453, CVE-2023-37453, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-3777, CVE-2023-38409, CVE-2023-38426, CVE-2023-38427, CVE-2023-38428, CVE-2023-38429, CVE-2023-38430, CVE-2023-38431, CVE-2023-38432, CVE-2023-38432, CVE-2023-3863, CVE-2023-3863, CVE-2023-3865, CVE-2023-3865, CVE-2023-3866, CVE-2023-3866, CVE-2023-3867, CVE-2023-39189, CVE-2023-39191, CVE-2023-39192, CVE-2023-39192, CVE-2023-39193, CVE-2023-39193, CVE-2023-39194, CVE-2023-39197, CVE-2023-39197, CVE-2023-39198, CVE-2023-4004, CVE-2023-4015, CVE-2023-40283, CVE-2023-40791, CVE-2023-4128, CVE-2023-4132, CVE-2023-4133, CVE-2023-4133, CVE-2023-4134, CVE-2023-4134, CVE-2023-4147, CVE-2023-4155, CVE-2023-4194, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4244, CVE-2023-4273, CVE-2023-42752, CVE-2023-42752, CVE-2023-42753, CVE-2023-42753, CVE-2023-42754, CVE-2023-42756, CVE-2023-44466, CVE-2023-4563, CVE-2023-4569, CVE-2023-45862, CVE-2023-45863, CVE-2023-45871, CVE-2023-45871, CVE-2023-45898, CVE-2023-4610, CVE-2023-4611, CVE-2023-4623, CVE-2023-4623, CVE-2023-46343, CVE-2023-46813, CVE-2023-46838, CVE-2023-46862, CVE-2023-46862, CVE-2023-47233, CVE-2023-4881, CVE-2023-4921, CVE-2023-50431, CVE-2023-5090, CVE-2023-51042, CVE-2023-51043, CVE-2023-5158, CVE-2023-51779, CVE-2023-51780, CVE-2023-51781, CVE-2023-51782, CVE-2023-5197, CVE-2023-52429, CVE-2023-52433, CVE-2023-52434, CVE-2023-52435, CVE-2023-52436, CVE-2023-52438, CVE-2023-52439, CVE-2023-52440, CVE-2023-52440, CVE-2023-52441, CVE-2023-52442, CVE-2023-52443, CVE-2023-52444, CVE-2023-52445, CVE-2023-52446, CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52450, CVE-2023-52451, CVE-2023-52452, CVE-2023-52453, CVE-2023-52454, CVE-2023-52455, CVE-2023-52456, CVE-2023-52457, CVE-2023-52458, CVE-2023-52459, CVE-2023-52462, CVE-2023-52463, CVE-2023-52464, CVE-2023-52465, CVE-2023-52467, CVE-2023-52468, CVE-2023-52469, CVE-2023-52470, CVE-2023-52472, CVE-2023-52473, CVE-2023-52474, CVE-2023-52474, 
CVE-2023-52475, CVE-2023-52476, CVE-2023-52477, CVE-2023-52478, CVE-2023-52479, CVE-2023-52480, CVE-2023-52481, CVE-2023-52482, CVE-2023-52483, CVE-2023-52484, CVE-2023-52486, CVE-2023-52487, CVE-2023-52488, CVE-2023-52489, CVE-2023-52490, CVE-2023-52491, CVE-2023-52492, CVE-2023-52493, CVE-2023-52494, CVE-2023-52495, CVE-2023-52497, CVE-2023-52498, CVE-2023-52499, CVE-2023-52500, CVE-2023-52501, CVE-2023-52502, CVE-2023-52503, CVE-2023-52504, CVE-2023-52505, CVE-2023-52506, CVE-2023-52507, CVE-2023-52508, CVE-2023-52509, CVE-2023-52510, CVE-2023-52511, CVE-2023-52512, CVE-2023-52513, CVE-2023-52515, CVE-2023-52516, CVE-2023-52517, CVE-2023-52518, CVE-2023-52519, CVE-2023-52520, CVE-2023-52522, CVE-2023-52523, CVE-2023-52524, CVE-2023-52526, CVE-2023-52527, CVE-2023-52528, CVE-2023-52529, CVE-2023-52530, CVE-2023-52531, CVE-2023-52532, CVE-2023-52559, CVE-2023-52560, CVE-2023-52561, CVE-2023-52562, CVE-2023-52563, CVE-2023-52564, CVE-2023-52565, CVE-2023-52566, CVE-2023-52567, CVE-2023-52568, CVE-2023-52569, CVE-2023-52570, CVE-2023-52571, CVE-2023-52572, CVE-2023-52573, CVE-2023-52574, CVE-2023-52575, CVE-2023-52576, CVE-2023-52578, CVE-2023-52580, CVE-2023-52581, CVE-2023-52582, CVE-2023-52583, CVE-2023-52584, CVE-2023-52587, CVE-2023-52588, CVE-2023-52589, CVE-2023-52591, CVE-2023-52593, CVE-2023-52594, CVE-2023-52595, CVE-2023-52596, CVE-2023-52597, CVE-2023-52598, CVE-2023-52599, CVE-2023-52600, CVE-2023-52601, CVE-2023-52602, CVE-2023-52603, CVE-2023-52604, CVE-2023-52606, CVE-2023-52607, CVE-2023-52608, CVE-2023-52609, CVE-2023-52610, CVE-2023-52611, CVE-2023-52612, CVE-2023-52613, CVE-2023-52614, CVE-2023-52615, CVE-2023-52616, CVE-2023-52617, CVE-2023-52618, CVE-2023-52619, CVE-2023-52620, CVE-2023-52621, CVE-2023-52622, CVE-2023-52623, CVE-2023-52627, CVE-2023-52628, CVE-2023-52629, CVE-2023-52630, CVE-2023-52631, CVE-2023-52632, CVE-2023-52633, CVE-2023-52635, CVE-2023-52636, CVE-2023-52637, CVE-2023-52638, CVE-2023-52639, CVE-2023-52640, CVE-2023-52641, 
CVE-2023-5345, CVE-2023-5633, CVE-2023-5717, CVE-2023-5972, CVE-2023-6039, CVE-2023-6111, CVE-2023-6121, CVE-2023-6176, CVE-2023-6200, CVE-2023-6270, CVE-2023-6356, CVE-2023-6531, CVE-2023-6536, CVE-2023-6546, CVE-2023-6560, CVE-2023-6606, CVE-2023-6610, CVE-2023-6622, CVE-2023-6817, CVE-2023-6915, CVE-2023-6931, CVE-2023-6932, CVE-2023-7042, CVE-2023-7192, CVE-2024-0193, CVE-2024-0443, CVE-2024-0565, CVE-2024-0582, CVE-2024-0584, CVE-2024-0607, CVE-2024-0607, CVE-2024-0639, CVE-2024-0641, CVE-2024-0646, CVE-2024-0775, CVE-2024-0775, CVE-2024-0841, CVE-2024-1085, CVE-2024-1086, CVE-2024-1151, CVE-2024-1312, CVE-2024-22099, CVE-2024-22705, CVE-2024-23196, CVE-2024-23307, CVE-2024-23849, CVE-2024-23850, CVE-2024-23851, CVE-2024-24860, CVE-2024-24861, CVE-2024-25744, CVE-2024-26581, CVE-2024-26582, CVE-2024-26583, CVE-2024-26584, CVE-2024-26585, CVE-2024-26586, CVE-2024-26587, CVE-2024-26588, CVE-2024-26589, CVE-2024-26590, CVE-2024-26591, CVE-2024-26592, CVE-2024-26593, CVE-2024-26594, CVE-2024-26595, CVE-2024-26597, CVE-2024-26598, CVE-2024-26599, CVE-2024-26600, CVE-2024-26601, CVE-2024-26602, CVE-2024-26603, CVE-2024-26604, CVE-2024-26606, CVE-2024-26607, CVE-2024-26608, CVE-2024-26610, CVE-2024-26611, CVE-2024-26612, CVE-2024-26614, CVE-2024-26615, CVE-2024-26616, CVE-2024-26618, CVE-2024-26620, CVE-2024-26622, CVE-2024-26623, CVE-2024-26625, CVE-2024-26627, CVE-2024-26629, CVE-2024-26630, CVE-2024-26631, CVE-2024-26632, CVE-2024-26633, CVE-2024-26634, CVE-2024-26635, CVE-2024-26636, CVE-2024-26638, CVE-2024-26640, CVE-2024-26641, CVE-2024-26642, CVE-2024-26643, CVE-2024-26644, CVE-2024-26645, CVE-2024-26646, CVE-2024-26647, CVE-2024-26648, CVE-2024-26649, CVE-2024-26650, CVE-2024-26651, CVE-2024-26652, CVE-2024-26654, CVE-2024-26656, CVE-2024-26659, CVE-2024-26660, CVE-2024-26661, CVE-2024-26662, CVE-2024-26663, CVE-2024-26664, CVE-2024-26665, CVE-2024-26666, CVE-2024-26667, CVE-2024-26668, CVE-2024-26669, CVE-2024-26670, CVE-2024-26671, CVE-2024-26673, 
CVE-2024-26674, CVE-2024-26675, CVE-2024-26676, CVE-2024-26677, CVE-2024-26679, CVE-2024-26680, CVE-2024-26681, CVE-2024-26684, CVE-2024-26685, CVE-2024-26687, CVE-2024-26688, CVE-2024-26689, CVE-2024-26690, CVE-2024-26691, CVE-2024-26692, CVE-2024-26693, CVE-2024-26694, CVE-2024-26695, CVE-2024-26696, CVE-2024-26697, CVE-2024-26698, CVE-2024-26700, CVE-2024-26702, CVE-2024-26703, CVE-2024-26704, CVE-2024-26705, CVE-2024-26706, CVE-2024-26707, CVE-2024-26708, CVE-2024-26711, CVE-2024-26712, CVE-2024-26713, CVE-2024-26714, CVE-2024-26715, CVE-2024-26716, CVE-2024-26717, CVE-2024-26718, CVE-2024-26719, CVE-2024-26720, CVE-2024-26723, CVE-2024-26726, CVE-2024-26727, CVE-2024-26730, CVE-2024-26731, CVE-2024-26733, CVE-2024-26734, CVE-2024-26735, CVE-2024-26736, CVE-2024-26737, CVE-2024-26738, CVE-2024-26739, CVE-2024-26740, CVE-2024-26741, CVE-2024-26742, CVE-2024-26743, CVE-2024-26744, CVE-2024-26745, CVE-2024-26746, CVE-2024-26747, CVE-2024-26748, CVE-2024-26749, CVE-2024-26751, CVE-2024-26752, CVE-2024-26753, CVE-2024-26754, CVE-2024-26759, CVE-2024-26760, CVE-2024-26761, CVE-2024-26763, CVE-2024-26764, CVE-2024-26765, CVE-2024-26766, CVE-2024-26766, CVE-2024-26767, CVE-2024-26768, CVE-2024-26769, CVE-2024-26770, CVE-2024-26771, CVE-2024-26772, CVE-2024-26773, CVE-2024-26774, CVE-2024-26775, CVE-2024-26776, CVE-2024-26777, CVE-2024-26778, CVE-2024-26779, CVE-2024-26782, CVE-2024-26783, CVE-2024-26786, CVE-2024-26787, CVE-2024-26788, CVE-2024-26789, CVE-2024-26790, CVE-2024-26791, CVE-2024-26793, CVE-2024-26795, CVE-2024-26796, CVE-2024-26798, CVE-2024-26799, CVE-2024-26801, CVE-2024-26802, CVE-2024-26803, CVE-2024-26804, CVE-2024-26805, CVE-2024-26807, CVE-2024-26808, CVE-2024-26809, CVE-2024-41081, CVE-2024-41078, CVE-2024-41079, CVE-2024-41076, CVE-2024-41075, CVE-2024-41074, CVE-2024-41073, CVE-2024-41072, CVE-2024-41070, CVE-2024-41069, CVE-2024-41077, CVE-2024-41068, CVE-2024-41066, CVE-2024-41065, CVE-2024-41064, CVE-2024-41063, CVE-2024-41062, CVE-2024-41060, 
CVE-2024-41059, CVE-2024-41057, CVE-2024-41058, CVE-2024-41056, CVE-2024-41053, CVE-2024-41055, CVE-2024-41054, CVE-2024-41032, CVE-2024-41031, CVE-2024-41030, CVE-2024-41028, CVE-2024-41027, CVE-2024-41052, CVE-2024-41051, CVE-2024-41050, CVE-2024-41049, CVE-2024-41048, CVE-2024-41047, CVE-2024-41046, CVE-2024-41044, CVE-2024-41025, CVE-2024-41041, CVE-2024-41040, CVE-2024-41039, CVE-2024-41038, CVE-2024-41037, CVE-2024-41036, CVE-2024-41035, CVE-2024-41034, CVE-2024-41024, CVE-2024-42226, CVE-2024-42145, CVE-2024-42154, CVE-2024-42153, CVE-2024-42152, CVE-2024-42148, CVE-2024-42230, CVE-2024-42229, CVE-2024-42228, CVE-2024-42226, CVE-2024-42225, CVE-2024-42147, CVE-2024-42224, CVE-2024-42223, CVE-2024-42161, CVE-2024-42160, CVE-2024-42159, CVE-2024-42157, CVE-2024-42110, CVE-2024-42119, CVE-2024-42116, CVE-2024-42115, CVE-2024-42144, CVE-2024-42143, CVE-2024-42142, CVE-2024-42141, CVE-2024-42140, CVE-2024-42113, CVE-2024-42138, CVE-2024-42137, CVE-2024-42136, CVE-2024-42135, CVE-2024-42133, CVE-2024-42132, CVE-2024-42131, CVE-2024-42130, CVE-2024-42128, CVE-2024-42127, CVE-2024-42126, CVE-2024-42124, CVE-2024-42121, CVE-2024-42120, CVE-2023-52888, CVE-2024-42106, CVE-2024-42105, CVE-2024-42104, CVE-2024-42103, CVE-2024-42102, CVE-2024-42101, CVE-2024-42100, CVE-2024-42109, CVE-2024-40947, CVE-2024-42068, CVE-2024-42067, CVE-2024-42098, CVE-2024-42097, CVE-2024-42096, CVE-2024-42095, CVE-2024-42093, CVE-2024-42094, CVE-2024-42092, CVE-2024-42090, CVE-2024-42089, CVE-2024-42087, CVE-2024-42086, CVE-2024-42084, CVE-2024-42085, CVE-2024-42070, CVE-2024-42069, CVE-2024-42068, CVE-2024-42067, CVE-2024-42082, CVE-2024-42080, CVE-2024-42079, CVE-2024-42077, CVE-2024-42076, CVE-2024-42074, CVE-2024-42073, CVE-2023-52887, CVE-2024-42063, CVE-2024-41094, CVE-2024-41093, CVE-2024-41092, CVE-2024-41089, CVE-2024-41088, CVE-2024-41087, CVE-2024-41098, CVE-2024-41097, CVE-2024-41096, CVE-2024-41095, CVE-2024-41084, CVE-2024-41009, CVE-2024-39486, CVE-2024-41006, CVE-2024-41005, 
CVE-2024-41004, CVE-2024-40996, CVE-2024-41002, CVE-2024-41001, CVE-2024-41000, CVE-2024-40998, CVE-2024-40997, CVE-2024-40994, CVE-2024-40993, CVE-2024-40992, CVE-2024-40990, CVE-2024-40989, CVE-2024-40988, CVE-2024-40987, CVE-2024-40995, CVE-2024-40983, CVE-2024-40984, CVE-2024-40970, CVE-2024-40978, CVE-2024-40977, CVE-2024-40976, CVE-2024-40974, CVE-2024-40973, CVE-2024-40982, CVE-2024-40981, CVE-2024-40980, CVE-2024-40971, CVE-2024-40955, CVE-2024-40954, CVE-2024-40953, CVE-2024-40952, CVE-2024-40951, CVE-2024-40969, CVE-2024-40968, CVE-2024-40967, CVE-2024-40966, CVE-2024-40948, CVE-2024-40964, CVE-2024-40963, CVE-2024-40962, CVE-2024-40961, CVE-2024-40960, CVE-2024-40959, CVE-2024-40958, CVE-2024-40957, CVE-2024-40956, CVE-2024-40929, CVE-2024-40938, CVE-2024-40937, CVE-2024-40936, CVE-2024-40935, CVE-2024-40934, CVE-2024-40932, CVE-2024-40931, CVE-2024-40945, CVE-2024-40944, CVE-2024-40943, CVE-2024-40942, CVE-2024-40941, CVE-2024-40940, CVE-2024-40939, CVE-2024-40922, CVE-2024-40921, CVE-2024-40920, CVE-2024-40919, CVE-2024-40918, CVE-2024-40916, CVE-2024-40915, CVE-2024-40928, CVE-2024-40927, CVE-2024-40925, CVE-2024-40924, CVE-2024-40923, CVE-2024-40913, CVE-2024-40914, CVE-2024-40912, CVE-2024-39503, CVE-2024-39502, CVE-2024-39501, CVE-2024-39500, CVE-2024-39499, CVE-2024-39497, CVE-2024-40911, CVE-2024-40910, CVE-2024-40909, CVE-2024-40908, CVE-2024-40906, CVE-2024-40905, CVE-2024-40904, CVE-2024-40903, CVE-2024-40902, CVE-2024-39496, CVE-2024-40901, CVE-2024-40900, CVE-2024-39509, CVE-2024-39508, CVE-2024-39507, CVE-2024-39506, CVE-2024-39505, CVE-2024-39504, CVE-2024-39494, CVE-2024-39495, CVE-2024-39469, CVE-2024-39298, CVE-2024-39371, CVE-2024-37078, CVE-2024-39493, CVE-2024-39476, CVE-2024-39485, CVE-2024-39484, CVE-2024-39483, CVE-2024-39482, CVE-2024-39481, CVE-2024-39480, CVE-2024-39479, CVE-2024-39475, CVE-2024-39473, CVE-2024-39474, CVE-2024-39471, CVE-2024-39470, CVE-2024-39468, CVE-2024-39467, CVE-2024-39466, CVE-2024-39464, CVE-2024-39461, 
CVE-2024-39463, CVE-2024-39462, CVE-2024-39296, CVE-2024-39276, CVE-2024-38661, CVE-2024-38385, CVE-2024-37354, CVE-2024-39362, CVE-2024-39301, CVE-2022-48772, CVE-2024-39491, CVE-2024-39490, CVE-2024-39489, CVE-2024-39488, CVE-2024-37021, CVE-2024-36479, CVE-2024-35247, CVE-2024-34030, CVE-2024-34027, CVE-2024-33847, CVE-2024-39292, CVE-2024-38667, CVE-2024-39291, CVE-2024-38384, CVE-2024-38664, CVE-2024-38663, CVE-2024-36481, CVE-2024-36477, CVE-2024-34777, CVE-2024-39277, CVE-2024-38662, CVE-2024-38780, CVE-2024-38659, CVE-2024-38634, CVE-2024-38637, CVE-2024-38636, CVE-2024-38635, CVE-2024-36484, CVE-2024-36286, CVE-2024-36281, CVE-2024-36270, CVE-2024-36244, CVE-2024-33621, CVE-2024-38633, CVE-2024-38632, CVE-2024-38630, CVE-2024-38629, CVE-2024-38628, CVE-2024-38627, CVE-2024-38625, CVE-2024-38624, CVE-2024-33619, CVE-2024-38623, CVE-2024-38622, CVE-2024-38621, CVE-2024-38391, CVE-2024-38390, CVE-2024-38388, CVE-2024-38381, CVE-2024-37356, CVE-2024-37353, CVE-2024-36489, CVE-2023-52884, CVE-2024-31076, CVE-2024-38620, CVE-2024-38617, CVE-2024-38616, CVE-2024-38615, CVE-2024-38614, CVE-2024-38613, CVE-2024-38612, CVE-2024-38611, CVE-2024-38610, CVE-2024-38618, CVE-2024-38607, CVE-2024-38605, CVE-2024-38604, CVE-2024-38603, CVE-2024-38601, CVE-2024-38602, CVE-2024-38598, CVE-2024-38597, CVE-2024-38596, CVE-2024-38593, CVE-2024-38591, CVE-2024-38600, CVE-2024-38599, CVE-2024-38589, CVE-2024-38590, CVE-2024-38575, CVE-2024-38584, CVE-2024-38583, CVE-2024-38582, CVE-2024-38581, CVE-2024-38580, CVE-2024-38579, CVE-2024-38578, CVE-2024-38577, CVE-2024-38588, CVE-2024-38587, CVE-2024-38586, CVE-2024-38585, CVE-2024-38576, CVE-2024-38568, CVE-2024-38573, CVE-2024-38572, CVE-2024-38571, CVE-2024-38570, CVE-2024-38569, CVE-2024-36979, CVE-2024-38546, CVE-2024-38545, CVE-2024-38544, CVE-2024-38543, CVE-2024-38541, CVE-2024-38567, CVE-2024-38540, CVE-2024-38566, CVE-2024-38565, CVE-2024-38564, CVE-2024-38562, CVE-2024-38561, CVE-2024-38560, CVE-2024-38559, CVE-2024-38558, 
CVE-2024-38557, CVE-2024-38539, CVE-2024-38556, CVE-2024-38555, CVE-2024-38554, CVE-2024-38553, CVE-2024-38552, CVE-2024-38551, CVE-2024-38550, CVE-2024-38549, CVE-2024-38548, CVE-2024-38547, CVE-2024-38538, CVE-2024-36977, CVE-2024-36975, CVE-2024-36969, CVE-2024-36968, CVE-2024-36967, CVE-2024-36965, CVE-2024-36966, CVE-2024-41011, CVE-2024-36964, CVE-2024-36963, CVE-2024-36962, CVE-2024-36960, CVE-2024-36942, CVE-2024-36951, CVE-2024-36950, CVE-2024-36949, CVE-2024-36947, CVE-2024-36946, CVE-2024-36945, CVE-2024-36944, CVE-2024-36959, CVE-2024-36957, CVE-2024-36955, CVE-2024-36954, CVE-2024-36953, CVE-2024-36952, CVE-2024-36916, CVE-2024-36914, CVE-2024-36913, CVE-2024-36912, CVE-2024-36911, CVE-2024-36941, CVE-2024-36940, CVE-2024-36939, CVE-2024-36938, CVE-2024-36937, CVE-2024-36910, CVE-2024-36934, CVE-2024-36933, CVE-2024-36931, CVE-2024-36930, CVE-2024-36929, CVE-2024-36928, CVE-2024-36927, CVE-2024-36909, CVE-2024-36926, CVE-2024-36925, CVE-2024-36924, CVE-2024-36922, CVE-2024-36921, CVE-2024-36920, CVE-2024-36919, CVE-2024-36918, CVE-2024-36917, CVE-2024-36908, CVE-2024-36880, CVE-2024-36889, CVE-2024-36888, CVE-2024-36887, CVE-2024-36886, CVE-2024-36885, CVE-2024-36883, CVE-2024-36906, CVE-2024-36905, CVE-2024-36904, CVE-2024-36903, CVE-2024-36902, CVE-2024-36901, CVE-2024-36900, CVE-2024-36882, CVE-2024-36899, CVE-2024-36898, CVE-2024-36897, CVE-2024-36896, CVE-2024-36895, CVE-2024-36894, CVE-2024-36893, CVE-2024-36891, CVE-2024-36890, CVE-2024-36881, CVE-2024-36032, CVE-2023-52882, CVE-2024-36031, CVE-2024-36028, CVE-2024-36017, CVE-2024-36011, CVE-2024-36012, CVE-2024-35947, CVE-2024-35848, CVE-2024-36029, CVE-2024-35990, CVE-2024-35999, CVE-2024-35998, CVE-2024-35997, CVE-2024-35996, CVE-2024-35995, CVE-2024-35993, CVE-2024-35992, CVE-2024-36009, CVE-2024-36008, CVE-2024-36007, CVE-2024-36006, CVE-2024-36005, CVE-2024-36004, CVE-2024-36003, CVE-2024-36000, CVE-2024-35991, CVE-2024-35989, CVE-2024-35988, CVE-2024-35987, CVE-2024-35986, CVE-2024-35985, 
CVE-2024-35983, CVE-2024-35984, CVE-2024-35855, CVE-2024-35854, CVE-2024-35853, CVE-2024-35852, CVE-2024-35851, CVE-2024-35850, CVE-2024-35849, CVE-2024-35858, CVE-2024-35857, CVE-2024-35856, CVE-2024-35847, CVE-2024-27396, CVE-2024-27395, CVE-2024-35981, CVE-2024-35980, CVE-2024-35869, CVE-2024-35870, CVE-2024-35812, CVE-2024-27013, CVE-2024-27020, CVE-2024-27019, CVE-2024-27018, CVE-2024-27016, CVE-2024-27015, CVE-2024-27014, CVE-2024-26988, CVE-2024-26987, CVE-2024-26986, CVE-2024-26984, CVE-2024-26983, CVE-2024-27009, CVE-2024-27008, CVE-2024-27005, CVE-2024-27004, CVE-2024-27003, CVE-2024-27002, CVE-2024-27001, CVE-2024-27000, CVE-2024-26999, CVE-2024-26981, CVE-2024-26998, CVE-2024-26997, CVE-2024-26996, CVE-2024-26994, CVE-2024-26993, CVE-2024-26992, CVE-2024-26990, CVE-2024-26989, CVE-2024-26936, CVE-2024-26980, CVE-2024-26939, CVE-2024-36025, CVE-2024-36026, CVE-2024-35961, CVE-2024-35960, CVE-2024-35959, CVE-2024-35958, CVE-2024-35956, CVE-2024-35982, CVE-2024-35955, CVE-2024-35979, CVE-2024-35978, CVE-2024-35977, CVE-2024-35976, CVE-2024-35975, CVE-2024-35974, CVE-2024-35973, CVE-2024-35972, CVE-2024-35954, CVE-2024-35971, CVE-2024-35970, CVE-2024-35969, CVE-2024-35967, CVE-2024-35962, CVE-2024-35953, CVE-2024-35952, CVE-2024-35950, CVE-2024-35951, CVE-2024-26923, CVE-2024-36023, CVE-2024-35941, CVE-2024-35946, CVE-2024-35945, CVE-2024-35944, CVE-2024-35943, CVE-2024-35942, CVE-2024-35925, CVE-2024-35924, CVE-2024-35923, CVE-2024-35922, CVE-2024-35921, CVE-2024-35920, CVE-2024-35940, CVE-2024-35939, CVE-2024-35938, CVE-2024-35937, CVE-2024-35919, CVE-2024-35936, CVE-2024-35935, CVE-2024-35934, CVE-2024-35933, CVE-2024-35932, CVE-2024-35930, CVE-2024-35929, CVE-2024-35928, CVE-2024-35927, CVE-2023-52699, CVE-2024-35918, CVE-2024-26817, CVE-2024-36021, CVE-2024-36020, CVE-2024-36018, CVE-2024-36019, CVE-2024-35910, CVE-2024-35917, CVE-2024-35916, CVE-2024-35915, CVE-2024-35912, CVE-2024-35911, CVE-2024-35890, CVE-2024-35888, CVE-2024-35887, CVE-2024-35886, 
CVE-2024-35885, CVE-2024-35884, CVE-2024-35909, CVE-2024-35908, CVE-2024-35907, CVE-2024-35905, CVE-2024-35904, CVE-2024-35903, CVE-2024-35902, CVE-2024-35901, CVE-2024-35883, CVE-2024-35900, CVE-2024-35899, CVE-2024-35898, CVE-2024-35897, CVE-2024-35896, CVE-2024-35895, CVE-2024-35893, CVE-2024-35892, CVE-2024-35891, CVE-2024-35882, CVE-2024-35860, CVE-2024-35868, CVE-2024-35867, CVE-2024-35866, CVE-2024-35865, CVE-2024-35864, CVE-2024-35863, CVE-2024-35880, CVE-2024-35862, CVE-2024-35879, CVE-2024-35878, CVE-2024-35877, CVE-2024-35876, CVE-2024-35875, CVE-2024-35872, CVE-2024-35871, CVE-2024-35861, CVE-2024-35799, CVE-2024-27393, CVE-2024-27080, CVE-2024-26928, CVE-2024-26925, CVE-2024-26921, CVE-2024-27055, CVE-2023-52671, CVE-2024-35826, CVE-2024-35824, CVE-2024-35825, CVE-2024-35804, CVE-2024-35803, CVE-2024-35802, CVE-2024-35801, CVE-2024-35800, CVE-2024-35798, CVE-2024-35823, CVE-2024-35822, CVE-2024-35821, CVE-2024-35819, CVE-2024-35818, CVE-2024-35817, CVE-2024-35816, CVE-2024-35815, CVE-2024-35797, CVE-2024-35814, CVE-2024-35813, CVE-2024-35812, CVE-2024-35811, CVE-2024-35810, CVE-2024-35809, CVE-2024-35807, CVE-2024-35806, CVE-2024-35805, CVE-2024-35795, CVE-2024-35796, CVE-2024-35792, CVE-2024-35791, CVE-2024-35790, CVE-2024-35789, CVE-2024-35787, CVE-2024-35786, CVE-2024-35784, CVE-2024-35785, CVE-2024-27063, CVE-2024-27062, CVE-2024-27061, CVE-2024-27058, CVE-2024-27059, CVE-2024-26965, CVE-2024-26974, CVE-2024-26973, CVE-2024-26971, CVE-2024-26970, CVE-2024-26969, CVE-2024-26968, CVE-2024-26979, CVE-2024-26978, CVE-2024-26977, CVE-2024-26976, CVE-2024-26975, CVE-2024-26966, CVE-2024-26937, CVE-2024-26935, CVE-2024-26934, CVE-2024-26933, CVE-2024-26931, CVE-2024-26964, CVE-2024-26963, CVE-2024-26961, CVE-2024-26960, CVE-2024-26959, CVE-2024-26958, CVE-2024-26930, CVE-2024-26957, CVE-2024-26956, CVE-2024-26955, CVE-2024-26953, CVE-2024-26951, CVE-2024-26950, CVE-2024-26929, CVE-2024-26947, CVE-2024-26946, CVE-2024-26943, CVE-2024-26940, CVE-2024-26938, 
CVE-2023-52647, CVE-2023-52648, CVE-2024-27437, CVE-2024-26814, CVE-2024-26813, CVE-2024-26810, CVE-2024-26812)
- binutils (CVE-2023-1972)
- c-ares (CVE-2024-25629)
- coreutils (coreutils-2024-03-28, CVE-2024-0684)
- curl (CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466, CVE-2023-46218, CVE-2023-46219)
- expat (CVE-2023-52425, CVE-2024-28757)
- gcc (CVE-2023-4039)
- glibc (CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602, CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780)
- gnupg (gnupg-2024-01-25)
- gnutls (CVE-2024-28834, CVE-2024-28835, CVE-2023-5981, CVE-2024-0567, CVE-2024-0553)
- intel-microcode (CVE-2023-22655, CVE-2023-28746, CVE-2023-38575, CVE-2023-39368, CVE-2023-43490, CVE-2023-23583)
- less (CVE-2024-32487)
- libuv (CVE-2024-24806)
- libxml2 (CVE-2024-25062, CVE-2023-45322)
- nghttp2 (CVE-2024-28182)
- openssl (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237, CVE-2024-0727)
- sudo (CVE-2023-42465)
- traceroute (CVE-2023-46316)
- vim (CVE-2023-48231, CVE-2023-48232, CVE-2023-48233, CVE-2023-48234, CVE-2023-48235, CVE-2023-48236, CVE-2023-48237, CVE-2023-48706, CVE-2023-5344, CVE-2023-5441, CVE-2023-5535, CVE-2023-46246)
- SDK: dnsmasq (CVE-2023-28450, CVE-2023-50387, CVE-2023-50868)
- SDK: perl (CVE-2023-47038, CVE-2023-3817, CVE-2023-5363, CVE-2023-5678)
- SDK: python (CVE-2023-6597, CVE-2024-0450, gh-81194, gh-113659, gh-102388, gh-114572, gh-115243)
Bug fixes:
- Fixed issue file generation from ‘/etc/issue.d’ (scripts#2018)
- Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages (ue-rs#49)
- Fixed KubeVirt VM creation by ensuring that /dev/vhost-net exists (Flatcar#1336)
- Hetzner: Fixed duplicated prefix in the Afterburn metadata (scripts#2141)
- Removed the custom CloudSigma coreos-cloudinit service configuration, since the service is called with the cloudsigma OEM anyway. Restarting the service can also leave the serial port stuck in a nondeterministic state, which breaks future runs.
- Resolved kmod static nodes creation in bootengine (bootengine#85)
Changes:
- Added zram-generator package to the image (scripts#1772)
- A new format, qemu_uefi_secure, is introduced to test Flatcar for SecureBoot-enabled features. The format will later be merged into qemu_uefi.
- Added Intel igc driver to support I225/I226 family NICs. (flatcar/scripts#1786)
- Added Hetzner images (flatcar/scripts#1880)
- Added Hyper-V VHDX image (flatcar/scripts#1791)
- Added Ignition Clevis support for encrypted disks unlocked with a TPM2 device or a Tang server (scripts#1560)
- Added KubeVirt qcow2 image for amd64/arm64 (flatcar/scripts#1962)
- Added Scaleway images (flatcar/scripts#1683)
- Added support for unlocking the rootfs with a TPM set up by systemd-cryptenroll (bootengine#93)
- Backported systemd-sysext mutable overlays functionality from yet-unreleased systemd v256. (flatcar/scripts#1753)
- Enabled amd-pstate,amd-pstate-epp cpufreq drivers for some AMD CPUs in the kernel. (flatcar/scripts#1770)
- Enabled ntpd by default on AWS & GCP, enabled chronyd by default on Azure. The native time sync source is used on each cloud. (scripts#1792)
- Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI (scripts#1861)
- Enabled the ptp_vmw module in the kernel.
- Hetzner: Added `COREOS_HETZNER_PRIVATE_IPV4_0` Afterburn attribute for Hetzner private IPs (scripts#2141)
- Hyper-V images, both .vhd and .vhdx files, are available `zip` compressed, switching from `bzip2` to a compression format with built-in Windows support - `zip` (scripts#1878)
- OpenStack, Brightbox: Added the `flatcar.autologin` kernel cmdline parameter by default as the hypervisor manages access to the console (scripts#1866)
- Provided a Podman Flatcar extension as optional systemd-sysext image with the release. Write ‘podman’ to `/etc/flatcar/enabled-sysext.conf` through Ignition and the sysext will be installed during provisioning (scripts#1964)
- OpenStack: Changed metadata hostname source order. The service first tries the config drive, then falls back to the metadata service. (bootengine#96)
- Provided a ZFS-2.2.2 Flatcar extension as optional systemd-sysext image with the release. Write ‘zfs’ to `/etc/flatcar/enabled-sysext.conf` through Ignition and the sysext will be installed during provisioning. ZFS support is experimental and ZFS is not supported for the root partition. (flatcar/scripts#1742)
- Removed Linux drivers for Mellanox Technologies Switch ASICs family and Spectrum/Spectrum-2/Spectrum-3/Spectrum-4 Ethernet Switch ASICs to reduce the initrd size on AMD64 by ~5MB (flatcar/scripts#1734). This change is part of the effort to reduce the initrd size (Flatcar#1381).
- Removed `actool` from the image and `acbuild` from the SDK as these tools are deprecated and not used (scripts#1817)
- Scaleway: images are now provided directly as `.qcow2` to ease the import on Scaleway (scripts#1953)
- Switched ptp_kvm from kernel builtin to module.
- The default VM memory was bumped to 2 GB in the Qemu script and for VMware OVFs
- Updated the SLSA provenance generation from v0.2 to v1.0.
- Removed coreos-cloudinit support for automatic keys conversion (e.g. `reboot-strategy` -> `reboot_strategy`) (scripts#1687)
Updates:
- Linux (6.6.43 (includes 6.6.42, 6.6.41, 6.6.40, 6.6.39, 6.6.38, 6.6.37, 6.6.36, 6.6.35, 6.6.34, 6.6.33, 6.6.32, 6.6.31, 6.6.30, 6.6.29, 6.6.28, 6.6.27, 6.6.26, 6.6.25, 6.6.24, 6.6.23, 6.6.22, 6.6.21, 6.6.20, 6.6.19, 6.6.18, 6.6.17, 6.6.16, 6.6.15, 6.6.14, 6.6.13, 6.6.12, 6.6.11, 6.6.10, 6.6.9, 6.6.8, 6.6.7, 6.6))
- Linux Firmware (20240513 (includes 20240410, 20240312, 20240220, 20240115, 20231211))
- Go (1.20.14 (includes 1.20.13))
- Ignition (2.18.0 (includes 2.17.0, 2.16.2, 2.16.1 and 2.16.0))
- acl (2.3.2)
- afterburn (5.5.1)
- attr (2.5.2)
- audit (3.1.1)
- bash (5.2_p21)
- bind-tools (9.16.48)
- binutils (2.41)
- bpftool (6.7.6 (includes 6.5.7))
- c-ares (1.27.0 (includes 1.26.0, 1.25.0, 1.21.0))
- cJSON (1.7.17)
- ca-certificates (3.103 (includes 3.102, 3.102.1, 3.101.1))
- checkpolicy (3.6)
- containerd (1.7.17 (includes 1.7.16, 1.7.15, 1.7.14, 1.7.13, 1.7.12, 1.7.11))
- coreutils (9.5 (includes 9.4))
- curl (8.7.1 (includes 8.7.0, 8.6.0, 8.5.0))
- docker (24.0.9)
- elfutils (0.190)
- ethtool (6.7 (includes 6.6))
- expat (2.6.2 (includes 2.6.1 and 2.6.0))
- gawk (5.3.0)
- gentoolkit (0.6.3)
- gettext (0.22.4)
- git (2.43.2 (includes 2.43.0, 2.42.0))
- glib (2.78.3)
- glibc (2.38)
- gnupg (2.4.4 (includes 2.2.42))
- gnutls (3.8.5 (includes 3.8.4, 3.8.2))
- groff (1.23.0)
- hwdata (0.376)
- inih (58)
- intel-microcode (20240312 (includes 20231114_p20231114))
- iperf (3.16)
- iproute2 (6.6.0)
- ipset (7.21 (includes 7.20, 7.19))
- iputils (20240117 (includes 20231222))
- jq (1.7.1 (includes 1.7))
- kbd (2.6.4)
- kmod (31)
- less (643)
- libarchive (3.7.2)
- libbsd (0.11.8)
- libcap-ng (0.8.4)
- libdnet (1.16.4)
- libgcrypt (1.10.3)
- libidn2 (2.3.7 (includes 2.3.4))
- libksba (1.6.6 (includes 1.6.5))
- libnsl (2.0.1)
- libnvme (1.8 (includes 1.7.1, 1.7))
- libpng (1.6.43 (includes 1.6.42 and 1.6.41))
- libpsl (0.21.5)
- libseccomp (2.5.5)
- libselinux (3.6)
- libsemanage (3.6)
- libsepol (3.6)
- libunistring (1.2)
- libuv (1.48.0 (includes 1.47.0))
- libverto (0.3.2)
- libxml2 (2.12.5 (includes 2.12.4))
- libxslt (1.1.39)
- lsof (4.99.3 (includes 4.99.2, 4.99.1, 4.99.0))
- lz4 (1.9.4)
- mime-types (2.1.54)
- multipath-tools (0.9.7)
- nghttp2 (1.61.0 (includes 1.58.0, 1.59.0 and 1.60.0))
- nvme-cli (2.8 (includes 2.7.1, 2.7))
- openssl (3.2.1 (includes 3.0.12))
- policycoreutils (3.6)
- readline (8.2_p7)
- runc (1.1.12)
- samba (4.18.9)
- selinux-base (2.20231002)
- selinux-base-policy (2.20231002)
- selinux-container (2.20231002)
- selinux-dbus (2.20231002)
- selinux-refpolicy (2.20240226)
- selinux-sssd (2.20231002)
- selinux-unconfined (2.20231002)
- semodule-utils (3.6)
- shim (15.8)
- sqlite (3.45.1 (includes 3.44.2))
- strace (6.6)
- sudo (1.9.15p5)
- systemd (255.4 (includes 255.3))
- thin-provisioning-tools (1.0.10)
- traceroute (2.1.5 (includes 2.1.4, 2.1.3))
- usbutils (017 (includes 016))
- util-linux (2.39.3 (includes 2.39.2))
- vim (9.0.2167 (includes 9.0.2092))
- whois (5.5.20)
- xmlsec (1.3.3 (includes 1.3.2))
- xz-utils (5.4.6 (includes 5.4.5))
- zlib (1.3)
- SDK: make (4.4.1 (includes 4.4))
- SDK: perl (5.38.2)
- SDK: portage (3.0.61 (includes 3.0.59))
- SDK: python (3.11.9 (includes 3.11.8, 3.11.7))
- SDK: qemu (8.1.5)
- SDK: repo (2.37)
- SDK: Rust (1.77.2 (includes 1.77.1, 1.77.0, 1.76.0, 1.75.0, 1.74.1))
- VMware: open-vm-tools (12.4.0)
Changes since Beta 3975.1.1
Bug fixes:
- Hetzner: Fixed duplicated prefix in the Afterburn metadata (scripts#2141)
Changes:
- Hetzner: Added
COREOS_HETZNER_PRIVATE_IPV4_0
Afterburn attribute for Hetzner private IPs (scripts#2141)
Updates:
docker - 24.0.9
ignition - 2.15.0
kernel - 6.1.96
systemd - 252
docker - 24.0.9
ignition - 2.15.0
kernel - 6.1.95
systemd - 252
Changes since Stable 3815.2.3
Changes:
- Added azure-nvme-utils to the image, which is used by udev to create symlinks for NVMe disks on Azure v6 instances under /dev/disk/azure/. (scripts#1950)
Updates:
docker - 24.0.9
ignition - 2.15.0
kernel - 6.1.85
systemd - 252
Changes since Stable 3815.2.1
Security fixes:
- Linux (CVE-2023-28746, CVE-2023-47233, CVE-2023-52639, CVE-2023-6270, CVE-2023-7042, CVE-2024-22099, CVE-2024-23307, CVE-2024-24861, CVE-2024-26584, CVE-2024-26585, CVE-2024-26642, CVE-2024-26651, CVE-2024-26654, CVE-2024-26659, CVE-2024-26686, CVE-2024-26700, CVE-2024-26809)
- Downgraded xz-utils to 5.4.2 as a precaution, even though Flatcar is not affected by the SSH backdoor (CVE-2024-3094)
- openssh (CVE-2023-48795, CVE-2023-51384, CVE-2023-51385)
Bug fixes:
- Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via ignition. (Flatcar#1385)
- Fixed `toolbox` to prevent mounted `ctr` snapshots from being garbage-collected (toolbox#9)
Changes:
- Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. (scripts#1771)
- SDK: Unified qemu image formats, so that the `qemu_uefi` build target provides the regular `qemu` and the `qemu_uefi_secure` artifacts (scripts#1847)
Updates:
docker - 24.0.9
ignition - 2.15.0
kernel - 6.1.81
systemd - 252
Changes since Stable 3815.2.0
Security fixes:
- Linux (CVE-2023-52429, CVE-2023-52434, CVE-2023-52435, CVE-2024-0340, CVE-2024-1151, CVE-2024-23850, CVE-2024-23851, CVE-2024-26582, CVE-2024-26583, CVE-2024-26586, CVE-2024-26593)
Bug fixes:
- Fixed that systemd-sysext images can extend directories where Flatcar extensions are also shipping files, e.g., that the sysext-bakery Kubernetes extension works when OEM extensions are present (sysext-bakery#50)
- Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages in an airgapped environment (update_engine#39)
- Restored support for custom OEMs supplied in the PXE boot where `/usr/share/oem` brings the OEM partition contents (Flatcar#1376)
Changes:
Updates:
docker - 24.0.9
ignition - 2.15.0
kernel - 6.1.77
systemd - 252
Changes since Stable 3760.2.0
Security fixes:
- Linux (CVE-2023-46838, CVE-2023-50431, CVE-2023-6610, CVE-2023-6915, CVE-2024-1085, CVE-2024-1086, CVE-2024-23849)
- Go (CVE-2023-39326, CVE-2023-45285)
- VMWare: open-vm-tools (CVE-2023-34058, CVE-2023-34059)
- docker (CVE-2024-24557)
- nghttp2 (CVE-2023-44487)
- runc (CVE-2024-21626)
- samba (CVE-2023-4091)
- zlib (CVE-2023-45853)
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Forwarded the proxy environment variables of `update-engine.service` to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
- Set the TTY used for fetching server_context to RAW mode before running cloudinit on CloudSigma (scripts#1280)
Changes:
- torcx was replaced by systemd-sysext in the OS image. Learn more about sysext and how to customise OS images here.
  - Torcx entered deprecation 2 years ago in favour of deploying plain Docker binaries (which is now also a legacy option because systemd-sysext offers a more robust and better structured way of customisation, including OS independent updates).
  - Torcx has been removed entirely; if you use torcx to extend the Flatcar base OS image, please refer to our conversion script and to the sysext documentation mentioned above for migrating.
  - Consequently, `update_engine` will not perform torcx sanity checks post-update anymore.
  - Relevant changes: scripts#1216, update_engine#30, Mantle#466, Mantle#465.
- NOTE: The docker btrfs storage driver has been de-prioritised; BTRFS backed storage will now default to the `overlay2` driver (changelog, upstream pr).
  - NOTE: If you are already using btrfs-backed Docker storage and are upgrading to this new version, Docker will automatically use the `btrfs` storage driver for backwards-compatibility with your deployment.
  - Docker will remove the `btrfs` driver entirely in a future version. Please consider migrating your deployments to the `overlay2` driver. Using the btrfs driver can still be enforced by creating a respective docker config at `/etc/docker/daemon.json`.
- cri-tools, runc, containerd, docker, and docker-cli are now built from Gentoo upstream ebuilds. Docker received a major version upgrade - it was updated to Docker 24 (from Docker 20; see “updates”).
- GCP OEM images now use a systemd-sysext image for layering additional platform-specific software on top of `/usr` and being part of the OEM A/B updates (flatcar#1146)
- Added a `flatcar-update --oem-payloads <yes|no>` flag to skip providing OEM payloads, e.g., for downgrades (init#114)
Updates:
- Linux (6.1.77 (includes 6.1.76, 6.1.75, 6.1.74))
- Linux Firmware (20231111 (includes 20231030))
- Go (1.20.12)
- Azure: WALinuxAgent (v2.9.1.1)
- DEV: Azure (3.11.6)
- DEV: iperf (3.15)
- DEV: smartmontools (7.4)
- SDK: Rust (1.73.0)
- SDK: Python (3.11.0 (includes 23.2))
- VMWare: open-vm-tools (12.3.5)
- acpid (2.0.34)
- ca-certificates (3.97)
- containerd (1.7.9 (includes 1.7.8, 1.7.13, 1.7.10))
- cri-tools (1.27.0)
- ding-libs (0.6.2)
- docker (24.0.9 (includes 24.0.6, 23.0))
- efibootmgr (18)
- efivar (38)
- ethtool (6.5)
- hwdata (v0.375 (includes 0.374))
- iproute2 (6.5.0)
- ipvsadm (1.31 (includes 1.30, 1.29, 1.28))
- json-c (0.17)
- libffi (3.4.4 (includes 3.4.3, 3.4.2))
- liblinear (246)
- libmnl (1.0.5)
- libnetfilter_conntrack (1.0.9)
- libnetfilter_cthelper (1.0.1)
- libnetfilter_cttimeout (1.0.1)
- libnfnetlink (1.0.2)
- libsodium (1.0.19)
- libunistring (1.1)
- libunwind (1.7.2 (includes 1.7.0))
- liburing (2.3)
- mpc (1.3.1 (includes 1.3.0))
- mpfr (4.2.1)
- nghttp2 (1.57.0 (includes 1.56.0, 1.55.1, 1.55.0, 1.54.0, 1.53.0, 1.52.0))
- nspr (4.35)
- ntp (4.2.8p17)
- nvme-cli (v2.6 (includes v1.6))
- protobuf (21.12 (includes 21.11, 21.10))
- runc (1.1.12)
- samba (4.18.8)
- sqlite (3.43.2)
- squashfs-tools (4.6.1 (includes 4.6))
- thin-provisioning-tools (1.0.6)
Changes since Beta 3815.1.0
Security fixes:
- Linux (CVE-2023-46838, CVE-2023-50431, CVE-2023-6610, CVE-2023-6915, CVE-2024-1085, CVE-2024-1086, CVE-2024-23849)
- docker (CVE-2024-24557)
- runc (CVE-2024-21626)
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Forwarded the proxy environment variables of `update-engine.service` to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
Changes:
- Added a `flatcar-update --oem-payloads <yes|no>` flag to skip providing OEM payloads, e.g., for downgrades (init#114)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 6.1.73
systemd - 252
⚠️ From Alpha 3794.0.0 Torcx has been removed - please make sure that you don’t rely on any Torcx-specific mechanism and use systemd-sysext instead. See here for more information.
Changes since Stable-3602.2.3
Security fixes
- Linux (CVE-2023-7192 (includes CVE-2023-6932, CVE-2023-6931, CVE-2023-6817, CVE-2023-6622, CVE-2023-6606, CVE-2023-6546, CVE-2023-6531, CVE-2023-6176, CVE-2023-6121, CVE-2023-5717, CVE-2023-5345, CVE-2023-5197, CVE-2023-51782, CVE-2023-51781, CVE-2023-51780, CVE-2023-51779, CVE-2023-5158, CVE-2023-5090, CVE-2023-4921, CVE-2023-46862, CVE-2023-46813, CVE-2023-4623, CVE-2023-45871, CVE-2023-45863, CVE-2023-45862, CVE-2023-4569, CVE-2023-4459, CVE-2023-44466, CVE-2023-4394, CVE-2023-4389, CVE-2023-4387, CVE-2023-4385, CVE-2023-42755, CVE-2023-42754, CVE-2023-42753, CVE-2023-42752, CVE-2023-4273, CVE-2023-4244, CVE-2023-4208, CVE-2023-4207, CVE-2023-4206, CVE-2023-4155, CVE-2023-4147, CVE-2023-4132, CVE-2023-40283, CVE-2023-4015, CVE-2023-4004, CVE-2023-39198, CVE-2023-39197, CVE-2023-39194, CVE-2023-39193, CVE-2023-39192, CVE-2023-39189, CVE-2023-3867, CVE-2023-3866, CVE-2023-3865, CVE-2023-3863, CVE-2023-38432, CVE-2023-38431, CVE-2023-38430, CVE-2023-38429, CVE-2023-38428, CVE-2023-38427, CVE-2023-38426, CVE-2023-38409, CVE-2023-3812, CVE-2023-3777, CVE-2023-3776, CVE-2023-3773, CVE-2023-3772, CVE-2023-3611, CVE-2023-3610, CVE-2023-3609, CVE-2023-35829, CVE-2023-35828, CVE-2023-35827, CVE-2023-35826, CVE-2023-35824, CVE-2023-35823, CVE-2023-35788, CVE-2023-3567, CVE-2023-35001, CVE-2023-3439, CVE-2023-34324, CVE-2023-34319, CVE-2023-34256, CVE-2023-33952, CVE-2023-33951, CVE-2023-3390, CVE-2023-3359, CVE-2023-3358, CVE-2023-3357, CVE-2023-3355, CVE-2023-33288, CVE-2023-33203, CVE-2023-3269, CVE-2023-3268, CVE-2023-32269, CVE-2023-32258, CVE-2023-32257, CVE-2023-32254, CVE-2023-32252, CVE-2023-32250, CVE-2023-32248, CVE-2023-32247, CVE-2023-32233, CVE-2023-3220, CVE-2023-3212, CVE-2023-3161, CVE-2023-3159, CVE-2023-31436, CVE-2023-3141, CVE-2023-31248, CVE-2023-3111, CVE-2023-31085, CVE-2023-3090, CVE-2023-30772, CVE-2023-30456, CVE-2023-3006, CVE-2023-2985, CVE-2023-2898, CVE-2023-28866, CVE-2023-28466, CVE-2023-28410, CVE-2023-28328, CVE-2023-28327, 
CVE-2023-26607, CVE-2023-26606, CVE-2023-26545, CVE-2023-26544, CVE-2023-25775, CVE-2023-2513, CVE-2023-25012, CVE-2023-2430, CVE-2023-23559, CVE-2023-23455, CVE-2023-23454, CVE-2023-23002, CVE-2023-23001, CVE-2023-22999, CVE-2023-22998, CVE-2023-22997, CVE-2023-22996, CVE-2023-2269, CVE-2023-2236, CVE-2023-2235, CVE-2023-2194, CVE-2023-2177, CVE-2023-2166, CVE-2023-2163, CVE-2023-2162, CVE-2023-2156, CVE-2023-21255, CVE-2023-2124, CVE-2023-21106, CVE-2023-21102, CVE-2023-20938, CVE-2023-20928, CVE-2023-20593, CVE-2023-20588, CVE-2023-20569, CVE-2023-2019, CVE-2023-2008, CVE-2023-2006, CVE-2023-2002, CVE-2023-1998, CVE-2023-1990, CVE-2023-1989, CVE-2023-1872, CVE-2023-1859, CVE-2023-1855, CVE-2023-1838, CVE-2023-1829, CVE-2023-1670, CVE-2023-1652, CVE-2023-1637, CVE-2023-1611, CVE-2023-1583, CVE-2023-1582, CVE-2023-1513, CVE-2023-1382, CVE-2023-1380, CVE-2023-1281, CVE-2023-1249, CVE-2023-1206, CVE-2023-1194, CVE-2023-1193, CVE-2023-1192, CVE-2023-1118, CVE-2023-1095, CVE-2023-1079, CVE-2023-1078, CVE-2023-1077, CVE-2023-1076, CVE-2023-1075, CVE-2023-1074, CVE-2023-1073, CVE-2023-1032, CVE-2023-0615, CVE-2023-0590, CVE-2023-0469, CVE-2023-0468, CVE-2023-0461, CVE-2023-0459, CVE-2023-0458, CVE-2023-0394, CVE-2023-0386, CVE-2023-0266, CVE-2023-0210, CVE-2023-0179, CVE-2023-0160, CVE-2023-0045, CVE-2022-48619, CVE-2022-48502, CVE-2022-48425, CVE-2022-48424, CVE-2022-48423, CVE-2022-4842, CVE-2022-47943, CVE-2022-47942, CVE-2022-47941, CVE-2022-47940, CVE-2022-47939, CVE-2022-47938, CVE-2022-47929, CVE-2022-47521, CVE-2022-47520, CVE-2022-47519, CVE-2022-47518, CVE-2022-4662, CVE-2022-45934, CVE-2022-45919, CVE-2022-45887, CVE-2022-45886, CVE-2022-45869, CVE-2022-43945, CVE-2022-4382, CVE-2022-4379, CVE-2022-4378, CVE-2022-43750, CVE-2022-42896, CVE-2022-42895, CVE-2022-42722, CVE-2022-42721, CVE-2022-42720, CVE-2022-42719, CVE-2022-42703, CVE-2022-4269, CVE-2022-42432, CVE-2022-42329, CVE-2022-42328, CVE-2022-41858, CVE-2022-41850, CVE-2022-41849, CVE-2022-41674, 
CVE-2022-4139, CVE-2022-4128, CVE-2022-41218, CVE-2022-40982, CVE-2022-4095, CVE-2022-40768, CVE-2022-40307, CVE-2022-40133, CVE-2022-3977, CVE-2022-39190, CVE-2022-39189, CVE-2022-3910, CVE-2022-38457, CVE-2022-3707, CVE-2022-36946, CVE-2022-36879, CVE-2022-3649, CVE-2022-3646, CVE-2022-3643, CVE-2022-3640, CVE-2022-3635, CVE-2022-3630, CVE-2022-3629, CVE-2022-36280, CVE-2022-3628, CVE-2022-3625, CVE-2022-3623, CVE-2022-3621, CVE-2022-3619, CVE-2022-36123, CVE-2022-3595, CVE-2022-3594, CVE-2022-3586, CVE-2022-3577, CVE-2022-3565, CVE-2022-3564, CVE-2022-3543, CVE-2022-3541, CVE-2022-3534, CVE-2022-3526, CVE-2022-3524, CVE-2022-3521, CVE-2022-34918, CVE-2022-34495, CVE-2022-34494, CVE-2022-3435, CVE-2022-3424, CVE-2022-33981, CVE-2022-33744, CVE-2022-33743, CVE-2022-33742, CVE-2022-33741, CVE-2022-33740, CVE-2022-3344, CVE-2022-3303, CVE-2022-32981, CVE-2022-3239, CVE-2022-32296, CVE-2022-32250, CVE-2022-3202, CVE-2022-3169, CVE-2022-3115, CVE-2022-3113, CVE-2022-3112, CVE-2022-3111, CVE-2022-3110, CVE-2022-3108, CVE-2022-3107, CVE-2022-3105, CVE-2022-3104, CVE-2022-3078, CVE-2022-3077, CVE-2022-30594, CVE-2022-3028, CVE-2022-29968, CVE-2022-29901, CVE-2022-29900, CVE-2022-2978, CVE-2022-2977, CVE-2022-2964, CVE-2022-2959, CVE-2022-29582, CVE-2022-29581, CVE-2022-2938, CVE-2022-29156, CVE-2022-2905, CVE-2022-28893, CVE-2022-28796, CVE-2022-2873, CVE-2022-28390, CVE-2022-28389, CVE-2022-28388, CVE-2022-28356, CVE-2022-27950, CVE-2022-2785, CVE-2022-27672, CVE-2022-27666, CVE-2022-27223, CVE-2022-26966, CVE-2022-2663, CVE-2022-26490, CVE-2022-2639, CVE-2022-26373, CVE-2022-26365, CVE-2022-2602, CVE-2022-2590, CVE-2022-2588, CVE-2022-2586, CVE-2022-2585, CVE-2022-25636, CVE-2022-25375, CVE-2022-25258, CVE-2022-2503, CVE-2022-24959, CVE-2022-24958, CVE-2022-24448, CVE-2022-23960, CVE-2022-2380, CVE-2022-23222, CVE-2022-2318, CVE-2022-2308, CVE-2022-23042, CVE-2022-23041, CVE-2022-23040, CVE-2022-23039, CVE-2022-23038, CVE-2022-23037, CVE-2022-23036, CVE-2022-22942, 
CVE-2022-2196, CVE-2022-2153, CVE-2022-21505, CVE-2022-21499, CVE-2022-21166, CVE-2022-21125, CVE-2022-21123, CVE-2022-2078, CVE-2022-20572, CVE-2022-20566, CVE-2022-20423, CVE-2022-20422, CVE-2022-20421, CVE-2022-20369, CVE-2022-20368, CVE-2022-20158, CVE-2022-20008, CVE-2022-1998, CVE-2022-1976, CVE-2022-1975, CVE-2022-1974, CVE-2022-1973, CVE-2022-1943, CVE-2022-1882, CVE-2022-1852, CVE-2022-1789, CVE-2022-1734, CVE-2022-1729, CVE-2022-1679, CVE-2022-1671, CVE-2022-1652, CVE-2022-1651, CVE-2022-1516, CVE-2022-1462, CVE-2022-1353, CVE-2022-1263, CVE-2022-1205, CVE-2022-1204, CVE-2022-1199, CVE-2022-1198, CVE-2022-1184, CVE-2022-1158, CVE-2022-1055, CVE-2022-1048, CVE-2022-1016, CVE-2022-1015, CVE-2022-1012, CVE-2022-1011, CVE-2022-0995, CVE-2022-0847, CVE-2022-0742, CVE-2022-0617, CVE-2022-0516, CVE-2022-0500, CVE-2022-0494, CVE-2022-0492, CVE-2022-0487, CVE-2022-0435, CVE-2022-0433, CVE-2022-0382, CVE-2022-0330, CVE-2022-0185, CVE-2022-0168, CVE-2022-0002, CVE-2022-0001, CVE-2021-45469, CVE-2021-44879, CVE-2021-43976, CVE-2021-4197, CVE-2021-4155, CVE-2021-3923, CVE-2021-33655, CVE-2021-33135, CVE-2021-26401, CVE-2020-36516))
- Go (CVE-2023-39323, CVE-2023-39322, CVE-2023-39321, CVE-2023-39320, CVE-2023-39319, CVE-2023-39318, CVE-2023-29409, CVE-2023-29406, CVE-2023-29405, CVE-2023-29404, CVE-2023-29403, CVE-2023-29402)
- OpenSSL (CVE-2023-3446, CVE-2023-2975, CVE-2023-2650)
- Python (CVE-2023-41105, CVE-2023-40217)
- SDK: Rust (CVE-2023-38497)
- VMware: open-vm-tools (CVE-2023-20900, CVE-2023-20867)
- binutils (CVE-2023-1579, CVE-2022-4285, CVE-2022-38533)
- c-ares (CVE-2023-32067, CVE-2023-31147, CVE-2023-31130, CVE-2023-31124)
- curl (CVE-2023-38546, CVE-2023-38545, CVE-2023-38039, CVE-2023-28322, CVE-2023-28321, CVE-2023-28320, CVE-2023-28319)
- git (CVE-2023-29007, CVE-2023-25815, CVE-2023-25652)
- glibc (CVE-2023-4911, CVE-2023-4806, CVE-2023-4527)
- go (CVE-2023-39325)
- grub (CVE-2023-4693, CVE-2023-4692, CVE-2022-3775, CVE-2022-28737, CVE-2022-28736, CVE-2022-28735, CVE-2022-28734, CVE-2022-28733, CVE-2022-2601, CVE-2021-3981, CVE-2021-3697, CVE-2021-3696, CVE-2021-3695, CVE-2021-20233, CVE-2021-20225, CVE-2020-27779, CVE-2020-27749, CVE-2020-25647, CVE-2020-25632, CVE-2020-14372, CVE-2020-10713)
- intel-microcode (CVE-2023-23908, CVE-2022-41804, CVE-2022-40982)
- libarchive (libarchive-20230729)
- libcap (CVE-2023-2603, CVE-2023-2602)
- libmicrohttpd (CVE-2023-27371)
- libtirpc (libtirpc-rhbg-2224666, libtirpc-rhbg-2150611, libtirpc-rhbg-2138317)
- libxml2 (libxml2-20230428)
- lua (CVE-2022-33099)
- mit-krb5 (CVE-2023-36054)
- ncurses (CVE-2023-29491)
- nvidia-drivers (CVE-2023-25516, CVE-2023-25515)
- openldap (CVE-2023-2953)
- procps (CVE-2023-4016)
- protobuf (CVE-2022-1941)
- qemu (CVE-2023-2861, CVE-2023-0330)
- samba (CVE-2022-1615, CVE-2021-44142)
- shadow (CVE-2023-29383)
- sudo (CVE-2023-28487, CVE-2023-28486, CVE-2023-27320)
- torcx (CVE-2022-28948)
- vim (CVE-2023-2610, CVE-2023-2609, CVE-2023-2426)
Bug fixes
- AWS: Fixed the Amazon SSM agent that was crashing. (Flatcar#1307)
- Added AWS EKS support for versions 1.24-1.28. Fixed `/usr/share/amazon/eks/download-kubelet.sh` to include download paths for these versions. (scripts#1210)
- Fixed the RemainAfterExit clause in nvidia.service (Flatcar#1169)
- Fixed a bug resulting in coreos-cloudinit resetting the instance hostname to ‘localhost’ if no metadata could be found (coreos-cloudinit#25, Flatcar#1262), with contributions from MichaelEischer
- Fixed bug in handling renamed network interfaces when generating login issue (init#102)
- Fixed iterating over the OEM update payload signatures which prevented the AWS OEM update to 3745.x.y (update-engine#31)
- Fixed quotes handling for update-engine (Flatcar#1209)
- Fixed supplying extension update payloads with a custom base URL in Nebraska (Flatcar#1281)
- Fixed the missing `/etc/extensions/` symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 (update_engine#32)
- Fixed the postinstall hook failure when updating from Azure instances without OEM systemd-sysext images to Flatcar Alpha 3745.x.y (update_engine#29)
- GCP: Fixed OS Login enabling (scripts#1445)
- Made `sshkeys.service` more robust to only run [email protected] when not masked and also retry on failure (init#112)
Changes
- ⚠️ Dropped support for niftycloud and interoute. For interoute we haven’t been generating the images for some time already. (scripts#971) ⚠️
- AWS OEM images now use a systemd-sysext image for layering additional platform-specific software on top of `/usr`
- Added TLS Kernel module (scripts#865)
- Added support for multipart MIME userdata in coreos-cloudinit. Ignition now detects multipart userdata and delegates execution to coreos-cloudinit. (scripts#873)
- Azure and QEMU OEM images now use systemd-sysext images for layering additional platform-specific software on top of `/usr`. For Azure images this also means that the image has a normal Python installation available through the sysext image. The OEM software is still not updated but this will be added soon.
- Change nvidia.service to type oneshot (from the default “simple”) so the subsequent services (configured with “Requires/After”) are executed after the driver installation is successfully finished (flatcar/Flatcar#1136)
- Enabled the virtio GPU driver (scripts#830)
- Migrate to Type=notify in containerd.service. Changed the unit to Type=notify, utilizing the existing containerd support for sd_notify call after socket setup.
- Migrated the NVIDIA installer from the Azure/AWS OEM partition to `/usr` to make it available on all platforms (scripts#932, Flatcar#1077)
- Moved the mountpoint of the OEM partition from `/usr/share/oem` to `/oem`. `/usr/share/oem` became a symlink to `/oem` for backward compatibility. Despite the move, the initrd images providing files through `/usr/share/oem` should keep using `/usr/share/oem`. The move was done to enable activating the OEM sysext images that are placed in the OEM partition.
- OEM vendor tools are now A/B updated if they are shipped as systemd-sysext images; the migration happens when both partitions require a systemd-sysext OEM image. Note that this will delete the `nvidia.service` from `/etc` on Azure because it’s now part of `/usr` (Flatcar#60)
- Reworked the VMware OEM software to be shipped as A/B updated systemd-sysext image
- SDK: Experimental support for prefix builds to create distro independent, portable, self-contained applications w/ all dependencies included. With contributions from chewi and HappyTobi.
- Started shipping default ssh client and ssh daemon configs in `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config`, which include config snippets in `/etc/ssh/ssh_config.d` and `/etc/ssh/sshd_config.d`, respectively.
- The open-vm-tools package in VMware OEM now comes with vmhgfs-fuse, udev rules, pam and vgauth
- Updated locksmith to use non-deprecated resource control options in the systemd unit (Locksmith#20)
Updates
- Linux (6.1.73 (includes 6.1.72, 6.1.71, 6.1.70, 6.1.69, 6.1.68, 6.1.67, 6.1.66, 6.1.65, 6.1.64, 6.1.63, 6.1.62, 6.1.61, 6.1.60, 6.1.59, 6.1.58, 6.1.57, 6.1.56, 6.1.55, 6.1.54, 6.1.53, 6.1.52, 6.1.51, 6.1.50, 6.1.49, 6.1.48, 6.1.47, 6.1.46, 6.1.45, 6.1.44, 6.1.43, 6.1.42, 6.1.41, 6.1.40, 6.1.39, 6.1.38, 6.1.37, 6.1.36, 6.1.35, 6.1.34, 6.1.33, 6.1.32, 6.1.31, 6.1.30, 6.1.29, 6.1.28, 6.1.27, 6.1))
- Linux Firmware (20230919 (includes 20230804, 20230625, 20230515))
- AWS: amazon-ssm-agent (3.2.985.0)
- Go (1.20.9 (includes 1.20.8, 1.20.7, 1.20.6, 1.20.5, 1.20.4, 1.20.10, 1.19.13, 1.19.12, 1.19.11, 1.19.10))
- OpenSSL (3.0.9)
- SDK: Rust (1.72.1 (includes 1.72.0, 1.71.1, 1.71.0, 1.70.0))
- SDK: file (5.45)
- SDK: gnuconfig (20230731)
- SDK: libxslt (1.1.38)
- SDK: man-db (2.11.2)
- SDK: man-pages (6.03)
- SDK: pahole (1.25)
- SDK: perf (6.3)
- SDK: perl (5.36.1)
- SDK: portage (3.0.49 (includes 3.0.49, 3.0.46))
- SDK: python (3.11.5 (includes 3.11.3, 3.10.12, 3.10.11))
- SDK: qemu (8.0.4 (includes 8.0.3, 7.2.3))
- SDK: qemu-guest-agent (8.0.3 (includes 8.0.0))
- VMWARE: libdnet (1.16.2 (includes 1.16))
- VMware: open-vm-tools (12.3.0 (includes 12.2.5))
- XZ Utils (5.4.3)
- afterburn (5.5.0)
- bind-tools (9.16.42 (includes 9.16.41))
- binutils (2.40)
- bpftool (6.3)
- c-ares (1.19.1)
- cJSON (1.7.16)
- ca-certificates (3.96.1 (includes 3.96))
- checkpolicy (3.5)
- cifs-utils (7.0)
- containerd (1.7.7 (includes 1.7.6, 1.7.5, 1.7.4, 1.7.3, 1.7.2))
- coreutils (9.3 (includes 9.1))
- cryptsetup (2.6.1 (includes 2.6.0, 2.5.0))
- curl (8.4.0 (includes 8.3.0, 8.2.1, 8.2.0, 8.1.2, 8.1.0))
- debianutils (5.7)
- diffutils (3.10)
- elfutils (0.189)
- ethtool (6.4 (includes 6.3, 6.2))
- gawk (5.2.2)
- gcc (13.2)
- gdb (13.2)
- gdbm (1.23)
- git (2.41.0 (includes 2.39.3))
- glib (2.76.4 (includes 2.76.3, 2.76.2))
- glibc (2.37)
- gmp (6.3.0)
- gptfdisk (1.0.9)
- grep (3.8 (includes 3.11))
- grub (2.06)
- gzip (1.13)
- hwdata (0.373 (includes 0.372, 0.371, 0.367))
- inih (57 (includes 56))
- intel-microcode (20230808 (includes 20230613, 20230512))
- iperf (3.14)
- iproute2 (6.4.0 (includes 6.3.0, 6.2))
- ipset (7.17)
- kbd (2.6.1 (includes 2.6.0, 2.5.1))
- kexec-tools (2.0.24)
- kmod (30)
- ldb (2.4.4 (includes 2.4.3, 2.4.2))
- less (633 (includes 632))
- libarchive (3.7.1 (includes 3.7.0))
- libassuan (2.5.6)
- libbsd (0.11.7)
- libcap (2.69)
- libgcrypt (1.10.2 (includes 1.10.1))
- libgpg-error (1.47 (includes 1.46))
- libksba (1.6.4)
- libmd (1.1.0)
- libmicrohttpd (0.9.77 (includes 0.9.76))
- libnftnl (1.2.6 (includes 1.2.5))
- libnl (3.8.0)
- libnvme (1.5)
- libpcap (1.10.4)
- libpcre (8.45)
- libpipeline (1.5.7)
- libselinux (3.5)
- libsemanage (3.5)
- libsepol (3.5)
- libtirpc (1.3.4)
- libusb (1.0.26)
- libuv (1.46.0 (includes 1.45.0))
- libxml2 (2.11.5 (includes 2.11.4))
- lsof (4.98.0)
- lua (5.4.6 (includes 5.4.4))
- mit-krb5 (1.21.2)
- multipath-tools (0.9.5)
- ncurses (6.4)
- nettle (3.9.1)
- nmap (7.94)
- nvidia-drivers (535.104.05)
- nvme-cli (2.5 (includes 2.3))
- open-isns (0.102)
- openldap (2.6.4 (includes 2.6.3, 2.6, 2.5.14, 2.5))
- openssh (9.5p1 (includes 9.4p1))
- parted (3.6)
- pax-utils (1.3.7)
- pciutils (3.9.0 (includes 3.10.0))
- pigz (2.8)
- policycoreutils (3.5)
- popt (1.19)
- procps (4.0.4 (includes 4.0.3, 4.0.0))
- protobuf (21.9)
- psmisc (23.6)
- quota (4.09)
- rpcsvc-proto (1.4.4)
- runc (1.1.9 (includes 1.1.8))
- samba (4.18.4)
- sed (4.9)
- selinux-base (2.20221101)
- selinux-base-policy (2.20221101)
- selinux-container (2.20221101)
- selinux-sssd (2.20221101)
- selinux-unconfined (2.20221101)
- semodule-utils (3.5)
- smartmontools (7.3)
- sqlite (3.42.0)
- strace (6.4 (includes 6.3, 6.2))
- sudo (1.9.13p3)
- talloc (2.4.0 (includes 2.3.4))
- tar (1.35)
- tdb (1.4.8 (includes 1.4.7, 1.4.6))
- tevent (0.14.1 (includes 0.14.0, 0.13.0, 0.12.1, 0.12.0))
- usbutils (015)
- userspace-rcu (0.14.0)
- util-linux (2.38.1)
- vim (9.0.1678 (includes 9.0.1677, 9.0.1503))
- wget (1.21.4)
- whois (5.5.18 (includes 5.5.17))
- xfsprogs (6.4.0 (includes 6.3.0))
- zstd (1.5.5)
Changes since Beta-3760.1.1
Security fixes:
- Linux (CVE-2023-1193, CVE-2023-51779, CVE-2023-51780, CVE-2023-51781, CVE-2023-51782, CVE-2023-6531, CVE-2023-6606, CVE-2023-6622, CVE-2023-6817, CVE-2023-6931)
Bug fixes:
- AWS: Fixed the Amazon SSM agent that was crashing. (Flatcar#1307)
- Fixed a bug resulting in coreos-cloudinit resetting the instance hostname to ‘localhost’ if no metadata could be found (coreos-cloudinit#25, Flatcar#1262), with contributions from MichaelEischer
- Fixed supplying extension update payloads with a custom base URL in Nebraska (Flatcar#1281)
Updates
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.142
systemd - 252
Changes since Stable 3602.2.2
Security fixes:
- Linux (CVE-2023-46862, CVE-2023-6121)
Bug fixes:
- Deleted files in `/etc` that have a tmpfiles rule that normally would recreate them will now show up again through the `/etc` lowerdir (Flatcar#1265, bootengine#79)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.138
systemd - 252
Changes since Stable 3602.2.1
Security fixes:
- Linux (CVE-2023-46813, CVE-2023-5178, CVE-2023-5717)
Changes:
- Brightbox: The regular OpenStack image should now be used; it includes Afterburn for instance metadata attributes
- OpenStack: An uncompressed image is provided for simpler import (since the images use qcow2 inline compression, there is no benefit in using the `.gz` or `.bz2` images)
- linux kernel: added zstd support for squashfs kernel module (scripts#1297)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.136
systemd - 252
Changes since Stable 3602.2.0
Security fixes:
- Linux (CVE-2023-31085, CVE-2023-34324, CVE-2023-4244, CVE-2023-42754, CVE-2023-5197)
- curl (CVE-2023-38545, CVE-2023-38546)
Bug fixes:
- Disabled systemd-networkd’s RoutesToDNS setting by default to fix provisioning failures observed in VMs with multiple network interfaces on Azure (scripts#1206)
- Fixed a regression in Docker resulting in file permissions being dropped from exported container images. (scripts#1231)
Changes:
- To make Kubernetes work by default, /usr/libexec/kubernetes/kubelet-plugins/volume/exec is now a symlink to the writable folder /var/kubernetes/kubelet-plugins/volume/exec (Flatcar#1193)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.133
systemd - 252
Changes since Beta 3602.1.6
Security fixes:
- Linux (CVE-2023-42755)
Bug fixes:
- Triggered re-reading of partition table to fix adding partitions to the boot disk (scripts#1202)
Changes:
- Use qcow2 compressed format instead of additional compression layer in Qemu images (Flatcar#1135, scripts#1132)
Updates:
- Linux (5.15.133)
Changes compared to Stable 3510.2.8
Security fixes:
- Linux (CVE-2023-42752, CVE-2023-42753, CVE-2023-42755, CVE-2023-4623, CVE-2023-4921)
- Go (CVE-2023-24532, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725)
- bash (CVE-2022-3715)
- c-ares (CVE-2022-4904)
- containerd (CVE-2023-25153, CVE-2023-25173)
- curl (CVE-2023-23914, CVE-2023-23915 and CVE-2023-23916, CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27537, CVE-2023-27538)
- Docker (CVE-2023-28840, CVE-2023-28841, CVE-2023-28842)
- e2fsprogs (CVE-2022-1304)
- git (CVE-2023-22490, CVE-2023-23946)
- GnuTLS (CVE-2023-0361)
- intel-microcode (CVE-2022-21216, CVE-2022-33196, CVE-2022-38090)
- less (CVE-2022-46663)
- libxml2 (CVE-2023-28484, CVE-2023-29469)
- OpenSSH (CVE-2023-25136, CVE-2023-28531, CVE-2023-38408)
- OpenSSL (CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0286, CVE-2023-0401, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-1255)
- runc (CVE-2023-25809, CVE-2023-27561, CVE-2023-28642)
- tar (CVE-2022-48303)
- torcx (CVE-2022-32149)
- vim (CVE-2023-0288, CVE-2023-0433, CVE-2023-1127, CVE-2023-1175, CVE-2023-1170)
- SDK: dnsmasq (CVE-2022-0934)
- SDK: pkgconf (CVE-2023-24056)
- SDK: python (CVE-2023-24329)
Bug fixes:
- Ensured that /var/log/journal/ is created early enough for systemd-journald to persist the logs on first boot (bootengine#60, baselayout#29)
- Fixed journalctl --user permission issue (Flatcar#989)
- Ensured that the folder /var/log/sssd is created if it doesn’t exist, required for sssd.service (Flatcar#1096)
- Fixed a miscompilation of getfacl causing it to dump core when executed (scripts#809)
- Restored the reboot warning and delay for non-SSH console sessions (locksmith#21)
- Triggered re-reading of partition table to fix adding partitions to the boot disk (scripts#1202)
- Worked around a bash regression in flatcar-install and added error reporting for disk write failures (Flatcar#1059)
Changes:
- Added pigz to the image, a parallel gzip implementation, which is useful to speed up (de)compression for large container image imports/exports (coreos-overlay#2504)
- Added a new flatcar-reset tool and boot logic for selective OS resets to reconfigure the system with Ignition while avoiding config drift (bootengine#55, init#91)
- Enabled elfutils support in systemd-coredump. A backtrace will now appear in the journal for any program that dumps core (coreos-overlay#2489)
- Improved the OS reset tool to offer preview, backup and restore (init#94)
- On boot any files in /etc that are the same as provided by the booted /usr/share/flatcar/etc default for the overlay mount on /etc are deleted to ensure that future updates of /usr/share/flatcar/etc are propagated. To opt out, create /etc/.no-dup-update, in case you want to keep an unmodified config file as is, or because you fear that a future Flatcar version may use the same file as you, at which point your copy is cleaned up and any other future Flatcar changes would be applied (bootengine#54)
- Switched systemd log reporting to the combined format of both unit description, as before, and now the unit name to easily find the unit (coreos-overlay#2436)
- /etc is now set up as overlayfs with the original /etc folder being the store for changed files/directories and /usr/share/flatcar/etc providing the lower default directory tree (bootengine#53, scripts#666)
- Changed coreos-cloudinit to now set the short hostname instead of the FQDN when fetched from the metadata service (coreos-cloudinit#19)
- Use qcow2 compressed format instead of additional compression layer in Qemu images (Flatcar#1135, scripts#1132)
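The /etc de-duplication and its .no-dup-update opt-out described in the changes above, as an added example that is not Flatcar's bootengine code: a POSIX shell function that removes files in the overlay's /etc store that are byte-identical to the /usr/share/flatcar/etc default, and skips the whole tree when the marker exists. The two directories are passed as parameters so the demo runs against a constructed temporary tree rather than a live system.

```shell
#!/bin/sh
# Added example, not Flatcar's bootengine code: a model of the boot-time
# /etc clean-up. UPPER stands for the /etc store of the overlay and LOWER
# for the /usr/share/flatcar/etc default tree.
set -eu

# dedup_etc UPPER LOWER
# Removes every regular file in UPPER that is byte-identical to the file at
# the same relative path in LOWER, so the default shows through the overlay
# again and later updates of the default are picked up. Prints the relative
# path of each removed file. Does nothing when UPPER/.no-dup-update exists.
dedup_etc() {
    upper=$1
    lower=$2
    if [ -e "$upper/.no-dup-update" ]; then
        return 0
    fi
    # Only regular files are compared; symlinks, directories and files with
    # no counterpart in LOWER are left untouched, since they are local changes.
    find "$upper" -type f ! -name '.no-dup-update' | while IFS= read -r f; do
        rel=${f#"$upper"/}
        if [ -f "$lower/$rel" ] && cmp -s "$f" "$lower/$rel"; then
            rm -f "$f"
            printf '%s\n' "$rel"
        fi
    done
}

# build_tree DIR: constructs a sample overlay store and default tree under
# DIR (constructed sample content, not real Flatcar files).
build_tree() {
    mkdir -p "$1/etc/ssh" "$1/usr/share/flatcar/etc/ssh"
    # Unmodified copy of a default: a duplicate that should be cleaned up.
    printf 'PasswordAuthentication no\n' > "$1/usr/share/flatcar/etc/ssh/sshd_config"
    printf 'PasswordAuthentication no\n' > "$1/etc/ssh/sshd_config"
    # Locally changed file: differs from the default and must survive.
    printf 'localhost\n' > "$1/usr/share/flatcar/etc/hostname"
    printf 'node-a\n' > "$1/etc/hostname"
    # File with no default at all: must survive.
    printf 'x=1\n' > "$1/etc/local.conf"
}

# demo_dedup [optout]: runs dedup_etc on a fresh sample tree and prints the
# removed paths, or ERROR if a file that should have survived is gone.
# With the "optout" argument the marker file is created first.
demo_dedup() {
    tmp=$(mktemp -d)
    build_tree "$tmp"
    if [ "${1:-}" = optout ]; then
        touch "$tmp/etc/.no-dup-update"
    fi
    removed=$(dedup_etc "$tmp/etc" "$tmp/usr/share/flatcar/etc")
    if [ -f "$tmp/etc/hostname" ] && [ -f "$tmp/etc/local.conf" ]; then
        printf '%s' "$removed"
    else
        printf 'ERROR'
    fi
    rm -rf "$tmp"
}

demo_dedup
echo
```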
Updates:
- Linux (5.15.133 (includes 5.15.132, 5.15.131, 5.15.130, 5.15.129, 5.15.128, 5.15.127, 5.15.126, 5.15.125, 5.15.124, 5.15.123, 5.15.122, 5.15.121, 5.15.120, 5.15.119, 5.15.118, 5.15.117, 5.15.116, 5.15.115, 5.15.114, 5.15.113, 5.15.112, 5.15.111, 5.15.110, 5.15.109, 5.15.108, 5.15.107, 5.15.106, 5.15.105, 5.15.104, 5.15.103, 5.15.102, 5.15.101, 5.15.100, 5.15.99))
- Linux Firmware (20230404 (includes 20230310, 20230210))
- Go (1.19.9 (includes 1.19.8, 1.19.7, 1.19.6))
- bash (5.2)
- bind tools (9.16.37)
- bpftool (6.2.1)
- btrfs-progs (6.0.2 (includes 6.0))
- c-ares (1.19.0)
- containerd (1.6.21 (includes 1.6.20, 1.6.19, 1.6.18))
- curl (8.0.1 (includes 7.88.1, 7.88.0))
- diffutils (3.9)
- Docker (20.10.24)
- e2fsprogs (1.47.0 (includes 1.46.6))
- findutils (4.9.0)
- gcc (12.2.1)
- gdb (13.1.90)
- git (2.39.2)
- GLib (2.74.6 (includes 2.74.5))
- GnuTLS (3.8.0)
- ignition (2.15.0)
- intel-microcode (20230214)
- iperf (3.13)
- iputils (20221126)
- less (608)
- libarchive (3.6.2)
- libpcap (1.10.3 (includes 1.10.2))
- libpcre2 (10.42)
- libxml2 (2.10.4)
- multipath-tools (0.9.4)
- OpenSSH (9.3 (includes 9.2))
- OpenSSL (3.0.8)
- pinentry (1.2.1)
- qemu guest agent (7.1.0)
- readline (8.2)
- runc (1.1.7 (includes 1.1.6, 1.1.5))
- socat (1.7.4.4)
- sqlite (3.41.2)
- strace (6.1)
- traceroute (2.1.1)
- vim (9.0.1403 (includes 9.0.1363))
- XZ utils (5.4.2)
- Zstandard (1.5.4 (includes 1.5.2, 1.5.1 and 1.5.0))
- SDK: cmake (3.25.2)
- SDK: dnsmasq (2.89)
- SDK: pahole (1.24)
- SDK: portage (3.0.44)
- SDK: python (3.10.10 (includes 3.10.9, 3.10))
- SDK: Rust (1.68.2 (includes 1.68.0, 1.67.1))
- SDK: nano (7.2)
- VMware: open-vm-tools (12.2.0)
docker - 20.10.23
ignition - 2.14.0
kernel - 5.15.129
systemd - 252
Changes since Stable 3510.2.7
Security fixes:
- Linux (CVE-2023-20588, CVE-2023-3772, CVE-2023-40283, CVE-2023-4128, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4273, CVE-2023-4569)
Changes:
- Azure: Added support for Microsoft Azure Network Adapter (MANA) NICs (scripts#1131)
Updates:
docker - 20.10.23
ignition - 2.14.0
kernel - 5.15.125
systemd - 252
Changes since Stable 3510.2.6
Security fixes:
- Linux (CVE-2022-40982, CVE-2022-41804, CVE-2023-1206, CVE-2023-20569, CVE-2023-4004, CVE-2023-4147, CVE-2023-23908)
Bug fixes:
- Fixed the restart of systemd services when the main process is killed by a SIGHUP signal (flatcar#1157)
Updates:
docker - 20.10.23
ignition - 2.14.0
kernel - 5.15.122
systemd - 252
Changes since Stable 3510.2.5
Security fixes:
- Linux (CVE-2022-48502, CVE-2023-20593, CVE-2023-2898, CVE-2023-31248, CVE-2023-35001, CVE-2023-3611, CVE-2023-3776, CVE-2023-38432, CVE-2023-3863)
- linux-firmware (CVE-2023-20593)
Updates:
docker - 20.10.23
ignition - 2.14.0
kernel - 5.15.119
systemd - 252
Changes since Stable 3510.2.4
Security fixes:
- Linux (CVE-2023-3338, CVE-2023-3390)
Bug fixes:
- Resolved the conflicting FD usage of libselinux and systemd which caused, e.g., a systemd crash on certain watchdog interaction during shutdown (patch in systemd 252.11)
Updates:
docker - 20.10.23
ignition - 2.14.0
kernel - 5.15.117
systemd - 252
Changes since Stable 3510.2.3
Security fixes:
- Linux (CVE-2023-2124, CVE-2023-3212, CVE-2023-35788)
Changes:
- Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness (Flatcar#1082)
Updates:
docker - 20.10.23
ignition - 2.14.0
kernel - 5.15.113
systemd - 252
docker - 20.10.23
ignition - 2.14.0
kernel - 5.15.111
systemd - 252
Changes since Stable 3510.2.1
Updates:
docker - 20.10.23
ignition - 2.14.0
kernel - 5.15.106
systemd - 252
Changes since Stable 3510.2.0
Security fixes:
- Linux (CVE-2022-4269, CVE-2022-4379, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1118, CVE-2023-1611, CVE-2023-1670, CVE-2023-1829, CVE-2023-1855, CVE-2023-1989, CVE-2023-1990, CVE-2023-23004, CVE-2023-25012, CVE-2023-28466, CVE-2023-30456, CVE-2023-30772)
- nvidia-drivers (CVE-2022-31607, CVE-2022-31608, CVE-2022-31615, CVE-2022-34665, CVE-2022-34666, CVE-2022-34670, CVE-2022-34673, CVE-2022-34674, CVE-2022-34676, CVE-2022-34677, CVE-2022-34678, CVE-2022-34679, CVE-2022-34680, CVE-2022-34682, CVE-2022-34684, CVE-2022-42254, CVE-2022-42255, CVE-2022-42256, CVE-2022-42257, CVE-2022-42258, CVE-2022-42259, CVE-2022-42260, CVE-2022-42261, CVE-2022-42263, CVE-2022-42264, CVE-2022-42265)
Bug fixes:
- Fixed the broken emerge-gitclone in the dev-container owing to the missing migration action around the unification of the Flatcar core repositories
Changes:
- The package upgrade for nvidia-drivers might result in not supporting a few of the older NVIDIA Tesla GPUs. If you are facing issues, set NVIDIA_DRIVER_VERSION=460.106.00 in /etc/flatcar/nvidia-metadata
Updates:
docker - 20.10.23
ignition - 2.14.0
kernel - 5.15.98
systemd - 252
Changes since Stable 3374.2.5
Security fixes:
- Linux (CVE-2022-2196, CVE-2022-27672, CVE-2022-3707, CVE-2023-1078, CVE-2023-1281, CVE-2023-1513, CVE-2023-26545)
- bind tools (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)
- binutils (CVE-2022-38126, CVE-2022-38127)
- containerd (CVE-2022-23471)
- cpio (CVE-2021-38185)
- curl (CVE-2022-35252, CVE-2022-43551, CVE-2022-43552, CVE-2022-32221, CVE-2022-35260, CVE-2022-42915, CVE-2022-42916)
- dbus (CVE-2022-42010, CVE-2022-42011, CVE-2022-42012)
- git (CVE-2022-39253, CVE-2022-39260, CVE-2022-23521, CVE-2022-41903)
- glib (fixes to normal form handling in GVariant)
- Go (CVE-2022-41717)
- libarchive (CVE-2022-36227)
- libksba (CVE-2022-47629, CVE-2022-3515)
- libxml2 (CVE-2022-40303, CVE-2022-40304)
- logrotate (CVE-2022-1348)
- multipath-tools (CVE-2022-41973, CVE-2022-41974)
- sudo (CVE-2023-22809, CVE-2022-43995)
- systemd (CVE-2022-3821, CVE-2022-4415)
- vim (CVE-2023-0049, CVE-2023-0051, CVE-2023-0054, CVE-2022-3705, CVE-2022-3491, CVE-2022-3520, CVE-2022-3591, CVE-2022-4141, CVE-2022-4292, CVE-2022-4293, CVE-2022-1725, CVE-2022-3234, CVE-2022-3235, CVE-2022-3278, CVE-2022-3256, CVE-2022-3296, CVE-2022-3297, CVE-2022-3324, CVE-2022-3352, CVE-2022-2042, CVE-2022-2124, CVE-2022-2125, CVE-2022-2126, CVE-2022-2129, CVE-2022-2175, CVE-2022-2182, CVE-2022-2183, CVE-2022-2206, CVE-2022-2207, CVE-2022-2208, CVE-2022-2210, CVE-2022-2231, CVE-2022-2257, CVE-2022-2264, CVE-2022-2284, CVE-2022-2285, CVE-2022-2286, CVE-2022-2287, CVE-2022-2288, CVE-2022-2289, CVE-2022-2304, CVE-2022-2343, CVE-2022-2344, CVE-2022-2345, CVE-2022-2522, CVE-2022-2816, CVE-2022-2817, CVE-2022-2819, CVE-2022-2845, CVE-2022-2849, CVE-2022-2862, CVE-2022-2874, CVE-2022-2889, CVE-2022-2923, CVE-2022-2946, CVE-2022-2980, CVE-2022-2982, CVE-2022-3016, CVE-2022-3099, CVE-2022-3134, CVE-2022-3153)
- SDK: Python (CVE-2015-20107, CVE-2020-10735, CVE-2021-3654, CVE-2022-37454, CVE-2022-42919, CVE-2022-45061)
- SDK: qemu (CVE-2022-4172, CVE-2020-14394, CVE-2022-0216, CVE-2022-35414, CVE-2022-3872)
- SDK: rust (CVE-2022-46176, CVE-2022-36113, CVE-2022-36114)
Bug fixes:
- Added back Ignition support for Vagrant (coreos-overlay#2351)
- Added support for hardware security keys in update-ssh-keys (update-ssh-keys#7)
- Enabled IOMMU on arm64 kernels, the lack of which prevented some systems from booting (coreos-overlay#2235)
- Fixed a regression (in Alpha/Beta) where machines failed to boot if they didn’t have the core user or group in /etc/passwd or /etc/group (baselayout#26)
- Fix “ext4 deadlock under heavy I/O load” kernel issue. The patch for this is included provisionally while we wait for it to be merged upstream (Flatcar#847, coreos-overlay#2315)
- Restored the support to specify OEM partition files in Ignition when /usr/share/oem is given as initrd mount point (bootengine#58)
- The rootfs setup in the initrd now runs systemd-tmpfiles on every boot, not only when Ignition runs, to fix a dbus failure due to missing files (Flatcar#944)
Changes:
- Added CONFIG_NF_CONNTRACK_BRIDGE (for nf_conntrack_bridge) and CONFIG_NFT_BRIDGE_META (for nft_meta_bridge) to the kernel config to allow using conntrack rules for bridges in nftables and to match on bridge interface names (coreos-overlay#2207)
- Added new image signing pub key to flatcar-install, needed for download verification of releases built from July 2023 onwards; if you have copies of flatcar-install or the image signing pub key, you need to update them as well (init#92)
- Change CONFIG_WIREGUARD kernel option to module to save space on boot partition (coreos-overlay#2239)
- Disable several arch specific arm64 kernel config options for unsupported platforms to save space on boot partition (coreos-overlay#2239)
- Specifying the OEM filesystem in Ignition to write files to /usr/share/oem is not needed anymore (bootengine#58)
- Switched from --strip-unneeded to --strip-debug when installing kernel modules, which makes kernel stacktraces more accurate and makes debugging issues easier (coreos-overlay#2196)
- The flatcar-update tool got two new flags to customize ports used on the host while updating flatcar (init#81)
- Toolbox now uses containerd to download and mount the image (toolbox#7)
- Add qemu-guest-agent to all amd64 images; it will be automatically enabled when the qemu-ga virtio-port is detected (coreos-overlay#2240, portage-stable#373)
Updates:
- Linux (5.15.98 (includes 5.15.97, 5.15.96, 5.15.95, 5.15.94, 5.15.93))
- Linux Firmware (20230117)
- adcli (0.9.2)
- bind tools (9.16.36 (includes 9.16.34 and 9.16.35))
- binutils (2.39)
- bpftool (5.19.12)
- ca-certificates (3.89)
- containerd (1.6.16)
- cpio (2.13)
- curl (7.87.0 (includes 7.85))
- dbus (1.14.4)
- Docker (20.10.23)
- elfutils (0.188 (includes 0.187))
- Expat (2.5.0)
- gawk (5.2.1 (contains 5.2.0))
- gettext (0.21.1)
- git (2.39.1 (includes 2.39.0))
- glib (2.74.4)
- Go (1.19.5)
- glibc (2.36 (includes 2.35))
- GnuTLS (3.7.8)
- I2C tools (4.3)
- Intel Microcode (20221108)
- iptables (1.8.8)
- iputils (20211215)
- libcap (2.66)
- libcap-ng (0.8.3)
- libksba (1.6.3)
- libseccomp (2.5.4 (contains 2.5.2, 2.5.3))
- libxml2 (2.10.3)
- logrotate (3.20.1)
- MIT Kerberos V (1.20.1)
- multipath-tools (0.9.3)
- nettle (3.8.1)
- nmap (7.93)
- OpenSSH (9.1)
- rsync (3.2.7)
- shadow (4.13)
- sqlite (3.40.1 (contains 3.40.0 and 3.39.4))
- strace (5.19)
- sudo (1.9.12_p2)
- systemd (252.5 (includes 252))
- vim (9.0.1157 (includes 9.0.0469))
- wget (1.21.3)
- whois (5.5.14)
- wireguard-tools (1.0.20210914)
- XZ utils (5.4.1 (includes 5.4.0))
- zlib (1.2.13)
- OEM: python-oem (3.9.16)
- SDK: boost (1.81.0)
- SDK: catalyst (3.0.21)
- SDK: cmake (3.23.3)
- SDK: file (5.43 (includes 5.44))
- SDK: libpng (1.6.39 (includes 1.6.38))
- SDK: libxslt (1.1.37)
- SDK: meson (0.62.2)
- SDK: ninja (1.11.0)
- SDK: pahole (1.23)
- SDK: perl (5.36.0)
- SDK: portage (3.0.43 (includes 3.0.42, 3.0.41))
- SDK: qemu (7.2.0 (includes 7.1.0))
- SDK: Rust (1.67.0)
- VMware: open-vm-tools (12.1.5)
Changes since Beta 3510.1.0
Bug fixes:
- Restored the support to specify OEM partition files in Ignition when /usr/share/oem is given as initrd mount point (bootengine#58)
Changes:
- Added new image signing pub key to flatcar-install, needed for download verification of releases built from July 2023 onwards; if you have copies of flatcar-install or the image signing pub key, you need to update them as well (init#92)
- Specifying the OEM filesystem in Ignition to write files to /usr/share/oem is not needed anymore (bootengine#58)
Updates:
- ca-certificates (3.89)
docker - 20.10.18
ignition - 2.14.0
kernel - 5.15.92
systemd - 250
Changes since Stable 3374.2.4
Bug fixes:
- Excluded the special Kubernetes network interfaces nodelocaldns and kube-ipvs0 from being managed with systemd-networkd, which interfered with the setup (init#89).
Updates:
docker - 20.10.18
ignition - 2.14.0
kernel - 5.15.89
systemd - 250
Changes since Stable 3374.2.3
Security fixes:
- Linux (CVE-2022-36280, CVE-2022-41218, CVE-2022-47929, CVE-2023-0045, CVE-2023-0179, CVE-2023-0210, CVE-2023-0266, CVE-2023-0394, CVE-2023-23454, CVE-2023-23455)
Updates:
docker - 20.10.18
ignition - 2.14.0
kernel - 5.15.86
systemd - 250
Changes since Stable 3374.2.2
Security fixes:
- Linux (CVE-2022-3169, CVE-2022-3344, CVE-2022-3424, CVE-2022-3521, CVE-2022-3534, CVE-2022-3545, CVE-2022-3643, CVE-2022-4378, CVE-2022-45869, CVE-2022-45934, CVE-2022-47518, CVE-2022-47519, CVE-2022-47520, CVE-2022-47521)
- git (CVE-2022-23521, CVE-2022-41903)
Bug fixes:
- Fix “ext4 deadlock under heavy I/O load” kernel issue. The patch for this is included provisionally while we stay with Kernel 5.15.86. (Flatcar#847, coreos-overlay#2402)
Updates:
docker - 20.10.18
ignition - 2.14.0
kernel - 5.15.79
systemd - 250
Changes since Stable 3374.2.1
Security fixes:
- Linux (CVE-2022-3543, CVE-2022-3564, CVE-2022-3619, CVE-2022-3623, CVE-2022-3628, CVE-2022-42895, CVE-2022-42896)
Updates:
docker - 20.10.18
ignition - 2.14.0
kernel - 5.15.77
systemd - 250
Changes since Stable 3374.2.0
Security fixes:
- Linux (CVE-2022-2602, CVE-2022-3524, CVE-2022-3535, CVE-2022-3542, CVE-2022-3565, CVE-2022-3594, CVE-2022-41849, CVE-2022-41850, CVE-2022-43945)
Updates:
docker - 20.10.18
ignition - 2.14.0
kernel - 5.15.74
systemd - 250
Changes since Stable 3227.2.4
Security fixes:
- Linux (CVE-2022-2308, CVE-2022-3621, CVE-2022-3646, CVE-2022-3649, CVE-2022-40768, CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722, CVE-2022-43750)
- binutils (CVE-2021-45078)
- cifs-utils (CVE-2022-27239, CVE-2022-29869)
- curl (CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27781, CVE-2022-27782, CVE-2022-30115, CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208)
- Docker (CVE-2022-29526, CVE-2022-36109)
- git (CVE-2022-24765, CVE-2022-29187)
- GNU Libtasn1 (Gentoo#866237)
- gnupg (CVE-2022-34903)
- gnutls (CVE-2022-2509)
- Go (CVE-2022-1705, CVE-2022-1962, CVE-2022-27664, CVE-2022-28131, CVE-2022-29526, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32148, CVE-2022-32190)
- ignition (CVE-2022-1706)
- intel-microcode (CVE-2022-21151, CVE-2022-21233)
- libtirpc (CVE-2021-46828)
- libxml2 (CVE-2016-3709, CVE-2022-2309, CVE-2022-29824)
- ncurses (CVE-2022-29458)
- oniguruma (oniguruma-20220430)
- openssl (CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
- polkit (CVE-2021-4115)
- rsync (CVE-2018-25032, CVE-2022-29154)
- runc (CVE-2022-29162)
- shadow (CVE-2013-4235)
- unzip (CVE-2022-0529, CVE-2022-0530, CVE-2021-4217)
- vim (CVE-2022-0629, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729, CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-1616, CVE-2022-1619, CVE-2022-1620, CVE-2022-1621, CVE-2022-1629, CVE-2022-1674, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796, CVE-2022-1897, CVE-2022-1898, CVE-2022-1886, CVE-2022-1851, CVE-2022-1927, CVE-2022-1942, CVE-2022-1968, CVE-2022-2000)
- zlib (CVE-2022-37434)
- VMware: open-vm-tools (CVE-2022-31676)
- SDK: qemu (CVE-2021-20203, CVE-2021-3713, CVE-2021-3930, CVE-2021-3947, CVE-2021-4145, CVE-2022-26353, CVE-2022-26354)
Bug fixes:
- Fixed Ignition btrfs forced formatting for OEM partition (coreos-overlay#2277)
- Removed outdated LTS channel information printed on login (init#75)
Changes:
- Added efibootmgr binary to the image (coreos-overlay#1955)
- Added symlink from nc to ncat. The -q option is not yet supported (flatcar#545)
- flatcar-install: Added option to create UEFI boot entry (init#74)
- AWS: Added AWS IMDSv2 support to coreos-cloudinit (flatcar-linux/coreos-cloudinit#13)
- VMware: Added VMware networking configuration in the initramfs via guestinfo settings (bootengine#44, flatcar#717)
- VMWare: Added ignition-delete-config.service to remove Ignition config from VM metadata, see also here (coreos-overlay#1948)
Updates:
- Linux (5.15.74 (includes 5.15.73, 5.15.72, 5.15.71))
- Linux Firmware (20220913)
- acpid (2.0.33)
- adcli (0.9.1)
- automake (1.16.5)
- binutils (2.38)
- bison (3.8.2)
- boost (1.79)
- cifs-utils (6.15)
- containerd (1.6.8)
- curl (7.84.0)
- Cyrus SASL (2.1.28)
- dbus (1.12.22)
- Docker (20.10.18)
- e2fsprogs (1.46.5)
- gcc (11.3.0)
- gdb (11.2)
- gdbm (1.22)
- git (2.35.3)
- glib (2.72.3)
- GNU Libtasn1 (4.19.0)
- gnupg (2.2.35)
- gnutls (3.7.7)
- Go (1.18.6)
- ignition (2.14.0)
- intel-microcode (20220809)
- ldb (2.4.1)
- libtool (2.4.7)
- libxml2 (2.10.2)
- ncurses (6.3_p20220423)
- oniguruma (6.9.8)
- OpenSSL (3.0.7)
- perl (5.34.1)
- pkgconf (1.8.0)
- polkit (121)
- python (3.9.12)
- rsync (3.2.6)
- runc (1.1.4)
- samba (4.15.4)
- shadow (4.12.3)
- sqlite (3.38.1)
- sudo (1.9.10)
- talloc (2.3.3)
- tevent (0.11.0)
- unzip (6.0_p27)
- vim (8.2.5066)
- OEM: distro (1.7.0)
- OEM: python (3.9.12)
- VMware: open-vm-tools (12.1.0)
- SDK: libxslt (1.1.35)
- SDK: qemu (7.0.0)
- SDK: Rust (1.63.0)
Changes since Beta 3374.1.1
Bug fixes:
- Fixed Ignition btrfs forced formatting for OEM partition (coreos-overlay#2277)
Updates:
- OpenSSL (3.0.7)
docker - 20.10.14
ignition - 2.13.0
kernel - 5.15.70
systemd - 250
Changes since Stable 3227.2.3
Security fixes:
- OpenSSL (CVE-2022-3602, CVE-2022-3786)
Changes:
- OpenStack: enabled [email protected] to provision SSH keys from metadata (Flatcar#817, coreos-overlay#2246)
Updates:
- ca-certificates (3.84)
docker - 20.10.14
ignition - 2.13.0
kernel - 5.15.70
systemd - 250
Changes since Stable 3227.2.2
Security fixes:
- Linux (CVE-2022-0171, CVE-2022-2663, CVE-2022-2905, CVE-2022-3028, CVE-2022-3061, CVE-2022-3176, CVE-2022-3303, CVE-2022-39190, CVE-2022-39842, CVE-2022-40307)
- Go (CVE-2022-32189)
- torcx (CVE-2022-27191)
- expat (CVE-2022-40674)
Bug fixes:
- Added back gettext to the OS (Flatcar#849)
- Added merging of Ignition systemd duplicated units when auto-translating from Ignition 2 to Ignition 3 (coreos-overlay#2187)
- Equinix Metal: Fixed serial console settings for the m3.small.x86 instance by expanding the GRUB check for i386 to x86_64 (coreos-overlay#2122)
Changes:
- emerge-gitclone: Migrate emerge-gitclone to use scripts repo tags and submodule refs
Updates:
docker - 20.10.14
ignition - 2.13.0
kernel - 5.15.63
systemd - 250
Note: The ARM64 AWS AMI of the Stable release has an unknown issue of corrupted images which we are still investigating. We will release the AMI as soon as we have resolved the issue. Follow #840 for more information
Changes since Stable 3227.2.1
Bug fixes:
- AWS: added EKS support for version 1.22 and 1.23. (coreos-overlay#2110, Flatcar#829)
- VMWare: excluded wireguard (and others) from systemd-networkd management (init#80)
Changes:
- The new image signing subkey was added to the public key embedded into flatcar-install (the old one expired on 10th August 2022); only an updated flatcar-install script can verify releases signed with the new key (init#79)
Updates:
docker - 20.10.14
ignition - 2.13.0
kernel - 5.15.58
systemd - 250
New Stable Release 3227.2.1
Changes since Stable 3227.2.0
Security fixes:
- Linux (CVE-2022-23816, CVE-2022-23825, CVE-2022-29900, CVE-2022-29901)
Bug fixes:
- Added support for Openstack for cloud-init activation (flatcar-linux/init#76)
- Excluded Wireguard interface from systemd-networkd default management (Flatcar#808)
- Fixed /etc/resolv.conf symlink by pointing it at resolv.conf instead of stub-resolv.conf. This bug was present since the update to systemd v250 (coreos-overlay#2057)
- Fixed excluded interface type from default systemd-networkd configuration (flatcar-linux/init#78)
- Fixed space escaping in the networkd Ignition translation (Flatcar#812)
Updates:
docker - 20.10.14
ignition - 2.13.0
kernel - 5.15.55
systemd - 250
New Stable Release 3227.2.0
Changes since Beta 3227.1.1
Security fixes:
- Linux (CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744, CVE-2022-34918)
- Go (CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32148)
Bug fixes:
- The Ignition v3 kargs directive failed before when used with the generic image where no grub.cfg exists; this was fixed by creating it first (bootengine#47)
Changes:
- Enabled containerd.service unit, br_netfilter and overlay modules by default to follow Kubernetes requirements (coreos-overlay#1944, init#72)
Updates:
- Linux (5.15.55 (includes 5.15.54, 5.15.53, 5.15.52, 5.15.51, 5.15.50, 5.15.49))
- Go (1.17.12)
- ca-certificates (3.80)
Changes compared to Stable 3139.2.3
Security fixes:
- Linux (CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744, CVE-2022-34918)
- Go (CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32148)
- cifs-utils (CVE-2021-20208)
- containerd (CVE-2022-23648, CVE-2022-24769, CVE-2022-31030)
- cryptsetup (CVE-2021-4122)
- duktape (CVE-2021-46322)
- gnutls (CVE-2021-4209, GNUTLS-SA-2022-01-17)
- gzip, xz-utils (CVE-2022-1271)
- intel-microcode (CVE-2021-0127, CVE-2021-0146)
- libarchive (CVE-2021-31566, CVE-2021-36976, CVE-2022-26280)
- libxml2 (CVE-2022-23308)
- nvidia-drivers (CVE-2022-28181, CVE-2022-28183, CVE-2022-28184, CVE-2022-28185)
- shadow (CVE-2013-4235)
- systemd (CVE-2021-3997)
- util-linux (CVE-2021-3995, CVE-2021-3996, CVE-2022-0563)
- vim (CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4136, CVE-2021-4173, CVE-2021-4166, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0392, CVE-2022-0393, CVE-2022-0407, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443)
- zlib (CVE-2018-25032)
- SDK: squashfs-tools (CVE-2021-40153, CVE-2021-41072)
Bug fixes:
- Added networkd translation to files section when converting from Ignition 2.x to Ignition 3.x (coreos-overlay#1910, flatcar#741)
- Added a remount action as systemd-sysext.service drop-in unit to restore the OEM partition mount after the overlay mounts in /usr are done (init#69)
- Fixed Ignition’s OEM ID to be metal to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID pxe was used (bootengine#45)
- Made Ignition write the SSH keys into a file under authorized_keys.d/ignition again and added a call to update-ssh-keys after Ignition ran to create the merged authorized_keys file, which fixes the problem that keys added by Ignition get lost when update-ssh-keys runs (init#66)
- Skipped starting ensure-sysext.service if systemd-sysext.service won’t be started, to prevent reporting a dependency failure (Flatcar#710)
- The Ignition v3 kargs directive failed before when used with the generic image where no grub.cfg exists; this was fixed by creating it first (bootengine#47)
Changes:
- Added auditd.service but left it disabled by default; a custom configuration can be created by removing /etc/audit/auditd.conf and replacing it with your own file (coreos-overlay#1636)
- Added cryptsetup to the initramfs for the Ignition luks directive (flatcar-linux/coreos-overlay#1760)
- Besides Ignition v1 and v2 configurations, Ignition configurations with specification v3 (up to 3.3.0) are now supported, see the docs section for details
- Bring in dependencies for NFS4 with Kerberos both in kernel and userspace. Tested against NFS4.1 server (coreos-overlay#1664)
- Enabled CONFIG_INTEL_RAPL on AMD64 Kernel config to compile the intel_rapl_common module in order to allow power monitoring on modern Intel processors (coreos-overlay#1801)
- Enabled containerd.service unit, br_netfilter and overlay modules by default to follow Kubernetes requirements (coreos-overlay#1944, init#72)
- Enabled systemd-sysext.service to activate systemd-sysext images on boot; to disable it you will need to mask it. Also added a helper service ensure-sysext.service which reloads the systemd units to reevaluate the sockets, timers, and multi-user targets when systemd-sysext.service is (re)started, making it possible to enable units that are part of a sysext image (init#65)
- For amd64, /usr/lib used to be a symlink to /usr/lib64 but now they are two separate folders as is common in other distributions (and was already the case for arm64). Compatibility symlinks exist in case /usr/lib64 was used to access, e.g., the modules folder or the systemd folder (coreos-overlay#1713, scripts#255)
- Made SELinux enabled by default in default containerd configuration file (coreos-overlay#1699)
- Removed rngd.service because it is not essential anymore for the kernel to boot fast in VM environments (coreos-overlay#1700)
- The systemd-networkd ManageForeignRoutes and ManageForeignRoutingPolicyRules settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under /etc/systemd/networkd.conf.d/, because drop-in files take precedence over /etc/systemd/networkd.conf (init#61)
- Azure VHD disks are now created using subformat=fixed, which makes them suitable for immediate upload to Azure using any tool.
- Defined a systemd-sysext level that sysext images can match for instead of the OS version when they don’t have a strong coupling, meaning the only metadata required is SYSEXT_LEVEL=1.0 and ID=flatcar (Flatcar#643)
- ARM64: Added cifs-utils for ARM64
- ARM64: Added sssd, adcli and realmd for ARM64
- AWS EC2: Removed the setup of /etc/hostname from the instance metadata because it used a long FQDN; we can just use the hostname set via DHCP (Flatcar#707)
- Azure: Set up /etc/hostname from instance metadata with Afterburn
- DigitalOcean: In addition to the bz2 image, a gz compressed image is published. This helps against hitting the compression timeout that sometimes lets the image import fail.
- OpenStack: In addition to the bz2 image, a gz compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image.
- SDK: The image compression format is now configurable. Supported formats are: bz2, gz, zip, none, zst. Selecting the image format can now be done by passing the --image_compression_formats option. This flag takes a comma separated list of formats.
- SDK / ARM64: Added go-tspi bindings for ARM64
Updates:
- Linux (5.15.55 (includes 5.15.54, 5.15.53, 5.15.52, 5.15.51, 5.15.50, 5.15.49, 5.15.48, 5.15.47, 5.15.46, 5.15.45, 5.15.44, 5.15.43, 5.15.42, 5.15.41, 5.15.40, 5.15.39, 5.15.38, 5.15.37, 5.15.36, 5.15.35))
- Linux Firmware (20220411 (includes 20220310, 20220209))
- Docker (20.10.14 (includes 20.10.13))
- Go (1.17.12)
- afterburn (5.2.0)
- bind-tools (9.16.27)
- bpftool (5.15.8)
- bridge-utils (1.7.1)
- ca-certificates (3.80 (includes 3.79, 3.78, 3.77, 3.76, 3.75))
- cifs-utils (6.13)
- conntrack-tools (1.4.6)
- containerd (1.6.6 (includes 1.6.5, 1.6.4, 1.6.3, 1.6.2, 1.6.1, 1.6.0))
- cryptsetup (2.4.3)
- dosfstools (4.2)
- duktape (2.7.0)
- e2fsprogs (1.46.4)
- elfutils (0.186)
- gcc (10.3.0)
- gnutls (3.7.3)
- grep (3.7)
- gzip (1.12 (includes 1.11))
- ignition (2.13.0)
- intel-microcode (20220207_p20220207)
- iperf (3.10.1)
- jansson (2.14)
- kexec-tools (2.0.22)
- less (590)
- libarchive (3.6.1 (includes 3.5.3))
- libbsd (0.11.3)
- libmspack (0.10.1_alpha)
- libnetfilter_queue (1.0.5)
- libpcap (1.10.1)
- libtasn1 (4.17.0)
- liburing (2.1)
- libxml2 (2.9.13)
- lsscsi (0.32)
- mdadm (4.2)
- multipath-tools (0.8.7)
- nfs-utils (2.5.4)
- nghttp2 (1.45.1)
- nvidia-drivers (510.73.05)
- nvme-cli (1.16)
- oniguruma (6.9.7.1)
- open-isns (0.101)
- pam (1.5.1_p20210622)
- pambase (20220214)
- pcre2 (10.39)
- pinentry (1.2.0)
- quota (4.06)
- rpcbind (1.2.6)
- runc (1.1.1)
- socat (1.7.4.3)
- shadow (4.11.1)
- systemd (250.3)
- timezone-data (2021a)
- tcpdump (4.99.1)
- thin-provisioning-tools (0.9.0)
- unzip (6.0_p26)
- util-linux (2.37.4)
- vim (8.2.4328)
- whois (5.5.11)
- xfsprogs (5.14.2)
- zlib (1.2.12)
- SDK: gcc-config (2.5)
- SDK: iasl (20200717)
- SDK: man-db (2.9.4)
- SDK: man-pages (5.12-r2)
- SDK: netperf (2.7.0)
- SDK: Rust (1.60.0 (includes 1.59.0))
- SDK: squashfs-tools (4.5_p20210914)
- VMware: open-vm-tools (12.0.0)
docker - 20.10.12
ignition - 0.36.1
kernel - 5.15.48
systemd - 249
New Stable Release 3139.2.3
Changes since Stable 3139.2.2
Security fixes:
- Linux (CVE-2022-1789, CVE-2022-1852, CVE-2022-1972, CVE-2022-1973, CVE-2022-2078, CVE-2022-32250, CVE-2022-32981)
- libpcre2 (CVE-2022-1586, CVE-2022-1587)
Updates:
ignition - 0.36.1
kernel - 5.15.43
systemd - 249
New Stable Release 3139.2.2
Changes since Stable 3139.2.1
Security fixes:
- Linux (CVE-2022-1734, CVE-2022-28893, CVE-2022-1012, CVE-2022-1729)
- Go (CVE-2022-29526)
Bug fixes:
- Ensured /etc/flatcar/update.conf exists because it happens to be used as flag file for Ansible (init#71)
- GCP: Fixed shutdown script execution (coreos-overlay#1912, flatcar#743)
Updates:
ignition - 0.36.1
kernel - 5.15.37
systemd - 249
New Stable Release 3139.2.1
Changes since Stable 3139.2.0
Security fixes:
- Linux (CVE-2022-28390, CVE-2022-0168, CVE-2022-1158, CVE-2022-1353, CVE-2022-1198, CVE-2022-28389, CVE-2022-28388, CVE-2022-1516, CVE-2022-1263, CVE-2022-29582, CVE-2022-1204, CVE-2022-1205, CVE-2022-0500, CVE-2022-23222)
- nvidia-drivers (CVE-2022-21814, CVE-2022-21813)
- Go (CVE-2022-24675)
Bug fixes:
- AWS: specify correct console (ttyS0) on kernel command line for ARM64 instances (coreos-overlay#1628)
- GCE: Restored oem-gce.service functionality on GCP (coreos-overlay#1813)
- Added pahole to developer container, without it kernel modules built against /usr/src/linux may fail to probe with an ‘invalid relocation target’ error (coreos-overlay#1839)
Changes:
- Merge the Flatcar Pro features into the regular Flatcar images (coreos-overlay#1679)
- GCE: Enabled GVE kernel driver, which adds support for Google Virtual NIC on GCP (coreos-overlay#1802)
- SDK: Dropped the mantle binaries (kola, ore, etc.) from the SDK; they are now provided by the ghcr.io/flatcar/mantle image (coreos-overlay#1827, scripts#275)
Updates:
ignition - 0.36.1
kernel - 5.15.32
systemd - 249
New Stable Release 3139.2.0
Changes since Stable 3033.2.4
Security fixes:
- Linux (CVE-2022-1015, CVE-2022-1016)
- Go (CVE-2021-44716, CVE-2021-44717)
- containerd (CVE-2021-43816, CVE-2022-24769)
- gcc (CVE-2020-13844)
- Ignition (CVE-2020-14040, CVE-2021-38561)
- krb5 (CVE-2021-37750)
- libarchive (libarchive-1565, libarchive-1566)
- OpenSSH (CVE-2021-41617)
- openssl (CVE-2021-4044)
- torcx (CVE-2021-38561, CVE-2021-43565)
- vim (CVE-2021-3872, CVE-2021-3875, CVE-2021-3903, CVE-2021-3927, CVE-2021-3928, CVE-2021-3968, CVE-2021-3973, CVE-2021-3974)
- SDK: edk2-ovmf (CVE-2019-14584, CVE-2021-28210, CVE-2021-28211, CVE-2021-28213)
- SDK: libxslt (CVE-2021-30560)
- SDK: mantle (CVE-2021-3121, CVE-2021-38561, CVE-2021-43565)
- SDK: QEMU (CVE-2020-35504, CVE-2020-35505, CVE-2020-35506, CVE-2020-35517, CVE-2021-20203, CVE-2021-20255, CVE-2021-20257, CVE-2021-20263, CVE-2021-3409, CVE-2021-3416, CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3582, CVE-2021-3607, CVE-2021-3608, CVE-2021-3682)
- SDK: Rust (CVE-2022-21658)
Bug fixes:
- Excluded the Kubenet cbr0 interface from networkd’s DHCP config and set it to Unmanaged to prevent interference and ensure that it is not part of the network online check (init#55)
- Fixed the dracut emergency Ignition log printing that had a scripting error causing the cat command to fail (bootengine#33)
- network: Accept ICMPv6 Router Advertisements to fix IPv6 address assignment in the default DHCP setting (init#51, coreos-cloudinit#12, bootengine#30)
- flatcar-update: Stopped checking for the USER environment variable, which may not be set in all environments, causing the script to fail unless a workaround was used like prepending an additional sudo invocation (init#58)
- Reverted the Linux kernel commit which broke networking on AWS instances which use Intel 82559 NIC (c4/m4) (Flatcar#665, coreos-overlay#1723)
- Re-added the brd drbd nbd rbd xen-blkfront zram libarc4 lru_cache zsmalloc kernel modules to the initramfs since they were missing compared to the Flatcar 3033.2.x releases where the 5.10 kernel is used (bootengine#40)
Changes:
- Added a new flatcar-update tool to the image to ease manual updates, rollbacks, channel/release jumping, and airgapped updates (init#53)
- Update-engine now creates the /run/reboot-required flag file for kured (update_engine#15)
- Excluded special network interface devices like bridge, tunnel, vxlan, and veth devices from the default DHCP configuration to prevent networkd interference (init#56)
- Added CONFIG_NF_CT_NETLINK_HELPER (for libnetfilter_cthelper), CONFIG_NET_VRF (for virtual routing and forwarding) and CONFIG_KEY_DH_OPERATIONS (for keyutils) to the kernel config (coreos-overlay#1524)
- Enabled the FIPS support for the Linux kernel, which users can now choose through a kernel parameter in grub.cfg (check that it is taking effect with cat /proc/sys/crypto/fips_enabled) (coreos-overlay#1602)
- Enabled FIPS mode for cryptsetup (portage-stable#312)
- Reworked the way we set up the default Python interpreter in the SDK: it is now done without specifying a version. This should work fine as long as we keep having one version of Python in the SDK.
- Added a way to remove packages that are hard-blockers for an update. A hard-blocker means that the package needs to be removed (for example with emerge -C) before an update can happen.
- Removed the pre-shipped /etc/flatcar/update.conf file, leaving it entirely to the user to define the contents, as it was unnecessarily overwriting /usr/share/flatcar/update.conf (scripts#212)
Updates:
- Linux (5.15.32) (from 5.15.30)
- Linux headers (5.15)
- GCC 9.4.0
- acl (2.3.1)
- attr (2.5.1)
- audit (3.0.6)
- boost (1.76.0)
- btrfs-progs (5.15.1)
- ca-certificates (3.77)
- containerd (1.5.11)
- coreutils (8.32)
- diffutils (3.8)
- ethtool (5.10)
- findutils (4.8.0)
- glib (2.68.4)
- i2c-tools (4.2)
- iproute2 (5.15)
- ipset (7.11)
- iputils (20210722)
- ipvsadm (1.27)
- kmod (29)
- libarchive 3.5.2
- libcap-ng (0.8.2)
- libseccomp (2.5.1)
- lshw (02.19.2b_p20210121)
- lsof (4.94.0)
- openssh (8.8)
- openssl (3.0.2)
- parted (3.4 (includes 3.3))
- pciutils (3.7.0)
- polkit (0.120)
- runc (1.1.0)
- sbsigntools (0.9.4)
- sed (4.8)
- usbutils (014)
- vim 8.2.3582
- Azure: Python for OEM images (3.9.8)
- Azure: WALinuxAgent (2.6.0.2)
- SDK: edk2-ovmf 202105
- SDK: file (5.40)
- SDK: ipxe 1.21.1
- SDK: mantle (0.18.0)
- SDK: perf (5.15)
- SDK: Python (3.9.8)
- SDK: qemu (6.1.0)
- SDK: Rust (1.58.1)
- SDK: seabios 1.14.0
- SDK: sgabios 0.1_pre10
Changes since Beta 3139.1.1
Security fixes:
- Linux (CVE-2022-1015, CVE-2022-1016)
- containerd (CVE-2022-24769)
Changes:
- Enabled FIPS mode for cryptsetup (portage-stable#312)
Updates:
ignition - 0.36.1
kernel - 5.10.107
systemd - 249
New Stable Release 3033.2.4
Changes since Stable-3033.2.3
Security fixes
- Linux (CVE-2022-25636)
- Go (CVE-2022-24921)
- systemd (CVE-2021-3997)
- containerd (CVE-2022-23648)
- openssl (CVE-2022-0778)
Bug fixes
- Reverted the Linux kernel commit which broke networking on AWS instances which use Intel 82559 NIC (c4/m4) (Flatcar#665, coreos-overlay#1720)
Changes
- Added support for switching back to CGroupsV1 without requiring a reboot. Create /etc/flatcar-cgroupv1 through Ignition. (coreos-overlay#1666)
Updates
ignition - 0.36.1
kernel - 5.10.102
systemd - 249
New Stable Release 3033.2.3
Changes since Stable 3033.2.2
Security fixes
- Linux (CVE-2022-24448, CVE-2022-0617, CVE-2022-24959, CVE-2022-0492, CVE-2022-0516, CVE-2022-0435, CVE-2022-0487, CVE-2022-25375, CVE-2022-25258, CVE-2022-0847)
- go (CVE-2022-23806, CVE-2022-23772, CVE-2022-23773)
- ignition (CVE-2020-14040)
- expat (CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315)
Bug fixes
- Disabled the systemd-networkd settings ManageForeignRoutes and ManageForeignRoutingPolicyRules by default to ensure that CNIs like Cilium don't get their routes or routing policy rules discarded on network reconfiguration events (Flatcar#620).
- Prevented hitting races when creating filesystems in Ignition; these races caused boot failures like "fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory" when creating a btrfs root filesystem (ignition#35)
- Reverted the Linux kernel change to forbid xfrm id 0 for IPSec state because it broke Cilium (Flatcar#626, coreos-overlay#1682)
Updates
ignition - 0.34.0
kernel - 5.10.96
systemd - 249
New Stable Release 3033.2.2
Changes since Stable 3033.2.1
Security fixes
- Linux (CVE-2021-43976, CVE-2022-0330, CVE-2022-22942)
- expat (CVE-2022-23852, CVE-2022-23990)
- glibc (CVE-2021-3998, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219)
- polkit (CVE-2021-4034)
Bug fixes
- SDK: Fixed build error popping up in the new SDK Container because policycoreutils used the wrong ROOT to update the SELinux store (flatcar-linux/coreos-overlay#1502)
- Fixed leak of SELinux policy store to the root filesystem top directory due to wrong store path in policycoreutils instead of /var/lib/selinux (flatcar-linux/Flatcar#596)
Updates
ignition - 0.34.0
kernel - 5.10.93
systemd - 249
New Stable release 3033.2.1
Changes since Stable 3033.2.0
Known issues:
- The SELinux policy store update fix resulted in some files leaked to the root filesystem top directory (flatcar-linux/Flatcar#596)
Security fixes:
- Linux (CVE-2021-4135, CVE-2021-4155, CVE-2021-28711, CVE-2021-28712, CVE-2021-28713, CVE-2021-28714, CVE-2021-28715, CVE-2021-39685, CVE-2021-44733, CVE-2021-45095, CVE-2022-0185)
- ca-certificates (CVE-2021-43527)
- containerd (CVE-2021-43816)
- expat (CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827)
Bug fixes:
- Ensured that the /run/xtables.lock coordination file exists for modifications of the xtables backend from containers (must be bind-mounted) or the iptables-legacy binaries on the host (flatcar-linux/init#57)
- dev container: Fixed GitHub URLs for coreos-overlay and portage-stable to use repos from the flatcar-linux org directly instead of relying on redirects from the kinvolk org. This fixes checkouts with emerge-gitclone inside the dev container. (flatcar-linux/scripts#194)
- SDK: Fixed build error popping up in the new SDK Container because policycoreutils used the wrong ROOT to update the SELinux store (flatcar-linux/coreos-overlay#1502)
Changes:
- Backported elf support for iproute2 (flatcar-linux/coreos-overlay#1256)
Updates:
ignition - 0.34.0
kernel - 5.10.84
systemd - 249
New Stable release 3033.2.0
Changes since Stable 2983.2.1
Security fixes
- Linux (CVE-2021-4002, CVE-2020-27820, CVE-2021-4001, CVE-2021-43975)
- Go (CVE-2021-29923, CVE-2021-39293, CVE-2021-38297, CVE-2021-39293, CVE-2021-44717, CVE-2021-44716)
- bash (CVE-2019-9924, CVE-2019-18276)
- binutils (CVE-2021-3530, CVE-2021-3549)
- ca-certificates (CVE-2021-43527)
- containerd (CVE-2021-41103)
- curl (CVE-2021-22945, CVE-2021-22946, CVE-2021-22947)
- Docker (CVE-2021-41092, CVE-2021-41089, CVE-2021-41091)
- git (CVE-2021-40330)
- glibc (CVE-2021-38604)
- gnupg (CVE-2020-25125)
- libgcrypt (CVE-2021-40528)
- nettle (CVE-2021-20305, CVE-2021-3580)
- polkit (CVE-2021-3560)
- sssd (CVE-2021-3621)
- util-linux (CVE-2021-37600)
- vim (CVE-2021-3770, CVE-2021-3778, CVE-2021-3796)
- SDK: bison (CVE-2020-14150, CVE-2020-24240)
- SDK: perl (CVE-2020-10878)
Bug fixes
- arm64: the Polkit service does not crash anymore. (flatcar-linux/Flatcar#156)
- toolbox: fixed support for multi-layered docker images (toolbox#5)
- Run emergency.target on ignition/torcx service unit failure in dracut (bootengine#28)
- Fix vim warnings on missing file, when built with USE="minimal" (portage-stable#260)
- The Torcx profile docker-1.12-no got fixed to reference the current Docker version instead of 19.03, which wasn't found on the image, causing Torcx to fail to provide Docker (PR#1456)
Changes
- Added GPIO support (coreos-overlay#1236)
- Enabled SELinux in permissive mode on ARM64 (coreos-overlay#1245)
- The iptables command uses the nftables kernel backend instead of the iptables backend; you can also migrate to using the nft tool instead of iptables. Containers with iptables binaries that use the iptables backend will result in mixing both kernel backends, which is supported, but you have to look up the rules separately (on the host you can use iptables-legacy and friends).
Updates
- Linux (5.10.84)
- Linux Firmware (20210919)
- Docker (20.10.9)
- Go (1.17.5)
- containerd (1.5.8)
- systemd (249.4)
- bash (5.1_p8)
- binutils (2.37)
- curl (7.79.1)
- ca-certificates (3.73)
- duktape (2.6.0)
- ebtables (2.0.11)
- git (2.32.0)
- gnupg (2.2.29)
- iptables (1.8.7)
- keyutils (1.6.1)
- ldb (2.3.0)
- libgcrypt (1.9.4)
- libmnl (1.0.4)
- libnftnl (1.2.0)
- libtirpc (1.3.2)
- lvm2 (2.02.188)
- nettle (3.7.3)
- nftables (0.9.9)
- net-tools (2.10)
- openssh (8.7_p1-r1)
- open-vm-tools (11.3.5)
- polkit (0.119)
- realmd (0.17.0)
- runc (1.0.3)
- talloc (2.3.2)
- util-linux (2.37.2)
- vim (8.2.3428)
- xenstore (4.14.2)
- SDK: gnuconfig (20210107)
- SDK: google-cloud-sdk (355.0.0)
- SDK: meson (0.57.2)
- SDK: mtools (4.0.35)
- SDK: perl (5.34.0)
- SDK: Rust (1.55.0)
- SDK: texinfo (6.8)
Changes since Beta 3033.1.1
Security fixes
- Linux (CVE-2021-4002, CVE-2020-27820, CVE-2021-4001, CVE-2021-43975)
- Go (CVE-2021-29923, CVE-2021-39293, CVE-2021-38297, CVE-2021-39293, CVE-2021-44717, CVE-2021-44716)
- ca-certificates (CVE-2021-43527)
Bug fixes
- Fix vim warnings on missing file, when built with USE="minimal" (portage-stable#260)
Updates
Release Date: Nov 25, 2021 amd64
ignition - 0.34.0
kernel - 5.10.80
systemd - 247
New Stable Release 2983.2.1
Changes since Stable 2983.2.0
Security fixes
- Linux (CVE-2021-42739)
- Docker, containerd (CVE-2021-41190)
Updates
Changes
- Added missing SELinux rule as initial step to resolve Torcx unpacking issue (coreos-overlay#1426)
Release Date: Nov 9, 2021 amd64
ignition - 0.34.0
kernel - 5.10.77
systemd - 247
New Stable release 2983.2.0
Update to CGroupsV2
CGroups V2 is coming to Stable! Introduced in Alpha 2969.0.0, the feature has been stabilising for almost three months now and will be included in Stable 2983.2.0.
NOTE that only new nodes will utilize CGroupsV2 by default. Existing nodes remain on CGroupsV1 and need to be manually migrated to CGroupsV2. To learn more about CGroupsV2 on Flatcar Container Linux and the migration guide, please refer to https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-to-unified-cgroups/
Changes since Beta 2983.1.2
Security fixes
- Linux (CVE-2021-3760, CVE-2021-3772, CVE-2021-42327, CVE-2021-43056, CVE-2021-43267, CVE-2021-43389)
- Go (CVE-2021-41771, CVE-2021-41772)
Bug fixes
- Use https protocol instead of git for Github URLs (flatcar-linux/coreos-overlay#1394)
Updates
Changes since Stable 2905.2.6
Security fixes
- Linux (CVE-2021-3609, CVE-2021-3653, CVE-2021-3655, CVE-2021-3656, CVE-2021-3760, CVE-2021-3772, CVE-2020-26541, CVE-2021-35039, CVE-2021-37576, CVE-2021-22543, CVE-2021-33909, CVE-2021-34556, CVE-2021-35477, CVE-2021-38166, CVE-2021-38205, CVE-2021-42327, CVE-2021-43056, CVE-2021-43267, CVE-2021-43389)
- Go (CVE-2021-34558, CVE-2021-41771, CVE-2021-41772)
- c-ares (CVE-2021-3672)
- containerd (CVE-2021-32760)
- curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
- dnsmasq (CVE-2021-3448)
- expat (CVE-2013-0340)
- glibc (CVE-2020-29562, CVE-2019-25013, CVE-2020-27618, CVE-2021-27645, CVE-2021-33574, CVE-2021-35942)
- libgcrypt (CVE-2021-33560)
- libpcre (CVE-2019-20838, CVE-2020-14155)
- libuv (CVE-2021-22918)
- mit-krb5 (CVE-2021-36222)
- NVIDIA Drivers (CVE-2021-1090, CVE-2021-1093, CVE-2021-1094, CVE-2021-1095)
- systemd (CVE-2020-13529, CVE-2021-33910)
- tar (CVE-2021-20193)
Bug fixes
- Use https protocol instead of git for Github URLs (flatcar-linux/coreos-overlay#1394)
- Skip tcsd.service for TPM2 devices to fix failures on c3.small.x86 instances of Equinix Metal (Flatcar#208)
- Fixed containerd config after introduction of CGroupsV2 (coreos-overlay#1214)
- Fixed path for amazon-ssm-agent in base-ec2.ign (coreos-overlay#1228)
- Fixed locksmith adhering to reboot window when getting the etcd lock (locksmith#10)
- Add the systemd tag in udev for Azure storage devices, to fix /boot automount (init#41)
Changes
- Added Azure Generation 2 VM support (coreos-overlay#1198)
- cgroups v2 by default for new nodes (coreos-overlay#931).
- Upgrade Docker to 20.10 (coreos-overlay#931)
- Switched Docker ecosystem packages to go1.16 (coreos-overlay#1217)
- Added lbzip2 binary to the image (coreos-overlay#1221)
- flatcar-install uses lbzip2 if present, falls back on bzip2 if not (init#46)
- Added Intel E800 series network adapter driver (coreos-overlay#1237)
- Enabled ‘audit’ use flag for sys-libs/pam (coreos-overlay#1233)
- Bumped etcd and flannel to respectively 3.5.0, 0.14.0 to get multiarch images for arm64 support. Note for users of the old etcd v2 support: ETCDCTL_API=2 must be set to use v2 store as well as ETCD_ENABLE_V2=true in the etcd-member.service - this support will be removed in 3.6.0 (coreos-overlay#1179)
- Support BTRFS in OEM and /usr partitions, but only use it for the OEM partition for now. Ignition configurations that refer to the OEM partition will work with any filesystem format specified; a mismatch does not result in a boot error. (coreos-overlay#1106)
- Switched the arm64 kernel to use a 4k page size instead of 64k
- Switched dm-verity corruption detection to issue a kernel panic (a panic results in a reboot after 1 minute, this was the case before already) instead of merely failing certain syscalls that try to use the corrupted data
- Enabled ARM64 SDK bootstrap (flatcar-linux/scripts#134)
- SDK: enabled experimental ARM64 SDK usage (flatcar-linux/scripts#134) (flatcar-linux/scripts#141)
- AWS: Added amazon-ssm-agent (coreos-overlay#1162)
- Azure: Compile OEM contents for all architectures (coreos-overlay#1196)
- update_engine: add postinstall hook to stay on cgroupv1 (update_engine#13)
- Enable telnet support for curl (coreos-overlay#1099)
- Enable ssl USE flag for wget (coreos-overlay#932)
- Enable MDIO_BCM_UNIMAC for arm64 (coreos-overlay#929)
Updates
- Linux (5.10.77)
- Linux firmware (20210818)
- Go (1.16.10)
- c-ares (1.17.2)
- containerd (1.5.7)
- cryptsetup (2.3.6)
- curl (7.78)
- dbus (1.12.20)
- docker (20.10.10)
- docker CLI (20.10.10)
- docker proxy (0.8.0_p20210525)
- dracut (053)
- etcd (3.5.0)
- expat (2.4.1)
- gettext (0.21-r1)
- glibc (2.33-r5)
- gptfdisk (1.0.7)
- flannel (0.14.0)
- intel-microcode (20210608)
- libarchive (3.5.1)
- libev (4.33)
- libpcre (8.44)
- libuv (1.41.1)
- libverto (0.3.1)
- lz4 (1.9.3-r1)
- mit-krb5 (1.19.2)
- NVIDIA Drivers (470.57.02)
- pax-utils (1.3.1)
- portage-utils (0.90)
- readline (8.1_p1)
- runc (1.0.2)
- selinux (3.1)
- selinux-refpolicy (2.20200818)
- strace (5.12)
- systemd (247.9)
- tar (1.34)
- tini (0.19)
- wa-linux-agent (2.3.1.1)
- xz-utils (5.2.5)
- SDK: dnsmasq (2.85)
- SDK: rust (1.54)
- VMWare: open-vm-tools (11.3.0)
Release Date: Oct 25, 2021 amd64
ignition - 0.34.0
kernel - 5.10.75
systemd - 247
New Stable release 2905.2.6
Changes since Stable 2905.2.5
Security fixes
- Linux (CVE-2021-3764, CVE-2021-3744, CVE-2021-38300, CVE-2021-20321, CVE-2021-41864)
- containerd (CVE-2021-41103)
Bug fixes
- The tcsd service for TPM 1 is not started on machines with TPM 2 anymore where it fails and isn’t necessary (flatcar-linux/coreos-overlay#1364)
Updates
Release Date: Sep 30, 2021 amd64
ignition - 0.34.0
kernel - 5.10.69
systemd - 247
New Stable release 2905.2.5
Changes since Stable 2905.2.4
Security fixes
- Linux (CVE-2021-41073, CVE-2020-16119)
Bug fixes
- The Mellanox NIC Linux driver issue introduced in the previous release was fixed (Flatcar#520)
Updates
- Linux (5.10.69)
Release Date: Sep 27, 2021 amd64
ignition - 0.34.0
kernel - 5.10.67
systemd - 247
New Stable release 2905.2.4
Changes since Stable 2905.2.3
Security fixes
- Linux (CVE-2021-3753, CVE-2021-3739, CVE-2021-40490)
Updates
- Linux (5.10.67)
Release Date: Sep 1, 2021 amd64
ignition - 0.34.0
kernel - 5.10.61
systemd - 247
New Stable release 2905.2.3
Changes since Stable 2905.2.2
Security fixes
- Linux (CVE-2021-3653, CVE-2021-3656, CVE-2021-38166)
- openssl (CVE-2021-3711, CVE-2021-3712)
Bug Fixes
- Re-enabled kernel config FS_ENCRYPTION (coreos-overlay#1212)
- Fixed Perl in dev-container (coreos-overlay#1238)
Updates
Release Date: Aug 19, 2021 amd64
ignition - 0.34.0
kernel - 5.10.59
systemd - 247
Changes since Stable 2905.2.1
Security fixes
- Linux (CVE-2021-34556, CVE-2021-35477, CVE-2021-38205)
- Go (CVE-2021-36221)
- Systemd (CVE-2020-13529, CVE-2021-33910)
Bug Fixes
- Fixed pam.d sssd LDAP auth with sudo (coreos-overlay#1170)
- Let network-cleanup.service finish before entering rootfs (coreos-overlay#1182)
Changes
- Switched to zstd for the initramfs (coreos-overlay#1136)
- Embedded new subkey in flatcar-install (coreos-overlay#1180)
Updates
Release Date: Aug 4, 2021 amd64
ignition - 0.34.0
kernel - 5.10.55
systemd - 247
Security fixes
- Linux (CVE-2021-37576)
Bug fixes
- Set the cilium_vxlan interface to be not managed by networkd’s default setup with DHCP as it’s managed by Cilium. (init#43)
- Disabled SELinux by default in the dockerd wrapper script (coreos-overlay#1149)
- GCE: Granted CAP_NET_ADMIN to set routes for the TCP LB when starting oem-gce.service (coreos-overlay#1146)
Updates
- Linux (5.10.55)
Release Date: Jul 28, 2021 amd64
ignition - 0.34.0
kernel - 5.10.52
systemd - 247
Changes since Beta 2905.1.0
Security Fixes
- containerd (CVE-2021-32760)
- curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
- linux (CVE-2020-26541, CVE-2021-35039, CVE-2021-22543, CVE-2021-3609, CVE-2021-3655, CVE-2021-33909)
Updates
Changes since Stable 2765.2.6
Security Fixes:
- Linux (CVE-2020-26541, CVE-2021-35039, CVE-2021-22543, CVE-2021-3609, CVE-2021-3655, CVE-2021-33909, CVE-2021-34693, CVE-2021-33624)
- containerd (CVE-2021-32760)
- curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
- boost (CVE-2012-2677)
- Docker (CVE-2021-21285, CVE-2021-21284)
- c-ares (CVE-2020-8277)
- coreutils (CVE-2017-7476)
- dbus (CVE-2020-35512)
- dnsmasq (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)
- git (CVE-2021-21300)
- glib (CVE-2021-28153, CVE-2021-27218, CVE-2021-27219)
- gnutls (CVE-2021-20231, CVE-2021-20232)
- intel-microcode (CVE-2020-8696, CVE-2020-8698)
- libxml2 (CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3541)
- ncurses (CVE-2019-17594, CVE-2019-17595)
- openldap (CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230)
- samba (CVE-2020-14318, CVE-2020-14323, CVE-2020-14383)
- sqlite (CVE-2021-20227)
- binutils (CVE-2021-20197, CVE-2021-3487)
Bug Fixes:
- passwd: use correct GID for tss (baselayout#15)
- flatcar-eks: add missing mkdir and update to latest versions (coreos-overlay#817)
- gmerge: Stop installing gmerge script (coreos-overlay#828)
- Add explicit path to the binary call in the coreos-metadata unit file (Issue #360)
- Fix the patch to update DefaultTasksMax in systemd (coreos-overlay#971)
Changes
- Docker: disabled SELinux support in the Docker daemon
- The pam_faillock PAM module was enabled as replacement for the removed pam_tally2 module and will temporarily lock an account if there were login attempts with a wrong password. The faillock command can be used to show the current state. With pam_tally2 there was no limit for wrong password login attempts but with faillock the default is already restricting the attempts. The default behavior was relaxed to allow 5 wrong passwords per two minutes, and a one minute account lock time. This does not apply to logins with an SSH key. (baselayout#17)
- The etcd and flannel services are now run with Docker, and any rkt-based customizations of the etcd-member and flanneld services are not supported anymore. Also, because the flanneld service relies on Docker and will restart Docker after applying the new configuration, it is not possible anymore to set Requires=flanneld.service for docker.service; instead it's enough to have flanneld.service enabled. (coreos-overlay#857)
- toolbox: replace rkt with docker (coreos-overlay#881)
- flatcar-install: add parameters to make wget more resilient (init#35)
- flatcar-install: Add -D flag to only download the image file (Flatcar#248)
- flatcar-install: Detect device mapper (e.g., LVM/LUKS) usage when searching for free drives with the -s flag (Flatcar#332)
- motd: Add OEM information to motd output (init#34)
- open-iscsi: Command substitution in iscsi-init system service (coreos-overlay#801)
- sshd: use secure crypto algos only (kinvolk/coreos-overlay#852)
- kernel: enable kernel config CONFIG_BPF_LSM (kinvolk/coreos-overlay#846)
- bootengine: set hostname for EC2 and OpenStack from metadata (kinvolk/coreos-overlay#848)
- Make the hostname setting units optional. Having the hostname units as required by the initrd.target meant that if the unit failed the machine wouldn’t start, disrupting the whole boot. (bootengine#23)
- Enable using iSCSI netroot devices on Flatcar (bootengine#22)
- systemd-networkd: Do not manage loopback network interface (bootengine#24 init#40)
- containerd: Removed the containerd-stress binary (coreos-overlay#858)
- dhcpcd: Removed the dhcpcd binary from the image, systemd-networkd is the only DHCP client (coreos-overlay#858)
- samba: Update to EAPI=7, add new USE flags and remove deps on icu (kinvolk/coreos-overlay#864)
- GCE: The oem-gce.service was ported to use systemd-nspawn instead of rkt. A one-time action is required to fetch the new service file because the OEM partition is not updated: sudo curl -s -S -f -L -o /etc/systemd/system/oem-gce.service https://raw.githubusercontent.com/kinvolk/coreos-overlay/fe7b0047ef5b634ebe04c9627bbf1ce3008ee5fa/coreos-base/oem-gce/files/units/oem-gce.service && sudo systemctl daemon-reload && sudo systemctl restart oem-gce.service
- SDK: update portage and related packages to newer versions (coreos-overlay#840)
- SDK: Drop jobs parameter in flatcar-scripts (flatcar-scripts#121)
- SDK: delete Go 1.6 (coreos-overlay#827)
- Update sys-apps/coreutils and make sure they have split-usr disabled for generic images (coreos-overlay#829)
- systemd: Fix unit installation (coreos-overlay#810)
Updates
- Linux (5.10.52)
- Linux firmware (20210511)
- boost (1.75.0)
- docker (19.03.15)
- c-ares (1.17.1)
- curl (7.78)
- containerd (1.5.4)
- coreutils (8.32)
- cri-tools (1.19.0)
- dbus (1.10.32)
- dnsmasq (2.83)
- go (1.16.5)
- git (2.26.3)
- glib (2.66.8)
- gnutls (3.7.1)
- intel-microcode (20210216)
- libxml2 (2.9.12)
- multipath-tools (0.8.5)
- ncurses (6.2)
- open-iscsi (2.1.4)
- openldap (2.4.58)
- openssh (8.6_p1)
- runc (1.0.0_rc95)
- samba (4.12.9)
- sqlite (3.34.1)
- systemd (247.6)
- zstd (1.4.9)
- SDK: Rust (1.52.1)
- SDK: QEMU (5.2.0)
- SDK: cmake (3.18.5)
- SDK: binutils (2.36.1)
Deprecation
- docker-1.12, rkt and kubelet-wrapper are deprecated and removed from Stable, also from subsequent channels in the future. Please read the removal announcement to know more
Release Date: Jun 17, 2021 amd64
ignition - 0.34.0
kernel - 5.10.43
systemd - 247
Security fixes
- Linux (CVE-2020-26558, CVE-2021-0129, CVE-2020-24587, CVE-2020-24586, CVE-2020-24588, CVE-2020-26139, CVE-2020-26145, CVE-2020-26147, CVE-2020-26141, CVE-2021-3564, CVE-2021-28691, CVE-2021-3587, CVE-2021-3573)
Bug fixes
- Update-engine sent empty requests when restarted before a pending reboot (Flatcar#388)
- motd login prompt list of failed services: The output of "systemctl list-units --state=failed --no-legend" contains a bullet point which is not expected and ended up being taken as the unit name of failed units, which was previously at the start of the line. Filtered the bullet point out to stay compatible with the old behavior in case upstream would remove the bullet point again. (coreos-overlay#1042)
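The parsing pitfall behind the motd fix above, as an added example in Python (not Flatcar's motd code): taking the first whitespace-separated field of each list-units line works for older systemd but returns the status glyph on newer systemd, while picking the first field that contains a dot recovers the unit name in both layouts. The sample outputs are constructed; the ASCII-locale "*" glyph is systemd's fallback for the "●" bullet.

```python
"""Extract unit names from `systemctl list-units --state=failed --no-legend`
output (added example, not Flatcar's motd script).

Newer systemd prefixes every line with a status glyph ("●" in UTF-8 locales,
"*" as the ASCII fallback) before the unit name; older systemd starts the line
with the unit name itself. Every unit name carries a type suffix such as
.service or .mount, so the first field containing a dot is the unit name in
both layouts, while a glyph never contains one.
"""


def naive_failed_units(list_units_output: str) -> list:
    """The pre-fix behaviour: first field of each line. Breaks when a glyph leads the line."""
    return [line.split()[0] for line in list_units_output.splitlines() if line.split()]


def failed_units(list_units_output: str) -> list:
    """Robust variant: skip any leading marker fields and take the first field with a dot."""
    units = []
    for line in list_units_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = next((f for f in fields if "." in f), None)
        if name is not None:
            units.append(name)
    return units


# Constructed sample output in the old layout (unit name first).
OLD_FORMAT = """\
docker.service          loaded failed failed Docker Application Container Engine
update-engine.service   loaded failed failed Update Engine
"""

# Constructed sample output in the new layout (glyph first), UTF-8 locale.
NEW_FORMAT = """\
● docker.service          loaded failed failed Docker Application Container Engine
● update-engine.service   loaded failed failed Update Engine
"""

# Constructed sample output in the new layout with systemd's ASCII fallback glyph.
ASCII_FORMAT = "* docker.service loaded failed failed Docker Application Container Engine\n"


if __name__ == "__main__":
    print("naive on new layout:", naive_failed_units(NEW_FORMAT))
    print("fixed on new layout:", failed_units(NEW_FORMAT))
    print("fixed on old layout:", failed_units(OLD_FORMAT))
```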
Updates
- Linux (5.10.43)
Release Date: May 21, 2021 amd64
ignition - 0.34.0
kernel - 5.10.38
systemd - 247
Bug fixes
- The Linux kernel IOMMU-related crash introduced in the 5.10.37 update got fixed through the 5.10.38 update (Flatcar#400)
Updates
- Linux (5.10.38)
Release Date: May 19, 2021 amd64
ignition - 0.34.0
kernel - 5.10.37
systemd - 247
Security fixes
- Linux (CVE-2021-3491, CVE-2021-31440, CVE-2021-31829)
- nvidia-drivers (CVE-2021-1052, CVE-2021-1053, CVE-2021-1056, CVE-2021-1076, CVE-2021-1077)
- runc (CVE-2021-30465)
Updates
Release Date: Apr 28, 2021 amd64
ignition - 0.34.0
kernel - 5.10.32
systemd - 247
Security fixes
- Linux (CVE-2021-28964, CVE-2021-28972, CVE-2021-28971, CVE-2021-28951, CVE-2021-28952, CVE-2021-29266, CVE-2021-28688, CVE-2021-29264, CVE-2021-29649, CVE-2021-29650, CVE-2021-29646, CVE-2021-29647, CVE-2021-29154, CVE-2021-29155, CVE-2021-23133)
Bug fixes
- Fix the patch to update DefaultTasksMax in systemd (coreos-overlay#971)
Updates
- Linux (5.10.32)
Release Date: Mar 25, 2021 amd64
ignition - 0.34.0
kernel - 5.10.25
systemd - 247
Security fixes
- Linux (CVE-2021-27365, CVE-2021-27364, CVE-2021-27363, CVE-2021-28038, CVE-2021-28039, CVE-2021-28375, CVE-2021-28660, CVE-2021-27218, CVE-2021-27219)
- openssl (CVE-2021-23840, CVE-2021-23841, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841, CVE-2021-3449, CVE-2021-3450)
Bug Fixes
- GCE: The old interface name ens4v1 which was replaced by eth0 due to a broken udev rule was restored, but now as alternative interface name, and eth0 will stay the primary name for consistency across cloud environments. (init#38)
Changes
- The virtio network interfaces got predictable interface names as alternative interface names, and thus these names can also be used to match for a specific interface in case there is more than one and the eth0 and eth1 name assignment is not stable. (init#38)
Updates
Release Date: Mar 11, 2021 amd64
ignition - 0.34.0
kernel - 5.10.21
systemd - 247
Security fixes
- Linux - (CVE-2020-25639, CVE-2021-27365, CVE-2021-27364, CVE-2021-27363, CVE-2021-28038, CVE-2021-28039)
- containerd (GHSA-6g2q-w5j3-fwh4)
Bug fixes
- Include firmware files for all modules shipped in our image (Issue #359, PR #887)
- Add explicit path to the binary call in the coreos-metadata unit file (Issue #360)
Updates
Release Date: Mar 3, 2021 amd64
ignition - 0.34.0
kernel - 5.10.19
systemd - 247
Release Date: Dec 7, 2020 amd64
ignition - 0.34.0
kernel - 5.4.81
systemd - 246
Security fixes:
- containerd (CVE-2020-15257)
- glibc (CVE-2019-9169, CVE-2019-6488, CVE-2019-7309, CVE-2020-10029, CVE-2020-1751, CVE-2020-6096, CVE-2018-20796)
- Linux (CVE-2020-28941, CVE-2020-4788, CVE-2020-25669, CVE-2020-14351)
- glib (CVE-2019-12450)
- open-iscsi (CVE-2017-17840)
- samba (CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, CVE-2019-3880, CVE-2019-10218)
- shadow (CVE-2019-19882)
- sssd (CVE-2018-16883, CVE-2019-3811, CVE-2018-16838)
- trousers (CVE-2020-24330, CVE-2020-24331)
- cifs-utils (CVE-2020-14342)
- ntp (CVE-2020-11868, CVE-2020-13817, CVE-2018-8956, CVE-2020-15025)
- bzip2 (CVE-2019-12900)
- c-ares (CVE-2017-1000381)
- file (CVE-2019-18218)
- json-c (CVE-2020-12762)
- jq (CVE-2015-8863, CVE-2016-4074)
- libuv (CVE-2020-8252)
- libxml2 (CVE-2019-20388, CVE-2020-7595)
- re2c (CVE-2020-11958)
- tar (CVE-2019-9923)
- sqlite (CVE-2020-11656, CVE-2020-9327, CVE-2020-11655, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358)
- tcpdump and pcap (CVE-2018-10103, CVE-2018-10105, CVE-2019-15163, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166, CVE-2018-14879, CVE-2017-16808, CVE-2018-19519, CVE-2019-15161, CVE-2019-15165, CVE-2019-15164, CVE-2019-1010220)
- libbsd (CVE-2019-20367)
- rsync and zlib (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)
Bug fixes
- Added systemd-tmpfiles directives for /opt and /opt/bin to ensure that the folders have correct permissions even when /opt/ was once created by containerd (Flatcar#279)
- Make the automatic filesystem resizing more robust against a race and add more logging (kinvolk/init#31)
- Allow inactive network interfaces to be bound to a bonding interface, by encoding additional configuration for systemd-networkd-wait-online (afterburn PR #10)
- Do not configure ccache in Jenkins (scripts PR #100)
- Azure: Exclude bonded SR-IOV network interfaces with newer drivers from networkd (in addition to the old drivers) to prevent them being configured instead of just the bond interface (init PR#29, bootengine PR#19)
Changes:
- Update-engine now detects rollbacks and reports them as errors to the update server (PR#6)
- The zstd tools were added (version 1.4.4)
- The kernel config CONFIG_PSI was set to support Pressure Stall Information, more information also under https://facebookmicrosites.github.io/psi/docs/overview (Flatcar#162)
- The kernel config CONFIG_BPF_JIT_ALWAYS_ON was set to use the BPF just-in-time compiler by default for faster execution
- The kernel config CONFIG_POWER_SUPPLY was set
- The kernel configs CONFIG_OVERLAY_FS_METACOPY and CONFIG_OVERLAY_FS_REDIRECT_DIR were set. With the first, overlayfs only copies up metadata when a metadata-specific operation like chown/chmod is performed; the full file is copied up later when it is opened for writing. With the second, which is equivalent to setting “redirect_dir=on” in the kernel command-line, overlayfs copies up the directory first before the actual content (Flatcar#170).
- Remove unnecessary kernel module nf-conntrack-ipv4 (overlay PR#649)
- Compress kernel modules with xz (overlay PR#628)
- Add containerd-runc-shim-v* binaries required by kubelet custom CRI endpoints (overlay PR#623)
- Equinix Metal (Packet): Exclude unused network interfaces from networkd, disregard the state of the bonded interfaces for network-online.target, and only require the bond interface itself to have at least one active link, instead of requiring it to be routable, which needs both links to be active (afterburn PR#10)
- QEMU: Use flatcar.autologin kernel command line parameter for auto login on the console (Flatcar #71)
Updates:
- Linux (5.4.81)
- Linux firmware (20200918)
- systemd (246.6)
- glibc (2.32)
- Docker (19.03.14)
- containerd (1.4.3)
- tini (0.18)
- libseccomp (2.5.0)
- audit (2.8.5)
- bzip2 (1.0.8)
- c-ares (1.61.1)
- cryptsetup (2.3.2)
- cifs-utils (6.11)
- dbus-glib (0.110)
- dracut (050)
- elfutils (0.178)
- glib (2.64.5)
- json-c (0.15)
- jq (1.6)
- libuv (1.39.0)
- libxml2 (2.9.10)
- ntp (4.2.8_p15)
- open-iscsi (2.1.2)
- samba (4.11.13)
- shadow (4.8)
- sssd (2.3.1)
- strace (5.9)
- talloc (2.3.1)
- tar (1.32)
- tdb (1.4.3)
- tevent (0.10.2)
- SDK/developer container: GCC (9.3.0), binutils (2.35), gdb (9.2)
- Go (1.15.5, 1.12.17) (only in SDK)
- Rust (1.46.0) (only in SDK)
- file (5.39) (only in SDK)
- gdbus-codegen (2.64.5) (only in SDK)
- meson (0.55.3) (only in SDK)
- re2c (2.0.3) (only in SDK)
- VMware: open-vm-tools (11.2.0)
Release Date: Nov 19, 2020 amd64
ignition - 0.34.0
kernel - 5.4.77
systemd - 245
Security fixes:
- Linux - CVE-2020-27673, CVE-2020-27675
Bug fixes:
- network: Restore KeepConfiguration=dhcp-on-stop (kinvolk/init#30)
- systemd-stable-245.8: ingest latest fixes on top of upstream release (#1, #2, #3)
Updates:
Release Date: Oct 28, 2020 amd64
ignition - 0.34.0
kernel - 5.4.72
systemd - 245
Security fixes:
- Linux - CVE-2020-25645, CVE-2020-25643, CVE-2020-25211
Bug fixes:
- Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying update: or locksmith: directives while also reformatting the rootfs (baselayout PR#7)
Updates:
- Linux 5.4.72
Release Date: Sep 30, 2020 amd64
ignition - 0.34.0
kernel - 5.4.67
systemd - 245
Bug fixes:
- Enabled missing systemd services (#191, PR #612)
- Fixed Docker torcx image unpacking error on machines with less than ~600 MB total RAM (#32)
- Solved adcli Kerberos Active Directory incompatibility (#194)
- Fixed the makefile path when building kernel modules with the developer container (#195)
- Removed the /etc/portage/savedconfig/ folder that contained a dump of the firmware config (flatcar-linux/coreos-overlay#613)
Changes:
- GCE: Improved oslogin support and added shell aliases to run a Python Docker image (PR #592)
Updates:
- Linux 5.4.67
- adcli 0.9.0
- GCE: oslogin 20200910.00
Release Date: Sep 22, 2020 amd64
ignition - 0.34.0
kernel - 5.4.66
rkt - 1.30.0
systemd - 245
Security fixes:
- Linux kernel CVE-2020-14390 and a similar bug without an assigned CVE
- Linux kernel CVE-2020-25284
Updates:
- Linux 5.4.66
Release Date: Jan 28, 2021 amd64
ignition - 0.34.0
kernel - 5.4.92
systemd - 246
Security fixes
- linux - CVE-2020-28374, CVE-2020-36158
- go - CVE-2021-3114
- sudo - CVE-2021-3156, CVE-2021-23239
Bug fixes
- /etc/iscsi/initiatorname.iscsi is generated by the iscsi-init service (#321)
- Prevent iscsiadm buffer overflow (#318)
Changes
- Revert to building docker and containerd with go1.13 instead of go1.15. This reduces the SIGURG log spam (Issue #315 PR #774)
- The containerd socket is now available in the default location (/run/containerd/containerd.sock) and also as a symlink in the previous location (/run/docker/libcontainerd/docker-containerd.sock) (#771)
- With the iscsi update, the service unit has changed from iscsid to iscsi (#791)
- AWS Pro: include scripts to facilitate setup of EKS workers (#794).
- Missed from earlier notes: with the previous open-iscsi update to 2.1.2, the service unit name changed from iscsid to iscsi (#682)
Updates
Release Date: Jan 12, 2021 amd64
ignition - 0.34.0
kernel - 5.4.87
systemd - 246
Security fixes
Bug fixes
- networkd: avoid managing MAC addresses for veth devices (kinvolk/init#33)
Updates
- Linux (5.4.87)
Release Date: Dec 16, 2020 amd64
ignition - 0.34.0
kernel - 5.4.83
systemd - 246
Security fixes:
Bug fixes:
- The sysctl net.ipv4.conf.*.rp_filter is set to 0 for the Cilium CNI plugin to work (Flatcar#181)
- Package downloads in the developer container now use the correct URL again (Flatcar#298)
Changes:
- The sysctl default config file is now applied under the prefix 60 which allows for custom sysctl config files to take effect when they start with a prefix of 70, 80, or 90 (baselayout#13)
- Containerd CRI plugin got enabled by default, only the containerd socket path needs to be specified as kubelet parameter for Kubernetes 1.20 to use containerd instead of Docker (Flatcar#283)
- For users with a custom update server, a machine alias setting in update-engine allows giving human-friendly names to client instances (update-engine#8)
Updates:
- Linux (5.4.83)
Release Date: Sep 16, 2020 amd64
ignition - 0.34.0
kernel - 4.19.145
rkt - 1.30.0
systemd - 241
Release Date: Sep 7, 2020 amd64
ignition - 0.34.0
kernel - 4.19.143
rkt - 1.30.0
systemd - 241
Security fixes:
- Linux kernel: Fix AF_PACKET overflow in tpacket_rcv CVE-2020-14386
Updates:
- Linux 4.19.143
Release Date: Aug 20, 2020 amd64
ignition - 0.34.0
kernel - 4.19.140
rkt - 1.30.0
systemd - 241
Security fixes:
- Bind: fixes for CVE-2020-8616, CVE-2020-8617, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
Bug fixes:
- The static IP address configuration in the initramfs works again in the format ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]] (flatcar-linux/bootengine#15)
- app-admin/{kubelet, etcd, flannel}-wrapper: don’t overwrite the user supplied --insecure-options argument (flatcar-linux/coreos-overlay#426)
- etcd-wrapper: Adjust data dir permissions (flatcar-linux/coreos-overlay#536)
Changes:
- Vultr support in Ignition (flatcar-linux/ignition#13)
- VMware OVF settings default to ESXi 6.5 and Linux 3.x
Updates:
Release Date: Jun 17, 2020 amd64
ignition - 0.34.0
kernel - 4.19.128
rkt - 1.30.0
systemd - 241
Flatcar updates
Security fixes:
- Fix the Intel Microcode vulnerabilities (CVE-2020-0543)
Changes:
- A source code and licensing overview is available under /usr/share/licenses/INFO
Updates:
Release Date: May 26, 2020 amd64
ignition - 0.34.0
kernel - 4.19.124
rkt - 1.30.0
systemd - 241
Flatcar updates
Security fixes:
- Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
- Fix Git arbitrary path overwrite, credential leak from credential helpers, remote code execution in recursive clones, and arbitrary command execution via submodules (CVE-2019-1348, CVE-2019-1387, CVE-2019-19604, CVE-2020-11008, CVE-2020-5260)
- Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
- Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
- Fix libidn2 domain impersonation (CVE-2019-12290)
- Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
- Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
- Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
- Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
- Fix vim arbitrary command execution via crafted file (CVE-2019-12735)
Bug fixes:
- When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (https://github.com/flatcar/update_engine/pull/5)
- Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed
- Use the correct BINHOST URLs in the development container to download binary packages
Changes:
- Support the CoreOS GRUB /boot/coreos/first_boot flag file (https://github.com/flatcar/bootengine/pull/13)
- Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
- Use flatcar.autologin kernel command line parameter on Azure and VMware for auto login on the serial console
- Include conntrack (conntrack-tools)
- Include journalctl output, pstore kernel crash logs, and coredumpctl list output in the mayday report
- Update wa-linux-agent to 2.2.46 on Azure
- Support both coreos.config.* and flatcar.config.* guestinfo variables on VMware OEM
Updates:
Release Date: Mar 31, 2020 amd64
ignition - 0.34.0
kernel - 4.19.107
rkt - 1.30.0
systemd - 241
Flatcar updates
Bug fixes:
- Use newest network interface naming scheme (https://github.com/flatcar/Flatcar/issues/36)
- This is a possible breaking change for some persistent network interface names
- Fix URL scheme in emerge-gitclone (https://github.com/flatcar/coreos-overlay/issues/223)
- Fix coreos-cloudinit variable names (https://github.com/flatcar/coreos-overlay/pull/206)
- Prefer /boot/coreos to write updates (https://github.com/flatcar/update_engine/pull/2)
- Remove /boot/coreos/first_boot after an Ignition rerun on migration (https://github.com/flatcar/bootengine/pull/10)
- Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar/ignition/pull/10)
Changes:
- Add kernel config for QEDE driver (https://github.com/flatcar/coreos-overlay/pull/198)
- Add tracepath alongside traceroute6 (https://github.com/flatcar/Flatcar/issues/50)
Updates:
- Linux 4.19.107
Release Date: Mar 2, 2020 amd64
ignition - 0.33.0
kernel - 4.19.106
rkt - 1.30.0
systemd - 241
Flatcar updates
Bug fixes:
- Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
- Fix backwards compatibility issues for users migrating from CoreOS Container Linux. Support the kernel command line parameters coreos.oem.*, coreos.autologin, coreos.first_boot, and the QEMU firmware config path opt/com.coreos/config (https://github.com/flatcar/Flatcar/issues/16, https://github.com/flatcar/afterburn/pull/7, https://github.com/flatcar/bootengine/pull/7, https://github.com/flatcar/bootengine/pull/8, https://github.com/flatcar/init/pull/16, https://github.com/flatcar/init/pull/17, https://github.com/flatcar/ignition/pull/8)
Upstream Container Linux updates
Security fixes:
- Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker CVE-2020-1712
- Fix heap-based buffer over-read in libexpat (CVE-2019-15903)
- Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)
- Fix curl Kerberos FTP double free (CVE-2019-5481)
- Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5482)
- Fix OpenSSL key extraction attacks under non-default conditions (CVE-2019-1563, CVE-2019-1547)
Updates:
Release Date: Feb 10, 2020 amd64
ignition - 0.33.0
kernel - 4.19.95
rkt - 1.30.0
systemd - 241
Flatcar updates
Bug fixes:
- Fix DNS resolution for the GCE metadata server (https://github.com/flatcar/coreos-overlay/pull/160)
- Create symlink for /run/metadata/coreos (https://github.com/flatcar/coreos-overlay/pull/166)
- Create symlink for flatcar-install (https://github.com/flatcar/init/pull/14)
Upstream Container Linux updates:
Updates:
- Linux 4.19.95
Release Date: Dec 18, 2019 amd64
ignition - 0.33.0
kernel - 4.19.86
rkt - 1.30.0
systemd - 241
Flatcar updates
Bug fixes:
- Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar/baselayout/pull/2)
- Fix bug of unpacking tarballs failing when xattr is not supported (https://github.com/flatcar/torcx/pull/2)
Updates:
Release Date: Dec 5, 2019 amd64
ignition - 0.33.0
kernel - 4.19.86
rkt - 1.30.0
systemd - 241
Release Date: Nov 21, 2019 amd64
ignition - 0.33.0
kernel - 4.19.84
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
Security fixes:
- Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
- Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
Bug fixes:
- Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
Updates:
Release Date: Nov 11, 2019 amd64
ignition - 0.33.0
kernel - 4.19.78
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
Bug fixes:
- Fix time zone for Brazil (#2627)
Updates:
- timezone-data 2019c
Release Date: Oct 17, 2019 amd64
ignition - 0.33.0
kernel - 4.19.78
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
No changes for stable promotion
Release Date: Sep 5, 2019 amd64
ignition - 0.33.0
kernel - 4.19.68
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
Security fixes:
- Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
- Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)
Bug fixes:
- Fix GCE agent crash loop in new installs (#2608)
Updates:
- Linux 4.19.68
Release Date: Aug 30, 2019 amd64
ignition - 0.33.0
kernel - 4.19.66
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
Security fixes:
- Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)
Updates:
Release Date: Aug 16, 2019 amd64
ignition - 0.33.0
kernel - 4.19.65
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
Security fixes:
- Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)
Updates:
- Linux 4.19.65
Flatcar updates
Bug fixes:
- Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar/ignition/issues/2)
- Get SELinux context included in torcx tarballs (https://github.com/flatcar/scripts/pull/16)
- Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar/torcx/pull/1)
Changes:
- Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar/init/pull/7)
Release Date: Aug 1, 2019 amd64
ignition - 0.33.0
kernel - 4.19.56
rkt - 1.30.0
systemd - 241
Release Date: Jul 3, 2019 amd64
ignition - 0.33.0
kernel - 4.19.50
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
Bug fixes:
- Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)
Updates:
- Ignition 0.33.0
Release Date: Jul 1, 2019 amd64
ignition - 0.32.0
kernel - 4.19.50
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
No changes for stable promotion
Release Date: Jun 19, 2019 amd64
ignition - 0.31.0
kernel - 4.19.43
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
Security fixes:
- Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)
Bug fixes:
- Fix invalid bzip2 compression of Container Linux release images (#2589)
Release Date: Jun 6, 2019 amd64
ignition - 0.31.0
kernel - 4.19.43
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
Bug fixes:
- Fix systemd MountFlags=shared option (#2579)
Changes:
- Pin network interface naming to systemd v238 scheme (#2578)
Release Date: May 16, 2019 amd64
ignition - 0.31.0
kernel - 4.19.43
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
Security fixes:
- Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)
Updates:
Release Date: Apr 26, 2019 amd64
ignition - 0.31.0
kernel - 4.19.34
rkt - 1.30.0
systemd - 241
Flatcar updates
Bug fixes:
- Fix a regression from the latest hotfix builds, about CROS_WORKON_COMMIT in coreos-overlay
Release Date: Apr 25, 2019 amd64
ignition - 0.31.0
kernel - 4.19.34
rkt - 1.30.0
systemd - 241
Release Date: Apr 24, 2019 amd64
ignition - 0.31.0
kernel - 4.19.34
rkt - 1.30.0
systemd - 241
Upstream Container Linux updates:
No changes for stable promotion
Release Date: Mar 12, 2019 amd64
ignition - 0.30.0
kernel - 4.19.25
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
Security fixes:
- Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)
Bug fixes:
- Fix systemd-journald memory leak (#2564)
Updates:
- Linux 4.19.25
Release Date: Feb 27, 2019 amd64
ignition - 0.30.0
kernel - 4.19.23
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
Release Date: Feb 21, 2019 amd64
ignition - 0.28.0
kernel - 4.14.96
rkt - 1.30.0
systemd - 238
Release Date: Feb 14, 2019 amd64
ignition - 0.28.0
kernel - 4.14.96
rkt - 1.30.0
systemd - 238
Release Date: Jan 30, 2019 amd64
ignition - 0.28.0
kernel - 4.14.96
rkt - 1.30.0
systemd - 238
Release Date: Jan 28, 2019 amd64
ignition - 0.28.0
kernel - 4.14.88
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
No changes for stable promotion
Flatcar updates
Changes:
- Fix the previous update of Flatcar where instead of https://github.com/flatcar/init the upstream coreos-init package was referenced and used accidentally.
Release Date: Jan 28, 2019 amd64
ignition - 0.28.0
kernel - 4.14.88
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
No changes for stable promotion
Release Date: Dec 21, 2018 amd64
ignition - 0.28.0
kernel - 4.14.84
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
Security fixes:
- Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
- Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)
Updates:
Release Date: Nov 27, 2018 amd64
ignition - 0.28.0
kernel - 4.14.81
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
Security fixes:
- Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)
Updates:
- Linux 4.14.81
Release Date: Nov 8, 2018 amd64
ignition - 0.28.0
kernel - 4.14.78
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
Security fixes:
- Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
- Fix systemd race allowing changing file permissions (CVE-2018-15687)
- Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)
Release Date: Oct 26, 2018 amd64
ignition - 0.26.0
kernel - 4.14.74
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
Security fixes:
- Fix Git remote code execution during recursive clone (CVE-2018-17456)
Updates:
Release Date: Oct 11, 2018 amd64
ignition - 0.26.0
kernel - 4.14.67
rkt - 1.30.0
systemd - 238
Release Date: Sep 14, 2018 amd64
ignition - 0.26.0
kernel - 4.14.67
rkt - 1.30.0
systemd - 238
Release Date: Aug 17, 2018 amd64
ignition - 0.25.1
kernel - 4.14.63
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
- Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)
Updates:
Release Date: Aug 8, 2018 amd64
ignition - 0.25.1
kernel - 4.14.59
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)
Bug fixes:
- Fix failure to mount large ext4 filesystems (#2485)
Release Date: Jul 31, 2018 amd64
ignition - 0.25.1
kernel - 4.14.59
rkt - 1.30.0
systemd - 238
Release Date: Jul 26, 2018 amd64
ignition - 0.25.1
kernel - 4.14.55
rkt - 1.30.0
systemd - 238
Upstream Container Linux updates:
No changes for stable promotion
Release Date: Jun 15, 2018 amd64
ignition - 0.24.1
kernel - 4.14.48
rkt - 1.29.0
systemd - 238
Release Date: Jun 13, 2018 amd64
ignition - 0.24.1
kernel - 4.14.48
rkt - 1.29.0
systemd - 238
Upstream Container Linux updates:
Bug fixes:
- Fix Hyper-V network driver regression (#2454)
Updates:
- Linux 4.14.48
Release Date: Jun 1, 2018 amd64
ignition - 0.24.1
kernel - 4.14.44
rkt - 1.29.0
systemd - 238
Upstream Container Linux updates:
Security fixes:
- Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)
Bug fixes:
- Fix failure to set network interface MTU (#2443)
Updates:
Release Date: May 27, 2018 amd64
ignition - 0.24.1
kernel - 4.14.42
rkt - 1.29.0
systemd - 238
Upstream Container Linux updates:
Bug fixes:
- Fix inadvertent change of network interface names (#2437)
Release Date: May 26, 2018 amd64
ignition - 0.24.1
kernel - 4.14.42
rkt - 1.29.0
systemd - 238
Release Date: Apr 25, 2018 amd64
ignition - 0.22.0
kernel - 4.14.32
rkt - 1.29.0
systemd - 237
Flatcar updates
Initial Flatcar release.
Bug fixes:
- Fix GRUB crash at boot (#2284)
- Fix poweroff problems (#8080)
Notes:
- Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.
Upstream Container Linux updates:
Bug fixes:
- Avoid GRUB crash at boot (#2284). We’ve included the real fix for this.
- Fix kernel panic with vxlan (#2382)
docker - 26.1.0
ignition - 2.19.0
kernel - 6.6.54
systemd - 255
Changes since Beta 4054.1.0
Security fixes:
- Linux (CVE-2024-46711, CVE-2024-46709, CVE-2024-46680, CVE-2024-46679, CVE-2024-46678, CVE-2024-46677, CVE-2024-46676, CVE-2024-46695, CVE-2024-46694, CVE-2024-46693, CVE-2024-46675, CVE-2024-46692, CVE-2024-46689, CVE-2024-46687, CVE-2024-46686, CVE-2024-46685, CVE-2024-46673, CVE-2024-46674, CVE-2024-46811, CVE-2024-46810, CVE-2024-46809, CVE-2024-46807, CVE-2024-46806, CVE-2024-46805, CVE-2024-46804, CVE-2024-46821, CVE-2024-46819, CVE-2024-46818, CVE-2024-46817, CVE-2024-46815, CVE-2024-46814, CVE-2024-46812, CVE-2024-46802, CVE-2024-46803, CVE-2024-46724, CVE-2024-46732, CVE-2024-46731, CVE-2024-46728, CVE-2024-46726, CVE-2024-46725, CVE-2024-46723, CVE-2024-46722, CVE-2024-46721, CVE-2024-46720, CVE-2024-46719, CVE-2024-46717, CVE-2024-46716, CVE-2024-46714, CVE-2024-46715, CVE-2024-46831, CVE-2024-46840, CVE-2024-46839, CVE-2024-46838, CVE-2024-46836, CVE-2024-46835, CVE-2024-46848, CVE-2024-46847, CVE-2024-46846, CVE-2024-46845, CVE-2024-46844, CVE-2024-46843, CVE-2024-46832, CVE-2024-46830, CVE-2024-46829, CVE-2024-46828, CVE-2024-46827, CVE-2024-46826, CVE-2024-46825, CVE-2024-46822, CVE-2024-46788, CVE-2024-46797, CVE-2024-46796, CVE-2024-46795, CVE-2024-46794, CVE-2024-46791, CVE-2024-46800, CVE-2024-46798, CVE-2024-46760, CVE-2024-46768, CVE-2024-46767, CVE-2024-46765, CVE-2024-46763, CVE-2024-46787, CVE-2024-46786, CVE-2024-46785, CVE-2024-46784, CVE-2024-46783, CVE-2024-46782, CVE-2024-46781, CVE-2024-46780, CVE-2024-46762, CVE-2024-46777, CVE-2024-46776, CVE-2024-46773, CVE-2024-46771, CVE-2024-46770, CVE-2024-46761, CVE-2024-46743, CVE-2024-46742, CVE-2024-46741, CVE-2024-46740, CVE-2024-46739, CVE-2024-46738, CVE-2024-46737, CVE-2024-46759, CVE-2024-46758, CVE-2024-46757, CVE-2024-46756, CVE-2024-46755, CVE-2024-46736, CVE-2024-46752, CVE-2024-46750, CVE-2024-46749, CVE-2024-46747, CVE-2024-46746, CVE-2024-46745, CVE-2024-46744, CVE-2024-46734, CVE-2024-46735, CVE-2024-46713, CVE-2024-46858, CVE-2024-46857, CVE-2024-46855, CVE-2024-46854, CVE-2024-46853, CVE-2024-46852, CVE-2024-46865, CVE-2024-46864, CVE-2024-46861, CVE-2024-46860, CVE-2024-46859, CVE-2024-46849)
- curl (CVE-2024-7264)
- expat (CVE-2024-45490)
- linux-firmware (CVE-2023-31315)
- SDK: re2c (CVE-2022-23901)
Bug fixes:
- CloudSigma: Disabled the new DHCP RapidCommit feature which is enabled by default since systemd 255. CloudSigma provides an incompatible implementation which results in cloud-init not being applied as no IP is issued. See: (flatcar/scripts#2016)
- Fixed the initrd option in the QEMU launcher script. It was -R, but this was already taken by the read-only pflash option, so use -r instead. (scripts#2239)
- Equinix Metal: fixed race condition on ‘mount’ Ignition stage (scripts#2308)
- Fixed slow PXE and ISO boots caused by decrypt-root.service. (Flatcar#1514)
Changes:
- Azure, HyperV: Added daemons kvp, vss, and fcopy for better HyperV hypervisor integration with Flatcar guests (scripts#2309).
- Enable mpi3mr kernel module for Broadcom Storage/RAID-Controllers (flatcar/scripts#2355)
- Replace nmap netcat with openbsd variant. The license didn’t get an exception from CNCF. Something about the definition of “derivative works” being too broad.
- The docker build command now uses buildx as its backend, since the old backend is deprecated and prints a loud “DEPRECATED” warning every time it is used.
Updates:
- Go (1.21.13)
- Linux (6.6.54 (includes 6.6.53, 6.6.52, 6.6.51, 6.6.50, 6.6.49))
- Linux Firmware (20240811)
- Open-iSCSI (2.1.10)
- azure: azure-nvme-utils (0.2.0)
- ca-certificates (3.105)
- conntrack-tools (1.4.8)
- containerd (1.7.21)
- curl (8.9.1)
- dev: minicom (2.9)
- elfutils (0.191)
- expat (2.6.3)
- gce, sysext-python: setuptools (71.1.0 (includes 71.0.0))
- gce, sysext-python: setuptools (72.1.0)
- gflags (2.2.2)
- glog (0.6.0)
- libmicrohttpd (1.0.1 (includes 1.0.0))
- lz4 (1.10.0)
- nghttp2 (1.62.1)
- npth (1.7)
- pahole (1.27)
- SDK: Rust (1.80.1)
- SDK: meson (1.5.1)
- sysext-python: more-itertools (10.4.0)
- sysext-python: pip (24.1.2)
- sysext-python: pip (24.2)
- sysext-python: wheel (0.44.0)
- sysext-zfs: zfs (2.2.5 (includes 2.2.4))
- tcpdump (4.99.4)
Changes since Alpha 4081.0.0
Security fixes:
- Linux (CVE-2024-46711, CVE-2024-46709, CVE-2024-46680, CVE-2024-46679, CVE-2024-46678, CVE-2024-46677, CVE-2024-46676, CVE-2024-46695, CVE-2024-46694, CVE-2024-46693, CVE-2024-46675, CVE-2024-46692, CVE-2024-46689, CVE-2024-46687, CVE-2024-46686, CVE-2024-46685, CVE-2024-46673, CVE-2024-46674, CVE-2024-46811, CVE-2024-46810, CVE-2024-46809, CVE-2024-46807, CVE-2024-46806, CVE-2024-46805, CVE-2024-46804, CVE-2024-46821, CVE-2024-46819, CVE-2024-46818, CVE-2024-46817, CVE-2024-46815, CVE-2024-46814, CVE-2024-46812, CVE-2024-46802, CVE-2024-46803, CVE-2024-46724, CVE-2024-46732, CVE-2024-46731, CVE-2024-46728, CVE-2024-46726, CVE-2024-46725, CVE-2024-46723, CVE-2024-46722, CVE-2024-46721, CVE-2024-46720, CVE-2024-46719, CVE-2024-46717, CVE-2024-46716, CVE-2024-46714, CVE-2024-46715, CVE-2024-46831, CVE-2024-46840, CVE-2024-46839, CVE-2024-46838, CVE-2024-46836, CVE-2024-46835, CVE-2024-46848, CVE-2024-46847, CVE-2024-46846, CVE-2024-46845, CVE-2024-46844, CVE-2024-46843, CVE-2024-46832, CVE-2024-46830, CVE-2024-46829, CVE-2024-46828, CVE-2024-46827, CVE-2024-46826, CVE-2024-46825, CVE-2024-46822, CVE-2024-46788, CVE-2024-46797, CVE-2024-46796, CVE-2024-46795, CVE-2024-46794, CVE-2024-46791, CVE-2024-46800, CVE-2024-46798, CVE-2024-46760, CVE-2024-46768, CVE-2024-46767, CVE-2024-46765, CVE-2024-46763, CVE-2024-46787, CVE-2024-46786, CVE-2024-46785, CVE-2024-46784, CVE-2024-46783, CVE-2024-46782, CVE-2024-46781, CVE-2024-46780, CVE-2024-46762, CVE-2024-46777, CVE-2024-46776, CVE-2024-46773, CVE-2024-46771, CVE-2024-46770, CVE-2024-46761, CVE-2024-46743, CVE-2024-46742, CVE-2024-46741, CVE-2024-46740, CVE-2024-46739, CVE-2024-46738, CVE-2024-46737, CVE-2024-46759, CVE-2024-46758, CVE-2024-46757, CVE-2024-46756, CVE-2024-46755, CVE-2024-46736, CVE-2024-46752, CVE-2024-46750, CVE-2024-46749, CVE-2024-46747, CVE-2024-46746, CVE-2024-46745, CVE-2024-46744, CVE-2024-46734, CVE-2024-46735, CVE-2024-46713, CVE-2024-46858, CVE-2024-46857, CVE-2024-46855, CVE-2024-46854, CVE-2024-46853, CVE-2024-46852, CVE-2024-46865, CVE-2024-46864, CVE-2024-46861, CVE-2024-46860, CVE-2024-46859, CVE-2024-46849)
- expat (CVE-2024-45490)
Bug fixes:
- CloudSigma: Disabled the new DHCP RapidCommit feature which is enabled by default since systemd 255. CloudSigma provides an incompatible implementation which results in cloud-init not being applied as no IP is issued. See: (flatcar/scripts#2016)
- Equinix Metal: fixed race condition on ‘mount’ Ignition stage (scripts#2308)
Changes:
- Azure, HyperV: Added daemons kvp, vss, and fcopy for better HyperV hypervisor integration with Flatcar guests (scripts#2309).
- Enable mpi3mr kernel module for Broadcom Storage/RAID-Controllers (flatcar/scripts#2355)
Updates:
docker - 26.1.0
ignition - 2.19.0
kernel - 6.6.48
systemd - 255
Changes since Beta 4012.1.0
Security fixes:
- Linux (CVE-2024-44944, CVE-2024-43877, CVE-2024-43876, CVE-2024-43875, CVE-2024-43873, CVE-2024-43871, CVE-2024-43881, CVE-2024-43880, CVE-2024-43879, CVE-2024-43869, CVE-2024-43870, CVE-2024-43856, CVE-2024-43860, CVE-2024-43859, CVE-2024-43858, CVE-2024-43833, CVE-2024-43832, CVE-2024-43831, CVE-2024-43830, CVE-2024-43829, CVE-2024-43828, CVE-2024-43855, CVE-2024-43854, CVE-2024-43853, CVE-2024-43851, CVE-2024-43850, CVE-2024-43849, CVE-2024-43847, CVE-2024-43846, CVE-2024-43845, CVE-2024-43842, CVE-2024-43841, CVE-2024-43839, CVE-2024-43837, CVE-2024-43834, CVE-2024-43825, CVE-2024-43823, CVE-2024-43821, CVE-2024-43818, CVE-2024-43817, CVE-2024-42321, CVE-2024-42322, CVE-2024-42288, CVE-2024-42297, CVE-2024-42296, CVE-2024-42295, CVE-2024-42294, CVE-2024-42292, CVE-2024-42320, CVE-2024-42318, CVE-2024-42291, CVE-2024-42316, CVE-2024-42315, CVE-2024-42314, CVE-2024-42313, CVE-2024-42311, CVE-2024-42310, CVE-2024-42309, CVE-2024-42308, CVE-2024-42290, CVE-2024-42307, CVE-2024-42306, CVE-2024-42305, CVE-2024-42304, CVE-2024-42303, CVE-2024-42302, CVE-2024-42301, CVE-2024-42299, CVE-2024-42298, CVE-2024-42289, CVE-2024-42284, CVE-2024-42283, CVE-2024-42281, CVE-2024-42280, CVE-2024-42279, CVE-2024-42278, CVE-2024-42277, CVE-2024-42287, CVE-2024-42286, CVE-2024-42285, CVE-2023-52889, CVE-2024-42276, CVE-2024-43867, CVE-2024-43866, CVE-2024-43864, CVE-2024-43863, CVE-2024-42312, CVE-2024-42274, CVE-2024-42273, CVE-2024-42272, CVE-2024-42271, CVE-2024-42270, CVE-2024-42269, CVE-2024-42268, CVE-2024-42267, CVE-2024-42265, CVE-2024-43908, CVE-2024-44931, CVE-2024-43914, CVE-2024-43912, CVE-2024-44935, CVE-2024-44934, CVE-2024-43909, CVE-2024-43905, CVE-2024-43903, CVE-2024-43902, CVE-2024-43900, CVE-2024-43907, CVE-2024-43906, CVE-2024-43897, CVE-2024-43894, CVE-2024-43893, CVE-2024-43892, CVE-2024-43890, CVE-2024-43889, CVE-2024-43895, CVE-2024-43883, CVE-2024-43861, CVE-2024-42259, CVE-2024-44943, CVE-2024-44942, CVE-2024-44941, CVE-2024-44940, CVE-2024-44938, CVE-2024-44939, CVE-2024-43898, CVE-2024-43882, CVE-2024-44947, CVE-2024-44946)
- curl (CVE-2024-6197, CVE-2024-6874)
- docker (CVE-2024-29018)
- git (CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, CVE-2024-32021, CVE-2024-32465)
- glib (CVE-2024-34397)
- go (CVE-2023-45288, CVE-2023-45289, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785, CVE-2024-24788, CVE-2024-24789, CVE-2024-24790, CVE-2024-24791)
- intel-microcode (CVE-2023-45733, CVE-2023-45745, CVE-2023-46103, CVE-2023-47855)
- libarchive (CVE-2024-26256, CVE-2024-37407)
- libxml2 (CVE-2024-34459)
- mit-krb5 (CVE-2024-26461, CVE-2024-26462, CVE-2024-37370, CVE-2024-37371)
- sysext-podman: podman (CVE-2024-3727)
- tpm2-tools (CVE-2024-29038, CVE-2024-29039, CVE-2024-29040)
- wget (CVE-2024-38428)
- SDK: nasm (CVE-2019-6290, CVE-2019-6291, CVE-2019-8343, CVE-2020-21528, CVE-2021-33450, CVE-2021-33452, CVE-2022-44368, CVE-2022-44369, CVE-2022-44370)
Bug fixes:
- Fixed ownership of systemd units shipped with the built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Because the contents of sysexts and /usr are read-only on Flatcar, the incorrect ownership cannot be used to escalate privileges. (scripts#2266)
- Fixed bad usage of gpg that prevented flatcar-install from being used with custom signing keys (Flatcar#1471)
- Equinix Metal: Fixed oem-cloudinit.service. The availability check now uses the https://metadata.platformequinix.com/metadata endpoint. (scripts#2222)
Changes:
- As part of the update to Catalyst 4 (used to build the SDK), the coreos package repository has been renamed to coreos-overlay to match its directory name. This will be reflected in package listings and package manager output. (flatcar/scripts#2115)
- The kernel security module Landlock is now enabled for programs to sandbox themselves (flatcar/scripts#2158)
Updates:
- Linux (6.6.48 (includes 6.6.47, 6.6.46, 6.6.45, 6.6.44))
- Linux Firmware (20240709)
- audit (3.1.2)
- binutils (2.42)
- bpftool (6.9.2 (includes 6.8.2))
- btrfs-progs (6.9.2)
- c-ares (1.29.0 (includes 1.28.1, 1.28.0))
- cJSON (1.7.18)
- ca-certificates (3.104)
- containerd (1.7.20 (includes 1.7.19))
- cryptsetup (2.7.2 (includes 2.7.1 and 2.7.0))
- curl (8.9.0 (includes 8.8.0))
- docker (26.1.0, includes changes from 25.0)
- e2fsprogs (1.47.1)
- ethtool (6.9)
- findutils (4.10.0)
- gcc (13.3.1_p20240614)
- git (2.44.2 (includes 2.44.1, 2.44.0))
- glib (2.78.6 (includes 2.78.5, 2.78.4))
- gnupg (2.4.5)
- hwdata (0.383 (includes 0.382))
- intel-microcode (20240514_p20240514)
- iproute2 (6.8.0 (includes 6.7.0))
- ipset (7.22)
- kexec-tools (2.0.28)
- kmod (32)
- libarchive (3.7.4 (includes 3.7.3))
- libassuan (2.5.7)
- libcap (2.70)
- libcap-ng (0.8.5)
- libdnet (1.18.0)
- libgpg-error (1.49)
- libksba (1.6.7)
- libnl (3.9.0)
- libnvme (1.9)
- libpcre2 (10.43)
- libunwind (1.8.1 (includes 1.8.0))
- libusb (1.0.27)
- libxml2 (2.12.7 (includes 2.12.6))
- linux-pam (1.5.3)
- lshw (02.20.2b)
- mit-krb5 (1.21.3)
- multipath-tools (0.9.8)
- nmap (7.95)
- nvme-cli (2.9.1 (includes 2.9))
- pciutils (3.13.0 (includes 3.12.0))
- qemu-guest-agent (8.2.0)
- rsync (3.3.0)
- runc (1.1.13)
- sqlite (3.46.0 (includes 3.45.3))
- strace (6.9)
- sysext-podman: aardvark-dns (1.11.0)
- sysext-podman: containers-common (0.59.1)
- sysext-podman: podman (5.0.3)
- sysext-python: jaraco-text (3.12.1)
- sysext-python: setuptools (70.3.0 (includes 70.1.1, 70.1.0, 70.0.0, 69.5.1, 69.5.0, 69.4.2, 69.4.1, 69.4.0, 69.3.1, 69.3.0, 69.2.0))
- sysext-python: trove-classifiers (2024.7.2)
- systemd (255.8)
- talloc (2.4.1)
- tdb (1.4.9)
- tevent (0.15.0)
- tpm2-tools (5.7 (includes 5.6.1, 5.6))
- tpm2-tss (4.1.3 (includes changes from 4.0.2))
- util-linux (2.39.4)
- vim (9.1.0366 (includes changes from 9.1))
- wget (1.24.5)
- whois (5.5.21)
- xfsprogs (6.8.0 (includes changes from 6.6.0))
- xz-utils (5.6.2)
- zfs (2.2.3)
- zlib (1.3.1)
- zstd (1.5.6)
- VMware: open-vm-tools (12.4.5)
- SDK: Rust (1.80.0)
- SDK: go (1.21.12 (includes changes from 1.21))
- SDK: nasm (2.16.01)
- SDK: portage (3.0.65 (includes changes from 3.0.63))
- SDK: qemu (8.2.3)
Changes since Alpha 4054.0.0
Security fixes:
- Linux (CVE-2024-44944, CVE-2024-43877, CVE-2024-43876, CVE-2024-43875, CVE-2024-43873, CVE-2024-43871, CVE-2024-43881, CVE-2024-43880, CVE-2024-43879, CVE-2024-43869, CVE-2024-43870, CVE-2024-43856, CVE-2024-43860, CVE-2024-43859, CVE-2024-43858, CVE-2024-43833, CVE-2024-43832, CVE-2024-43831, CVE-2024-43830, CVE-2024-43829, CVE-2024-43828, CVE-2024-43855, CVE-2024-43854, CVE-2024-43853, CVE-2024-43851, CVE-2024-43850, CVE-2024-43849, CVE-2024-43847, CVE-2024-43846, CVE-2024-43845, CVE-2024-43842, CVE-2024-43841, CVE-2024-43839, CVE-2024-43837, CVE-2024-43834, CVE-2024-43825, CVE-2024-43823, CVE-2024-43821, CVE-2024-43818, CVE-2024-43817, CVE-2024-42321, CVE-2024-42322, CVE-2024-42288, CVE-2024-42297, CVE-2024-42296, CVE-2024-42295, CVE-2024-42294, CVE-2024-42292, CVE-2024-42320, CVE-2024-42318, CVE-2024-42291, CVE-2024-42316, CVE-2024-42315, CVE-2024-42314, CVE-2024-42313, CVE-2024-42311, CVE-2024-42310, CVE-2024-42309, CVE-2024-42308, CVE-2024-42290, CVE-2024-42307, CVE-2024-42306, CVE-2024-42305, CVE-2024-42304, CVE-2024-42303, CVE-2024-42302, CVE-2024-42301, CVE-2024-42299, CVE-2024-42298, CVE-2024-42289, CVE-2024-42284, CVE-2024-42283, CVE-2024-42281, CVE-2024-42280, CVE-2024-42279, CVE-2024-42278, CVE-2024-42277, CVE-2024-42287, CVE-2024-42286, CVE-2024-42285, CVE-2023-52889, CVE-2024-42276, CVE-2024-43867, CVE-2024-43866, CVE-2024-43864, CVE-2024-43863, CVE-2024-42312, CVE-2024-42274, CVE-2024-42273, CVE-2024-42272, CVE-2024-42271, CVE-2024-42270, CVE-2024-42269, CVE-2024-42268, CVE-2024-42267, CVE-2024-42265, CVE-2024-43908, CVE-2024-44931, CVE-2024-43914, CVE-2024-43912, CVE-2024-44935, CVE-2024-44934, CVE-2024-43909, CVE-2024-43905, CVE-2024-43903, CVE-2024-43902, CVE-2024-43900, CVE-2024-43907, CVE-2024-43906, CVE-2024-43897, CVE-2024-43894, CVE-2024-43893, CVE-2024-43892, CVE-2024-43890, CVE-2024-43889, CVE-2024-43895, CVE-2024-43883, CVE-2024-43861, CVE-2024-42259, CVE-2024-44943, CVE-2024-44942, CVE-2024-44941, CVE-2024-44940, CVE-2024-44938, 
CVE-2024-44939, CVE-2024-43898, CVE-2024-43882, CVE-2024-44947, CVE-2024-44946)
Bug fixes:
- Fixed ownership of systemd units shipped with the built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Because the contents of sysexts and /usr are read-only on Flatcar, the incorrect ownership cannot be used to escalate privileges. (scripts#2266)
- Equinix Metal: Fixed oem-cloudinit.service. The availability check now uses the https://metadata.platformequinix.com/metadata endpoint. (scripts#2222)
Updates:
docker - 24.0.9
ignition - 2.19.0
kernel - 6.6.43
systemd - 255
Changes since Beta 3975.1.1
Security fixes:
- Linux (CVE-2024-42098, CVE-2024-42097, CVE-2024-42096, CVE-2024-42095, CVE-2024-42093, CVE-2024-42094, CVE-2024-42092, CVE-2024-42090, CVE-2024-42089, CVE-2024-42087, CVE-2024-42086, CVE-2024-42084, CVE-2024-42085, CVE-2024-42070, CVE-2024-42069, CVE-2024-42068, CVE-2024-42067, CVE-2024-42082, CVE-2024-42080, CVE-2024-42079, CVE-2024-42077, CVE-2024-42076, CVE-2024-42074, CVE-2024-42073, CVE-2023-52887, CVE-2024-42063, CVE-2024-41094, CVE-2024-41093, CVE-2024-41092, CVE-2024-41089, CVE-2024-41088, CVE-2024-41087, CVE-2024-41098, CVE-2024-41097, CVE-2024-41096, CVE-2024-41095, CVE-2024-41084, CVE-2024-41009, CVE-2024-39486, CVE-2024-42068, CVE-2024-42067, CVE-2024-42145, CVE-2024-42154, CVE-2024-42153, CVE-2024-42152, CVE-2024-42148, CVE-2024-42230, CVE-2024-42229, CVE-2024-42228, CVE-2024-42226, CVE-2024-42225, CVE-2024-42147, CVE-2024-42224, CVE-2024-42223, CVE-2024-42161, CVE-2024-42160, CVE-2024-42159, CVE-2024-42157, CVE-2024-42110, CVE-2024-42119, CVE-2024-42116, CVE-2024-42115, CVE-2024-42144, CVE-2024-42143, CVE-2024-42142, CVE-2024-42141, CVE-2024-42140, CVE-2024-42113, CVE-2024-42138, CVE-2024-42137, CVE-2024-42136, CVE-2024-42135, CVE-2024-42133, CVE-2024-42132, CVE-2024-42131, CVE-2024-42130, CVE-2024-42128, CVE-2024-42127, CVE-2024-42126, CVE-2024-42124, CVE-2024-42121, CVE-2024-42120, CVE-2023-52888, CVE-2024-42106, CVE-2024-42105, CVE-2024-42104, CVE-2024-42103, CVE-2024-42102, CVE-2024-42101, CVE-2024-42100, CVE-2024-42109, CVE-2024-40947, CVE-2024-41056, CVE-2024-41053, CVE-2024-41055, CVE-2024-41054, CVE-2024-41032, CVE-2024-41031, CVE-2024-41030, CVE-2024-41028, CVE-2024-41027, CVE-2024-41052, CVE-2024-41051, CVE-2024-41050, CVE-2024-41049, CVE-2024-41048, CVE-2024-41047, CVE-2024-41046, CVE-2024-41044, CVE-2024-41025, CVE-2024-41041, CVE-2024-41040, CVE-2024-41039, CVE-2024-41038, CVE-2024-41037, CVE-2024-41036, CVE-2024-41035, CVE-2024-41034, CVE-2024-41024, CVE-2024-41081, CVE-2024-41078, CVE-2024-41079, CVE-2024-41076, CVE-2024-41075, 
CVE-2024-41074, CVE-2024-41073, CVE-2024-41072, CVE-2024-41070, CVE-2024-41069, CVE-2024-41077, CVE-2024-41068, CVE-2024-41066, CVE-2024-41065, CVE-2024-41064, CVE-2024-41063, CVE-2024-41062, CVE-2024-41060, CVE-2024-41059, CVE-2024-41057, CVE-2024-41058, CVE-2024-41022, CVE-2024-41020, CVE-2024-41019, CVE-2024-41018, CVE-2024-41017, CVE-2024-41015, CVE-2024-41090, CVE-2024-41091, CVE-2024-36977, CVE-2024-36975, CVE-2024-36969, CVE-2024-36968, CVE-2024-36967, CVE-2024-36965, CVE-2024-36966, CVE-2024-41011, CVE-2024-36964, CVE-2024-36963, CVE-2024-36962, CVE-2024-36960, CVE-2024-36942, CVE-2024-36951, CVE-2024-36950, CVE-2024-36949, CVE-2024-36947, CVE-2024-36946, CVE-2024-36945, CVE-2024-36944, CVE-2024-36959, CVE-2024-36957, CVE-2024-36955, CVE-2024-36954, CVE-2024-36953, CVE-2024-36952, CVE-2024-36916, CVE-2024-36914, CVE-2024-36913, CVE-2024-36912, CVE-2024-36911, CVE-2024-36941, CVE-2024-36940, CVE-2024-36939, CVE-2024-36938, CVE-2024-36937, CVE-2024-36910, CVE-2024-36934, CVE-2024-36933, CVE-2024-36931, CVE-2024-36930, CVE-2024-36929, CVE-2024-36928, CVE-2024-36927, CVE-2024-36909, CVE-2024-36926, CVE-2024-36925, CVE-2024-36924, CVE-2024-36922, CVE-2024-36921, CVE-2024-36920, CVE-2024-36919, CVE-2024-36918, CVE-2024-36917, CVE-2024-36908, CVE-2024-36880, CVE-2024-36889, CVE-2024-36888, CVE-2024-36887, CVE-2024-36886, CVE-2024-36885, CVE-2024-36883, CVE-2024-36906, CVE-2024-36905, CVE-2024-36904, CVE-2024-36903, CVE-2024-36902, CVE-2024-36901, CVE-2024-36900, CVE-2024-36882, CVE-2024-36899, CVE-2024-36898, CVE-2024-36897, CVE-2024-36896, CVE-2024-36895, CVE-2024-36894, CVE-2024-36893, CVE-2024-36891, CVE-2024-36890, CVE-2024-36881, CVE-2024-36032, CVE-2023-52882, CVE-2024-36031, CVE-2024-36028, CVE-2024-36017, CVE-2024-36011, CVE-2024-36012, CVE-2024-35947, CVE-2024-35848, CVE-2024-41006, CVE-2024-41005, CVE-2024-41004, CVE-2024-40996, CVE-2024-41002, CVE-2024-41001, CVE-2024-41000, CVE-2024-40998, CVE-2024-40997, CVE-2024-40994, CVE-2024-40993, CVE-2024-40992, 
CVE-2024-40990, CVE-2024-40989, CVE-2024-40988, CVE-2024-40987, CVE-2024-40995, CVE-2024-40983, CVE-2024-40984, CVE-2024-40970, CVE-2024-40978, CVE-2024-40977, CVE-2024-40976, CVE-2024-40974, CVE-2024-40973, CVE-2024-40982, CVE-2024-40981, CVE-2024-40980, CVE-2024-40971, CVE-2024-40955, CVE-2024-40954, CVE-2024-40953, CVE-2024-40952, CVE-2024-40951, CVE-2024-40969, CVE-2024-40968, CVE-2024-40967, CVE-2024-40966, CVE-2024-40948, CVE-2024-40964, CVE-2024-40963, CVE-2024-40962, CVE-2024-40961, CVE-2024-40960, CVE-2024-40959, CVE-2024-40958, CVE-2024-40957, CVE-2024-40956, CVE-2024-40929, CVE-2024-40938, CVE-2024-40937, CVE-2024-40936, CVE-2024-40935, CVE-2024-40934, CVE-2024-40932, CVE-2024-40931, CVE-2024-40945, CVE-2024-40944, CVE-2024-40943, CVE-2024-40942, CVE-2024-40941, CVE-2024-40940, CVE-2024-40939, CVE-2024-40922, CVE-2024-40921, CVE-2024-40920, CVE-2024-40919, CVE-2024-40918, CVE-2024-40916, CVE-2024-40915, CVE-2024-40928, CVE-2024-40927, CVE-2024-40925, CVE-2024-40924, CVE-2024-40923, CVE-2024-40913, CVE-2024-40914, CVE-2024-40912, CVE-2024-39503, CVE-2024-39502, CVE-2024-39501, CVE-2024-39500, CVE-2024-39499, CVE-2024-39497, CVE-2024-40911, CVE-2024-40910, CVE-2024-40909, CVE-2024-40908, CVE-2024-40906, CVE-2024-40905, CVE-2024-40904, CVE-2024-40903, CVE-2024-40902, CVE-2024-39496, CVE-2024-40901, CVE-2024-40900, CVE-2024-39509, CVE-2024-39508, CVE-2024-39507, CVE-2024-39506, CVE-2024-39505, CVE-2024-39504, CVE-2024-39494, CVE-2024-39495, CVE-2024-39469, CVE-2024-39298, CVE-2024-39371, CVE-2024-37078, CVE-2024-39493, CVE-2024-39476, CVE-2024-39485, CVE-2024-39484, CVE-2024-39483, CVE-2024-39482, CVE-2024-39481, CVE-2024-39480, CVE-2024-39479, CVE-2024-39475, CVE-2024-39473, CVE-2024-39474, CVE-2024-39471, CVE-2024-39470, CVE-2024-39468, CVE-2024-39467, CVE-2024-39466, CVE-2024-39464, CVE-2024-39461, CVE-2024-39463, CVE-2024-39462, CVE-2024-39296, CVE-2024-39276, CVE-2024-38661, CVE-2024-38385, CVE-2024-37354, CVE-2024-39362, CVE-2024-39301, CVE-2022-48772,
CVE-2024-39491, CVE-2024-39490, CVE-2024-39489, CVE-2024-39488, CVE-2024-37021, CVE-2024-36479, CVE-2024-35247, CVE-2024-34030, CVE-2024-34027, CVE-2024-33847, CVE-2024-39292, CVE-2024-38667, CVE-2024-39291, CVE-2024-38384, CVE-2024-38664, CVE-2024-38663, CVE-2024-36481, CVE-2024-36477, CVE-2024-34777, CVE-2024-39277, CVE-2024-38662, CVE-2024-38780, CVE-2024-38659, CVE-2024-38634, CVE-2024-38637, CVE-2024-38636, CVE-2024-38635, CVE-2024-36484, CVE-2024-36286, CVE-2024-36281, CVE-2024-36270, CVE-2024-36244, CVE-2024-33621, CVE-2024-38633, CVE-2024-38632, CVE-2024-38630, CVE-2024-38629, CVE-2024-38628, CVE-2024-38627, CVE-2024-38625, CVE-2024-38624, CVE-2024-33619, CVE-2024-38623, CVE-2024-38622, CVE-2024-38621, CVE-2024-38391, CVE-2024-38390, CVE-2024-38388, CVE-2024-38381, CVE-2024-37356, CVE-2024-37353, CVE-2024-36489, CVE-2023-52884, CVE-2024-31076, CVE-2024-38620, CVE-2024-38617, CVE-2024-38616, CVE-2024-38615, CVE-2024-38614, CVE-2024-38613, CVE-2024-38612, CVE-2024-38611, CVE-2024-38610, CVE-2024-38618, CVE-2024-38607, CVE-2024-38605, CVE-2024-38604, CVE-2024-38603, CVE-2024-38601, CVE-2024-38602, CVE-2024-38598, CVE-2024-38597, CVE-2024-38596, CVE-2024-38593, CVE-2024-38591, CVE-2024-38600, CVE-2024-38599, CVE-2024-38589, CVE-2024-38590, CVE-2024-38575, CVE-2024-38584, CVE-2024-38583, CVE-2024-38582, CVE-2024-38581, CVE-2024-38580, CVE-2024-38579, CVE-2024-38578, CVE-2024-38577, CVE-2024-38588, CVE-2024-38587, CVE-2024-38586, CVE-2024-38585, CVE-2024-38576, CVE-2024-38568, CVE-2024-38573, CVE-2024-38572, CVE-2024-38571, CVE-2024-38570, CVE-2024-38569, CVE-2024-36979, CVE-2024-38546, CVE-2024-38545, CVE-2024-38544, CVE-2024-38543, CVE-2024-38541, CVE-2024-38567, CVE-2024-38540, CVE-2024-38566, CVE-2024-38565, CVE-2024-38564, CVE-2024-38562, CVE-2024-38561, CVE-2024-38560, CVE-2024-38559, CVE-2024-38558, CVE-2024-38557, CVE-2024-38539, CVE-2024-38556, CVE-2024-38555, CVE-2024-38554, CVE-2024-38553, CVE-2024-38552, CVE-2024-38551, CVE-2024-38550, CVE-2024-38549, 
CVE-2024-38548, CVE-2024-38547, CVE-2024-38538)
Bug fixes:
- Hetzner: Fixed duplicated prefix in the Afterburn metadata (scripts#2141)
Changes:
- Hetzner: Added COREOS_HETZNER_PRIVATE_IPV4_0 Afterburn attribute for Hetzner private IPs (scripts#2141)
- Provided a Python Flatcar extension as optional systemd-sysext image with the release. Write ‘python’ to /etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning (scripts#1979)
- Added Akamai / Linode images (scripts#1806)
- Removed unused grub executable duplicate files and removed grub modules that are already assembled in the grub executable (scripts#1955).
- libcrypt is now provided by the libxcrypt library instead of glibc. The glibc libcrypt was deprecated a long time ago.
Updates:
- Linux (6.6.43 (includes 6.6.42, 6.6.41, 6.6.40, 6.6.39, 6.6.38, 6.6.37, 6.6.36, 6.6.35, 6.6.34, 6.6.33, 6.6.32, 6.6.31))
- Linux Firmware (20240610)
- afterburn (5.6.0)
- ca-certificates (3.103 (includes 3.102, 3.102.1, 3.101.1))
- containerd (1.7.18)
- Ignition (2.19.0)
- SDK: Rust (1.79.0 (includes 1.78.0))
Changes since Alpha 4012.0.1
Security fixes
- Linux (CVE-2024-42098, CVE-2024-42097, CVE-2024-42096, CVE-2024-42095, CVE-2024-42093, CVE-2024-42094, CVE-2024-42092, CVE-2024-42090, CVE-2024-42089, CVE-2024-42087, CVE-2024-42086, CVE-2024-42084, CVE-2024-42085, CVE-2024-42070, CVE-2024-42069, CVE-2024-42068, CVE-2024-42067, CVE-2024-42082, CVE-2024-42080, CVE-2024-42079, CVE-2024-42077, CVE-2024-42076, CVE-2024-42074, CVE-2024-42073, CVE-2023-52887, CVE-2024-42063, CVE-2024-41094, CVE-2024-41093, CVE-2024-41092, CVE-2024-41089, CVE-2024-41088, CVE-2024-41087, CVE-2024-41098, CVE-2024-41097, CVE-2024-41096, CVE-2024-41095, CVE-2024-41084, CVE-2024-41009, CVE-2024-39486, CVE-2024-42068, CVE-2024-42067, CVE-2024-42145, CVE-2024-42154, CVE-2024-42153, CVE-2024-42152, CVE-2024-42148, CVE-2024-42230, CVE-2024-42229, CVE-2024-42228, CVE-2024-42226, CVE-2024-42225, CVE-2024-42147, CVE-2024-42224, CVE-2024-42223, CVE-2024-42161, CVE-2024-42160, CVE-2024-42159, CVE-2024-42157, CVE-2024-42110, CVE-2024-42119, CVE-2024-42116, CVE-2024-42115, CVE-2024-42144, CVE-2024-42143, CVE-2024-42142, CVE-2024-42141, CVE-2024-42140, CVE-2024-42113, CVE-2024-42138, CVE-2024-42137, CVE-2024-42136, CVE-2024-42135, CVE-2024-42133, CVE-2024-42132, CVE-2024-42131, CVE-2024-42130, CVE-2024-42128, CVE-2024-42127, CVE-2024-42126, CVE-2024-42124, CVE-2024-42121, CVE-2024-42120, CVE-2023-52888, CVE-2024-42106, CVE-2024-42105, CVE-2024-42104, CVE-2024-42103, CVE-2024-42102, CVE-2024-42101, CVE-2024-42100, CVE-2024-42109, CVE-2024-40947, CVE-2024-41056, CVE-2024-41053, CVE-2024-41055, CVE-2024-41054, CVE-2024-41032, CVE-2024-41031, CVE-2024-41030, CVE-2024-41028, CVE-2024-41027, CVE-2024-41052, CVE-2024-41051, CVE-2024-41050, CVE-2024-41049, CVE-2024-41048, CVE-2024-41047, CVE-2024-41046, CVE-2024-41044, CVE-2024-41025, CVE-2024-41041, CVE-2024-41040, CVE-2024-41039, CVE-2024-41038, CVE-2024-41037, CVE-2024-41036, CVE-2024-41035, CVE-2024-41034, CVE-2024-41024, CVE-2024-41081, CVE-2024-41078, CVE-2024-41079, CVE-2024-41076, CVE-2024-41075, 
CVE-2024-41074, CVE-2024-41073, CVE-2024-41072, CVE-2024-41070, CVE-2024-41069, CVE-2024-41077, CVE-2024-41068, CVE-2024-41066, CVE-2024-41065, CVE-2024-41064, CVE-2024-41063, CVE-2024-41062, CVE-2024-41060, CVE-2024-41059, CVE-2024-41057, CVE-2024-41058, CVE-2024-41022, CVE-2024-41020, CVE-2024-41019, CVE-2024-41018, CVE-2024-41017, CVE-2024-41015, CVE-2024-41090, CVE-2024-41091)
Bug fixes:
- Hetzner: Fixed duplicated prefix in the Afterburn metadata (scripts#2141)
Changes:
- Hetzner: Added COREOS_HETZNER_PRIVATE_IPV4_0 Afterburn attribute for Hetzner private IPs (scripts#2141)
Updates:
docker - 24.0.9
ignition - 2.18.0
kernel - 6.6.36
systemd - 255
docker - 24.0.9
ignition - 2.18.0
kernel - 6.6.35
systemd - 255
Changes since Beta 3941.1.0
Security fixes:
- expat (CVE-2023-52425, CVE-2024-28757)
- gnutls (CVE-2024-28834, CVE-2024-28835)
- intel-microcode (CVE-2023-22655, CVE-2023-28746, CVE-2023-38575, CVE-2023-39368, CVE-2023-43490)
- less (CVE-2024-32487)
- SDK: python (CVE-2023-6597, CVE-2024-0450, gh-81194, gh-113659, gh-102388, gh-114572, gh-115243)
Bug fixes:
- Fixed issue file generation from /etc/issue.d (scripts#2018)
Changes:
- Added KubeVirt qcow2 image for amd64/arm64 (flatcar/scripts#1962)
- Added azure-nvme-utils to the image, which is used by udev to create symlinks for NVMe disks on Azure v6 instances under /dev/disk/azure/. (scripts#1950)
- Backported systemd-sysext mutable overlays functionality from yet-unreleased systemd v256. (flatcar/scripts#1753)
- Provided a Podman Flatcar extension as optional systemd-sysext image with the release. Write ‘podman’ to /etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning (scripts#1964)
- OpenStack: Changed the metadata hostname source order. The service first tries the config drive, then falls back to the metadata service. (bootengine#96)
Updates:
- Linux (6.6.35 (includes 6.6.34, 6.6.33, 6.6.32 and 6.6.31))
- Linux Firmware (20240513)
- Rust (1.77.2)
- ca-certificates (3.101)
- containerd (1.7.17 (includes 1.7.16))
- expat (2.6.2 (includes 2.6.1 and 2.6.0))
- gnutls (3.8.5 (includes 3.8.4))
- intel-microcode (20240312)
- libunistring (1.2)
- systemd (255.4)
- SDK: python (3.11.9)
Changes since Alpha 3975.0.0
Bug fixes:
- Fixed issue file generation from /etc/issue.d (scripts#2018)
Changes:
- OpenStack: Changed the metadata hostname source order. The service first tries the config drive, then falls back to the metadata service. (bootengine#96)
Updates:
docker - 24.0.9
ignition - 2.18.0
kernel - 6.6.30
systemd - 255
Beta 3941.1.0
Changes since Beta 3913.1.0
Security fixes:
- Linux (CVE-2023-28746, CVE-2023-47233, CVE-2023-52639, CVE-2023-6270, CVE-2023-7042, CVE-2024-22099, CVE-2024-23307, CVE-2024-24861, CVE-2024-26642, CVE-2024-26643, CVE-2024-26651, CVE-2024-26652, CVE-2024-26654, CVE-2024-26656, CVE-2024-26783, CVE-2024-26809)
- c-ares (CVE-2024-25629)
- coreutils (coreutils-2024-03-28)
- curl (CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466)
- glibc (CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602)
- nghttp2 (CVE-2024-28182)
Bug fixes:
Changes:
- Added zram-generator package to the image (scripts#1772)
- Added the Intel igc driver to support I225/I226 family NICs. (scripts#1786)
- Added Hetzner images (scripts#1880)
- Added Hyper-V VHDX image (scripts#1791)
- Enabled amd-pstate,amd-pstate-epp cpufreq drivers for some AMD CPUs in the kernel. (scripts#1770)
- Enabled ntpd by default on AWS & GCP, enabled chronyd by default on Azure. The native time sync source is used on each cloud. (scripts#1792)
- Enabled the ptp_vmw module in the kernel.
- Hyper-V images: both .vhd and .vhdx files are now available zip-compressed, switching from bzip2 to zip, a compression format built into Windows (scripts#1878)
- OpenStack, Brightbox: Added the flatcar.autologin kernel cmdline parameter by default, as the hypervisor manages access to the console (scripts#1866)
- Removed actool from the image and acbuild from the SDK, as these tools are deprecated and not used (scripts#1817)
- Scaleway: images are now provided directly as .qcow2 to ease the import on Scaleway (scripts#1953)
- Switched ptp_kvm from kernel builtin to module.
- The default VM memory was bumped to 2 GB in the Qemu script and for VMware OVFs
Updates:
- Linux (6.6.30 (includes 6.6.29, 6.6.28, 6.6.27, 6.6.26, 6.6.25, 6.6.24, 6.6.23, 6.6.22))
- acl (2.3.2)
- attr (2.5.2)
- bpftool (6.7.6)
- c-ares (1.27.0 (includes 1.26.0))
- ca-certificates (3.100 (includes 3.99))
- containerd (1.7.15 (includes 1.7.14))
- coreutils (9.5)
- curl (8.7.1 (includes 8.7.0))
- ethtool (6.7)
- git (2.43.2)
- inih (58)
- ipset (7.21 (includes 7.20))
- iputils (20240117 (includes 20231222))
- libnvme (1.8)
- nghttp2 (1.61.0 (includes 1.58.0, 1.59.0 and 1.60.0))
- nvme-cli (2.8)
- open-vm-tools (12.4.0)
- samba (4.18.9)
- selinux-refpolicy (2.20240226)
- SDK: libpng (1.6.43 (includes 1.6.42 and 1.6.41))
- SDK: Rust (1.77.1 (includes 1.77.0))
Changes since Alpha 3941.0.0
Security fixes:
- Linux (CVE-2023-28746, CVE-2023-47233, CVE-2023-52639, CVE-2023-6270, CVE-2023-7042, CVE-2024-22099, CVE-2024-23307, CVE-2024-24861, CVE-2024-26642, CVE-2024-26643, CVE-2024-26651, CVE-2024-26652, CVE-2024-26654, CVE-2024-26656, CVE-2024-26783, CVE-2024-26809)
- glibc (CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602)
Bug fixes:
Changes:
- Added Hetzner images (scripts#1880)
- Scaleway: images are now provided directly as .qcow2 to ease the import on Scaleway (scripts#1953)
Updates:
docker - 24.0.9
ignition - 2.18.0
kernel - 6.6.21
systemd - 255
Changes since Beta 3874.1.0
Security fixes:
- Downgraded xz-utils to 5.4.2 as a precaution, even though Flatcar is not affected by the SSH backdoor (CVE-2024-3094)
- coreutils (CVE-2024-0684)
- dnsmasq (CVE-2023-28450, CVE-2023-50387, CVE-2023-50868)
- gcc (CVE-2023-4039)
- glibc (CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780)
- gnupg (gnupg-2024-01-25)
- gnutls (CVE-2024-0567, CVE-2024-0553)
- libuv (CVE-2024-24806)
- libxml2 (CVE-2024-25062)
- openssl (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237, CVE-2024-0727)
- sudo (CVE-2023-42465)
- vim (CVE-2023-48231, CVE-2023-48232, CVE-2023-48233, CVE-2023-48234, CVE-2023-48235, CVE-2023-48236, CVE-2023-48237, CVE-2023-48706)
Bug fixes:
- Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via ignition. (Flatcar#1385)
- Fixed toolbox to prevent mounted ctr snapshots from being garbage-collected (toolbox#9)
- Removed the custom CloudSigma coreos-cloudinit service configuration, since the service is called with the cloudsigma OEM anyway. Restarting the service can also leave the serial port stuck in a nondeterministic state, which breaks future runs.
Changes:
- A new format, qemu_uefi_secure, is introduced to test Flatcar for SecureBoot-enabled features. The format will later be merged into qemu_uefi.
- Added Ignition Clevis support for encrypted disks unlocked with a TPM2 device or a Tang server (scripts#1560)
- Added Scaleway images (flatcar/scripts#1683)
- Added support for unlocking the rootfs with a TPM set up by systemd-cryptenroll (bootengine#93)
- Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. (flatcar/scripts#1771)
- Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI (scripts#1861)
- Provided a ZFS-2.2.2 Flatcar extension as optional systemd-sysext image with the release. Write ‘zfs’ to /etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning. ZFS support is experimental and ZFS is not supported for the root partition. (flatcar/scripts#1742)
- Removed Linux drivers for the Mellanox Technologies Switch ASICs family and the Spectrum/Spectrum-2/Spectrum-3/Spectrum-4 Ethernet Switch ASICs to reduce the initrd size on AMD64 by ~5MB (flatcar/scripts#1734). This change is part of the effort to reduce the initrd size (flatcar#1381).
- Removed coreos-cloudinit support for automatic key conversion (e.g. reboot-strategy -> reboot_strategy) (scripts#1687)
- SDK: Unified qemu image formats, so that the qemu_uefi build target provides the regular qemu and the qemu_uefi_secure artifacts (scripts#1847)
Updates:
- Go (1.20.14)
- Ignition (2.18.0 (includes 2.17.0, 2.16.2, 2.16.1 and 2.16.0))
- Linux Firmware (20240312 (includes 20240220))
- audit (3.1.1)
- bind-tools (9.16.48)
- c-ares (1.25.0)
- cJSON (1.7.17)
- ca-certificates (3.99)
- checkpolicy (3.6)
- curl (8.6.0)
- ethtool (6.6)
- glibc (2.38)
- gnupg (2.4.4 (includes 2.2.42))
- less (643)
- libbsd (0.11.8)
- libcap-ng (0.8.4)
- libgcrypt (1.10.3)
- libidn2 (2.3.7 (includes https://gitlab.com/libidn/libidn2/-/releases/v2.3.4))
- libksba (1.6.6)
- libnvme (1.7.1 (includes 1.7))
- libpsl (0.21.5)
- libseccomp (2.5.5)
- libselinux (3.6)
- libsemanage (3.6)
- libsepol (3.6)
- libuv (1.48.0)
- libverto (0.3.2)
- libxml2 (2.12.5 (includes 2.12.4))
- lsof (4.99.3 (includes 4.99.2 and 4.99.1))
- mime-types (2.1.54)
- multipath-tools (0.9.7)
- nvme-cli (2.7.1 (includes 2.7))
- openssl (3.2.1)
- policycoreutils (3.6)
- semodule-utils (3.6)
- shim (15.8)
- sqlite (3.45.1)
- sudo (1.9.15p5)
- systemd (255.3 (from 252.11))
- thin-provisioning-tools (1.0.10)
- traceroute (2.1.5 (includes 2.1.4))
- usbutils (017)
- util-linux (2.39.3)
- vim (9.0.2167)
- xmlsec (1.3.3)
- SDK: python (3.11.8)
- SDK: qemu (8.1.5)
- SDK: Rust (1.76.0)
Changes since Alpha 3913.0.0
Security fixes:
- Downgraded xz-utils to 5.4.2 as a precaution, even though Flatcar is not affected by the SSH backdoor (CVE-2024-3094)
Bug fixes:
- Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via ignition. (Flatcar#1385)
- Fixed toolbox to prevent mounted ctr snapshots from being garbage-collected (toolbox#9)
Changes:
- Added support for unlocking the rootfs with a TPM set up by systemd-cryptenroll (bootengine#93)
- Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. (scripts#1771)
- Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI (scripts#1861)
- SDK: Unified qemu image formats, so that the qemu_uefi build target provides the regular qemu and the qemu_uefi_secure artifacts (scripts#1847)
Updates:
- ca-certificates (3.99)
docker - 24.0.9
ignition - 2.15.0
kernel - 6.6.21
systemd - 252
Changes since Beta 3850.1.0
Security fixes:
- Linux (CVE-2023-52429, CVE-2024-1151, CVE-2024-23850, CVE-2024-23851, CVE-2024-26581, CVE-2024-26582, CVE-2024-26583, CVE-2024-26584, CVE-2024-26585, CVE-2024-26593)
Bug fixes:
- Fixed systemd-sysext images being unable to extend directories where Flatcar extensions also ship files, e.g. so that the sysext-bakery Kubernetes extension works when OEM extensions are present (sysext-bakery#50)
- Fixed kubevirt vm creation by ensuring that /dev/vhost-net exists (Flatcar#1336)
- Resolved kmod static nodes creation in bootengine (bootengine#85)
- Restored support for custom OEMs supplied in the PXE boot where /usr/share/oem brings the OEM partition contents (Flatcar#1376)
Updates:
- Linux (6.6.21 (includes 6.6.20, 6.6.19, 6.6.18, 6.6.17))
- Linux Firmware (20240115)
- afterburn (5.5.1)
- ca-certificates (3.98)
- containerd (1.7.13 (includes 1.7.12))
- docker (24.0.9)
- git (2.43.0 (includes 2.42.0))
- iperf (3.16)
- keyutils (1.6.3 (includes 1.6.2))
- libuv (1.47.0)
- runc (1.1.12)
- SDK: make (4.4.1 (includes 4.4))
- SDK: portage (3.0.61)
Changes since Alpha 3874.0.0
Security fixes:
- Linux (CVE-2023-52429, CVE-2024-1151, CVE-2024-23850, CVE-2024-23851, CVE-2024-26581, CVE-2024-26582, CVE-2024-26583, CVE-2024-26584, CVE-2024-26585, CVE-2024-26593)
Bug fixes:
- Fixed systemd-sysext images being unable to extend directories where Flatcar extensions also ship files, e.g. so that the sysext-bakery Kubernetes extension works when OEM extensions are present (sysext-bakery#50)
- Fixed kubevirt vm creation by ensuring that /dev/vhost-net exists (Flatcar#1336)
- Resolved kmod static nodes creation in bootengine (bootengine#85)
- Restored support for custom OEMs supplied in the PXE boot where /usr/share/oem brings the OEM partition contents (Flatcar#1376)
Updates:
docker - 24.0.9
ignition - 2.15.0
kernel - 6.6.16
systemd - 252
Changes since Beta 3815.1.0
Security fixes:
- Linux (CVE-2022-27672, CVE-2022-36402, CVE-2022-40982, CVE-2022-4269, CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2022-48425, CVE-2023-0160, CVE-2023-0459, CVE-2023-1032, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1118, CVE-2023-1192, CVE-2023-1194, CVE-2023-1206, CVE-2023-1281, CVE-2023-1380, CVE-2023-1513, CVE-2023-1583, CVE-2023-1611, CVE-2023-1670, CVE-2023-1829, CVE-2023-1855, CVE-2023-1859, CVE-2023-1989, CVE-2023-1990, CVE-2023-1998, CVE-2023-2002, CVE-2023-20569, CVE-2023-20588, CVE-2023-20593, CVE-2023-2124, CVE-2023-21255, CVE-2023-21264, CVE-2023-2156, CVE-2023-2163, CVE-2023-2194, CVE-2023-2235, CVE-2023-2248, CVE-2023-2269, CVE-2023-2483, CVE-2023-25012, CVE-2023-25775, CVE-2023-2598, CVE-2023-26545, CVE-2023-28466, CVE-2023-28866, CVE-2023-2898, CVE-2023-2985, CVE-2023-30456, CVE-2023-30772, CVE-2023-3090, CVE-2023-31085, CVE-2023-3117, CVE-2023-31248, CVE-2023-3141, CVE-2023-31436, CVE-2023-3212, CVE-2023-3220, CVE-2023-32233, CVE-2023-32247, CVE-2023-32248, CVE-2023-32250, CVE-2023-32252, CVE-2023-32254, CVE-2023-32257, CVE-2023-32258, CVE-2023-3268, CVE-2023-3269, CVE-2023-3312, CVE-2023-3317, CVE-2023-33203, CVE-2023-33250, CVE-2023-33288, CVE-2023-3355, CVE-2023-3390, CVE-2023-33951, CVE-2023-33952, CVE-2023-34255, CVE-2023-34256, CVE-2023-34319, CVE-2023-34324, CVE-2023-35001, CVE-2023-35788, CVE-2023-35823, CVE-2023-35824, CVE-2023-35826, CVE-2023-35827, CVE-2023-35828, CVE-2023-35829, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-37453, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-3777, CVE-2023-38409, CVE-2023-38426, CVE-2023-38427, CVE-2023-38428, CVE-2023-38429, CVE-2023-38430, CVE-2023-38431, CVE-2023-38432, CVE-2023-3863, CVE-2023-3865, CVE-2023-3866, CVE-2023-3867, CVE-2023-39189, CVE-2023-39191, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-39197, CVE-2023-39198, CVE-2023-4004, CVE-2023-4015, CVE-2023-40283, CVE-2023-40791, CVE-2023-4128, CVE-2023-4132, CVE-2023-4133, CVE-2023-4134, CVE-2023-4147, CVE-2023-4155, CVE-2023-4194, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4244, CVE-2023-4273, CVE-2023-42752, CVE-2023-42753, CVE-2023-42754, CVE-2023-42756, CVE-2023-44466, CVE-2023-4563, CVE-2023-4569, CVE-2023-45862, CVE-2023-45863, CVE-2023-45871, CVE-2023-45898, CVE-2023-4610, CVE-2023-4611, CVE-2023-4623, CVE-2023-46343, CVE-2023-46813, CVE-2023-46838, CVE-2023-46862, CVE-2023-4881, CVE-2023-4921, CVE-2023-50431, CVE-2023-5090, CVE-2023-51042, CVE-2023-51043, CVE-2023-5158, CVE-2023-51779, CVE-2023-51780, CVE-2023-51781, CVE-2023-51782, CVE-2023-5197, CVE-2023-5345, CVE-2023-5633, CVE-2023-5717, CVE-2023-5972, CVE-2023-6039, CVE-2023-6111, CVE-2023-6121, CVE-2023-6176, CVE-2023-6200, CVE-2023-6531, CVE-2023-6546, CVE-2023-6560, CVE-2023-6606, CVE-2023-6610, CVE-2023-6622, CVE-2023-6817, CVE-2023-6915, CVE-2023-6931, CVE-2023-6932, CVE-2023-7192, CVE-2024-0193, CVE-2024-0443, CVE-2024-0565, CVE-2024-0582, CVE-2024-0584, CVE-2024-0607, CVE-2024-0639, CVE-2024-0641, CVE-2024-0646, CVE-2024-0775, CVE-2024-1085, CVE-2024-1086, CVE-2024-1312, CVE-2024-22705, CVE-2024-23849)
- binutils (CVE-2023-1972)
- curl (CVE-2023-46218, CVE-2023-46219)
- docker (CVE-2024-24557)
- gnutls (CVE-2023-5981)
- intel-microcode (CVE-2023-23583)
- libxml2 (CVE-2023-45322)
- openssh (CVE-2023-48795, CVE-2023-51384, CVE-2023-51385)
- openssl (CVE-2023-3817, CVE-2023-5363, CVE-2023-5678)
- runc (CVE-2024-21626)
- traceroute (CVE-2023-46316)
- vim (CVE-2023-5344, CVE-2023-5441, CVE-2023-5535, CVE-2023-46246)
- SDK: perl (CVE-2023-47038)
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages (ue-rs#49)
- Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
Changes:
- Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
- Updated the SLSA provenance generation from v0.2 to v1.0.
Updates:
- Linux (6.6.16 (includes 6.6.15, 6.6.14, 6.6.13, 6.6.12, 6.6.11, 6.6.10, 6.6.9, 6.6.8, 6.6.7, 6.6))
- Linux Firmware (20231211)
- Go (1.20.13)
- bash (5.2_p21)
- binutils (2.41)
- bpftool (6.5.7)
- c-ares (1.21.0)
- ca-certificates (3.97)
- containerd (1.7.13 (includes 1.7.11))
- coreutils (9.4)
- curl (8.5.0)
- docker (24.0.9)
- elfutils (0.190)
- gawk (5.3.0)
- gentoolkit (0.6.3)
- gettext (0.22.4)
- glib (2.78.3)
- gnutls (3.8.2)
- groff (1.23.0)
- hwdata (0.376)
- intel-microcode (20231114_p20231114)
- iproute2 (6.6.0)
- ipset (7.19)
- jq (1.7.1 (includes 1.7))
- kbd (2.6.4)
- kmod (31)
- libarchive (3.7.2)
- libdnet (1.16.4)
- libksba (1.6.5)
- libnsl (2.0.1)
- libxslt (1.1.39)
- lsof (4.99.0)
- lz4 (1.9.4)
- openssh (9.6p1)
- openssl (3.0.12)
- readline (8.2_p7)
- runc (1.1.12)
- selinux-base (2.20231002)
- selinux-base-policy (2.20231002)
- selinux-container (2.20231002)
- selinux-dbus (2.20231002)
- selinux-sssd (2.20231002)
- selinux-unconfined (2.20231002)
- sqlite (3.44.2)
- strace (6.6)
- traceroute (2.1.3)
- usbutils (016)
- util-linux (2.39.2)
- vim (9.0.2092)
- whois (5.5.20)
- xmlsec (1.3.2)
- xz-utils (5.4.5)
- zlib (1.3)
- SDK: perl (5.38.2)
- SDK: portage (3.0.59)
- SDK: python (3.11.7)
- SDK: repo (2.37)
- SDK: Rust (1.75.0 (includes 1.74.1))
Changes since Alpha 3850.0.0
Security fixes:
- Linux (CVE-2023-46838, CVE-2023-50431, CVE-2023-6610, CVE-2023-6915, CVE-2024-1085, CVE-2024-1086, CVE-2024-23849)
- docker (CVE-2024-24557)
- runc (CVE-2024-21626)
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages (ue-rs#49)
- Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
Changes:
- Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
Updates:
docker - 24.0.6
ignition - 2.15.0
kernel - 6.1.73
systemd - 252
Changes since Beta 3760.1.1
Security fixes:
- Linux (CVE-2023-1193, CVE-2023-51779, CVE-2023-51780, CVE-2023-51781, CVE-2023-51782, CVE-2023-6531, CVE-2023-6606, CVE-2023-6622, CVE-2023-6817, CVE-2023-6931)
- Go (CVE-2023-39326, CVE-2023-45285)
- VMWare: open-vm-tools (CVE-2023-34058, CVE-2023-34059)
- nghttp2 (CVE-2023-44487)
- samba (CVE-2023-4091)
- zlib (CVE-2023-45853)
Bug fixes:
- AWS: Fixed the Amazon SSM agent that was crashing. (Flatcar#1307)
- Fixed a bug resulting in coreos-cloudinit resetting the instance hostname to ‘localhost’ if no metadata could be found (coreos-cloudinit#25, Flatcar#1262), with contributions from MichaelEischer
- Fixed supplying extension update payloads with a custom base URL in Nebraska (Flatcar#1281)
- Set TTY used for fetching server_context to RAW mode before running cloudinit on cloudsigma (scripts#1280)
Changes:
- Torcx, the mechanism to provide a custom Docker version, was replaced by systemd-sysext in the OS image. Learn more about sysext and how to customise OS images here and read the blogpost about the replacement here.
- Torcx entered deprecation 2 years ago in favour of deploying plain Docker binaries (which is now also a legacy option because systemd-sysext offers a more robust and better structured way of customisation, including OS independent updates).
- Torcx has been removed entirely; if you use Torcx to extend the Flatcar base OS image, please refer to our conversion script and to the sysext documentation mentioned above for migrating.
- Consequently, update_engine will not perform torcx sanity checks post-update anymore.
- Relevant changes: scripts#1216, update_engine#30, Mantle#466, Mantle#465.
- cri-tools, runc, containerd, docker, and docker-cli are now built from Gentoo upstream ebuilds. Docker received a major version upgrade - it was updated to Docker 24 (from Docker 20; see “updates”).
- NOTE: The docker btrfs storage driver has been de-prioritised; BTRFS backed storage will now default to the overlay2 driver (changelog, upstream pr). Using the btrfs driver can still be enforced by creating a respective docker config at /etc/docker/daemon.json.
- NOTE: If you are already using btrfs-backed Docker storage and are upgrading to this new version, Docker will automatically use the btrfs storage driver for backwards-compatibility with your deployment.
- Docker will remove the btrfs driver entirely in a future version. Please consider migrating your deployments to the overlay2 driver.
- GCP OEM images now use a systemd-sysext image for layering additional platform-specific software on top of /usr and being part of the OEM A/B updates (flatcar#1146)
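The two notes above (Torcx is gone, and btrfs-backed Docker storage now only keeps the btrfs driver by auto-detection) are the kind of change that bites long-lived nodes rather than fresh provisionings. The script below is an added example, not part of Flatcar's tooling: it checks a node for leftover Torcx artefacts and classifies the Docker storage driver, and can pin the driver in /etc/docker/daemon.json when that is the chosen path. The Torcx paths in TORCX_PATHS are assumed from Torcx's layout, the function names are mine, and ROOT/DRIVER are parameters so the checks can also run against a fixture directory; `docker info --format '{{.Driver}}'` is the real Docker CLI call.

```shell
#!/bin/sh
# Added example, not part of Flatcar's tooling: audit a node before it takes
# the update that removes Torcx and changes the default Docker storage driver.
# ROOT and DRIVER are parameters (an assumption made here) so the checks can
# run against a fixture directory as well as a live node.

# Paths Torcx used for user-supplied profiles and its package store
# (assumed from Torcx's layout; extend if your deployment used others).
TORCX_PATHS="etc/torcx/next-profile etc/torcx/profiles var/lib/torcx"

# torcx_residue ROOT: print every Torcx artefact still present under ROOT.
# Returns 0 when nothing is found, 1 otherwise.
torcx_residue() {
  r=${1:-/}
  rc=0
  for rel in $TORCX_PATHS; do
    if [ -e "$r/$rel" ]; then
      echo "torcx: $r/$rel still present; migrate to systemd-sysext"
      rc=1
    fi
  done
  return $rc
}

# docker_driver_state DRIVER DAEMON_JSON: classify the driver in use.
# DRIVER is what `docker info --format '{{.Driver}}'` prints on the node.
# Prints btrfs-pinned (daemon.json asks for btrfs), btrfs-implicit (btrfs
# only because Docker detected an existing btrfs layout) or ok.
docker_driver_state() {
  driver=$1
  conf=$2
  case $driver in
    btrfs)
      if [ -f "$conf" ] && grep -q '"storage-driver"[[:space:]]*:[[:space:]]*"btrfs"' "$conf"; then
        echo btrfs-pinned
      else
        echo btrfs-implicit
      fi ;;
    *) echo ok ;;
  esac
}

# write_driver_pin DAEMON_JSON DRIVER: create daemon.json pinning DRIVER.
# Refuses to overwrite an existing file, since that would silently drop
# whatever else it configures; merge the key by hand (or with jq) instead.
write_driver_pin() {
  conf=$1
  driver=$2
  if [ -e "$conf" ]; then
    echo "$conf exists; add \"storage-driver\": \"$driver\" to it manually" >&2
    return 2
  fi
  mkdir -p "$(dirname "$conf")"
  printf '{\n  "storage-driver": "%s"\n}\n' "$driver" > "$conf"
}

# On a live node (as root):
#   torcx_residue /
#   state=$(docker_driver_state "$(docker info --format '{{.Driver}}')" /etc/docker/daemon.json)
#   [ "$state" = btrfs-implicit ] && write_driver_pin /etc/docker/daemon.json btrfs
# Pinning keeps the current layout across the upgrade; switching to overlay2
# instead means the existing btrfs image store is no longer visible to Docker.
```

Run it on a Beta canary first: a node that reports btrfs-implicit keeps working only as long as Docker's auto-detection does, and a node with Torcx residue is relying on a mechanism the OS no longer evaluates at all.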
Updates:
- Azure: WALinuxAgent (v2.9.1.1)
- DEV, AZURE: python (3.11.6)
- DEV: iperf (3.15)
- DEV: smartmontools (7.4)
- Go (1.20.12 (includes 1.20.11))
- Linux (6.1.73 (includes 6.1.72, 6.1.71, 6.1.70, 6.1.69, 6.1.68, 6.1.67, 6.1.60 and 6.1.59))
- Linux Firmware (20231111 (includes 20231030))
- SDK: Rust (1.73.0)
- SDK: python packaging (23.2), platformdirs (3.11.0)
- VMWare: open-vm-tools (12.3.5)
- acpid (2.0.34)
- ca-certificates (3.96.1 (includes 3.96))
- containerd (1.7.10 (includes 1.7.9 and 1.7.8))
- cri-tools (1.27.0)
- ding-libs (0.6.2)
- docker (24.0.6, includes changes from 23.0)
- efibootmgr (18)
- efivar (38)
- ethtool (6.5)
- hwdata (0.375 (includes 0.374))
- iproute2 (6.5.0)
- ipvsadm (1.31 (includes 1.28, 1.29 and 1.30))
- json-c (0.17)
- libffi (3.4.4 (includes 3.4.2 and 3.4.3))
- liblinear (246)
- libmnl (1.0.5)
- libnetfilter_conntrack (1.0.9)
- libnetfilter_cthelper (1.0.1)
- libnetfilter_cttimeout (1.0.1)
- libnfnetlink (1.0.2)
- libsodium (1.0.19)
- libunistring (1.1)
- libunwind (1.7.2 (includes 1.7.0))
- liburing (2.3)
- mpc (1.3.1 (includes 1.3.0))
- mpfr (4.2.1)
- nghttp2 (1.57.0 (includes 1.52.0, 1.53.0, 1.54.0, 1.55.0, 1.55.1 and 1.56.0))
- nspr (4.35)
- ntp (4.2.8p17)
- nvme-cli (v2.6, libnvme v1.6)
- protobuf (21.12 (includes 21.10 and 21.11))
- samba (4.18.8)
- sqlite (3.43.2)
- squashfs-tools (4.6.1 (includes 4.6))
- thin-provisioning-tools (1.0.6)
Changes since Alpha 3815.0.0
Security fixes:
- Linux (CVE-2023-1193, CVE-2023-51779, CVE-2023-51780, CVE-2023-51781, CVE-2023-51782, CVE-2023-6531, CVE-2023-6606, CVE-2023-6622, CVE-2023-6817, CVE-2023-6931)
Bug fixes:
- AWS: Fixed the Amazon SSM agent that was crashing. (Flatcar#1307)
- Fixed a bug resulting in coreos-cloudinit resetting the instance hostname to ‘localhost’ if no metadata could be found (coreos-cloudinit#25, Flatcar#1262), with contributions from MichaelEischer
- Fixed supplying extension update payloads with a custom base URL in Nebraska (Flatcar#1281)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 6.1.66
systemd - 252
Changes since Beta 3760.1.0
Security fixes:
- Linux (CVE-2023-6121)
Bug fixes:
- Deleted files in /etc that have a tmpfiles rule that normally would recreate them will now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)
- Fixed the missing /etc/extensions/ symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 (update_engine#32)
- GCP: Fixed OS Login enabling (scripts#1445)
Changes:
- linux kernel: added zstd support for squashfs kernel module (scripts#1297)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 6.1.62
systemd - 252
⚠️ From Alpha 3794.0.0 Torcx has been removed - please assert that you don’t rely on specific Torcx mechanism but now use systemd-sysext. See here for more information.
Changes since Beta 3745.1.0
Security fixes:
- Linux (CVE-2023-35827, CVE-2023-46813, CVE-2023-46862, CVE-2023-5178, CVE-2023-5717)
- curl (CVE-2023-38545, CVE-2023-38546)
- glibc (CVE-2023-4911)
- go (CVE-2023-39325)
- grub (CVE-2023-4692, CVE-2023-4693)
- libtirpc (libtirpc-rhbg-2138317, libtirpc-rhbg-2150611, libtirpc-rhbg-2224666)
Bug fixes:
- Added AWS EKS support for versions 1.24-1.28. Fixed /usr/share/amazon/eks/download-kubelet.sh to include download paths for these versions. (scripts#1210)
- Fixed iterating over the OEM update payload signatures which prevented the AWS OEM update to 3745.x.y (update-engine#31)
- Fixed quotes handling for update-engine (Flatcar#1209)
- Made sshkeys.service more robust to only run [email protected] when not masked and also retry on failure (init#112)
Changes:
- Brightbox: The regular OpenStack image should now be used, it includes Afterburn for instance metadata attributes
- OpenStack: An uncompressed image is provided for simpler import (since the images use qcow2 inline compression, there is no benefit in using the .gz or .bz2 images)
Updates:
- Go (1.20.10 (includes 1.20.9))
- Linux (6.1.62 (includes 6.1.61, 6.1.60 and 6.1.59))
- containerd (1.7.7)
- curl (8.4.0)
- libnl (3.8.0)
- libtirpc (1.3.4)
- libxml2 (2.11.5)
- openssh (9.5p1)
- pigz (2.8)
- strace (6.4)
- whois (5.5.18)
Changes since Alpha 3760.0.0
Security fixes:
Bug fixes:
- Fixed iterating over the OEM update payload signatures which prevented the AWS OEM update to 3745.x.y (update-engine#31)
- Made sshkeys.service more robust to only run [email protected] when not masked and also retry on failure (init#112)
Changes:
- Brightbox: The regular OpenStack image should now be used, it includes Afterburn for instance metadata attributes
- OpenStack: An uncompressed image is provided for simpler import (since the images use qcow2 inline compression, there is no benefit in using the .gz or .bz2 images)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 6.1.58
systemd - 252
Changes since Beta 3732.1.0
Security fixes:
- curl (CVE-2023-38039, CVE-2023-38545, CVE-2023-38546)
- glibc (CVE-2023-4527, CVE-2023-4806)
- lua (CVE-2022-33099)
- mit-krb5 (CVE-2023-36054)
- procps (CVE-2023-4016)
- samba (CVE-2021-44142, CVE-2022-1615)
Bug fixes:
- Disabled systemd-networkd’s RoutesToDNS setting by default to fix provisioning failures observed in VMs with multiple network interfaces on Azure (scripts#1206)
- Fixed the postinstall hook failure when updating from Azure instances without OEM systemd-sysext images to Flatcar Alpha 3745.x.y (update_engine#29)
Changes:
- AWS OEM images now use a systemd-sysext image for layering additional platform-specific software on top of /usr
- Reworked the VMware OEM software to be shipped as A/B updated systemd-sysext image
- SDK: Experimental support for prefix builds to create distro independent, portable, self-contained applications w/ all dependencies included. With contributions from chewi and HappyTobi.
- Started shipping default ssh client and ssh daemon configs in /etc/ssh/ssh_config and /etc/ssh/sshd_config which include config snippets in /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d, respectively.
- The open-vm-tools package in VMware OEM now comes with vmhgfs-fuse, udev rules, pam and vgauth
- To make Kubernetes work by default, /usr/libexec/kubernetes/kubelet-plugins/volume/exec is now a symlink to the writable folder /var/kubernetes/kubelet-plugins/volume/exec (Flatcar#1193)
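The sshd_config.d drop-in directory introduced above is the right place for hardening, but it only works as expected if you know how sshd resolves conflicts: for each keyword the first value read wins, so a drop-in pulled in by an Include near the top of sshd_config overrides the defaults below it, and among drop-ins the file that sorts first wins. The script below is an added example, not Flatcar's shipped configuration: it installs a hardening drop-in under a ROOT parameter (an assumption, so it can run against a fixture tree) and emulates the first-match rule over a constructed sshd_config; the fixture's content, the 10- prefix and the function names are mine. On a real node `sshd -T` remains the authoritative way to read the effective configuration.

```shell
#!/bin/sh
# Added example, not Flatcar's own configuration. It installs a hardening
# drop-in into /etc/ssh/sshd_config.d and shows the rule that decides whether
# a drop-in takes effect: sshd keeps the FIRST value it reads for a keyword,
# so files pulled in by an Include at the top of sshd_config beat the defaults
# below it, and among drop-ins the file that sorts first wins. ROOT is a
# parameter (assumption) so the functions can run against a fixture tree.

# write_hardening_dropin ROOT: keys only, no root login, no password prompts.
# The "10-" prefix is an assumed naming convention to order it early.
write_hardening_dropin() {
  d=$1/etc/ssh/sshd_config.d
  mkdir -p "$d"
  cat > "$d/10-hardening.conf" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
}

# first_value FILE KEYWORD: value on the first matching line of FILE.
# Keywords are case-insensitive; comments and blank lines are skipped.
first_value() {
  lkey=$(printf %s "$2" | tr '[:upper:]' '[:lower:]')
  while read -r word rest; do
    case $word in '#'*|'') continue ;; esac
    [ "$(printf %s "$word" | tr '[:upper:]' '[:lower:]')" = "$lkey" ] || continue
    printf '%s\n' "$rest"
    return 0
  done < "$1"
  return 1
}

# effective_value ROOT KEYWORD: the value sshd would end up with, following
# Include lines (glob expanded under ROOT) at the point they appear. Plain
# "Keyword value" lines only, no Match blocks; `sshd -T` is authoritative.
effective_value() {
  root=$1; key=$2
  while read -r word rest; do
    case $word in
      '#'*|'') ;;
      Include)
        for f in "$root"$rest; do
          [ -f "$f" ] && first_value "$f" "$key" && return 0
        done ;;
      *)
        [ "$(printf %s "$word" | tr '[:upper:]' '[:lower:]')" = "$(printf %s "$key" | tr '[:upper:]' '[:lower:]')" ] \
          && { printf '%s\n' "$rest"; return 0; } ;;
    esac
  done < "$root/etc/ssh/sshd_config"
  return 1
}

# make_fixture ROOT: constructed main config (illustrative, not the shipped
# file) that includes drop-ins first and allows passwords by default.
make_fixture() {
  mkdir -p "$1/etc/ssh/sshd_config.d"
  cat > "$1/etc/ssh/sshd_config" <<'EOF'
# Drop-ins are read before anything below, so they take precedence
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
PermitRootLogin prohibit-password
EOF
}

# Demo: the drop-in flips PasswordAuthentication, and a later-sorting
# drop-in cannot flip it back because the first value wins.
fixture=$(mktemp -d)
make_fixture "$fixture"
echo "before drop-in:     $(effective_value "$fixture" PasswordAuthentication)"
write_hardening_dropin "$fixture"
echo "with 10-hardening:  $(effective_value "$fixture" PasswordAuthentication)"
printf 'PasswordAuthentication yes\n' > "$fixture/etc/ssh/sshd_config.d/20-local.conf"
echo "plus 20-local.conf: $(effective_value "$fixture" PasswordAuthentication)"
rm -rf "$fixture"
```

The practical consequence: a drop-in that sorts after another one cannot loosen what the earlier one set, and nothing in a drop-in can override a keyword that appears in sshd_config above the Include line. Check where the Include sits in the shipped file before relying on a drop-in, and confirm the result with `sshd -T | grep -i passwordauthentication` on the node.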
Updates:
- Linux (6.1.58 (includes 6.1.57, 6.1.56))
- Linux Firmware (20230919)
- bind-tools (9.16.42)
- ca-certificates (3.94)
- checkpolicy (3.5)
- curl (8.3.0)
- gcc (13.2)
- gzip (1.13)
- libgcrypt (1.10.2)
- libselinux (3.5)
- libsemanage (3.5)
- libsepol (3.5)
- lua (5.4.6)
- mit-krb5 (1.21.2)
- openssh (9.4p1)
- policycoreutils (3.5)
- procps (4.0.4 (includes 4.0.3 and 4.0.0))
- rpcsvc-proto (1.4.4)
- samba (4.18.4)
- selinux-base (2.20221101)
- selinux-base-policy (2.20221101)
- selinux-container (2.20221101)
- selinux-sssd (2.20221101)
- selinux-unconfined (2.20221101)
- semodule-utils (3.5)
- SDK: Rust (1.72.1)
- VMWARE: libdnet (1.16.2 (includes 1.16))
Changes since Alpha 3745.0.0
Security fixes:
- curl (CVE-2023-38545, CVE-2023-38546)
Bug fixes:
- Disabled systemd-networkd’s RoutesToDNS setting by default to fix provisioning failures observed in VMs with multiple network interfaces on Azure (scripts#1206)
- Fixed the postinstall hook failure when updating from Azure instances without OEM systemd-sysext images to Flatcar Alpha 3745.x.y (update_engine#29)
Changes:
- To make Kubernetes work by default, /usr/libexec/kubernetes/kubelet-plugins/volume/exec is now a symlink to the writable folder /var/kubernetes/kubelet-plugins/volume/exec (Flatcar#1193)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 6.1.55
systemd - 252
Changes since Alpha 3732.0.0
Security fixes:
- Linux (CVE-2023-42755)
Bug fixes:
- Triggered re-reading of partition table to fix adding partitions to the boot disk (scripts#1202)
Changes:
- Use qcow2 compressed format instead of additional compression layer in Qemu images (Flatcar#1135, scripts#1132)
Updates:
- Linux (6.1.55)
Changes compared to Beta 3602.1.6
Security fixes:
- Linux (CVE-2020-36516, CVE-2021-26401, CVE-2021-33135, CVE-2021-33655, CVE-2021-3923, CVE-2021-4155, CVE-2021-4197, CVE-2021-43976, CVE-2021-44879, CVE-2021-45469, CVE-2022-0001, CVE-2022-0002, CVE-2022-0168, CVE-2022-0185, CVE-2022-0330, CVE-2022-0382, CVE-2022-0433, CVE-2022-0435, CVE-2022-0487, CVE-2022-0492, CVE-2022-0494, CVE-2022-0500, CVE-2022-0516, CVE-2022-0617, CVE-2022-0742, CVE-2022-0847, CVE-2022-0995, CVE-2022-1011, CVE-2022-1012, CVE-2022-1015, CVE-2022-1016, CVE-2022-1048, CVE-2022-1055, CVE-2022-1158, CVE-2022-1184, CVE-2022-1198, CVE-2022-1199, CVE-2022-1204, CVE-2022-1205, CVE-2022-1263, CVE-2022-1353, CVE-2022-1462, CVE-2022-1516, CVE-2022-1651, CVE-2022-1652, CVE-2022-1671, CVE-2022-1679, CVE-2022-1729, CVE-2022-1734, CVE-2022-1789, CVE-2022-1852, CVE-2022-1882, CVE-2022-1943, CVE-2022-1973, CVE-2022-1974, CVE-2022-1975, CVE-2022-1976, CVE-2022-1998, CVE-2022-20008, CVE-2022-20158, CVE-2022-20368, CVE-2022-20369, CVE-2022-20421, CVE-2022-20422, CVE-2022-20423, CVE-2022-20566, CVE-2022-20572, CVE-2022-2078, CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-21499, CVE-2022-21505, CVE-2022-2153, CVE-2022-2196, CVE-2022-22942, CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039, CVE-2022-23040, CVE-2022-23041, CVE-2022-23042, CVE-2022-2308, CVE-2022-2318, CVE-2022-23222, CVE-2022-2380, CVE-2022-23960, CVE-2022-24448, CVE-2022-24958, CVE-2022-24959, CVE-2022-2503, CVE-2022-25258, CVE-2022-25375, CVE-2022-25636, CVE-2022-2585, CVE-2022-2586, CVE-2022-2588, CVE-2022-2590, CVE-2022-2602, CVE-2022-26365, CVE-2022-26373, CVE-2022-2639, CVE-2022-26490, CVE-2022-2663, CVE-2022-26966, CVE-2022-27223, CVE-2022-27666, CVE-2022-27672, CVE-2022-2785, CVE-2022-27950, CVE-2022-28356, CVE-2022-28388, CVE-2022-28389, CVE-2022-28390, CVE-2022-2873, CVE-2022-28796, CVE-2022-28893, CVE-2022-2905, CVE-2022-29156, CVE-2022-2938, CVE-2022-29581, CVE-2022-29582, CVE-2022-2959, CVE-2022-2964, CVE-2022-2977, CVE-2022-2978, CVE-2022-29900, CVE-2022-29901, CVE-2022-29968, CVE-2022-3028, CVE-2022-30594, CVE-2022-3077, CVE-2022-3078, CVE-2022-3104, CVE-2022-3105, CVE-2022-3107, CVE-2022-3108, CVE-2022-3110, CVE-2022-3111, CVE-2022-3112, CVE-2022-3113, CVE-2022-3115, CVE-2022-3169, CVE-2022-3202, CVE-2022-32250, CVE-2022-32296, CVE-2022-3239, CVE-2022-32981, CVE-2022-3303, CVE-2022-3344, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744, CVE-2022-33981, CVE-2022-3424, CVE-2022-3435, CVE-2022-34494, CVE-2022-34495, CVE-2022-34918, CVE-2022-3521, CVE-2022-3524, CVE-2022-3526, CVE-2022-3534, CVE-2022-3541, CVE-2022-3543, CVE-2022-3564, CVE-2022-3565, CVE-2022-3577, CVE-2022-3586, CVE-2022-3594, CVE-2022-3595, CVE-2022-36123, CVE-2022-3619, CVE-2022-3621, CVE-2022-3623, CVE-2022-3625, CVE-2022-3628, CVE-2022-36280, CVE-2022-3635, CVE-2022-3640, CVE-2022-3643, CVE-2022-3646, CVE-2022-3649, CVE-2022-36879, CVE-2022-36946, CVE-2022-3707, CVE-2022-38457, CVE-2022-3910, CVE-2022-39189, CVE-2022-39190, CVE-2022-3977, CVE-2022-40133, CVE-2022-40307, CVE-2022-40768, CVE-2022-4095, CVE-2022-40982, CVE-2022-41218, CVE-2022-4128, CVE-2022-4139, CVE-2022-41674, CVE-2022-41849, CVE-2022-41850, CVE-2022-41858, CVE-2022-42328, CVE-2022-42329, CVE-2022-42432, CVE-2022-4269, CVE-2022-42703, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722, CVE-2022-42895, CVE-2022-42896, CVE-2022-43750, CVE-2022-4378, CVE-2022-4379, CVE-2022-4382, CVE-2022-43945, CVE-2022-45869, CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2022-45934, CVE-2022-4662, CVE-2022-47518, CVE-2022-47519, CVE-2022-47520, CVE-2022-47521, CVE-2022-47929, CVE-2022-47938, CVE-2022-47939, CVE-2022-47940, CVE-2022-47941, CVE-2022-47942, CVE-2022-47943, CVE-2022-4842, CVE-2022-48423, CVE-2022-48424, CVE-2022-48425, CVE-2022-48502, CVE-2023-0045, CVE-2023-0160, CVE-2023-0179, CVE-2023-0210, CVE-2023-0266, CVE-2023-0386, CVE-2023-0394, CVE-2023-0458, CVE-2023-0459, CVE-2023-0461, CVE-2023-0468, CVE-2023-0469, CVE-2023-0590, CVE-2023-0615, CVE-2023-1032, CVE-2023-1073, CVE-2023-1074, CVE-2023-1075, CVE-2023-1076, CVE-2023-1077, CVE-2023-1078, CVE-2023-1079, CVE-2023-1095, CVE-2023-1118, CVE-2023-1192, CVE-2023-1194, CVE-2023-1206, CVE-2023-1249, CVE-2023-1281, CVE-2023-1380, CVE-2023-1382, CVE-2023-1513, CVE-2023-1582, CVE-2023-1583, CVE-2023-1611, CVE-2023-1637, CVE-2023-1652, CVE-2023-1670, CVE-2023-1829, CVE-2023-1838, CVE-2023-1855, CVE-2023-1859, CVE-2023-1872, CVE-2023-1989, CVE-2023-1990, CVE-2023-1998, CVE-2023-2002, CVE-2023-2006, CVE-2023-2008, CVE-2023-2019, CVE-2023-20569, CVE-2023-20588, CVE-2023-20593, CVE-2023-20928, CVE-2023-20938, CVE-2023-21102, CVE-2023-21106, CVE-2023-2124, CVE-2023-21255, CVE-2023-2156, CVE-2023-2162, CVE-2023-2163, CVE-2023-2166, CVE-2023-2177, CVE-2023-2194, CVE-2023-2235, CVE-2023-2236, CVE-2023-2269, CVE-2023-22996, CVE-2023-22997, CVE-2023-22998, CVE-2023-22999, CVE-2023-23001, CVE-2023-23002, CVE-2023-23454, CVE-2023-23455, CVE-2023-23559, CVE-2023-2430, CVE-2023-25012, CVE-2023-2513, CVE-2023-25775, CVE-2023-26544, CVE-2023-26545, CVE-2023-26606, CVE-2023-26607, CVE-2023-28327, CVE-2023-28328, CVE-2023-28410, CVE-2023-28466, CVE-2023-28866, CVE-2023-2898, CVE-2023-2985, CVE-2023-3006, CVE-2023-30456, CVE-2023-30772, CVE-2023-3090, CVE-2023-3111, CVE-2023-31248, CVE-2023-3141, CVE-2023-31436, CVE-2023-3159, CVE-2023-3161, CVE-2023-3212, CVE-2023-3220, CVE-2023-32233, CVE-2023-32247, CVE-2023-32248, CVE-2023-32250, CVE-2023-32252, CVE-2023-32254, CVE-2023-32257, CVE-2023-32258, CVE-2023-32269, CVE-2023-3268, CVE-2023-3269, CVE-2023-33203, CVE-2023-33288, CVE-2023-3355, CVE-2023-3357, CVE-2023-3358, CVE-2023-3359, CVE-2023-3390, CVE-2023-33951, CVE-2023-33952, CVE-2023-34319, CVE-2023-3439, CVE-2023-35001, CVE-2023-3567, CVE-2023-35788, CVE-2023-35823, CVE-2023-35824, CVE-2023-35826, CVE-2023-35828, CVE-2023-35829, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-3777, CVE-2023-3812, CVE-2023-38409, CVE-2023-38426, CVE-2023-38427, CVE-2023-38428, CVE-2023-38429, CVE-2023-38430, CVE-2023-38431, CVE-2023-38432, CVE-2023-3863, CVE-2023-3865, CVE-2023-3866, CVE-2023-3867, CVE-2023-4004, CVE-2023-4015, CVE-2023-40283, CVE-2023-4128, CVE-2023-4132, CVE-2023-4147, CVE-2023-4155, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4273, CVE-2023-42752, CVE-2023-42753, CVE-2023-42755, CVE-2023-4385, CVE-2023-4387, CVE-2023-4389, CVE-2023-4394, CVE-2023-4459, CVE-2023-4569, CVE-2023-4623, CVE-2023-4921, CVE-2022-41804, CVE-2023-23908)
- Go (CVE-2023-29402, CVE-2023-29403, CVE-2023-29404, CVE-2023-29405, CVE-2023-29406, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322)
- binutils (CVE-2022-38533, CVE-2022-4285, CVE-2023-1579)
- c-ares (CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067)
- curl (CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322)
- git (CVE-2023-25652, CVE-2023-25815, CVE-2023-29007)
- grub (CVE-2020-10713, CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2021-3981, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-28735, CVE-2022-28736, CVE-2022-28737, CVE-2022-2601, CVE-2022-3775)
- intel-microcode (CVE-2022-40982, CVE-2022-41804, CVE-2023-23908)
- libarchive (libarchive-20230729)
- libcap (CVE-2023-2602, CVE-2023-2603)
- libmicrohttpd (CVE-2023-27371)
- libxml2 (libxml2-20230428)
- ncurses (CVE-2023-29491)
- nvidia-drivers (CVE-2023-25515, CVE-2023-25516)
- openldap (CVE-2023-2953)
- OpenSSL (CVE-2023-2650, CVE-2023-2975, CVE-2023-3446)
- protobuf (CVE-2022-1941)
- shadow (CVE-2023-29383)
- sudo (CVE-2023-27320, CVE-2023-28486, CVE-2023-28487)
- torcx (CVE-2022-28948)
- vim (CVE-2023-2609, CVE-2023-2610, CVE-2023-2426)
- SDK: Python (CVE-2023-40217, CVE-2023-41105)
- SDK: qemu (CVE-2023-0330, CVE-2023-2861)
- SDK: Rust (CVE-2023-38497)
- VMware: open-vm-tools (CVE-2023-20867, CVE-2023-20900)
Bug fixes:
- Fix the RemainAfterExit clause in nvidia.service (Flatcar#1169)
- Fixed bug in handling renamed network interfaces when generating login issue (init#102)
- Triggered re-reading of partition table to fix adding partitions to the boot disk (scripts#1202)
Changes:
- ⚠️ Dropped support for niftycloud and interoute. For interoute we haven’t been generating the images for some time already. (scripts#971)
- Added TLS Kernel module (scripts#865)
- Added support for multipart MIME userdata in coreos-cloudinit. Ignition now detects multipart userdata and delegates execution to coreos-cloudinit. (scripts#873)
- Azure and QEMU OEM images now use systemd-sysext images for layering additional platform-specific software on top of /usr. For Azure images this also means that the image has a normal Python installation available through the sysext image. The OEM software is still not updated but this will be added soon.
- Change nvidia.service to type oneshot (from the default “simple”) so the subsequent services (configured with “Requires/After”) are executed after the driver installation is successfully finished (flatcar/Flatcar#1136)
- Enabled the virtio GPU driver (scripts#830)
- Migrate to Type=notify in containerd.service. Changed the unit to Type=notify, utilizing the existing containerd support for sd_notify call after socket setup.
- Migrated the NVIDIA installer from the Azure/AWS OEM partition to /usr to make it available on all platforms (scripts#932, Flatcar#1077)
- Moved the mountpoint of the OEM partition from /usr/share/oem to /oem. /usr/share/oem became a symlink to /oem for backward compatibility. Despite the move, the initrd images providing files through /usr/share/oem should keep using /usr/share/oem. The move was done to enable activating the OEM sysext images that are placed in the OEM partition.
- OEM vendor tools are now A/B updated if they are shipped as systemd-sysext images; the migration happens when both partitions require a systemd-sysext OEM image. Note that this will delete nvidia.service from /etc on Azure because it’s now part of /usr (Flatcar#60)
- Updated locksmith to use non-deprecated resource control options in the systemd unit (Locksmith#20)
- Use qcow2 compressed format instead of additional compression layer in Qemu images (Flatcar#1135, scripts#1132)
Updates:
- Linux (6.1.55 (includes 6.1.54, 6.1.53, 6.1.52, 6.1.51, 6.1.50, 6.1.49, 6.1.48, 6.1.47, 6.1.46, 6.1.45, 6.1.44, 6.1.43, 6.1.42, 6.1.41, 6.1.40, 6.1.39, 6.1.38, 6.1.37, 6.1.36, 6.1.35, 6.1.34, 6.1.33, 6.1.32, 6.1.31, 6.1.30, 6.1.29, 6.1.28, 6.1.27, 6.1))
- Linux Firmware (20230804 (includes 20230625, 20230515))
- Go (1.20.8 (includes 1.20.7, 1.20.6, 1.20.5, 1.20.4, 1.19.13, 1.19.12, 1.19.11, 1.19.10))
- bind tools (9.16.41)
- binutils (2.40)
- bpftool (6.3)
- c-ares (1.19.1)
- cJSON (1.7.16)
- cifs-utils (7.0)
- containerd (1.7.6 (includes 1.7.5, 1.7.4, 1.7.3, 1.7.2))
- coreutils (9.3 (includes 9.1))
- cryptsetup (2.6.1 (includes 2.6.0 and 2.5.0))
- curl (8.2.1 (includes 8.2.0, 8.1.2, 8.1.0))
- debianutils (5.7)
- diffutils (3.10)
- elfutils (0.189)
- ethtool (6.4 (includes 6.3, 6.2))
- gawk (5.2.2)
- gdb (13.2)
- gdbm (1.23)
- git (2.41.0 (includes 2.39.3))
- glib (2.76.4 (includes 2.76.3, 2.76.2))
- glibc (2.37)
- gmp (6.3.0)
- gptfdisk (1.0.9)
- grep (3.11 (includes 3.8))
- grub (2.06)
- hwdata (0.373 (includes 0.372, 0.371, 0.367))
- inih (57 (includes 56))
- intel-microcode (20230808 (includes 20230613, 20230512))
- iperf (3.14)
- iproute2 (6.4.0 (includes 6.3.0, 6.2))
- ipset (7.17)
- kbd (2.6.1 (includes 2.6.0, 2.5.1))
- kmod (30)
- ldb (2.4.4 (includes 2.4.3, 2.4.2))
- less (633 (includes 632))
- libarchive (3.7.1 (includes 3.7.0))
- libassuan (2.5.6)
- libbsd (0.11.7)
- libcap (2.69)
- libgcrypt (1.10.1)
- libgpg-error (1.47 (includes 1.46))
- libksba (1.6.4)
- libmd (1.1.0)
- libmicrohttpd (0.9.77 (includes 0.9.76))
- libnftnl (1.2.6 (includes 1.2.5))
- libnvme (1.5)
- libpcap (1.10.4)
- libpcre (8.45)
- libpipeline (1.5.7)
- libusb (1.0.26)
- libuv (1.46.0 (includes 1.45.0))
- libxml2 (2.11.4)
- libxslt (1.1.38)
- lsof (4.98.0)
- lua (5.4.4)
- multipath-tools (0.9.5)
- ncurses (6.4)
- nettle (3.9.1)
- nmap (7.94)
- nvidia-drivers (535.104.05)
- nvme-cli (2.5 (includes 2.3))
- open-isns (0.102)
- openldap (2.6.4 (includes 2.6.3, 2.6, 2.5.14, 2.5))
- OpenSSL (3.0.9)
- parted (3.6)
- pax-utils (1.3.7)
- pciutils (3.10.0 (includes 3.9.0))
- popt (1.19)
- protobuf (21.9)
- psmisc (23.6)
- qemu guest agent (8.0.3 (includes 8.0.0))
- quota (4.09)
- runc (1.1.9 (includes 1.1.8))
- sed (4.9)
- smartmontools (7.3)
- sqlite (3.42.0)
- strace (6.3 (includes 6.2))
- sudo (1.9.13p3)
- talloc (2.4.0 (includes 2.3.4))
- tar (1.35)
- tdb (1.4.8 (includes 1.4.7, 1.4.6))
- tevent (0.14.1 (includes 0.14.0, 0.13.0, 0.12.1, 0.12.0))
- usbutils (015)
- userspace-rcu (0.14.0)
- util-linux (2.38.1)
- vim (9.0.1678 (includes 9.0.1677, 9.0.1503))
- wget (1.21.4)
- whois (5.5.17)
- xfsprogs (6.4.0 (includes 6.3.0))
- XZ utils (5.4.3)
- zstandard (1.5.5)
- AWS: amazon-ssm-agent (3.2.985.0)
- SDK: file (5.45)
- SDK: gnuconfig (20230731)
- SDK: kexec-tools (2.0.24)
- SDK: man-db (2.11.2)
- SDK: man-pages (6.03)
- SDK: pahole (1.25)
- SDK: perf (6.3)
- SDK: perl (5.36.1)
- SDK: portage (3.0.49 (includes 3.0.46))
- SDK: python (3.11.5 (includes 3.11.3, 3.10.12, 3.10.11))
- SDK: qemu (8.0.4 (includes 8.0.3, 7.2.3))
- SDK: Rust (1.72.0 (includes 1.71.1, 1.71.0, 1.70.0))
- VMware: open-vm-tools (12.3.0 (includes 12.2.5))
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.132
systemd - 252
Changes since Beta 3602.1.5
Changes:
- Azure: Add support for Microsoft Azure Network Adapter (MANA) NICs on Azure (scripts#1131)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.129
systemd - 252
Changes since Beta 3602.1.4
Security fixes:
- Linux (CVE-2022-40982, CVE-2022-41804, CVE-2023-20569, CVE-2023-20588, CVE-2023-40283, CVE-2023-4128, CVE-2023-23908)
Bug fixes:
- Fixed the restart of Systemd services when the main process is being killed by a SIGHUP signal (flatcar#1157)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.124
systemd - 252
Changes since Beta 3602.1.3
Security fixes:
- Linux (CVE-2022-48502, CVE-2023-20593, CVE-2023-2898, CVE-2023-31248, CVE-2023-35001, CVE-2023-3611, CVE-2023-3776, CVE-2023-38432, CVE-2023-3863)
- OpenSSH (CVE-2023-38408)
- linux-firmware (CVE-2023-20593)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.120
systemd - 252
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.119
systemd - 252
Changes since Beta 3602.1.1
Security fixes:
- Linux (CVE-2023-3338, CVE-2023-3390)
Bug fixes:
- Ensured that the folder /var/log/sssd is created if it doesn’t exist, required for sssd.service (Flatcar#1096)
- Worked around a bash regression in flatcar-install and added error reporting for disk write failures (Flatcar#1059)
Changes:
- Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness (Flatcar#1082)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.117
systemd - 252
Changes since Beta 3602.1.0
Bug fixes:
- Resolved the conflicting FD usage of libselinux and systemd which caused, e.g., a systemd crash on certain watchdog interaction during shutdown (patch in systemd 252.11)
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.113
systemd - 252
Changes since Beta 3572.1.0
Security fixes:
- Linux (CVE-2022-48425)
- Go (CVE-2023-24539, CVE-2023-24540, CVE-2023-29400)
- OpenSSH (CVE-2023-28531)
- OpenSSL (CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-1255)
- bash (CVE-2022-3715)
- c-ares (CVE-2022-4904)
- curl (CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27537, CVE-2023-27538)
- libxml2 (CVE-2023-28484, CVE-2023-29469)
Bug fixes:
- Restored the reboot warning and delay for non-SSH console sessions (locksmith#21)
Changes:
- Changed coreos-cloudinit to now set the short hostname instead of the FQDN when fetched from the metadata service (coreos-cloudinit#19)
Updates:
- Linux (5.15.113 (includes 5.15.112))
- Go (1.19.9)
- OpenSSH (9.3)
- bash (5.2)
- bpftool (6.2.1)
- c-ares (1.19.0)
- containerd (1.6.21)
- curl (8.0.1)
- e2fsprogs (1.47.0)
- gdb (13.1.90)
- GLib (2.74.6)
- libarchive (3.6.2)
- libxml2 (2.10.4)
- multipath-tools (0.9.4)
- pinentry (1.2.1)
- readline (8.2)
- runc (1.1.7)
- sqlite (3.41.2)
- XZ utils (5.4.2)
- SDK: nano (7.2)
Changes since Alpha 3602.0.0
Security fixes:
- Linux (CVE-2022-48425)
Bug fixes:
Changes:
Updates:
docker - 20.10.24
ignition - 2.15.0
kernel - 5.15.111
systemd - 252
Changes since Beta 3549.1.1
Security fixes:
- Linux (CVE-2023-1380, CVE-2023-2002, CVE-2023-31436)
- Docker (CVE-2023-28840, CVE-2023-28841, CVE-2023-28842)
- Go (CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538)
- runc (CVE-2023-25809, CVE-2023-27561, CVE-2023-28642)
- tar (CVE-2022-48303)
- vim (CVE-2023-1127, CVE-2023-1175, CVE-2023-1170)
Bug fixes:
- Fixed a miscompilation of getfacl causing it to dump core when executed (scripts#809)
Changes:
- Improved the OS reset tool to offer preview, backup and restore (init#94)
Updates:
- Linux (5.15.111 (includes 5.15.110, 5.15.109))
- Linux Firmware (20230404)
- ca-certificates (3.89.1)
- containerd (1.6.20)
- docker (20.10.24)
- go (1.19.8)
- iperf (3.13)
- runc (1.1.5)
- vim (9.0.1403)
- zstandard (1.5.4)
- SDK: pahole (1.24)
- SDK: rust (1.68.2)
Changes since Alpha 3572.0.1
Security fixes:
- Linux (CVE-2023-1380, CVE-2023-2002, CVE-2023-31436)
Bug fixes:
- Fixed a miscompilation of getfacl causing it to dump core when executed (scripts#809)
Updates:
docker - 20.10.23
ignition - 2.15.0
kernel - 5.15.108
systemd - 252
Changes since Beta 3549.1.0
Security fixes:
- nvidia-drivers (CVE-2022-31607, CVE-2022-31608, CVE-2022-31615, CVE-2022-34665, CVE-2022-34666, CVE-2022-34670, CVE-2022-34673, CVE-2022-34674, CVE-2022-34676, CVE-2022-34677, CVE-2022-34678, CVE-2022-34679, CVE-2022-34680, CVE-2022-34682, CVE-2022-34684, CVE-2022-42254, CVE-2022-42255, CVE-2022-42256, CVE-2022-42257, CVE-2022-42258, CVE-2022-42259, CVE-2022-42260, CVE-2022-42261, CVE-2022-42263, CVE-2022-42264, CVE-2022-42265)
Bug fixes:
- Fixed systemd journal logs persistency on the first boot (flatcar#1005)
- Fixed the broken emerge-gitclone in the dev-container owing to the missing migration action around the unification of the Flatcar core repositories
Changes:
- The package upgrade for nvidia-drivers might result in not supporting a few of the older NVIDIA Tesla GPUs. If you are facing issues, set NVIDIA_DRIVER_VERSION=460.106.00 in /etc/flatcar/nvidia-metadata
Updates:
- Linux (5.15.108 (includes 5.15.107))
- nvidia-drivers (525.105.17)
docker - 20.10.23
ignition - 2.15.0
kernel - 5.15.106
systemd - 252
Changes since Beta 3510.1.0
Security fixes:
- Linux (CVE-2022-4269, CVE-2022-4379, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1118, CVE-2023-1611, CVE-2023-1670, CVE-2023-1829, CVE-2023-1855, CVE-2023-1989, CVE-2023-1990, CVE-2023-23004, CVE-2023-25012, CVE-2023-28466, CVE-2023-30456, CVE-2023-30772)
- containerd (CVE-2023-25153, CVE-2023-25173)
- curl (CVE-2023-23914, CVE-2023-23915, CVE-2023-23916)
- e2fsprogs (CVE-2022-1304)
- git (CVE-2023-22490, CVE-2023-23946)
- GnuTLS (CVE-2023-0361)
- Go (CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532)
- intel-microcode (CVE-2022-21216, CVE-2022-33196, CVE-2022-38090)
- less (CVE-2022-46663)
- OpenSSH (CVE-2023-25136)
- OpenSSL (CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0286, CVE-2023-0401)
- torcx (CVE-2022-32149)
- vim (CVE-2023-0288, CVE-2023-0433)
- SDK: dnsmasq (CVE-2022-0934)
- SDK: pkgconf (CVE-2023-24056)
- SDK: python (CVE-2023-24329)
Bug fixes:
- Ensured that /var/log/journal/ is created early enough for systemd-journald to persist the logs on first boot (bootengine#60, baselayout#29)
- Fixed journalctl --user permission issue (Flatcar#989)
- Restored the support to specify OEM partition files in Ignition when /usr/share/oem is given as initrd mount point (bootengine#58)
Changes:
- Added a new flatcar-reset tool and boot logic for selective OS resets to reconfigure the system with Ignition while avoiding config drift (bootengine#55, init#91)
- Added new image signing pub key to flatcar-install, needed for download verification of releases built from July 2023 onwards; if you have copies of flatcar-install or the image signing pub key, you need to update them as well (init#92)
- Added pigz to the image, a parallel gzip implementation, which is useful to speed up the (de)compression for large container image imports/exports (coreos-overlay#2504)
- Enabled elfutils support in systemd-coredump. A backtrace will now appear in the journal for any program that dumps core (coreos-overlay#2489)
- /etc is now set up as overlayfs with the original /etc folder being the store for changed files/directories and /usr/share/flatcar/etc providing the lower default directory tree (bootengine#53, scripts#666)
- On boot any files in /etc that are the same as provided by the booted /usr/share/flatcar/etc default for the overlay mount on /etc are deleted to ensure that future updates of /usr/share/flatcar/etc are propagated. To opt out, create /etc/.no-dup-update, in case you want to keep an unmodified config file as is or because you fear that a future Flatcar version may use the same file as you, at which point your copy is cleaned up and any other future Flatcar changes would be applied (bootengine#54)
- Specifying the OEM filesystem in Ignition to write files to /usr/share/oem is not needed anymore (bootengine#58)
- Switched systemd log reporting to the combined format of both unit description, as before, and now the unit name to easily find the unit (coreos-overlay#2436)
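The boot-time /etc cleanup described in the overlay entries above, as an added example that is not Flatcar's own bootengine code: it takes the upper (/etc) and lower (/usr/share/flatcar/etc) trees as parameters, honours the .no-dup-update opt-out marker, and runs against a constructed sample layout.

```shell
#!/bin/sh
# Added example (not Flatcar's bootengine code): models the boot-time /etc
# de-duplication. Every regular file in the upper tree that is byte-identical
# to its counterpart in the lower default tree is removed, so later changes to
# the default tree show through the overlay. A .no-dup-update marker in the
# upper tree opts out. Paths are parameters so it can run on constructed dirs.

# dedup_etc UPPER LOWER: remove duplicates, print each removed relative path.
dedup_etc() {
    upper="$1"
    lower="$2"
    # Opt-out marker present: keep every file, modified or not.
    if [ -e "$upper/.no-dup-update" ]; then
        return 0
    fi
    find "$upper" -type f | while read -r f; do
        rel="${f#"$upper"/}"
        # Only files that exist in the lower tree and compare equal go away;
        # edited files and purely local files are left alone.
        if [ -f "$lower/$rel" ] && cmp -s "$f" "$lower/$rel"; then
            rm -f "$f"
            echo "$rel"
        fi
    done
}

# make_sample: build a constructed upper/lower layout in a temporary
# directory and print its path (sample content, not real Flatcar defaults).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/lower/ssh" "$root/upper/ssh"
    printf 'PasswordAuthentication no\n' > "$root/lower/ssh/sshd_config"
    printf 'PasswordAuthentication no\n' > "$root/upper/ssh/sshd_config"  # identical: removed
    printf 'nameserver 10.0.0.53\n' > "$root/lower/resolv.conf"
    printf 'nameserver 192.0.2.1\n' > "$root/upper/resolv.conf"           # edited: kept
    printf 'KeepAlive=1\n' > "$root/upper/local.conf"                     # local only: kept
    echo "$root"
}

# Stand-alone run: list which files the cleanup drops from the sample tree.
sample=$(make_sample)
echo "removed from $sample/upper:"
dedup_etc "$sample/upper" "$sample/lower"
```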
Updates:
- Linux (5.15.106 (includes 5.15.105, 5.15.104, 5.15.103, 5.15.102, 5.15.101, 5.15.100, 5.15.99))
- Linux Firmware (20230310 (includes 20230210))
- bind tools (9.16.37)
- btrfs-progs (6.0.2 (includes 6.0))
- ca-certificates (3.89)
- containerd (1.6.19 (includes 1.6.18))
- curl (7.88.1 (includes 7.88.0))
- diffutils (3.9)
- e2fsprogs (1.46.6)
- findutils (4.9.0)
- Go (1.19.7 (includes 1.19.6))
- gcc (12.2.1)
- git (2.39.2)
- GLib (2.74.5)
- GnuTLS (3.8.0)
- ignition (2.15.0)
- intel-microcode (20230214)
- iputils (20221126)
- less (608)
- libpcap (1.10.3 (includes 1.10.2))
- libpcre2 (10.42)
- OpenSSH (9.2)
- OpenSSL (3.0.8)
- qemu guest agent (7.1.0)
- socat (1.7.4.4)
- strace (6.1)
- traceroute (2.1.1)
- vim (9.0.1363)
- SDK: cmake (3.25.2)
- SDK: dnsmasq (2.89)
- SDK: portage (3.0.44)
- SDK: python (3.10.10 (includes 3.10.9, 3.10))
- SDK: Rust (1.68.0 (includes 1.67.1))
- VMware: open-vm-tools (12.2.0)
Changes since Alpha 3549.0.0
Security fixes:
- Linux (CVE-2022-4269, CVE-2022-4379, CVE-2023-1611, CVE-2023-1670, CVE-2023-1855, CVE-2023-1989, CVE-2023-1990, CVE-2023-28466, CVE-2023-30456, CVE-2023-30772)
Bug fixes:
- Ensured that /var/log/journal/ is created early enough for systemd-journald to persist the logs on first boot (bootengine#60, baselayout#29)
- Fixed journalctl --user permission issue (Flatcar#989)
Changes:
Updates:
docker - 20.10.23
ignition - 2.14.0
kernel - 5.15.98
systemd - 252
Changes since Beta 3493.1.0
Security fixes:
- Linux (CVE-2022-2196, CVE-2022-27672, CVE-2022-3707, CVE-2023-1078, CVE-2023-26545)
- curl (CVE-2022-43551, CVE-2022-43552)
- sudo (CVE-2023-22809)
- vim (CVE-2023-0049, CVE-2023-0051, CVE-2023-0054)
- SDK: qemu (CVE-2022-4172)
Bug fixes:
- Excluded the special Kubernetes network interfaces nodelocaldns and kube-ipvs0 from being managed with systemd-networkd, which interfered with the setup (init#89).
Updates:
- Linux (5.15.98 (includes 5.15.97, 5.15.96, 5.15.95, 5.15.94, 5.15.93))
- Docker (20.10.23)
- bind tools (9.16.36 (includes 9.16.34 and 9.16.35))
- bpftool (5.19.12)
- ca-certificates (3.88.1)
- containerd (1.6.16)
- curl (7.87.0)
- git (2.39.1 (includes 2.39.0))
- iptables (1.8.8)
- sudo (1.9.12_p2)
- systemd (252.5)
- vim (9.0.1157)
- XZ utils (5.4.1 (includes 5.4.0))
- SDK: boost (1.81.0)
- SDK: file (5.44)
- SDK: portage (3.0.43 (includes 3.0.42))
- SDK: qemu (7.2.0)
- SDK: Rust (1.67.0)
Changes since Alpha 3510.0.0
Security fixes:
Bug fixes:
- Excluded the special Kubernetes network interfaces nodelocaldns and kube-ipvs0 from being managed with systemd-networkd, which interfered with the setup (init#89).
Updates:
docker - 20.10.22
ignition - 2.14.0
kernel - 5.15.92
systemd - 251
Changes since Beta 3446.1.1
Security fixes:
- Linux (CVE-2022-4129, CVE-2022-4382, CVE-2022-4842, CVE-2023-23559)
- Go (CVE-2022-41717)
- containerd (CVE-2022-23471)
- git (CVE-2022-23521, CVE-2022-41903)
- glib (fixes to normal form handling in GVariant)
- libarchive (CVE-2022-36227)
- systemd (CVE-2022-3821, CVE-2022-4415)
- vim (CVE-2022-3491, CVE-2022-3520, CVE-2022-3591, CVE-2022-4141, CVE-2022-4292, CVE-2022-4293)
- SDK: Python (CVE-2015-20107, CVE-2020-10735, CVE-2021-3654, CVE-2022-37454, CVE-2022-42919, CVE-2022-45061)
- SDK: qemu (CVE-2020-14394, CVE-2022-0216, CVE-2022-3872)
- SDK: rust (CVE-2022-46176)
Updates:
- Linux (5.15.92 (includes 5.15.91, 5.15.90))
- Linux Firmware (20230117)
- Docker (20.10.22)
- adcli (0.9.2)
- binutils (2.39)
- containerd (1.6.15 (includes 1.6.14, 1.6.13, 1.6.12))
- cri-tools (1.24.2)
- elfutils (0.188 (includes 0.187))
- file (5.43)
- gawk (5.2.1 (includes 5.2.0))
- git (2.38.3)
- glib (2.74.4)
- GNU C Library (2.36)
- Go (1.19.5)
- I2C tools (4.3)
- Intel Microcode Package (20221108)
- libcap-ng (0.8.3)
- libseccomp (2.5.4 (includes 2.5.2, 2.5.3))
- MIT Kerberos V (1.20.1)
- nettle (3.8.1)
- rsync (3.2.7)
- shadow (4.13)
- sqlite (3.40.1 (includes 3.40.0))
- systemd (251.10 (includes 251))
- vim (9.0.1000)
- XZ utils (5.2.10)
- OEM: python-oem (3.9.16)
- SDK: libpng (1.6.39 (includes 1.6.38))
- SDK: perl (5.36.0)
- SDK: portage (3.0.41)
- SDK: qemu (7.1.0)
- SDK: Rust (1.66.1)
Changes since Alpha 3493.0.0
Security fixes:
- Linux (CVE-2022-4129, CVE-2022-4382, CVE-2022-4842, CVE-2023-23559)
Bug fixes:
Changes:
Updates:
docker - 20.10.21
ignition - 2.14.0
kernel - 5.15.89
systemd - 250
Changes since Beta 3446.1.0
Security fixes:
- Linux (CVE-2022-36280, CVE-2022-41218, CVE-2022-47929, CVE-2023-0210, CVE-2023-0266, CVE-2023-0394, CVE-2023-23454, CVE-2023-23455)
- git (CVE-2022-23521, CVE-2022-41903)
Bug fixes:
- Fixed a regression (in Alpha/Beta) where machines failed to boot if they didn't have the core user or group in /etc/passwd or /etc/group (baselayout#26)
Changes:
Updates:
docker - 20.10.21
ignition - 2.14.0
kernel - 5.15.86
systemd - 250
Changes since Beta 3432.1.0
Security fixes:
- Linux (CVE-2022-3424, CVE-2022-3534, CVE-2022-3545, CVE-2022-3643, CVE-2022-4378, CVE-2022-45869, CVE-2022-45934)
- sudo (CVE-2022-43995)
- libksba (CVE-2022-47629)
Bug fixes:
- Added back Ignition support for Vagrant (coreos-overlay#2351)
- The rootfs setup in the initrd now runs systemd-tmpfiles on every boot, not only when Ignition runs, to fix a dbus failure due to missing files (Flatcar#944)
Updates:
- Linux (5.15.86 (includes 5.15.85, 5.15.84, 5.15.83, 5.15.82))
- ca-certificates (3.87)
- sudo (1.9.12_p1)
- GnuTLS (3.7.8)
- XZ utils (5.2.8)
- gettext (0.21.1)
- libksba (1.6.3)
- VMware: open-vm-tools (12.1.5)
Changes since Alpha 3446.0.0
Security fixes:
- Linux (CVE-2022-3424, CVE-2022-3534, CVE-2022-3545, CVE-2022-3643, CVE-2022-4378, CVE-2022-45869, CVE-2022-45934)
- libksba (CVE-2022-47629)
Bug fixes:
- Added back Ignition support for Vagrant (coreos-overlay#2351)
- The rootfs setup in the initrd now runs systemd-tmpfiles on every boot, not only when Ignition runs, to fix a dbus failure due to missing files (Flatcar#944)
Updates:
docker - 20.10.21
ignition - 2.14.0
kernel - 5.15.81
systemd - 250
Changes since Beta 3417.1.0
Security fixes:
- Linux (CVE-2022-3169, CVE-2022-3521)
- cpio (CVE-2021-38185)
- curl (CVE-2022-32221, CVE-2022-35260, CVE-2022-42915, CVE-2022-42916)
- expat (CVE-2022-43680)
- libksba (CVE-2022-3515)
- vim (CVE-2022-3705)
Bug fixes:
- Added support for hardware security keys in update-ssh-keys (update-ssh-keys#7)
- Fix "ext4 deadlock under heavy I/O load" kernel issue. The patch for this is included provisionally while we wait for it to be merged upstream (Flatcar#847, coreos-overlay#2315)
Updates:
- Linux (5.15.81 (includes 5.15.80))
- Linux Firmware (20221109)
- OpenSSH (9.1)
- containerd (1.6.10)
- cpio (2.13)
- curl (7.86)
- Expat (2.5.0)
- glib (2.74.1)
- libcap (2.66)
- libksba (1.6.2)
- sqlite (3.39.4)
- vim (9.0.0828)
- whois (5.5.14)
- XZ utils (5.2.7)
- SDK: Rust (1.65.0)
Changes since Alpha 3432.0.0
Security fixes:
- Linux (CVE-2022-3169, CVE-2022-3521)
Bug fixes:
- Fix “ext4 deadlock under heavy I/O load” kernel issue. The patch for this is included provisionally while we wait for it to be merged upstream (Flatcar#847, coreos-overlay#2315)