Releases

Security fixes

• Linux
  • CVE-2020-27835
  • CVE-2020-29661
  • CVE-2020-29660
  • CVE-2020-27830
  • CVE-2020-28588

Bug fixes

• The sysctl net.ipv4.conf.*.rp_filter is set to 0 for the Cilium CNI plugin to work (kinvolk/Flatcar#181)
• Package downloads in the developer container now use the correct URL again (kinvolk/Flatcar#298)
• networkd: avoid managing MAC addresses for veth devices (kinvolk/init#33)

Changes

• The sysctl default config file is now applied under the prefix 60 which allows for custom sysctl config files to take effect when they start with a prefix of 70, 80, or 90 (kinvolk/baselayout#13)
• Containerd CRI plugin got enabled by default, only the containerd socket path needs to be specified as kubelet parameter for Kubernetes 1.20 to use containerd instead of Docker (kinvolk/Flatcar#283)
• For users with a custom update server a machine alias setting in update-engine allows to give human-friendly names to client instances (kinvolk/update-engine#8)

Updates

• Linux (5.9.16)
• containerd (1.4.3)
• Docker (19.03.14)

Security fixes:

• No changes since Alpha 2705.0.0

Bug fixes:

• No changes since Alpha 2705.0.0

Changes:

• No changes since Alpha 2705.0.0

Updates:

• No changes since Alpha 2705.0.0

Security fixes:

• Linux - CVE-2020-27194, CVE-2020-27152
• Go - CVE-2020-28362, CVE-2020-28367, CVE-2020-28366

Bug fixes:

• network: Restore KeepConfiguration=dhcp-on-stop (kinvolk/init#30)

Updates:

• Linux (5.8.18)
• Go (1.15.5)

Security fixes:

• Linux - CVE-2020-25645, CVE-2020-25643, CVE-2020-25211

Bug fixes:

• Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying directives for update: or locksmith: while also reformatting the rootfs (baselayout PR#7)

Updates:

• Linux 5.8.14

Security fixes:

• Linux: CVE-2020-25284, CVE-2020-14390

Bug fixes:

• Enabled missing systemd services (#191, PR #612)
• Fixed Docker torcx image unpacking error on machines with less than ~600 MB total RAM (#32)
• Solved adcli Kerberos Active Directory incompatibility (#194)
• Fixed the makefile path when building kernel modules with the developer container (#195)
• Removed the /etc/portage/savedconfig/ folder that contained a dump of the firmware config flatcar-linux/coreos-overlay#613

Changes:

• GCE: Improved oslogin support and added shell aliases to run a Python Docker image (PR #592)

Updates:

• Linux 5.8.11
• adcli 0.9.0
• GCE: oslogin 20200910.00

Bug fixes:

• Fix resetting of DNS nameservers in systemd-networkd units (PR#12)

Changes:

• Disable TX checksum offloading for the IP-in-IP tunl0 interface used by Calico (PR#26). This is a workaround for a Mellanox driver issue, currently tracked in Flatcar#183
• Set sysctl net.ipv4.conf.(all|*).rp_filter to 0 (instead of the systemd upstream value 2) to be less restrictive which some network solutions rely on (PR#11)
• flatcar-install allows installation to a multipath drive (PR#24)

Updates:

• Linux 5.4.65

Security fixes:

• Linux kernel: Fix AF_PACKET overflow in tpacket_rcv CVE-2020-14386

Updates:

• Linux 5.4.62

Changes from Alpha release 2605.1.0

Changes:

• Update public key to include new subkey

Security fixes:

• Bind: fixes for CVE-2020-8616, CVE-2020-8617, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Bug fixes:

• etcd-wrapper: Adjust data dir permissions (flatcar-linux/coreos-overlay#536)

Updates:

• Linux 5.4.59
• bind-tools 9.11.22
• etcd-wrapper 3.3.24

Changes since the Alpha release 2513.1.0

Bug Fixes:

• The static IP address configuration in the initramfs works again in the format ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]] https://github.com/flatcar-linux/bootengine/pull/15

Updates:

• Linux 5.4.52

Flatcar updates

Security fixes:

• Fix the Intel Microcode vulnerabilities (CVE-2020-0543)

Changes:

• A source code and licensing overview is available under /usr/share/licenses/INFO

Updates:

• Linux 4.19.128
• intel-microcode 20200609

Flatcar updates

Security fixes:

• Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
• Fix Git arbitrary path overwrite, credential leak from credential helpers, remote code execution in recursive clones, and arbitrary command execution via submodules (CVE-2019-1348, CVE-2019-1387, CVE-2019-19604, CVE-2020-11008, CVE-2020-5260)
• Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
• Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
• Fix libidn2 domain impersonation (CVE-2019-12290)
• Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
• Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
• Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
• Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
• Fix vim arbitrary command execution via crafted file (CVE-2019-12735)

Bug fixes:

• When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (https://github.com/flatcar-linux/update_engine/pull/5)
• Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed
• Use the correct BINHOST URLs in the development container to download binary packages

Changes:

• Support the CoreOS GRUB /boot/coreos/first_boot flag file (https://github.com/flatcar-linux/bootengine/pull/13)
• Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
• Use flatcar.autologin kernel command line parameter on Azure and VMware for auto login on the serial console
• Include conntrack (conntrack-tools)
• Include journalctl output, pstore kernel crash logs, and coredumpctl list output in the mayday report
• Update wa-linux-agent to 2.2.46 on Azure
• Support both coreos.config.* and flatcar.config.* guestinfo variables on VMware OEM

Updates:

• e2fsprogs 1.45.5
• etcd 3.3.20
• etcdctl 3.3.20
• Git 2.24.1
• Linux 4.19.124
• OpenSSL 1.0.2u
• vim 8.2.0360

Flatcar updates

Bug fixes:

• Use newest network interface naming scheme (https://github.com/flatcar-linux/Flatcar/issues/36)
  • It is a possible breaking change for some persistent network interface names
• Fix URL scheme in emerge-gitclone (https://github.com/flatcar-linux/coreos-overlay/issues/223)
• Fix coreos-cloudinit variable names (https://github.com/flatcar-linux/coreos-overlay/pull/206)
• Prefer /boot/coreos to write updates (https://github.com/flatcar-linux/update_engine/pull/2)
• Remove /boot/coreos/first_boot after a Ignition rerun on migration (https://github.com/flatcar-linux/bootengine/pull/10)
• Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar-linux/ignition/pull/10)

Changes:

• Add kernel config for QEDE driver (https://github.com/flatcar-linux/coreos-overlay/pull/198)
• Add tracepath alongside traceroute6 (https://github.com/flatcar-linux/Flatcar/issues/50)

Updates:

• Linux 4.19.112

Flatcar updates

Bug fixes:

• Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
• Fix backwards compatibility issues for users to migrate from CoreOS Container Linux. Support the kernel command line parameters coreos.oem.*, coreos.autologin, coreos.first_boot, and the QEMU firmware config path opt/com.coreos/config (https://github.com/flatcar-linux/Flatcar/issues/16 https://github.com/flatcar-linux/afterburn/pull/7 https://github.com/flatcar-linux/bootengine/pull/7 https://github.com/flatcar-linux/bootengine/pull/8 https://github.com/flatcar-linux/init/pull/16 https://github.com/flatcar-linux/init/pull/17 https://github.com/flatcar-linux/ignition/pull/8)

Upstream Container Linux updates

Updates:

• Linux 4.19.106

Flatcar updates

Bug fixes:

• Fix DNS resolution for the GCE metadata server (https://github.com/flatcar-linux/coreos-overlay/pull/160)
• Create symlink for /run/metadata/coreos (https://github.com/flatcar-linux/coreos-overlay/pull/166)
• Create symlink for flatcar-install (https://github.com/flatcar-linux/init/pull/14)

Upstream Container Linux updates:

Security fixes:

• Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker (CVE-2020-1712)

Changes:

• Enable qede kernel module

Updates:

• Linux 4.19.102

Upstream Container Linux updates:

Security fixes:

• Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)

Updates:

• Git 2.24.1
• Linux 4.19.95

Flatcar updates

Bug fixes:

• Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)
• Fix bug of unpacking tarballs failing when xattr is not supported (https://github.com/flatcar-linux/torcx/pull/2)

Updates:

• ldb 1.3.6
• samba 4.8.6
• talloc 2.1.11
• tdb 1.3.15
• tevent 0.9.37

Upstream Container Linux updates:

Updates:

• Linux 4.19.87

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)

Updates:

• intel-microcode 20191115
• Linux 4.19.84

Upstream Container Linux updates:

Bug fixes:

• Fix time zone for Brazil (#2627)

Updates:

• Linux 4.19.81
• timezone-data 2019c

Upstream Container Linux updates:

Updates:

• Linux 4.19.79

Upstream Container Linux updates:

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2247.3.0 (#2616)

Updates:

• Linux 4.19.78

Upstream Container Linux updates:

Security fixes:

• Fix kernel KVM guest escape (CVE-2019-14835)
• Fix race condition in Intel microprocessors (CVE-2019-11184)

Updates:

• intel-microcode 20190918
• Linux 4.19.75

Upstream Container Linux updates:

Updates:

• Linux 4.19.71

Upstream Container Linux updates:

Security fixes:

• Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.69

Upstream Container Linux updates:

Security fixes:

• Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)

Updates:

• Linux 4.19.68
• wget 1.20.3

Upstream Container Linux updates:

Security fixes:

• Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)

Updates:

• Linux 4.19.65

Flatcar updates

Bug fixes:

• Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar-linux/ignition/issues/2)
• Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
• Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)

Upstream Container Linux updates:

Security fixes:

• Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)

Updates:

• Linux 4.19.65

Flatcar updates

Changes:

• Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)

Upstream Container Linux updates:

• Linux 4.19.62

Upstream Container Linux updates:

No changes for beta promotion

Upstream Container Linux updates:

Bug fixes:

• Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)

Updates:

• Ignition 0.33.0

Upstream Container Linux updates:

Updates:

• Linux 4.19.53

Upstream Container Linux updates:

Security fixes:

• Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Bug fixes:

• Fix invalid bzip2 compression of Container Linux release images (#2589)

Updates:

• Linux 4.19.50

Upstream Container Linux updates:

Updates:

• Linux 4.19.44

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)

Updates:

• intel-microcode 20190514
• Linux 4.19.43

Upstream Container Linux updates:

Bug fixes:

• Fix systemd MountFlags=shared option (#2579)

Changes:

• Pin network interface naming to systemd v238 scheme (#2578)

Upstream Container Linux updates:

Bug fixes:

• Disable new sticky directory protections for backward compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Linux 4.19.36

Upstream Container Linux updates:

Bug fixes:

• Disable new sticky directory protections for backwards compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Linux 4.19.34

Upstream Container Linux updates:

Bug fixes:

• Fix systemd presets incorrectly handling escaped unit names (#2569)

Updates:

• Linux 4.19.31

Upstream Container Linux updates:

Bug fixes:

• Fix systemd-journald memory leak (#2564)

Updates:

• Linux 4.19.28

Upstream Container Linux updates:

Security fixes:

• Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
• Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)

Updates:

• Linux 4.19.25

Upstream Container Linux updates:

Updates:

• Linux 4.19.23

Upstream Container Linux updates:

Security fixes:

• Fix runc container breakout (CVE-2019-5736)

Changes:

• Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)

Updates:

• etcd 3.3.12
• etcdctl 3.3.12
• Linux 4.19.20

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in ECC (CVE-2019-6486)

Updates:

• Go 1.10.8
• Go 1.11.5
• Linux 4.19.18

Upstream Container Linux updates:

Updates:

• Linux 4.19.13

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
• Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)

Updates:

• Go 1.10.6
• Go 1.11.3
• Linux 4.14.88

Upstream Container Linux updates:

Changes:

• Switch to the LTS Linux version 4.14.84 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)

Updates:

• Linux 4.14.81

Upstream Container Linux updates:

Security fixes:

• Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
• Fix systemd race allowing changing file permissions (CVE-2018-15687)
• Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)

Changes:

• Switch to the LTS Linux version 4.14.79 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Fix Git remote code execution during recursive clone (CVE-2018-17456)

Bug fixes:

• Fix missing kernel headers (#2505)

Updates:

• Git 2.16.5
• Linux 4.14.78

Flatcar updates

Changes:

• Add new image signing subkey to flatcar-install (flatcar-linux/init#4)

Bug fixes:

• Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)

Upstream Container Linux updates:

Changes:

• Switch to the LTS Linux version 4.14.74 for the beta channel

Upstream Container Linux updates:

Bug fixes:

• Fix Docker mounting named volumes (#2497)

Changes:

• Switch to the LTS Linux version 4.14.69 for the beta channel

Updates:

• intel-microcode 20180807a

Upstream Container Linux updates:

Changes:

• Drop AWS PV images from regions which do not support PV

Updates:

• containerd 1.1.2
• Docker 18.06.1-ce
• intel-microcode 20180807a
• Linux 4.14.67

Upstream Container Linux updates:

Security fixes:

• Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
• Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)

Bug fixes:

• Fix PXE systems attempting to mount an ESP (#2491)

Changes:

• Switch to the LTS Linux version 4.14.63 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)

Bug fixes:

• Fix failure to mount large ext4 filesystems (#2485)

Updates:

• Linux 4.14.60

Upstream Container Linux updates:

Bug fixes:

• Fix kernel CIFS client (#2480)

Updates:

• Linux 4.14.59

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.57 for the beta channel

Upstream Container Linux updates:

Updates:

• Linux 4.14.55

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.50 for the beta channel

Upstream Container Linux updates:

Bug fixes:

• Fix TCP connection stalls (#2457)

Updates:

• Linux 4.14.49

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Updates:

• Linux 4.14.48

Upstream Container Linux updates:

Security fixes:

• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix inadvertent change of network interface names (#2437)
• Fix failure to set network interface MTU (#2443)

Updates:

• Git 2.16.4
• Linux 4.14.47

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.42 for the beta channel

Updates:

• Ignition 0.24.1

Upstream Container Linux updates:

Security fixes:

• Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
• Fix ntp denial of service from out of bounds read (CVE-2018-7182)
• Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
• Fix ntp remote code execution (CVE-2018-7183)

Updates:

• containerd 1.0.3
• Docker 18.03.1-ce
• Linux 4.14.39
• ntp 4.2.8p11

Upstream Container Linux updates:

Bug fixes:

• Fix docker2aci tar conversion (#2402)

Changes:

• Switch to the LTS Linux version 4.14.35 for the beta channel

Flatcar updates

Initial Flatcar release.

