alpha-3850.0.0

Changes since Alpha 3815.0.0

Security fixes:

• Linux (CVE-2022-27672, CVE-2022-40982, CVE-2022-4269, CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2022-48425, CVE-2023-0160, CVE-2023-0459, CVE-2023-1032, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1118, CVE-2023-1192, CVE-2023-1193, CVE-2023-1194, CVE-2023-1206, CVE-2023-1281, CVE-2023-1380, CVE-2023-1513, CVE-2023-1583, CVE-2023-1611, CVE-2023-1670, CVE-2023-1829, CVE-2023-1855, CVE-2023-1859, CVE-2023-1989, CVE-2023-1990, CVE-2023-1998, CVE-2023-2002, CVE-2023-20569, CVE-2023-20588, CVE-2023-20593, CVE-2023-2124, CVE-2023-21255, CVE-2023-21264, CVE-2023-2156, CVE-2023-2163, CVE-2023-2194, CVE-2023-2235, CVE-2023-2269, CVE-2023-25012, CVE-2023-25775, CVE-2023-2598, CVE-2023-26545, CVE-2023-28466, CVE-2023-28866, CVE-2023-2898, CVE-2023-2985, CVE-2023-30456, CVE-2023-30772, CVE-2023-3090, CVE-2023-31085, CVE-2023-31248, CVE-2023-3141, CVE-2023-31436, CVE-2023-3212, CVE-2023-3220, CVE-2023-32233, CVE-2023-32233, CVE-2023-32247, CVE-2023-32248, CVE-2023-32250, CVE-2023-32252, CVE-2023-32254, CVE-2023-32257, CVE-2023-32258, CVE-2023-3268, CVE-2023-3269, CVE-2023-3312, CVE-2023-3317, CVE-2023-33203, CVE-2023-33250, CVE-2023-33288, CVE-2023-3355, CVE-2023-3390, CVE-2023-33951, CVE-2023-33951, CVE-2023-33952, CVE-2023-34256, CVE-2023-34319, CVE-2023-34324, CVE-2023-35001, CVE-2023-35788, CVE-2023-35823, CVE-2023-35824, CVE-2023-35826, CVE-2023-35826, CVE-2023-35827, CVE-2023-35828, CVE-2023-35829, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-37453, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-3777, CVE-2023-38409, CVE-2023-38426, CVE-2023-38427, CVE-2023-38428, CVE-2023-38429, CVE-2023-38430, CVE-2023-38431, CVE-2023-38432, CVE-2023-3863, CVE-2023-3865, CVE-2023-3866, CVE-2023-3867, CVE-2023-39189, CVE-2023-39191, CVE-2023-39192, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-39197, CVE-2023-39198, CVE-2023-4004, CVE-2023-4015, CVE-2023-40283, CVE-2023-40791, CVE-2023-4132, CVE-2023-4133, CVE-2023-4134, CVE-2023-4147, CVE-2023-4155, CVE-2023-4194, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4244, CVE-2023-4273, CVE-2023-42752, CVE-2023-42752, CVE-2023-42753, CVE-2023-42754, CVE-2023-42756, CVE-2023-44466, CVE-2023-4569, CVE-2023-45862, CVE-2023-45863, CVE-2023-45871, CVE-2023-45871, CVE-2023-45898, CVE-2023-4611, CVE-2023-4623, CVE-2023-46813, [CVE-2023-4686...

stable-3602.2.3

Changes since Stable 3602.2.2

Security fixes:

• Linux (CVE-2023-46862, CVE-2023-6121)

Bug fixes:

• Deleted files in /etc that have a tmpfiles rule that normally would recreate them will now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)

Updates:

• Linux (5.15.142 (includes 5.15.141, 5.15.140, 5.15.139))
• ca-certificates (3.95)

beta-3760.1.1

Changes since Beta 3760.1.0

Security fixes:

• Linux (CVE-2023-6121)

Bug fixes:

• Deleted files in /etc that have a tmpfiles rule that normally would recreate them will now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)
• Fixed the missing /etc/extensions/ symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 (update_engine#32)
• GCP: Fixed OS Login enabling (scripts#1445)

