Releases

Upstream Container Linux updates:

Bug fixes:

• Disable new sticky directory protections for backwards compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Linux 4.19.34

Upstream Container Linux updates:

Bug fixes:

• Fix systemd presets incorrectly handling escaped unit names (#2569)

Updates:

• Linux 4.19.31

Upstream Container Linux updates:

Bug fixes:

• Fix systemd-journald memory leak (#2564)

Updates:

• Linux 4.19.28

Upstream Container Linux updates:

Security fixes:

• Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
• Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)

Updates:

• Linux 4.19.25

Upstream Container Linux updates:

Updates:

• Linux 4.19.23

Upstream Container Linux updates:

Security fixes:

• Fix runc container breakout (CVE-2019-5736)

Changes:

• Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)

Updates:

• etcd 3.3.12
• etcdctl 3.3.12
• Linux 4.19.20

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in ECC (CVE-2019-6486)

Updates:

• Go 1.10.8
• Go 1.11.5
• Linux 4.19.18

Upstream Container Linux updates:

Updates:

• Linux 4.19.13

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
• Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)

Updates:

• Go 1.10.6
• Go 1.11.3
• Linux 4.14.88

Upstream Container Linux updates:

Changes:

• Switch to the LTS Linux version 4.14.84 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)

Updates:

• Linux 4.14.81

Upstream Container Linux updates:

Security fixes:

• Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
• Fix systemd race allowing changing file permissions (CVE-2018-15687)
• Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)

Changes:

• Switch to the LTS Linux version 4.14.79 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Fix Git remote code execution during recursive clone (CVE-2018-17456)

Bug fixes:

• Fix missing kernel headers (#2505)

Updates:

• Git 2.16.5
• Linux 4.14.78

Flatcar updates

Changes:

• Add new image signing subkey to flatcar-install (flatcar-linux/init#4)

Bug fixes:

• Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)

Upstream Container Linux updates:

Changes:

• Switch to the LTS Linux version 4.14.74 for the beta channel

Upstream Container Linux updates:

Bug fixes:

• Fix Docker mounting named volumes (#2497)

Changes:

• Switch to the LTS Linux version 4.14.69 for the beta channel

Updates:

• intel-microcode 20180807a

Upstream Container Linux updates:

Changes:

• Drop AWS PV images from regions which do not support PV

Updates:

• containerd 1.1.2
• Docker 18.06.1-ce
• intel-microcode 20180807a
• Linux 4.14.67

Upstream Container Linux updates:

Security fixes:

• Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
• Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)

Bug fixes:

• Fix PXE systems attempting to mount an ESP (#2491)

Changes:

• Switch to the LTS Linux version 4.14.63 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)

Bug fixes:

• Fix failure to mount large ext4 filesystems (#2485)

Updates:

• Linux 4.14.60

Upstream Container Linux updates:

Bug fixes:

• Fix kernel CIFS client (#2480)

Updates:

• Linux 4.14.59

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.57 for the beta channel

Upstream Container Linux updates:

Updates:

• Linux 4.14.55

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.50 for the beta channel

Upstream Container Linux updates:

Bug fixes:

• Fix TCP connection stalls (#2457)

Updates:

• Linux 4.14.49

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Updates:

• Linux 4.14.48

Upstream Container Linux updates:

Security fixes:

• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix inadvertent change of network interface names (#2437)
• Fix failure to set network interface MTU (#2443)

Updates:

• Git 2.16.4
• Linux 4.14.47

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.42 for the beta channel

Updates:

• Ignition 0.24.1

Upstream Container Linux updates:

Security fixes:

• Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
• Fix ntp denial of service from out of bounds read (CVE-2018-7182)
• Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
• Fix ntp remote code execution (CVE-2018-7183)

Updates:

• containerd 1.0.3
• Docker 18.03.1-ce
• Linux 4.14.39
• ntp 4.2.8p11

Upstream Container Linux updates:

Bug fixes:

• Fix docker2aci tar conversion (#2402)

Changes:

• Switch to the LTS Linux version 4.14.35 for the beta channel

Flatcar updates

Initial Flatcar release.

Bug fixes:

• Fix GRUB crash at boot (#2284)
• Fix poweroff problems (#8080)

Notes:

• Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.