Bug fixes:

• Fix GRUB crash at boot (#2284)
• Fix poweroff problems (#8080)

Notes:

• Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.

Upstream Container Linux updates:

Bug fixes:

• Fix kernel panic with vxlan (#2382)

Security fixes

• Linux
  • CVE-2020-27815
  • CVE-2020-27830
  • CVE-2020-27835
  • CVE-2020-28588
  • CVE-2020-29568
  • CVE-2020-29569
  • CVE-2020-29660
  • CVE-2020-29661

Bug fixes

• afterburn (coreos-metadata): Restart on failure and keep coreos-metadata unit active (kinvolk/coreos-overlay#768)
• networkd: avoid managing MAC addresses for veth devices (kinvolk/init#33)

Changes

• Updated nsswitch.conf to use systemd-resolved (kinvolk/baselayout#10)
• Enabled systemd-resolved stub listeners (kinvolk/baselayout#11)
• systemd-resolved: Disabled DNSSEC for the mean time (kinvolk/baselayout#14)
• kernel: enabled CONFIG_DEBUG_INFO_BTF (kinvolk/coreos-overlay#753)
• containerd: Switched to default upstream socket location while keeping a symlink for the previous location in Flatcar (kinvolk/coreos-overlay#771)
• containerd: Disabled shim debug logs (kinvolk/coreos-overlay#766)

Updates

• Linux (5.10.4)
• Linux firmware (20201218)
• SDK: Rust (1.48.0)

Note: Please note that ARM images remain experimental for now.

Security fixes

• bsdiff
  • CVE-2014-9862
• containerd
  • CVE-2020-15257
• pam
  • CVE-2020-27780
• Linux
  • CVE-2020-29661
  • CVE-2020-29660
  • CVE-2020-27830
  • CVE-2020-28588 (only affects 32-bit systems, Flatcar Container Linux is not affected)
  • CVE-2020-27835 (only affects systems with Infiniband HF1 driver, Flatcar Container Linux is not affected)

Bug fixes

• The sysctl net.ipv4.conf.*.rp_filter is set to 0 for the Cilium CNI plugin to work (Flatcar#181)
• Package downloads in the developer container now use the correct URL again (Flatcar#298)

Changes

• A symlink vimdiff should not be created, if the USE flag minimal is enabled. (Flatcar/#221)
• The sysctl default config file is now applied under the prefix 60 which allows for custom sysctl config files to take effect when they start with a prefix of 70, 80, or 90 (baselayout#13)
• Containerd CRI plugin got enabled by default, only the containerd socket path needs to be specified as kubelet parameter for Kubernetes 1.20 to use containerd instead of Docker (Flatcar#283)
• For users with a custom update server a machine alias setting in update-engine allows to give human-friendly names to client instances (update-engine#8)
• Enable BCMGENET as a module on arm64_defconfig-5.9 (coreos-overlay#717)
• Enable BCM7XXX_PHY as a module on arm64_defconfig-5.9 for Raspberry Pi 4 (coreos-overlay#716)
• Disable jpeg USE flag from QEMU (coreos-overlay#729)
• flatcar_production_qemu.sh: Use more CPUs for ARM if available (scripts#91)

Updates

• Linux (5.9.14)
• Linux firmware (20201118)
• Docker (19.03.14)
• containerd (1.4.3)
• pam (1.5.1)
• sqlite (3.33)
• SDK: Rust (1.47.0)
• SDK: Go (1.15.6)
• SDK: repo (2.8)
• SDK: dwarves (1.19)

Note: Please note that ARM images remain experimental for now.

Security fixes

• glibc (CVE-2019-9169, CVE-2019-6488, CVE-2019-7309, CVE-2020-10029, CVE-2020-1751, CVE-2020-6096, CVE-2018-20796)

Bug fixes

• Added systemd-tmpfiles directives for /opt and /opt/bin to ensure that the folders have correct permissions even when /opt/ was once created by containerd (Flatcar#279)

Changes

• Enabled the kernel config HOTPLUG_PCI_ACPI for arm64 to support attaching EC2 volumes (PR#705)

Updates

• Linux (5.9.11)
• glibc (2.32)

Note: Please note that ARM images remain experimental for now.

Security fixes:

• Linux - (CVE-2020-27673, CVE-2020-27675)
• Go - (CVE-2020-28362, CVE-2020-28367, CVE-2020-28366)
• glib (CVE-2019-12450)
• open-iscsi (CVE-2017-17840)
• samba (CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, CVE-2019-3880, CVE-2019-10218)
• shadow (CVE-2019-19882)
• sssd (CVE-2018-16883, CVE-2019-3811, CVE-2018-16838)
• trousers (CVE-2020-24330, CVE-2020-24331)
• cifs-utils (CVE-2020-14342)
• ntp (CVE-2020-11868, CVE-2020-13817, CVE-2018-8956, CVE-2020-15025)
• bzip2 (CVE-2019-12900)

Bug fixes:

• network: Restore KeepConfiguration=dhcp-on-stop (kinvolk/init#30)
• Make the automatic filesystem resizing more robust against a race and add more logging (kinvolk/init#31)
• Default again to waiting only for one network interface to be ready with systemd-networkd-wait-online which was missing in the initial systemd 246 update
• Default again to disabling IP Forwarding in systemd which was missing in the initial systemd 246 update
• Make systemd detect updates again when the /usr partition changes which was missing in the initial systemd 246 update
• Default again to set DefaultTasksMax=100% in systemd which was missing in the initial systemd 246 update
• Default again to disable SELinux permissions checks in systemd which was missing in the initial systemd 246 update

Changes:

• The zstd tools were added (version 1.4.4)
• The kernel config CONFIG_PSI was set to support Pressure Stall Information, more information also under https://facebookmicrosites.github.io/psi/docs/overview (Flatcar#162)
• The kernel config CONFIG_BPF_JIT_ALWAYS_ON was set to use the BPF just-in-time compiler by default for faster execution
• The kernel config CONFIG_DEBUG_INFO_BTF was set to support BTF metadata (BPF Type Format), one important piece for portability of BPF programs (CO-RE: Compile Once - Run Everywhere) through relocation
• The kernel config CONFIG_POWER_SUPPLY was set
• The kernel configs CONFIG_OVERLAY_FS_METACOPY and CONFIG_OVERLAY_FS_REDIRECT_DIR were set. With the first overlayfs will only copy up metadata when a metadata-specific operation like chown/chmod is performed. The full file will be copied up later when the file is opened for write operations. With the second, which is equivalent to setting “redirect_dir=on” in the kernel command-line, overlayfs will copy up the directory first before the actual content (Flatcar#170).

