Releases

Flatcar updates

Security fixes:

• Fix a denial-of-service issue via malicious access to /dev/kvm (CVE-2019-19332)

Bug fixes:

• Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)
• Use rkt instead of docker in kubelet-wrapper (https://github.com/flatcar-linux/coreos-overlay/pull/148)

Changes:

• Support the default layout feature in mdadm (https://github.com/flatcar-linux/coreos-overlay/pull/146)

Updates:

• Linux 5.4.4
• containerd 1.3.2
• mdadm 4.1
• wireguard 20191212

Flatcar updates

This release is done for both amd64 and arm64.

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
• Fix curl Kerberos FTP double free (CVE-2019-5481)
• Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5482)
• Fix openssl key extraction attacks under non-default conditions (CVE-2019-1563, CVE-2019-1547)
• Fix heap-based buffer over-read in libexpat (CVE-2019-15903)

Bug fixes:

• Fix cross-build issues around WAF by creating wrappers (https://github.com/flatcar-linux/coreos-overlay/pull/138)
• Fix rust-related issues around cross toolchains (https://github.com/flatcar-linux/scripts/pull/34)
• Fix time zone for Brazil (https://github.com/flatcar-linux/coreos-overlay/pull/118)

Changes:

• Support cross-builds for ARM64 (https://github.com/flatcar-linux/coreos-overlay/pull/122)

Updates:

• Linux 5.4.2
• curl 7.66.0
• docker 19.03.5
• etcd 3.3.18
• expat 2.2.8
• intel-microcode 20191115
• ldb 1.3.6
• openssl 1.0.2t
• samba 4.8.6
• talloc 2.1.11
• tdb 1.3.15
• tevent 0.9.37
• timezone-data 2019c

Flatcar updates

Bug fixes:

• Fix wrong CROS_WORKON_COMMIT values (https://github.com/flatcar-linux/coreos-overlay/pull/101)
• Fix bug of unpacking tarballs failing when xattr is not supported (https://github.com/flatcar-linux/torcx/pull/3)

Changes:

• Replace rkt with docker in scripts like kubelet-wrapper (https://github.com/flatcar-linux/coreos-overlay/pull/103)

Updates:

• docker 19.03.4
• containerd 1.3.0

Flatcar updates

Bug fixes:

• Fix issue of missing patches in grub (https://github.com/flatcar-linux/grub/pull/1)
• Fix issue of wrong commit IDs for repos like init

Flatcar updates

Security fixes:

• Fix panic caused by invalid DSA public keys in Go 1.12 and 1.13 (CVE-2019-17596)
• Fix AppArmor restriction bypass issue in runc 1.0.0-rc8 or older (CVE-2019-16884)
• Fix bypass of certain policy blacklists and session PAM modules in sudo 1.8.27 or older (CVE-2019-14287)

Bug fixes:

• Fix rkt fetch issue that does not work without docker:// prefix in URLs (https://github.com/flatcar-linux/coreos-overlay/pull/96)
• Multiple bug fixes from the upstream systemd-stable repo (https://github.com/flatcar-linux/coreos-overlay/pull/97)

Updates:

• Linux 5.3.7
• Go 1.12.12 and 1.13.3
• runc 1.0.0-rc9
• sudo 1.8.28

Flatcar updates

Security fixes:

• Fix dbus authentication bypass in non-default configurations (CVE-2019-12749)
• Fix kernel KVM guest escape (CVE-2019-14835)
• Fix race condition in Intel microprocessors (CVE-2019-11184)
• Fix invalid HTTP/1.1 handling in net/http of Go (CVE-2019-16276)

Bug fixes:

• Fix path prefix in crio-wipe.service in cri-o (https://github.com/flatcar-linux/coreos-overlay/pull/91)
• Fix ListenPort= in WireGuard section in systemd (https://github.com/flatcar-linux/systemd/pull/5)

Updates:

• Linux 5.3.1
• Go 1.12.10
• coreos-firmware 20190815 (https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20190815)
• cri-o 1.15.2
• cri-tools 1.16.1
• intel-microcode 20190918