Upstream Container Linux updates:

Bug fixes:

• Fix kernel panic with vxlan (#2382)

Upstream Container Linux updates:

Security fixes:

• Fix libmspack vulnerabilities in the VMware agent for new installs (CVE-2018-14679, CVE-2018-14680, CVE-2018-14681, CVE-2018-14682, CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)

Updates:

• Afterburn (formerly coreos-metadata) 4.0.0
• Git 2.21.0
• Go 1.12.2
• Linux 4.19.34

Upstream Container Linux updates:

Security fixes:

• Fix OpenSSH scp allowing remote servers to change target directory permissions (CVE-2018-20685)
• Fix OpenSSH outputting ANSI control codes from remote servers (CVE-2019-6109, CVE-2019-6110)
• Fix OpenSSH scp allowing remote servers to overwrite arbitrary files (CVE-2019-6111)
• Fix OpenSSL side-channel timing attack (CVE-2018-5407)
• Fix OpenSSL padding oracle attack in misbehaving applications (CVE-2019-1559)
• Fix ntp ntpd denial of service by authenticated user (CVE-2019-8936)
• Fix ntp buffer overflow in ntpq and ntpdc (CVE-2018-12327)

Bug fixes:

• Fix systemd presets incorrectly handling escaped unit names (#2569)

Updates:

• GCC 8.2.0
• Go 1.12.1
• IANA timezone database 2018i
• Linux 4.19.31
• ntp 4.2.8p13
• OpenSSH 7.9p1
• OpenSSL 1.0.2r
• Update Engine 0.4.10

Upstream Container Linux updates:

Security fixes:

• Fix tar local denial of service with --sparse option (CVE-2018-20482)
• Fix wget local information leak (CVE-2018-20483)

Bug fixes:

• Fix systemd-journald memory leak (#2564)

Changes:

• Enable vhost_vsock kernel module (#2563)

Updates:

• Go 1.12
• Linux 4.19.28
• Rust 1.33.0
• systemd 241
• tar 1.31
• wget 1.20.1

Upstream Container Linux updates:

Security fixes:

• Fix curl vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823)
• Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
• Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)

Updates:

• curl 7.64.0
• Docker 18.06.3-ce
• Ignition 0.31.0
• Linux 4.19.25

Upstream Container Linux updates:

Security fixes:

• Fix runc container breakout (CVE-2019-5736)

Changes:

• Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)
• Add a new subkey for signing release images

Updates:

• etcd 3.3.12
• etcdctl 3.3.12
• flannel 0.11.0
• Linux 4.19.20

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in ECC (CVE-2019-6486)

Updates:

• btrfs-progs 4.19
• e2fsprogs 1.44.5
• glibc 2.27
• Go 1.10.8
• Go 1.11.5
• Linux 4.19.18
• Rust 1.32.0
• util-linux 2.33
• xfsprogs 4.17.0

Upstream Container Linux updates:

Security fixes:

• Fix systemd-journald privilege escalation (CVE-2018-16864, CVE-2018-16865)
• Fix systemd-journald out of bounds read (CVE-2018-16866)
• Fix ntpq, ntpdc buffer overflow (CVE-2018-12327)
• Fix etcd improper authentication with RBAC and client certs (CVE-2018-16886)

Changes:

• Add ip_vs_mh kernel module (#2542)

Updates:

• etcd 3.3.11
• etcdctl 3.3.11
• Linux 4.19.15
• ntp 4.2.8p12
• sudo 1.8.25p1

Upstream Container Linux updates:

Bug fixes:

• Fix monitoring process events over netlink (#2537)

Updates:

• Ignition 0.30.0
• Go 1.10.7
• Go 1.11.4
• Linux 4.19.13

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
• Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)

Bug fixes:

• Fix AWS, Azure, and GCE disk aliases in the initramfs for Ignition (#2531)

Updates:

• Go 1.10.6
• Go 1.11.3
• Ignition 0.29.1
• Linux 4.19.9
• Rust 1.31.0
• wa-linux-agent 2.2.32

Upstream Container Linux updates:

Updates:

• Linux 4.19.6
• iptables 1.6.2

Upstream Container Linux updates:

Security fixes:

• Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)
• Fix curl buffer overrun in NTLM authentication code (CVE-2018-14618)
• Fix OpenSSL TLS client denial of service (CVE-2018-0732)
• Fix OpenSSL timing side channel in DSA signature generation (CVE-2018-0734)
• Fix OpenSSL timing side channel via SMT port contention (CVE-2018-5407)

Updates:

• coreos-metadata 3.0.2
• curl 7.61.1
• Go 1.10.5
• Go 1.11.2
• Linux 4.19.2
• OpenSSL 1.0.2p
• Rust 1.30.1