Changes:

• linux kernel: added zstd support for squashfs kernel module (scripts#1297)

Updates:

• Linux (6.1.66 (includes 6.1.65, 6.1.64, 6.1.63))
• afterburn (5.5.0)
• ca-certificates (3.95)

alpha-3815.0.0

Changes since Alpha 3794.0.0

Security fixes:

• Linux (CVE-2023-6121)
• Go (CVE-2023-39326, CVE-2023-45285)

Bug fixes:

• Deleted files in /etc that have a tmpfiles rule that normally would recreate them will now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)
• Fixed the missing /etc/extensions/ symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 (update_engine#32)
• GCP: Fixed OS Login enabling (scripts#1445)

Changes:

• GCP OEM images now use a systemd-sysext image for layering additional platform-specific software on top of /usr and being part of the OEM A/B updates (flatcar#1146)

Updates:

• Linux (6.1.66 (includes 6.1.65, 6.1.64, 6.1.63))
• Go (1.20.12)
• acpid (2.0.34)
• afterburn (5.5.0)
• ca-certificates (3.95)
• containerd (1.7.10)
• efibootmgr (18)
• efivar (38)
• ipvsadm (1.31 (includes 1.28, 1.29 and 1.30))
• libmnl (1.0.5)
• libnetfilter_conntrack (1.0.9)
• libnetfilter_cthelper (1.0.1)
• libnetfilter_cttimeout (1.0.1)
• libnfnetlink (1.0.2)
• libunwind (1.7.2 (includes 1.7.0))
• liburing (2.3)
• SDK: squashfs-tools (4.6.1 (includes 4.6))

stable-3602.2.2

⚠️ From Alpha 3794.0.0 Torcx has been removed - please assert that you don't rely on specific Torcx mechanism but now use systemd-sysext. See here for more information.

Changes since Stable 3602.2.1

Security fixes:

• Linux (CVE-2023-46813, CVE-2023-5178, CVE-2023-5717)

Changes:

• Brightbox: The regular OpenStack image should now be used, it includes Afterburn for instance metadata attributes
• OpenStack: An uncompressed image is provided for simpler import (since the images use qcow2 inline compression, there is no benefit in using the .gz or .bz2 images)
• linux kernel: added zstd support for squashfs kernel module (scripts#1297)

Updates:

• Linux (5.15.138 (includes 5.15.137))

beta-3760.1.0

⚠️ From Alpha 3794.0.0 Torcx has been removed - please assert that you don't rely on specific Torcx mechanism but now use systemd-sysext. See here for more information.

Changes since Beta 3745.1.0

Security fixes:

• Linux (CVE-2023-35827, CVE-2023-46813, CVE-2023-46862, CVE-2023-5178, CVE-2023-5717)
• curl (CVE-2023-38545, CVE-2023-38546)
• glibc (CVE-2023-4911)
• go (CVE-2023-39325, CVE-2023-39325)
• grub (CVE-2023-4692, CVE-2023-4693)
• libtirpc (libtirpc-rhbg-2138317, libtirpc-rhbg-2150611, libtirpc-rhbg-2224666)

Bug fixes:

• Added AWS EKS support for versions 1.24-1.28. Fixed /usr/share/amazon/eks/download-kubelet.sh to include download paths for these versions. (scripts#1210)
• Fixed iterating over the OEM update payload signatures which prevented the AWS OEM update to 3745.x.y (update-engine#31)
• Fixed quotes handling for update-engine (Flatcar#1209)
• Made sshkeys.service more robust to only run coreos-metadata-sshkeys@core.service when not masked and also retry on failure (init#112)

Changes:

• Brightbox: The regular OpenStack image should now be used, it includes Afterburn for instance metadata attributes
• OpenStack: An uncompressed image is provided for simpler import (since the images use qcow2 inline compression, there is no benefit in using the .gz or .bz2 images)

Updates:

• Go (1.20.10 (includes 1.20.9))
• Linux (6.1.62 (includes 6.1.61, 6.1.60 and includes 6.1.59))
• containerd (1.7.7)
• curl (8.4.0)
• libnl (3.8.0)
• libtirpc (1.3.4)
• libxml2 (2.11.5)
• openssh (9.5p1)
• pigz (2.8)
• strace(6.4)
• whois (5.5.18)

Changes since Alpha 3760.0.0

Security fixes:

• Linux (CVE-2023-35827, CVE-2023-46813, CVE-2023-46862, CVE-2023-5178, CVE-2023-5717)

Bug fixes:

• Fixed iterating over the OEM update payload signatures which prevented the AWS OEM update to 3745.x.y (update-engine#31)
• Made sshkeys.service more robust to only run coreos-metadata-sshkeys@core.service when not masked and also retry on failure (init#112)

Changes:

• Brightbox: The regular OpenStack image should now be used, it includes Afterburn for instance metadata attributes
• OpenStack: An uncompressed image is provided for simpler import (since the images use qcow2 inline compression, there is no benefit in using the .gz or .bz2 images)

Updates:

• Linux (6.1.62 (includes 6.1.61, 6.1.60 and includes 6.1.59))

alpha-3794.0.0

This release removes the legacy "torcx" image customisation and replaces this feature with systemd-sysext. Torcx enabled users to deploy custom docker versions; however, it required special packaging using the Flatcar SDK. Please refer to the "Changes" section below for details.

This release ships a major Docker update: Docker was upgraded to version 24 (from version 20 in the previous release). Please see the "Changes" section below for details.

Changes since Alpha 3760.0.0

Security fixes:

• Linux (CVE-2023-35827, CVE-2023-46813, CVE-2023-46862, CVE-2023-5178, CVE-2023-5717)
• VMWare: open-vm-tools (CVE-2023-34058, CVE-2023-34059)
• nghttp2 (CVE-2023-44487)
• samba (CVE-2023-4091)
• zlib (CVE-2023-45853)

Bug fixes:

• Fixed iterating over the OEM update payload signatures which prevented the AWS OEM update to 3745.x.y (update-engine#31)
• Made sshkeys.service more robust to only run coreos-metadata-sshkeys@core.service when not masked and also retry on failure (init#112)
• Set TTY used for fetching server_context to RAW mode before running cloudinit on cloudsigma (scripts#1280)

Known issues:

• docker and containerd packages information are missing from flatcar_production_image_packages.txt (flatcar#1260)

Changes:

• Torcx, the mechanism to provide a custom Docker version, was replaced by systemd-sysext in the OS image. Learn more about sysext and how to customise OS images here.
  • Torcx entered deprecation 2 years ago in favour of deploying plain Docker binaries
    (which is now also a legacy option because systemd-sysext offers a more robust and better structured way of customisation, including OS independent updates).
  • Torcx has been removed entirely; if you use Torcx to extend the Flatcar base OS image, please refer to our conversion script and to the sysext documentation mentioned above for migrating.
  • Consequently, update_engine will not perform torcx sanity checks post-update anymore.
  • Relevant changes: scripts#1216, update_engine#30, Mantle#466, Mantle#465.
• cri-tools, runc, containerd, docker, and docker-cli are now built from Gentoo upstream ebuilds. Docker received a major version upgrade - it was updated to Docker 24 (from Docker 20; see "updates").
  • NOTE: The docker btrfs storage driver has been de-prioritised; BTRFS backed storage will now default to the overlay2 driver
    (changelog, upstream pr).
    Using the btrfs driver can still be enforced by creating a respective docker config at /etc/docker/daemon.json.
  • NOTE: If you are already using btrfs-backed Docker storage and are upgrading to this new version, Docker will automatically use the btrfs storage driver for backwards-compatibility with your deployment.
    • Docker will remove the btrfs driver entirely in a future version. Please consider migrating your deployments to the overlay2 driver.
• Brightbox: The regular OpenStack image should now be used, it includes Afterburn for instance metadata attributes
• OpenStack: An uncompressed image is provided for simpler import (since the images use qcow2 inline compression, there is no benefit in using the .gz or .bz2 images)

Updates:

• Azure: WALinuxAgent (v2.9.1.1)
• DEV, AZURE: python (3.11.6)
• DEV: iperf (3.15)
• DEV: smartmontools (7.4)
• Go (1.20.11)
• Linux (6.1.62 (includes 6.1.61, 6.1.60 and 6.1.59))
• Linux Firmware (20231111 (includes 20231030))
• SDK: Rust (1.73.0)
• SDK: python packaging (23.2), platformdirs (3.11.0)
• VMWare: open-vm-tools (12.3.5)
• containerd (1.7.9 (includes 1.7.8))
• cri-tools (1.27.0)
• ding-libs (0.6.2)
• docker (24.0.6, includes changes from 23.0)
• ethtool (6.5)
• hwdata (v0.375 (includes 0.374))
• iproute2 (6.5.0)
• json-c (0.17)
• libffi (3.4.4 (includes 3.4.2 and 3.4.3))
• liblinear (246)
• libsodium (1.0.19)
• libunistring (1.1)
• mpc (1.3.1 (includes 1.3.0)
• mpfr (4.2.1)
• nghttp2 (1.57.0 (includes 1.52.0, 1.53.0, 1.54.0, 1.55.0, 1.55.1 and 1.56.0))
• nspr (4.35)
• ntp (4.2.8p17)
• nvme-cli (v2.6, libnvme v1.6)
• protobuf (21.12 (includes 21.10 and 21.11))
• samba (4.18.8)
• sqlite (3.43.2)
• thin-provisioning-tools (1.0.6)

stable-3602.2.1

Changes since Stable 3602.2.0

Security fixes:

• Linux (CVE-2023-31085, CVE-2023-34324, CVE-2023-4244, CVE-2023-42754, CVE-2023-5197)
• curl (CVE-2023-38545, CVE-2023-38546)

Bug fixes:

• Disabled systemd-networkd's RoutesToDNS setting by default to fix provisioning failures observed in VMs with multiple network interfaces on Azure (scripts#1206)
• Fixed a regression in Docker resulting in file permissions being dropped from exported container images. (scripts#1231)

Changes:

• To make Kubernetes work by default, /usr/libexec/kubernetes/kubelet-plugins/volume/exec is now a symlink to the writable folder /var/kubernetes/kubelet-plugins/volume/exec (Flatcar#1193)

Updates:

• Linux (5.15.136 (includes 5.15.135, 5.15.134))
• ca-certificates (3.94)

lts-3510.3.1

Changes since LTS 3510.3.0

Security fixes:

• Linux (CVE-2023-31085, CVE-2023-34324, CVE-2023-4244, CVE-2023-42754, CVE-2023-42755, CVE-2023-5197)
• curl (CVE-2023-38545, CVE-2023-38546)

Bug fixes:

• Disabled systemd-networkd's RoutesToDNS setting by default to fix provisioning failures observed in VMs with multiple network interfaces on Azure (scripts#1206)
• Triggered re-reading of partition table to fix adding partitions to the boot disk (scripts#1202)

Changes:

• To make Kubernetes work by default, /usr/libexec/kubernetes/kubelet-plugins/volume/exec is now a symlink to the writable folder /var/kubernetes/kubelet-plugins/volume/exec (Flatcar#1193)

Updates:

• Linux (5.15.136 (includes 5.15.135, 5.15.134, 5.15.133))
• ca-certificates (3.94)

lts-3033.3.18

Changes since LTS 3033.3.17

Security fixes:

• Linux (CVE-2023-31085, CVE-2023-34324, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-4244, CVE-2023-42752, CVE-2023-42753, CVE-2023-42754, CVE-2023-42755, CVE-2023-45871, CVE-2023-4623, CVE-2023-4921, CVE-2023-5197)
• curl (CVE-2023-38545, CVE-2023-38546)

Bug fixes:

Changes:

• Add support for Microsoft Azure Network Adapter (MANA) NICs on Azure (scripts#1131)

Updates:

• ca-certificates (3.94)
• Linux (5.10.198 (includes 5.10.197, 5.10.196, 5.10.195, 5.10.194))