Flatcar updates

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix commit ID to match with Manifest in coreos-firmware (https://github.com/flatcar-linux/coreos-overlay/pull/76)
• Use mantle/ignition versions which have the opt/org.flatcar-linux Ignition variable (https://github.com/flatcar-linux/coreos-overlay/pull/77)

Updates:

• Linux 5.2.13
• systemd v242 (https://github.com/flatcar-linux/coreos-overlay/pull/71)
• containerd 1.2.8
• cri-o 1.15.1
• docker 19.03.2

Flatcar updates

Security fixes:

• Fix secret leakage in libgcrypt (CVE-2018-6829)
• Fix denial of service in libtasn1 (CVE-2018-1000654)
• Fix bypass of a protection mechanism in libxslt (CVE-2019-11068)

Bug fixes:

• Fix an issue of oem-gce crashlooping in GCE images (https://github.com/flatcar-linux/coreos-overlay/pull/69)

Updates:

• Linux 5.2.11
• libgcrypt 1.8.3
• libtasn1 4.13
• libxslt 1.1.33

Flatcar updates

Security fixes:

• Fix denial of service in HTTP/2 implementations written in Go (CVE-2019-9512 CVE-2019-9514 CVE-2019-14809 )
• Fix arbitrary execution of code in libarchive ( CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 )
• Fix privilege escalation issues in polkit (CVE-2018-1116 CVE-2018-19788 )
• Fix arbitrary execution of SQL statements in sqlite ( CVE-2019-5018 CVE-2019-9936 CVE-2019-9937 )
• Fix arbitrary execution of code in wget ( CVE-2019-5953 )
• Fix issues of secret leakage and nsswitch based config in Docker ( CVE-2019-13509 CVE-2019-14271 )

Bug fixes:

• Remove unnecessary dependency on Go 1.6 from cgroupid (https://github.com/flatcar-linux/coreos-overlay/commit/20f24ed14daf747e9b6923ee6baf2aa3635589e8)

Updates:

• Linux 5.2.9
• Binutils 2.32-r1
• Docker 19.03.1
• Go 1.12.9
• Libarchive 3.3.3
• Patch 2.7.6-r4
• Polkit 0.113-r5
• Rust 1.37.0
• Cargo 1.37.0 (https://github.com/rust-lang/cargo/releases/tag/0.38.0)
• Sqlite 3.29.0
• Wget 1.20.3

Upstream Container Linux updates:

Security fixes:

• Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)

Flatcar updates

Security fixes:

• Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/flatcar-linux/coreos-overlay/pull/61) (CVE-2019-3842)

Bug fixes:

• Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
• Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)

Updates:

• Linux 5.2.7
• cri-o 1.15.0

Changes:

• Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)

Upstream Container Linux updates:

Bug fixes:

• Fix Ignition fetching from S3 URLs when network is slow to start (ignition#826)

Flatcar updates

Bug fixes:

• Fix cgroup v2 path for systemd hybrid mode in runc (https://github.com/flatcar-linux/coreos-overlay/pull/58)
• Fix issue of rsyslog not running with root directory in systemd (https://github.com/flatcar-linux/systemd/pull/3)

Updates:

• Linux 5.2.5

Changes:

• Enable SELinux for tar and coreutils for SDK profile (https://github.com/flatcar-linux/coreos-overlay/pull/55)

Flatcar updates

Bug fixes:

• Temporary workaround for runc on Flatcar: disable SELinux for runc v1.0.0-rc8
• Fix a bug in bind mount options in systemd

Updates:

• Upgrade runc to 1.0.0-rc8

Upstream Container Linux updates:

Bug fixes:

• Fix Docker device or resource busy error when creating overlay mounts, introduced in 2191.99.0

Flatcar updates

Updates:

• Linux 5.2.1

Flatcar updates

Bug fixes:

• Fix a bug in systemd not being able to activate netlink (https://github.com/flatcar-linux/coreos-overlay/pull/49)

Updates:

• Linux 5.2
• docker 18.09.7
• wireguard 0.0.20190702
• coreos-firmware 20190620

Upstream Container Linux updates:

Security fixes:

• Fix libexpat denial of service (CVE-2018-20843)

Bug fixes:

• Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (https://github.com/coreos/ignition/issues/821)

Updates:

• expat 2.2.7
• Ignition 0.33.0

Flatcar updates

Bug fixes:

• make containerd listen on localhost (https://github.com/flatcar-linux/coreos-overlay/pull/41)

Updates:

• Linux 5.1.15
• cri-tools 1.14.0

Changes:

• Fix installation prefix of conmon in a cri-o example config (https://github.com/flatcar-linux/coreos-overlay/pull/43)

Flatcar updates

Security fixes:

• Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Updates:

• Linux 5.1.11
• cri-o 1.14.4

Flatcar updates

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)

Bug fixes:

• Fix kernel build path issues to build coreos-firmware (https://github.com/flatcar-linux/coreos-overlay/pull/36) (https://github.com/flatcar-linux/coreos-overlay/pull/31)

Updates:

• intel-microcode 20190514
• Linux 5.1.5

Initial release

This is the first release meant to be used by the public so all the Edge changes are listed.

Flatcar updates

Changes:

• Add bpftool (https://github.com/flatcar-linux/coreos-overlay/pull/24)
• Add wireguard (https://github.com/flatcar-linux/coreos-overlay/pull/32)
• Add a new package cri-o (https://github.com/flatcar-linux/coreos-overlay/pull/29)
• Add cgroupid and patch runc for OCI hooks (https://github.com/flatcar-linux/coreos-overlay/pull/23)
• Enable cgroup v2 via kernel command line (https://github.com/flatcar-linux/scripts/commit/271ec2423bc99c9d23faf4ab6ae722726f955966)
• Add missing OEM changes for cloud providers to enable cgroup v2 (https://github.com/flatcar-linux/coreos-overlay/commit/f4dde83caf457fc5b480edbbb54d550632c92cf3)
• Make docker and containerd support cgroup v2 (https://github.com/flatcar-linux/coreos-overlay/commit/8184af2518634c115dd6ef623959da5948be4cca)
• Add CFLAGS to prevent the Spectre v2 (https://github.com/flatcar-linux/coreos-overlay/pull/28)

Updates:

• Linux 5.1.0

Flatcar updates

Changes:

• add a new package cri-o (https://github.com/flatcar-linux/coreos-overlay/pull/29)
• add CFLAGS to prevent the Spectre v2 (https://github.com/flatcar-linux/coreos-overlay/pull/28)

Updates:

• Linux 5.0.9

Flatcar updates

Changes:

• add cgroupid and patch runc for OCI hooks (https://github.com/flatcar-linux/coreos-overlay/pull/23)
• add bpftool (https://github.com/flatcar-linux/coreos-overlay/pull/24)

Updates:

• Linux 5.0.7

Flatcar updates

Updates:

• Linux 5.0.1

Flatcar updates

Bug fixes:

• Add missing OEM changes for cloud providers to enable cgroup v2 (https://github.com/flatcar-linux/coreos-overlay/commit/f4dde83caf457fc5b480edbbb54d550632c92cf3)

Flatcar updates

Changes:

• enable cgroup v2 via kernel command line (https://github.com/flatcar-linux/scripts/commit/271ec2423bc99c9d23faf4ab6ae722726f955966)
• make docker and containerd support cgroup v2 (https://github.com/flatcar-linux/coreos-overlay/commit/8184af2518634c115dd6ef623959da5948be4cca)

Upstream Container Linux updates:

Security fixes:

• Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)

Updates:

• Git 2.24.1
• Linux 4.19.95

Flatcar updates

Bug fixes:

• Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)

Updates:

• ldb 1.3.6
• samba 4.8.6
• talloc 2.1.11
• tdb 1.3.15
• tevent 0.9.37

Upstream Container Linux updates:

Updates:

• Linux 4.19.87

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)

Updates:

• intel-microcode 20191115
• Linux 4.19.84

Upstream Container Linux updates:

Bug fixes:

• Fix time zone for Brazil (#2627)

Updates:

• Linux 4.19.81
• timezone-data 2019c

Upstream Container Linux updates:

Updates:

• Linux 4.19.79

Upstream Container Linux updates:

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2247.3.0 (#2616)

Updates:

• Linux 4.19.78

Upstream Container Linux updates:

Security fixes:

• Fix kernel KVM guest escape (CVE-2019-14835)
• Fix race condition in Intel microprocessors (CVE-2019-11184)

Updates:

• intel-microcode 20190918
• Linux 4.19.75

Upstream Container Linux updates:

Updates:

• Linux 4.19.71

Upstream Container Linux updates:

Security fixes:

• Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.69

Upstream Container Linux updates:

Security fixes:

• Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)

Updates:

• Linux 4.19.68
• wget 1.20.3

Upstream Container Linux updates:

Security fixes:

• Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)

Updates:

• Linux 4.19.65

Flatcar updates

Bug fixes:

• Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar-linux/ignition/issues/2)
• Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
• Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)

Upstream Container Linux updates:

Security fixes:

• Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)

Updates:

• Linux 4.19.65

Flatcar updates

Changes:

• Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)

Upstream Container Linux updates:

• Linux 4.19.62

Upstream Container Linux updates:

No changes for beta promotion

Upstream Container Linux updates:

Bug fixes:

• Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)

Updates:

• Ignition 0.33.0

Upstream Container Linux updates:

Updates:

• Linux 4.19.53

Upstream Container Linux updates:

Security fixes:

• Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Bug fixes:

• Fix invalid bzip2 compression of Container Linux release images (#2589)

Updates:

• Linux 4.19.50

Upstream Container Linux updates:

Updates:

• Linux 4.19.44

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)

Updates:

• intel-microcode 20190514
• Linux 4.19.43

Upstream Container Linux updates:

Bug fixes:

• Fix systemd MountFlags=shared option (#2579)

Changes:

• Pin network interface naming to systemd v238 scheme (#2578)

Upstream Container Linux updates:

Bug fixes:

• Disable new sticky directory protections for backward compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Linux 4.19.36

Upstream Container Linux updates:

Bug fixes:

• Disable new sticky directory protections for backwards compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Linux 4.19.34

Upstream Container Linux updates:

Bug fixes:

• Fix systemd presets incorrectly handling escaped unit names (#2569)

Updates:

• Linux 4.19.31

Upstream Container Linux updates:

Bug fixes:

• Fix systemd-journald memory leak (#2564)

Updates:

• Linux 4.19.28

Upstream Container Linux updates:

Security fixes:

• Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
• Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)

Updates:

• Linux 4.19.25

Upstream Container Linux updates:

Updates:

• Linux 4.19.23

Upstream Container Linux updates:

Security fixes:

• Fix runc container breakout (CVE-2019-5736)

Changes:

• Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)

Updates:

• etcd 3.3.12
• etcdctl 3.3.12
• Linux 4.19.20

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in ECC (CVE-2019-6486)

Updates:

• Go 1.10.8
• Go 1.11.5
• Linux 4.19.18

Upstream Container Linux updates:

Updates:

• Linux 4.19.13

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
• Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)

Updates:

• Go 1.10.6
• Go 1.11.3
• Linux 4.14.88

Upstream Container Linux updates:

Changes:

• Switch to the LTS Linux version 4.14.84 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)

Updates:

• Linux 4.14.81

Upstream Container Linux updates:

Security fixes:

• Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
• Fix systemd race allowing changing file permissions (CVE-2018-15687)
• Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)

Changes:

• Switch to the LTS Linux version 4.14.79 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Fix Git remote code execution during recursive clone (CVE-2018-17456)

Bug fixes:

• Fix missing kernel headers (#2505)

Updates:

• Git 2.16.5
• Linux 4.14.78

Flatcar updates

Changes:

• Add new image signing subkey to flatcar-install (flatcar-linux/init#4)

Bug fixes:

• Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)

Upstream Container Linux updates:

Changes:

• Switch to the LTS Linux version 4.14.74 for the beta channel

Upstream Container Linux updates:

Bug fixes:

• Fix Docker mounting named volumes (#2497)

Changes:

• Switch to the LTS Linux version 4.14.69 for the beta channel

Updates:

• intel-microcode 20180807a

Upstream Container Linux updates:

Changes:

• Drop AWS PV images from regions which do not support PV

Updates:

• containerd 1.1.2
• Docker 18.06.1-ce
• intel-microcode 20180807a
• Linux 4.14.67