Upstream Container Linux updates:

Security fixes:

• Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
• Fix systemd race allowing changing file permissions (CVE-2018-15687)
• Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)

Bug fixes:

• Add AWS and GCE disk aliases in the initramfs for Ignition (#2481)
• Add compatibility nf_conntrack_ipv4 kernel module to fix kube-proxy IPVS on Linux 4.19 (#2518)

Updates:

• IANA timezone database 2018e
• kexec-tools 2.0.17
• Linux 4.19.1

Upstream Container Linux updates:

Security fixes:

• Fix Git remote code execution during recursive clone (CVE-2018-17456)
• Fix OpenSSH user enumeration (CVE-2018-15473)
• Fix Rust standard library integer overflow (CVE-2018-1000810)

Bug fixes:

• Fix missing kernel headers (#2505)

Updates:

• coreos-metadata 3.0.1
• etcd-wrapper 3.3.10
• etcdctl 3.3.10
• Git 2.18.1
• Linux 4.19
• linux-firmware 20181001
• OpenSSH 7.7p1
• Rust 1.29.1

Flatcar updates

Changes:

• Add new image signing subkey to flatcar-install (flatcar-linux/init#4)

Bug fixes:

• Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)

Upstream Container Linux updates:

Updates:

• glibc 2.26
• Go 1.11.1
• Linux 4.18.12
• nfs-utils 2.3.1
• open-vm-tools 10.3.0

Upstream Container Linux updates:

Bug fixes:

• Fix Google Compute Engine OS Login activation (#2503)

Updates:

• Linux 4.18.9

Upstream Container Linux updates:

Bug fixes:

• Fix Docker mounting named volumes (#2497)
• Fix Azure disk detection in Ignition (#2481)

Changes:

• Add support for Google Compute Engine OS Login
• Enable support for Mellanox Ethernet switches

Updates:

• coreos-metadata 3.0.0
• Go 1.10.4
• Go 1.11
• intel-microcode 20180807a
• Linux 4.18.7
• update-ssh-keys 0.3.0

Upstream Container Linux updates:

Changes:

• Add CIFS userspace utilities (#571)
• Drop AWS PV images from regions which do not support PV

Updates:

• containerd 1.1.2
• Docker 18.06.1-ce
• Ignition 0.28.0
• Linux 4.18.5
• Rust 1.28.0

Upstream Container Linux updates:

Security fixes:

• Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
• Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)
• Fix curl SMTP buffer overflow (CVE-2018-0500)

Bug fixes:

• Fix PXE systems attempting to mount an ESP (#2491)

Updates:

• coreos-metadata 2.0.0
• curl 7.61.0
• Ignition 0.27.0
• Linux 4.17.15
• update-ssh-keys 0.2.1

Upstream Container Linux updates:

Security fixes:

• Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)

Bug fixes:

• Fix failure to mount large ext4 filesystems (#2485)

Updates:

• Linux 4.17.12

Upstream Container Linux updates:

Changes:

• Remove ARM64 architecture
• Remove developer image from SDK

Updates:

• etcd 3.3.9
• etcdctl 3.3.9
• Linux 4.17.11

Upstream Container Linux updates:

Changes:

• Add torcx remotes support

Updates:

• containerd 1.1.1
• Docker 18.06.0-ce
• intel-microcode 20180703
• Linux 4.17.9
• Update Engine 0.4.9

Upstream Container Linux updates:

Security fixes:

• Fix curl buffer overflows (CVE-2018-1000300, CVE-2018-1000301)
• Fix Linux random seed during early boot (CVE-2018-1108)

Changes:

• Reads of /dev/urandom early in boot will block until entropy pool is fully initialized
• Support friendly AWS EBS NVMe device names (#2399)

Updates:

• cryptsetup 1.7.5
• curl 7.60.0
• etcd-wrapper 3.3.8
• etcdctl 3.3.8
• intel-microcode 20180616
• kmod 25
• Linux 4.17.3
• linux-firmware 20180606
• Locksmith 0.6.2
• OpenSSL 1.0.2o

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Changes:

• Drop obsolete cros_sdk method of entering SDK

Updates:

• etcd 3.3.7
• etcdctl 3.3.7
• Go 1.9.7
• Go 1.10.3
• Ignition 0.26.0
• Linux 4.16.16
• torcx 0.2.0

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Upstream Container Linux updates:

Security fixes:

• Fix multiple procps vulnerabilities (CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126, CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1126)
• Fix shadow privilege escalation (CVE-2018-7169)
• Fix samba man-in-the-middle attack (CVE-2016-2119)
• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix failure to set network interface MTU (#2443)
• Fix inadvertent change of network interface names (#2437)
• Fix Docker bind mounts from root filesystem (#2440)

Changes:

• Update VMware virtual hardware version to 11 (ESXi > 6.0)

Updates:

• etcd 3.3.6
• etcdctl 3.3.6
• Git 2.16.4
• Linux 4.16.14
• open-vm-tools 10.2.5
• procps 3.3.15
• samba 4.5.16
• shadow 4.6

Upstream Container Linux updates:

Security fixes:

• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix failure to set network interface MTU (#2443)

Updates:

• Git 2.16.4
• Linux 4.16.13

Upstream Container Linux updates:

Bug fixes:

• Fix inadvertent change of network interface names (#2437)
• Fix Docker bind mounts from root filesystem (#2440)

Upstream Container Linux updates:

Security fixes:

• Fix ncurses denial of service and arbitrary code execution (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113, CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13733, CVE-2017-13734, CVE-2017-16879)
• Fix rsync arbitrary command execution (CVE-2018-5764)
• Fix wget cookie injection (CVE-2018-0494)

Changes:

• Enable QLogic FCoE offload support (#2367)
• Enable hardware RNG kernel drivers (#2430)
• Add notrap to ntpd default access restrictions (#2220)
• Allow booting default GRUB menu entry if GRUB password is enabled (#1597)
• coreos-install -i no longer modifies grub.cfg (#2291)
• QEMU wrapper script now enables VirtIO RNG device

Updates:

• bind-tools 9.11.2-P1
• Docker 18.05.0-ce
• etcd-wrapper 3.3.5
• etcdctl 3.3.5
• GnuPG 2.2.7
• GPT fdisk 1.0.3
• Ignition 0.25.1
• Less 529
• Linux 4.16.10
• rsync 3.1.3
• Rust 1.26
• util-linux 2.32
• vim 8.0.1298
• wget 1.19.5

Upstream Container Linux updates:

Bug fixes:

• Fix GRUB free magic error on existing systems (#2400)

Changes:

• Support storing sudoers in SSSD and LDAP
• No longer publish Oracle Cloud release images

Updates:

• audit 2.7.1
• coreutils 8.28
• etcd-wrapper 3.3.4
• etcdctl 3.3.4
• Go 1.9.6
• Go 1.10.2
• Linux 4.16.7
• sudo 1.8.23
• Update Engine 0.4.7
• wa-linux-agent 2.2.25

Upstream Container Linux updates:

Security fixes:

• Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
• Fix ntp denial of service from out of bounds read (CVE-2018-7182)
• Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
• Fix ntp remote code execution (CVE-2018-7183)

Bug fixes:

• Pass /etc/machine-id from the host to the kubelet
• Fix docker2aci tar conversion (#2402)
• Switch /boot from FAT16 to FAT32 (#2246)

Changes:

• Make Ignition failures more visible on the console

Updates:

• containerd 1.0.3
• coreos-cloudinit 1.14.0
• coreos-metadata 1.0.6
• Docker 18.04.0-ce
• Go 1.9.5
• Go 1.10.1
• Linux 4.16.3
• ntp 4.2.8p11
• rkt 1.30.0
• Rust 1.25.0
• torcx 0.1.3
• update-ssh-keys 0.1.2

Flatcar updates

Initial Flatcar release.

Notes:

• Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.

Upstream Container Linux updates:

Security fixes:

• Fix curl out of bounds read (CVE-2018-1000005)
• Fix curl authentication data leak (CVE-2018-1000007)
• Fix curl buffer overflow (CVE-2018-1000120)
• Fix glibc integer overflow in libcidn (CVE-2017-14062)
• Fix glibc memory issues in glob() with ~ (CVE-2017-15670, CVE-2017-15671, CVE-2017-15804)
• Fix glibc mishandling RPATHs with $ORIGIN on setuid binaries (CVE-2017-16997)
• Fix glibc buffer underflow in realpath() (CVE-2018-1000001)
• Fix glibc integer overflow and heap corruption in memalign() (CVE-2018-6485)

Bug fixes:

• Fix GRUB crash at boot (#2284)

Updates:

• curl 7.59.0
• etcd-wrapper 3.3.3
• etcdctl 3.3.3
• glibc 2.25
• Ignition 0.24.0
• Linux 4.15.15
• Update Engine 0.4.6