Updates:

• Linux (5.9.8)
• Linux firmware (20200918)
• systemd (246.6)
• bzip2 (1.0.8)
• cifs-utils (6.11)
• dbus-glib (0.110)
• elfutils (0.178)
• glib (2.64.5)
• ntp (4.2.8_p15)
• open-iscsi (2.1.2)
• samba (4.11.13)
• shadow (4.8)
• sssd (2.3.1)
• strace (5.9)
• talloc (2.3.1)
• tdb (1.4.3)
• tevent (0.10.2)
• SDK/developer container: GCC (9.3.0), binutils (2.35), gdb (9.2)
• SDK: Go (1.15.5)
• VMware: open-vm-tools (11.2.0)

Security fixes:

• Linux - CVE-2020-27194
• c-ares - CVE-2017-1000381
• file - CVE-2019-18218
• json-c - CVE-2020-12762
• libuv - CVE-2020-8252
• libxml2 - CVE-2019-20388 CVE-2020-7595
• re2c - CVE-2020-11958
• tar - CVE-2019-9923

Bug fixes:

• Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying directives for update: or locksmith: while also reformatting the rootfs (baselayout PR#7)
• Allow inactive network interfaces to be bound to a bonding interface, by encoding additional configuration for systemd-networkd-wait-online (afterburn PR #10)
• Azure: Exclude bonded SR-IOV driver mlx5-core from network interfaces managed by systemd-networkd (bootengine PR #19) (init PR #29)
• Do not configure ccache in Jenkins (scripts PR #100)

Changes:

• Remove unnecessary kernel module nf-conntrack-ipv4 (overlay PR#649)

Updates:

• Linux 5.8.16
• c-ares 1.61.1
• cryptsetup 2.3.2
• json-c 0.15
• libuv 1.39.0
• libxml2 2.9.10
• tar 1.32
• Go 1.15.3, 1.12.17 (only in SDK)
• file 5.39 (only in SDK)
• gdbus-codegen 2.64.5 (only in SDK)
• meson 0.55.3 (only in SDK)
• re2c 2.0.3 (only in SDK)

Note: Please note that ARM images remain experimental for now.

Security fixes:

• Linux - CVE-2020-25645, CVE-2020-25643, CVE-2020-25211

Bug fixes:

• Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying directives for update: or locksmith: while also reformatting the rootfs (baselayout PR#7)
• Azure: Exclude bonded SR-IOV network interfaces with newer drivers from networkd (in addition to the old drivers) to prevent them being configured instead of just the bond interface (init PR#29, bootengine PR#19)

Changes:

• Compress kernel modules with xz (overlay PR#628)
• Add containerd-runc-shim-v* binaries required by kubelet custom CRI endpoints (overlay PR#623)
• AWS arm64: Enable elastic network adapter module (overlay PR#631)
• Equinix Metal (Packet): Exclude unused network interfaces from networkd, disregard the state of the bonded interfaces for the network-online.target and only require the bond interface itself to have at least one active link instead of routable which requires both links to be active (afterburn PR#10)
• QEMU: Use flatcar.autologin kernel command line parameter for auto login on the console (Flatcar #71)

Updates:

• Linux 5.8.14
• systemd 246
• tini 0.18
• libseccomp 2.5.0
• audit 2.8.5
• dracut 050

Security fixes:

• Linux: CVE-2020-25284, CVE-2020-14390
• jq: CVE-2015-8863, CVE-2016-4074
• sqlite: CVE-2020-11656, CVE-2020-9327, CVE-2020-11655, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358
• tcpdump and libpcap: CVE-2018-10103, CVE-2018-10105, CVE-2018-16301, CVE-2019-15163, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166, CVE-2018-19325, CVE-2018-14879, CVE-2017-16808, CVE-2018-19519, CVE-2019-15161, CVE-2019-15165, CVE-2019-15164, CVE-2019-1010220
• libbsd: CVE-2019-20367
• rsync: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843

Bug fixes:

• Enabled missing systemd services (#191, PR #612)
• Fixed Docker torcx image unpacking error on machines with less than ~600 MB total RAM (#32)
• Solved adcli Kerberos Active Directory incompatibility (#194)
• Fixed the makefile path when building kernel modules with the developer container (#195)
• Removed the /etc/portage/savedconfig/ folder that contained a dump of the firmware config flatcar-linux/coreos-overlay#613

Changes:

• GCE: Improved oslogin support and added shell aliases to run a Python Docker image (PR #592)

Updates:

• Linux 5.8.11
• Docker 19.03.13
• docker-runc 1.0.-rc92
• containerd 1.4.1
• adcli 0.9.0
• GCE: oslogin 20200910.00
• jq 1.6
• rsync 3.2.3
• tcpdump 4.9.3

Note: Please note that ARM images remain experimental for now.

Bug fixes:

• Fix resetting of DNS nameservers in systemd-networkd units (PR#12)

Changes:

• Disable TX checksum offloading for the IP-in-IP tunl0 interface used by Calico (PR#26). This is a workaround for a Mellanox driver issue, currently tracked in Flatcar#183
• Set sysctl net.ipv4.conf.(all|*).rp_filter to 0 (instead of the systemd upstream value 2) to be less restrictive which some network solutions rely on (PR#11)
• Update-engine now detects rollbacks and reports them as errors to the update server (PR#6)
• flatcar-install allows installation to a multipath drive (PR#24)
• Support the lockdown kernel command line parameter (PR#533)
• Update public key to include a new subkey

Updates:

• Linux 5.8.9
• linux-firmware 20200817
• Go 1.15.2
• Rust 1.46.0

Note: Please note that ARM images remain experimental for now.

Bug fixes:

• Resolve ipset API incompatibility Flatcar#174
• Fix udev rule warning about ignored value Flatcar#164
• Add missing render group Flatcar#169

Changes:

• Mount /sys/fs/bpf into the toolbox container and allow BPF syscalls (PR#544)
• Support loading BPF programs with tc Flatcar#172

Updates:

• Linux 5.4.61
• etcd-wrapper/etcdctl 3.3.25
• ipset 7.6
• iproute 5.8
• mdadm 4.1
• VMware: openvm-tools 11.1.5

Note: Please note that ARM images remain experimental for now.