Upstream Container Linux updates:

Security fixes:

• Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
• Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)

Bug fixes:

• Fix PXE systems attempting to mount an ESP (#2491)

Changes:

• Switch to the LTS Linux version 4.14.63 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)

Bug fixes:

• Fix failure to mount large ext4 filesystems (#2485)

Updates:

• Linux 4.14.60

Upstream Container Linux updates:

Bug fixes:

• Fix kernel CIFS client (#2480)

Updates:

• Linux 4.14.59

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.57 for the beta channel

Upstream Container Linux updates:

Updates:

• Linux 4.14.55

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.50 for the beta channel

Upstream Container Linux updates:

Bug fixes:

• Fix TCP connection stalls (#2457)

Updates:

• Linux 4.14.49

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Updates:

• Linux 4.14.48

Upstream Container Linux updates:

Security fixes:

• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix inadvertent change of network interface names (#2437)
• Fix failure to set network interface MTU (#2443)

Updates:

• Git 2.16.4
• Linux 4.14.47

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.42 for the beta channel

Updates:

• Ignition 0.24.1

Upstream Container Linux updates:

Security fixes:

• Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
• Fix ntp denial of service from out of bounds read (CVE-2018-7182)
• Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
• Fix ntp remote code execution (CVE-2018-7183)

Updates:

• containerd 1.0.3
• Docker 18.03.1-ce
• Linux 4.14.39
• ntp 4.2.8p11

Upstream Container Linux updates:

Bug fixes:

• Fix docker2aci tar conversion (#2402)

Changes:

• Switch to the LTS Linux version 4.14.35 for the beta channel

Flatcar updates

Initial Flatcar release.

Bug fixes:

• Fix GRUB crash at boot (#2284)
• Fix poweroff problems (#8080)

Notes:

• Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.

Upstream Container Linux updates:

Bug fixes:

• Fix kernel panic with vxlan (#2382)

Flatcar updates

Security fixes:

• Fix a denial-of-service issue via malicious access to /dev/kvm (CVE-2019-19332)

Bug fixes:

• Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)

Updates:

• Linux 4.19.89

Flatcar updates

It is the first release done for both amd64 and arm64.

Bug fixes:

• Fix cross-build issues around WAF by creating wrappers (https://github.com/flatcar-linux/coreos-overlay/pull/137 https://github.com/flatcar-linux/coreos-overlay/pull/139)

Updates:

• ldb 1.3.6
• samba 4.8.6
• talloc 2.1.11
• tdb 1.3.15
• tevent 0.9.37

Flatcar updates

Security fixes:

• Fix heap-based buffer over-read in libexpat (CVE-2019-15903)
• Fix code injection around dynamic libraries in docker (CVE-2019-14271)

Bug fixes:

• Fix cross-build issues in rust by storing shell scripts under the source directory (https://github.com/flatcar-linux/coreos-overlay/pull/125)
• Fix bug in dealing with xattrs when unpacking torcx tarballs (https://github.com/flatcar-linux/torcx/pull/2)

Updates:

• Linux 4.19.87
• docker 19.03.5
• etcd 3.3.18
• expat 2.2.8

Flatcar updates

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
• Fix curl Kerberos FTP double free (CVE-2019-5481)
  • Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5482)
  • Fix OpenSSL key extraction attacks under non-default conditions (CVE-2019-1563, CVE-2019-1547)
• Fix panic caused by invalid DSA public keys in Go 1.12 and 1.13 (CVE-2019-17596)

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
• Fix time zone for Brazil (#2627)

Updates:

• Go 1.12.12 and 1.13.3
• curl 7.66.0
• intel-microcode 20191115
• Linux 4.19.84
• OpenSSL 1.0.2t
• timezone-data 2019c

Upstream Container Linux updates:

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
• Fix time zone for Brazil (#2627)

Updates:

• Linux 4.19.81
• timezone-data 2019c

Upstream Container Linux updates:

Changes:

• Pin rkt to Go 1.12

Updates:

• Go 1.12.10
• Go 1.13.2
• Linux 4.19.80

Upstream Container Linux updates:

Security fixes:

• Fix sudo allowing a user to run commands as root if configured to permit the user to run commands as everyone other than root (CVE-2019-14287)

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)

Updates:

• etcd 3.3.17
• etcdctl 3.3.17
• Go 1.12.9
• Linux 4.19.79
• sudo 1.8.28

Upstream Container Linux updates:

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)

Updates:

• Linux 4.19.78

Upstream Container Linux updates:

Security fixes:

• Fix dbus authentication bypass in non-default configurations (CVE-2019-12749)
• Fix kernel KVM guest escape (CVE-2019-14835)
• Fix race condition in Intel microprocessors (CVE-2019-11184)

Updates:

• intel-microcode 20190918
• Linux 4.19.75

Upstream Container Linux updates:

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.71

Upstream Container Linux updates:

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.69

Upstream Container Linux updates:

Security fixes:

• Fix libarchive out of bounds reads (CVE-2017-14166, CVE-2017-14501, CVE-2017-14502, CVE-2017-14503)
• Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
• Fix polkit information disclosure and denial of service (CVE-2018-1116)
• Fix SQLite multiple vulnerabilities, the worst of which allows code execution (CVE-2019-5018, CVE-2019-9936, CVE-2019-9937)
• Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)

Updates:

• etcd 3.3.15
• etcdctl 3.3.15
• Go 1.12.7
• Linux 4.19.68
• wget 1.20.3

Upstream Container Linux updates:

Security fixes:

• Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)

Updates:

• Linux 4.19.65

Flatcar updates

Bug fixes:

• Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar-linux/ignition/issues/2)
• Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
• Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)

Upstream Container Linux updates:

Security fixes:

• Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)

Updates:

• Linux 4.19.65

Flatcar updates

Changes:

• Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)

Upstream Container Linux updates:

Bug fixes:

• Fix Ignition fetching from S3 URLs when network is slow to start (ignition#826)

Updates:

• Linux 4.19.62

Upstream Container Linux updates:

Bug fixes:

• Fix Docker device or resource busy error when creating overlay mounts, introduced in 2191.0.0

Updates:

• Linux 4.19.58

Upstream Container Linux updates:

Security fixes:

• Fix libexpat denial of service (CVE-2018-20843)

Bug fixes:

• Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)

Updates:

• expat 2.2.7
• Ignition 0.33.0
• Linux 4.19.56

Upstream Container Linux updates:

Bug fixes:

• Temporarily revert bunzip2 change in 2163.0.0 causing decompression failures for invalid archives created by older versions of lbzip2, including Container Linux release images (#2589)

Updates:

• intel-microcode 20190618
• Linux 4.19.55

Upstream Container Linux updates:

Security fixes:

• Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Updates:

• Linux 4.19.50

Upstream Container Linux updates:

Bug fixes:

• Temporarily revert bunzip2 change in 2163.0.0 causing decompression failures for invalid archives created by older versions of lbzip2, including Container Linux release images (#2589)

Upstream Container Linux updates:

Security fixes:

• Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5436)

Updates:

• coreutils 8.30
• curl 7.65.0
• GCC 8.3.0
• glibc 2.29
• Linux 4.19.47
• Rust 1.35.0

Upstream Container Linux updates:

Updates:

• etcd 3.3.13
• etcdctl 3.3.13
• Go 1.12.5
• intel-microcode 20190514
• Linux 4.19.44

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)

Updates:

• intel-microcode 20190514
• Linux 4.19.43

Upstream Container Linux updates:

Security fixes:

• Fix SQLite remote code execution (CVE-2018-20346)
• Fix GLib multiple vulnerabilities

Bug fixes:

• Fix systemd MountFlags=shared option (#2579)

Changes:

• Use Amazon’s recommended NVMe timeout for new EC2 installs (#2484)
• Pin network interface naming to systemd v238 scheme (#2578)
• Enable XDP sockets (#2580)

Updates:

• Linux 4.19.37
• Rust 1.34.1

Upstream Container Linux updates:

Security fixes:

• Fix libseccomp privilege escalation (CVE-2019-9893)

Bug fixes:

• Disable new sticky directory protections for backward compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Go 1.12.4
• Ignition 0.32.0
• libseccomp 2.4.0
• Linux 4.19.36
• Rust 1.34.0
• tini 0.18.0