Security fixes:

• Bind: fixes for CVE-2020-8616, CVE-2020-8617, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Bug fixes:

• etcd-wrapper: Adjust data dir permissions https://github.com/flatcar-linux/coreos-overlay/pull/536

Changes:

• Add drivers for qedf, qedi, qla4xxx as kernel modules https://github.com/flatcar-linux/coreos-overlay/pull/528

Updates:

• Linux 5.4.59
• Bind-tools 9.16.6
• Openssl 1.1.1g
• etcd-wrapper 3.3.24
• sssd 1.16.3
• kerberos 1.18.2
• Containerd 1.3.7
• Go 1.13.15 used for compilation

Bug Fixes:

• Improved logic for GPT disk UUID randomization to fix booting on Packet c3.medium.x86 machines (flatcar-linux/bootengine#17)
• gpg: add patches for accepting keys without UIDs (flatcar-linux/coreos-overlay#381)
• The static IP address configuration in the initramfs works again in the format ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]] (flatcar-linux/bootengine#15)

Changes:

• Since version 245 systemd-networkd ignores network unit files with an empty [Match] section. Add a Name=* entry to match all interfaces.
• Weave network interfaces are excluded from systemd-networkd (flatcar-linux/init#22)
• Enabled the mmio and vsock virtio kernel modules for Firecracker (flatcar-linux/coreos-overlay#485)
• Enabled CONFIG_IKHEADERS to expose kernel headers under /sys/kernel/kheaders.tar.xz
• Vultr support in Ignition (flatcar-linux/ignition#13)
• VMware OVF settings default to ESXi 6.5 and Linux 3.x

Updates:

• Linux 5.4.55
• systemd v245
• Docker 19.03.12
• gnupg 2.2.20
• cryptsetup 2.0.3
• etcd 3.3.22
• etcdctl 3.3.22
• Go 1.13.14
• Rust 1.44.1

Note: Please note that ARM images remain experimental for now.

Security Fixes:

• Malicious URLs can cause Git to expose private credentials CVE-2020-5260
• Similar to CVE-2020-5260, Malicious URLs can cause Git to expose private credentials CVE-2020-11008

Bugfixes:

• Include dig binary in ARM flatcar-linux/Flatcar#123
• Fix the login prompt issue in the ISO flatcar-linux/Flatcar#131
• app-admin/{kubelet, etcd, flannel}-wrapper: don't overwrite the user supplied –insecure-options argument https://github.com/flatcar-linux/coreos-overlay/pull/426

Updates:

• Linux - 5.4.47
• Docker - 19.03.11
• Go - 1.13.12
• strace - 5.6
• git - 2.26.2

Note: Please note that ARM images remain experimental for now.

Flatcar updates

Security fixes:

• Fix the Intel Microcode vulnerabilities (CVE-2020-0543)

Changes:

• A source code and licensing overview is available under /usr/share/licenses/INFO

Updates:

• Linux 5.4.46
• intel-microcode 20200609

Flatcar updates

Security fixes:

• Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
• Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
• Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
• Fix libidn2 domain impersonation (CVE-2019-12290)
• Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
• Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
• Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
• Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
• Fix vim arbitrary command execution via crafted file (CVE-2019-12735)

Bug fixes:

• Revert adding the SELinux use flag for docker-runc until a regression is solved
• When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (https://github.com/flatcar-linux/update_engine/pull/5)
• Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed

Changes:

• Support the CoreOS GRUB /boot/coreos/first_boot flag file (https://github.com/flatcar-linux/bootengine/pull/13)
• Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
• Add wireguard kernel module from wireguard-linux-compat
• Include wg (wireguard-tools)
• Enable regex support for jq
• Use flatcar.autologin kernel command line parameter on Azure for auto login on the serial console

Updates:

• e2fsprogs 1.45.5
• etcd 3.3.20
• etcdctl 3.3.20
• Linux 5.4.41
• OpenSSL 1.0.2u
• vim 8.2.0360
• systemd 243

Flatcar updates

Bug fixes:

• Support both guestinfo.ignition.config and guestinfo.coreos.config in coreos-cloudinit (https://github.com/flatcar-linux/coreos-cloudinit/pull/4)
• Fix VMware guestinfo variable retrieval and add missing variables in ignition (https://github.com/flatcar-linux/ignition/pull/11)
• Use flatcar.autologin for the console in oem-vmware (https://github.com/flatcar-linux/coreos-overlay/pull/308)
• Log list of coredumps with coredumpctl in mayday (https://github.com/flatcar-linux/mayday/pull/8)

Updates:

• Linux 5.4.35
• Go 1.13.10
• containerd 1.3.4
• conntrack-tools 1.4.5
• linux-firmware 20191022

Flatcar updates

Bug fixes:

• Use newest network interface naming scheme (https://github.com/flatcar-linux/Flatcar/issues/36)
  • It is a possible breaking change for some persistent network interface names
• Fix coreos-cloudinit variable names (https://github.com/flatcar-linux/coreos-overlay/pull/206)
• Prefer /boot/coreos to write updates (https://github.com/flatcar-linux/update_engine/pull/2)
• Build a download URL in a safer way (https://github.com/flatcar-linux/update_engine/issues/3)
• Remove /boot/coreos/first_boot after a Ignition rerun on migration (https://github.com/flatcar-linux/bootengine/pull/10)
• Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar-linux/ignition/pull/10)
• Make flannel cross-node traffic work with systemd > 242 (https://github.com/coreos/flannel/issues/1155, https://github.com/flatcar-linux/coreos-overlay/pull/279)

Changes:

• Add tracepath alongside traceroute6 (https://github.com/flatcar-linux/Flatcar/issues/50)
• Extend logging capabilities of mayday (https://github.com/flatcar-linux/Flatcar/issues/61)

Updates:

• Linux 4.19.113
• Docker 19.03.8
• open-vm-tools 11.0.5
• openssh 8.1
• WAAgent 2.2.46

Flatcar updates

Bug fixes:

• Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
• Do not error out in runc if SELinux is disabled on the system (https://github.com/flatcar-linux/coreos-overlay/pull/189)
• Bring back runc 1.0-rc2 for Docker 17.03 (https://github.com/flatcar-linux/coreos-overlay/pull/191)
• Use correct branch name format in developer container tools (https://github.com/flatcar-linux/dev-util/pull/2)

Updates:

• Linux 4.19.106

Flatcar updates

Security fixes:

• Fix stack-based buffer overflow in sudo (CVE-2019-18634)
• Fix incorrect access control leading to privileges escalation in runc (CVE-2019-19921)
• Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker (CVE-2020-1712)

Bug fixes:

• Fix DNS resolution for the GCE metadata server (https://github.com/flatcar-linux/coreos-overlay/pull/160)
• Use correct URLs for flatcar-linux in emerge-gitclone and scripts (https://github.com/flatcar-linux/dev-util/pull/1) (https://github.com/flatcar-linux/scripts/pull/50)
• Fix a wrong profile reference in torcx (https://github.com/flatcar-linux/coreos-overlay/pull/162)
• Create symlink for /run/metadata/coreos (https://github.com/flatcar-linux/coreos-overlay/pull/166)
• Create symlink for flatcar-install (https://github.com/flatcar-linux/init/pull/14)
• Fix backwards compatibility issues for users to migrate from CoreOS Container Linux (https://github.com/flatcar-linux/Flatcar/issues/16 https://github.com/flatcar-linux/afterburn/pull/7 https://github.com/flatcar-linux/bootengine/pull/7 https://github.com/flatcar-linux/bootengine/pull/8 https://github.com/flatcar-linux/init/pull/16 https://github.com/flatcar-linux/init/pull/17 https://github.com/flatcar-linux/ignition/pull/8)

Changes:

• Build Flatcar tarballs to be used by containers (https://github.com/flatcar-linux/scripts/pull/51)
• Enable qede kernel module

Updates:

• Linux 4.19.102
• runc 1.0.0-rc10
• sudo 1.8.31

Upstream Container Linux updates:

Security fixes:

• Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)

Updates:

• Git 2.24.1
• Ignition 0.34.0

Flatcar updates

• Linux 4.19.97

Flatcar updates

Security fixes:

• Fix a denial-of-service issue via malicious access to /dev/kvm (CVE-2019-19332)

Bug fixes:

• Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)

Updates:

• Linux 4.19.89

Flatcar updates

It is the first release done for both amd64 and arm64.

Bug fixes:

• Fix cross-build issues around WAF by creating wrappers (https://github.com/flatcar-linux/coreos-overlay/pull/137 https://github.com/flatcar-linux/coreos-overlay/pull/139)

Updates:

• ldb 1.3.6
• samba 4.8.6
• talloc 2.1.11
• tdb 1.3.15
• tevent 0.9.37

Flatcar updates

Security fixes:

• Fix heap-based buffer over-read in libexpat (CVE-2019-15903)
• Fix code injection around dynamic libraries in docker (CVE-2019-14271)

Bug fixes:

• Fix cross-build issues in rust by storing shell scripts under the source directory (https://github.com/flatcar-linux/coreos-overlay/pull/125)
• Fix bug in dealing with xattrs when unpacking torcx tarballs (https://github.com/flatcar-linux/torcx/pull/2)

Updates:

• Linux 4.19.87
• docker 19.03.5
• etcd 3.3.18
• expat 2.2.8

Flatcar updates

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
• Fix curl Kerberos FTP double free (CVE-2019-5481)
• Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5482)
• Fix OpenSSL key extraction attacks under non-default conditions (CVE-2019-1563, CVE-2019-1547)
• Fix panic caused by invalid DSA public keys in Go 1.12 and 1.13 (CVE-2019-17596)

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
• Fix time zone for Brazil (#2627)

Updates:

• Go 1.12.12 and 1.13.3
• curl 7.66.0
• intel-microcode 20191115
• Linux 4.19.84
• OpenSSL 1.0.2t
• timezone-data 2019c

Upstream Container Linux updates:

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
• Fix time zone for Brazil (#2627)

Updates:

• Linux 4.19.81
• timezone-data 2019c

Upstream Container Linux updates:

Changes:

• Pin rkt to Go 1.12

Updates:

• Go 1.12.10
• Go 1.13.2
• Linux 4.19.80

Upstream Container Linux updates:

Security fixes:

• Fix sudo allowing a user to run commands as root if configured to permit the user to run commands as everyone other than root (CVE-2019-14287)

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)

Updates:

• etcd 3.3.17
• etcdctl 3.3.17
• Go 1.12.9
• Linux 4.19.79
• sudo 1.8.28

Upstream Container Linux updates:

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)

Updates:

• Linux 4.19.78

Upstream Container Linux updates:

Security fixes:

• Fix dbus authentication bypass in non-default configurations (CVE-2019-12749)
• Fix kernel KVM guest escape (CVE-2019-14835)
• Fix race condition in Intel microprocessors (CVE-2019-11184)

Updates:

• intel-microcode 20190918
• Linux 4.19.75

Upstream Container Linux updates:

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.71

Upstream Container Linux updates:

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.69

Upstream Container Linux updates:

Security fixes:

• Fix libarchive out of bounds reads (CVE-2017-14166, CVE-2017-14501, CVE-2017-14502, CVE-2017-14503)
• Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
• Fix polkit information disclosure and denial of service (CVE-2018-1116)
• Fix SQLite multiple vulnerabilities, the worst of which allows code execution (CVE-2019-5018, CVE-2019-9936, CVE-2019-9937)
• Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)

Updates:

• etcd 3.3.15
• etcdctl 3.3.15
• Go 1.12.7
• Linux 4.19.68
• wget 1.20.3

Upstream Container Linux updates:

Security fixes:

• Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)

Updates:

• Linux 4.19.65

Flatcar updates

Bug fixes:

• Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar-linux/ignition/issues/2)
• Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
• Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)

Upstream Container Linux updates:

Security fixes:

• Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)

Updates:

• Linux 4.19.65

Flatcar updates

Changes:

• Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)

Upstream Container Linux updates:

Bug fixes:

• Fix Ignition fetching from S3 URLs when network is slow to start (ignition#826)

Updates:

• Linux 4.19.62

Upstream Container Linux updates:

Bug fixes:

• Fix Docker device or resource busy error when creating overlay mounts, introduced in 2191.0.0

Updates:

• Linux 4.19.58

Upstream Container Linux updates:

Security fixes:

• Fix libexpat denial of service (CVE-2018-20843)

Bug fixes:

• Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)

Updates:

• expat 2.2.7
• Ignition 0.33.0
• Linux 4.19.56

Upstream Container Linux updates:

Bug fixes:

• Temporarily revert bunzip2 change in 2163.0.0 causing decompression failures for invalid archives created by older versions of lbzip2, including Container Linux release images (#2589)

Updates:

• intel-microcode 20190618
• Linux 4.19.55

Upstream Container Linux updates:

Security fixes:

• Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Updates:

• Linux 4.19.50

Upstream Container Linux updates:

Bug fixes:

• Temporarily revert bunzip2 change in 2163.0.0 causing decompression failures for invalid archives created by older versions of lbzip2, including Container Linux release images (#2589)

Upstream Container Linux updates:

Security fixes:

• Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5436)

Updates:

• coreutils 8.30
• curl 7.65.0
• GCC 8.3.0
• glibc 2.29
• Linux 4.19.47
• Rust 1.35.0

Upstream Container Linux updates:

Updates:

• etcd 3.3.13
• etcdctl 3.3.13
• Go 1.12.5
• intel-microcode 20190514
• Linux 4.19.44

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)

Updates:

• intel-microcode 20190514
• Linux 4.19.43

Upstream Container Linux updates:

Security fixes:

• Fix SQLite remote code execution (CVE-2018-20346)
• Fix GLib multiple vulnerabilities

Bug fixes:

• Fix systemd MountFlags=shared option (#2579)

Changes:

• Use Amazon's recommended NVMe timeout for new EC2 installs (#2484)
• Pin network interface naming to systemd v238 scheme (#2578)
• Enable XDP sockets (#2580)

Updates:

• Linux 4.19.37
• Rust 1.34.1

Upstream Container Linux updates:

Security fixes:

• Fix libseccomp privilege escalation (CVE-2019-9893)

Bug fixes:

• Disable new sticky directory protections for backward compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Go 1.12.4
• Ignition 0.32.0
• libseccomp 2.4.0
• Linux 4.19.36
• Rust 1.34.0
• tini 0.18.0

Upstream Container Linux updates:

Security fixes:

• Fix libmspack vulnerabilities in the VMware agent for new installs (CVE-2018-14679, CVE-2018-14680, CVE-2018-14681, CVE-2018-14682, CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)

Updates:

• Afterburn (formerly coreos-metadata) 4.0.0
• Git 2.21.0
• Go 1.12.2
• Linux 4.19.34

Upstream Container Linux updates:

Security fixes:

• Fix OpenSSH scp allowing remote servers to change target directory permissions (CVE-2018-20685)
• Fix OpenSSH outputting ANSI control codes from remote servers (CVE-2019-6109, CVE-2019-6110)
• Fix OpenSSH scp allowing remote servers to overwrite arbitrary files (CVE-2019-6111)
• Fix OpenSSL side-channel timing attack (CVE-2018-5407)
• Fix OpenSSL padding oracle attack in misbehaving applications (CVE-2019-1559)
• Fix ntp ntpd denial of service by authenticated user (CVE-2019-8936)
• Fix ntp buffer overflow in ntpq and ntpdc (CVE-2018-12327)

Bug fixes:

• Fix systemd presets incorrectly handling escaped unit names (#2569)

Updates:

• GCC 8.2.0
• Go 1.12.1
• IANA timezone database 2018i
• Linux 4.19.31
• ntp 4.2.8p13
• OpenSSH 7.9p1
• OpenSSL 1.0.2r
• Update Engine 0.4.10

Upstream Container Linux updates:

Security fixes:

• Fix tar local denial of service with --sparse option (CVE-2018-20482)
• Fix wget local information leak (CVE-2018-20483)

Bug fixes:

• Fix systemd-journald memory leak (#2564)

Changes:

• Enable vhost_vsock kernel module (#2563)

Updates:

• Go 1.12
• Linux 4.19.28
• Rust 1.33.0
• systemd 241
• tar 1.31
• wget 1.20.1

Upstream Container Linux updates:

Security fixes:

• Fix curl vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823)
• Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
• Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)

Updates:

• curl 7.64.0
• Docker 18.06.3-ce
• Ignition 0.31.0
• Linux 4.19.25

Upstream Container Linux updates:

Security fixes:

• Fix runc container breakout (CVE-2019-5736)

Changes:

• Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)
• Add a new subkey for signing release images

Updates:

• etcd 3.3.12
• etcdctl 3.3.12
• flannel 0.11.0
• Linux 4.19.20

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in ECC (CVE-2019-6486)

Updates:

• btrfs-progs 4.19
• e2fsprogs 1.44.5
• glibc 2.27
• Go 1.10.8
• Go 1.11.5
• Linux 4.19.18
• Rust 1.32.0
• util-linux 2.33
• xfsprogs 4.17.0

Upstream Container Linux updates:

Security fixes:

• Fix systemd-journald privilege escalation (CVE-2018-16864, CVE-2018-16865)
• Fix systemd-journald out of bounds read (CVE-2018-16866)
• Fix ntpq, ntpdc buffer overflow (CVE-2018-12327)
• Fix etcd improper authentication with RBAC and client certs (CVE-2018-16886)

Changes:

• Add ip_vs_mh kernel module (#2542)

Updates:

• etcd 3.3.11
• etcdctl 3.3.11
• Linux 4.19.15
• ntp 4.2.8p12
• sudo 1.8.25p1

Upstream Container Linux updates:

Bug fixes:

• Fix monitoring process events over netlink (#2537)

Updates:

• Ignition 0.30.0
• Go 1.10.7
• Go 1.11.4
• Linux 4.19.13

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
• Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)

Bug fixes:

• Fix AWS, Azure, and GCE disk aliases in the initramfs for Ignition (#2531)

Updates:

• Go 1.10.6
• Go 1.11.3
• Ignition 0.29.1
• Linux 4.19.9
• Rust 1.31.0
• wa-linux-agent 2.2.32

Upstream Container Linux updates:

Updates:

• Linux 4.19.6
• iptables 1.6.2

Upstream Container Linux updates:

Security fixes:

• Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)
• Fix curl buffer overrun in NTLM authentication code (CVE-2018-14618)
• Fix OpenSSL TLS client denial of service (CVE-2018-0732)
• Fix OpenSSL timing side channel in DSA signature generation (CVE-2018-0734)
• Fix OpenSSL timing side channel via SMT port contention (CVE-2018-5407)

Updates:

• coreos-metadata 3.0.2
• curl 7.61.1
• Go 1.10.5
• Go 1.11.2
• Linux 4.19.2
• OpenSSL 1.0.2p
• Rust 1.30.1

Upstream Container Linux updates:

Security fixes:

• Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
• Fix systemd race allowing changing file permissions (CVE-2018-15687)
• Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)

Bug fixes:

• Add AWS and GCE disk aliases in the initramfs for Ignition (#2481)
• Add compatibility nf_conntrack_ipv4 kernel module to fix kube-proxy IPVS on Linux 4.19 (#2518)

Updates:

• IANA timezone database 2018e
• kexec-tools 2.0.17
• Linux 4.19.1

Upstream Container Linux updates:

Security fixes:

• Fix Git remote code execution during recursive clone (CVE-2018-17456)
• Fix OpenSSH user enumeration (CVE-2018-15473)
• Fix Rust standard library integer overflow (CVE-2018-1000810)

Bug fixes:

• Fix missing kernel headers (#2505)

Updates:

• coreos-metadata 3.0.1
• etcd-wrapper 3.3.10
• etcdctl 3.3.10
• Git 2.18.1
• Linux 4.19
• linux-firmware 20181001
• OpenSSH 7.7p1
• Rust 1.29.1

Flatcar updates

Changes:

• Add new image signing subkey to flatcar-install (flatcar-linux/init#4)

Bug fixes:

• Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)

Upstream Container Linux updates:

Updates:

• glibc 2.26
• Go 1.11.1
• Linux 4.18.12
• nfs-utils 2.3.1
• open-vm-tools 10.3.0

Upstream Container Linux updates:

Bug fixes:

• Fix Google Compute Engine OS Login activation (#2503)

Updates:

• Linux 4.18.9

Upstream Container Linux updates:

Bug fixes:

• Fix Docker mounting named volumes (#2497)
• Fix Azure disk detection in Ignition (#2481)

Changes:

• Add support for Google Compute Engine OS Login
• Enable support for Mellanox Ethernet switches

Updates:

• coreos-metadata 3.0.0
• Go 1.10.4
• Go 1.11
• intel-microcode 20180807a
• Linux 4.18.7
• update-ssh-keys 0.3.0

Upstream Container Linux updates:

Changes:

• Add CIFS userspace utilities (#571)
• Drop AWS PV images from regions which do not support PV

Updates:

• containerd 1.1.2
• Docker 18.06.1-ce
• Ignition 0.28.0
• Linux 4.18.5
• Rust 1.28.0

Upstream Container Linux updates:

Security fixes:

• Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
• Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)
• Fix curl SMTP buffer overflow (CVE-2018-0500)

Bug fixes:

• Fix PXE systems attempting to mount an ESP (#2491)

Updates:

• coreos-metadata 2.0.0
• curl 7.61.0
• Ignition 0.27.0
• Linux 4.17.15
• update-ssh-keys 0.2.1

Upstream Container Linux updates:

Security fixes:

• Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)

Bug fixes:

• Fix failure to mount large ext4 filesystems (#2485)

Updates:

• Linux 4.17.12

Upstream Container Linux updates:

Changes:

• Remove ARM64 architecture
• Remove developer image from SDK

Updates:

• etcd 3.3.9
• etcdctl 3.3.9
• Linux 4.17.11

Upstream Container Linux updates:

Changes:

• Add torcx remotes support

Updates:

• containerd 1.1.1
• Docker 18.06.0-ce
• intel-microcode 20180703
• Linux 4.17.9
• Update Engine 0.4.9

Upstream Container Linux updates:

Security fixes:

• Fix curl buffer overflows (CVE-2018-1000300, CVE-2018-1000301)
• Fix Linux random seed during early boot (CVE-2018-1108)

Changes:

• Reads of /dev/urandom early in boot will block until entropy pool is fully initialized
• Support friendly AWS EBS NVMe device names (#2399)

Updates:

• cryptsetup 1.7.5
• curl 7.60.0
• etcd-wrapper 3.3.8
• etcdctl 3.3.8
• intel-microcode 20180616
• kmod 25
• Linux 4.17.3
• linux-firmware 20180606
• Locksmith 0.6.2
• OpenSSL 1.0.2o

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Changes:

• Drop obsolete cros_sdk method of entering SDK

Updates:

• etcd 3.3.7
• etcdctl 3.3.7
• Go 1.9.7
• Go 1.10.3
• Ignition 0.26.0
• Linux 4.16.16
• torcx 0.2.0

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Upstream Container Linux updates:

Security fixes:

• Fix multiple procps vulnerabilities (CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126, CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1126)
• Fix shadow privilege escalation (CVE-2018-7169)
• Fix samba man-in-the-middle attack (CVE-2016-2119)
• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix failure to set network interface MTU (#2443)
• Fix inadvertent change of network interface names (#2437)
• Fix Docker bind mounts from root filesystem (#2440)

Changes:

• Update VMware virtual hardware version to 11 (ESXi > 6.0)

Updates:

• etcd 3.3.6
• etcdctl 3.3.6
• Git 2.16.4
• Linux 4.16.14
• open-vm-tools 10.2.5
• procps 3.3.15
• samba 4.5.16
• shadow 4.6

Upstream Container Linux updates:

Security fixes:

• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix failure to set network interface MTU (#2443)

Updates:

• Git 2.16.4
• Linux 4.16.13

Upstream Container Linux updates:

Bug fixes:

• Fix inadvertent change of network interface names (#2437)
• Fix Docker bind mounts from root filesystem (#2440)

Upstream Container Linux updates:

Security fixes:

• Fix ncurses denial of service and arbitrary code execution (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113, CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13733, CVE-2017-13734, CVE-2017-16879)
• Fix rsync arbitrary command execution (CVE-2018-5764)
• Fix wget cookie injection (CVE-2018-0494)

Changes:

• Enable QLogic FCoE offload support (#2367)
• Enable hardware RNG kernel drivers (#2430)
• Add notrap to ntpd default access restrictions (#2220)
• Allow booting default GRUB menu entry if GRUB password is enabled (#1597)
• coreos-install -i no longer modifies grub.cfg (#2291)
• QEMU wrapper script now enables VirtIO RNG device

Updates:

• bind-tools 9.11.2-P1
• Docker 18.05.0-ce
• etcd-wrapper 3.3.5
• etcdctl 3.3.5
• GnuPG 2.2.7
• GPT fdisk 1.0.3
• Ignition 0.25.1
• Less 529
• Linux 4.16.10
• rsync 3.1.3
• Rust 1.26
• util-linux 2.32
• vim 8.0.1298
• wget 1.19.5

Upstream Container Linux updates:

Bug fixes:

• Fix GRUB free magic error on existing systems (#2400)

Changes:

• Support storing sudoers in SSSD and LDAP
• No longer publish Oracle Cloud release images

Updates:

• audit 2.7.1
• coreutils 8.28
• etcd-wrapper 3.3.4
• etcdctl 3.3.4
• Go 1.9.6
• Go 1.10.2
• Linux 4.16.7
• sudo 1.8.23
• Update Engine 0.4.7
• wa-linux-agent 2.2.25

Upstream Container Linux updates:

Security fixes:

• Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
• Fix ntp denial of service from out of bounds read (CVE-2018-7182)
• Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
• Fix ntp remote code execution (CVE-2018-7183)

Bug fixes:

• Pass /etc/machine-id from the host to the kubelet
• Fix docker2aci tar conversion (#2402)
• Switch /boot from FAT16 to FAT32 (#2246)

Changes:

• Make Ignition failures more visible on the console

Updates:

• containerd 1.0.3
• coreos-cloudinit 1.14.0
• coreos-metadata 1.0.6
• Docker 18.04.0-ce
• Go 1.9.5
• Go 1.10.1
• Linux 4.16.3
• ntp 4.2.8p11
• rkt 1.30.0
• Rust 1.25.0
• torcx 0.1.3
• update-ssh-keys 0.1.2

Flatcar updates

Initial Flatcar release.

Notes:

• Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.

Upstream Container Linux updates:

Security fixes:

• Fix curl out of bounds read (CVE-2018-1000005)
• Fix curl authentication data leak (CVE-2018-1000007)
• Fix curl buffer overflow (CVE-2018-1000120)
• Fix glibc integer overflow in libcidn (CVE-2017-14062)
• Fix glibc memory issues in glob() with ~ (CVE-2017-15670, CVE-2017-15671, CVE-2017-15804)
• Fix glibc mishandling RPATHs with $ORIGIN on setuid binaries (CVE-2017-16997)
• Fix glibc buffer underflow in realpath() (CVE-2018-1000001)
• Fix glibc integer overflow and heap corruption in memalign() (CVE-2018-6485)

Bug fixes:

• Fix GRUB crash at boot (#2284)

Updates:

• curl 7.59.0
• etcd-wrapper 3.3.3
• etcdctl 3.3.3
• glibc 2.25
• Ignition 0.24.0
• Linux 4.15.15
• Update Engine 0.4.6

Changes:

• The Linux kernel is compiled with FIPS support
• Containerd CRI plugin got enabled by default, only the containerd socket path needs to be specified as kubelet parameter for Kubernetes 1.20 to use containerd instead of Docker (Flatcar#283)

Updates:

• Linux (5.4.83)
• Docker (19.03.14)
• containerd (1.4.3)
• systemd (246.6)