Upstream Container Linux updates:

Security fixes:

• Fix libmspack vulnerabilities in the VMware agent for new installs (CVE-2018-14679, CVE-2018-14680, CVE-2018-14681, CVE-2018-14682, CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)

Updates:

• Afterburn (formerly coreos-metadata) 4.0.0
• Git 2.21.0
• Go 1.12.2
• Linux 4.19.34

Upstream Container Linux updates:

Security fixes:

• Fix OpenSSH scp allowing remote servers to change target directory permissions (CVE-2018-20685)
• Fix OpenSSH outputting ANSI control codes from remote servers (CVE-2019-6109, CVE-2019-6110)
• Fix OpenSSH scp allowing remote servers to overwrite arbitrary files (CVE-2019-6111)
• Fix OpenSSL side-channel timing attack (CVE-2018-5407)
• Fix OpenSSL padding oracle attack in misbehaving applications (CVE-2019-1559)
• Fix ntp ntpd denial of service by authenticated user (CVE-2019-8936)
• Fix ntp buffer overflow in ntpq and ntpdc (CVE-2018-12327)

Bug fixes:

• Fix systemd presets incorrectly handling escaped unit names (#2569)

Updates:

• GCC 8.2.0
• Go 1.12.1
• IANA timezone database 2018i
• Linux 4.19.31
• ntp 4.2.8p13
• OpenSSH 7.9p1
• OpenSSL 1.0.2r
• Update Engine 0.4.10

Upstream Container Linux updates:

Security fixes:

• Fix tar local denial of service with --sparse option (CVE-2018-20482)
• Fix wget local information leak (CVE-2018-20483)

Bug fixes:

• Fix systemd-journald memory leak (#2564)

Changes:

• Enable vhost_vsock kernel module (#2563)

Updates:

• Go 1.12
• Linux 4.19.28
• Rust 1.33.0
• systemd 241
• tar 1.31
• wget 1.20.1

Upstream Container Linux updates:

Security fixes:

• Fix curl vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823)
• Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
• Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)

Updates:

• curl 7.64.0
• Docker 18.06.3-ce
• Ignition 0.31.0
• Linux 4.19.25

Upstream Container Linux updates:

Security fixes:

• Fix runc container breakout (CVE-2019-5736)

Changes:

• Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)
• Add a new subkey for signing release images

Updates:

• etcd 3.3.12
• etcdctl 3.3.12
• flannel 0.11.0
• Linux 4.19.20

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in ECC (CVE-2019-6486)

Updates:

• btrfs-progs 4.19
• e2fsprogs 1.44.5
• glibc 2.27
• Go 1.10.8
• Go 1.11.5
• Linux 4.19.18
• Rust 1.32.0
• util-linux 2.33
• xfsprogs 4.17.0

Upstream Container Linux updates:

Security fixes:

• Fix systemd-journald privilege escalation (CVE-2018-16864, CVE-2018-16865)
• Fix systemd-journald out of bounds read (CVE-2018-16866)
• Fix ntpq, ntpdc buffer overflow (CVE-2018-12327)
• Fix etcd improper authentication with RBAC and client certs (CVE-2018-16886)

Changes:

• Add ip_vs_mh kernel module (#2542)

Updates:

• etcd 3.3.11
• etcdctl 3.3.11
• Linux 4.19.15
• ntp 4.2.8p12
• sudo 1.8.25p1

Upstream Container Linux updates:

Bug fixes:

• Fix monitoring process events over netlink (#2537)

Updates:

• Ignition 0.30.0
• Go 1.10.7
• Go 1.11.4
• Linux 4.19.13

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
• Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)

Bug fixes:

• Fix AWS, Azure, and GCE disk aliases in the initramfs for Ignition (#2531)

Updates:

• Go 1.10.6
• Go 1.11.3
• Ignition 0.29.1
• Linux 4.19.9
• Rust 1.31.0
• wa-linux-agent 2.2.32

Upstream Container Linux updates:

Updates:

• Linux 4.19.6
• iptables 1.6.2

Upstream Container Linux updates:

Security fixes:

• Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)
• Fix curl buffer overrun in NTLM authentication code (CVE-2018-14618)
• Fix OpenSSL TLS client denial of service (CVE-2018-0732)
• Fix OpenSSL timing side channel in DSA signature generation (CVE-2018-0734)
• Fix OpenSSL timing side channel via SMT port contention (CVE-2018-5407)

Updates:

• coreos-metadata 3.0.2
• curl 7.61.1
• Go 1.10.5
• Go 1.11.2
• Linux 4.19.2
• OpenSSL 1.0.2p
• Rust 1.30.1

Upstream Container Linux updates:

Security fixes:

• Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
• Fix systemd race allowing changing file permissions (CVE-2018-15687)
• Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)

Bug fixes:

• Add AWS and GCE disk aliases in the initramfs for Ignition (#2481)
• Add compatibility nf_conntrack_ipv4 kernel module to fix kube-proxy IPVS on Linux 4.19 (#2518)

Updates:

• IANA timezone database 2018e
• kexec-tools 2.0.17
• Linux 4.19.1

Upstream Container Linux updates:

Security fixes:

• Fix Git remote code execution during recursive clone (CVE-2018-17456)
• Fix OpenSSH user enumeration (CVE-2018-15473)
• Fix Rust standard library integer overflow (CVE-2018-1000810)

Bug fixes:

• Fix missing kernel headers (#2505)

Updates:

• coreos-metadata 3.0.1
• etcd-wrapper 3.3.10
• etcdctl 3.3.10
• Git 2.18.1
• Linux 4.19
• linux-firmware 20181001
• OpenSSH 7.7p1
• Rust 1.29.1

Flatcar updates

Changes:

• Add new image signing subkey to flatcar-install (flatcar-linux/init#4)

Bug fixes:

• Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)

Upstream Container Linux updates:

Updates:

• glibc 2.26
• Go 1.11.1
• Linux 4.18.12
• nfs-utils 2.3.1
• open-vm-tools 10.3.0

Upstream Container Linux updates:

Bug fixes:

• Fix Google Compute Engine OS Login activation (#2503)

Updates:

• Linux 4.18.9

Upstream Container Linux updates:

Bug fixes:

• Fix Docker mounting named volumes (#2497)
• Fix Azure disk detection in Ignition (#2481)

Changes:

• Add support for Google Compute Engine OS Login
• Enable support for Mellanox Ethernet switches

Updates:

• coreos-metadata 3.0.0
• Go 1.10.4
• Go 1.11
• intel-microcode 20180807a
• Linux 4.18.7
• update-ssh-keys 0.3.0

Upstream Container Linux updates:

Changes:

• Add CIFS userspace utilities (#571)
• Drop AWS PV images from regions which do not support PV

Updates:

• containerd 1.1.2
• Docker 18.06.1-ce
• Ignition 0.28.0
• Linux 4.18.5
• Rust 1.28.0

Upstream Container Linux updates:

Security fixes:

• Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
• Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)
• Fix curl SMTP buffer overflow (CVE-2018-0500)

Bug fixes:

• Fix PXE systems attempting to mount an ESP (#2491)

Updates:

• coreos-metadata 2.0.0
• curl 7.61.0
• Ignition 0.27.0
• Linux 4.17.15
• update-ssh-keys 0.2.1

Upstream Container Linux updates:

Security fixes:

• Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)

Bug fixes:

• Fix failure to mount large ext4 filesystems (#2485)

Updates:

• Linux 4.17.12

Upstream Container Linux updates:

Changes:

• Remove ARM64 architecture
• Remove developer image from SDK

Updates:

• etcd 3.3.9
• etcdctl 3.3.9
• Linux 4.17.11

Upstream Container Linux updates:

Changes:

• Add torcx remotes support

Updates:

• containerd 1.1.1
• Docker 18.06.0-ce
• intel-microcode 20180703
• Linux 4.17.9
• Update Engine 0.4.9

Upstream Container Linux updates:

Security fixes:

• Fix curl buffer overflows (CVE-2018-1000300, CVE-2018-1000301)
• Fix Linux random seed during early boot (CVE-2018-1108)

Changes:

• Reads of /dev/urandom early in boot will block until entropy pool is fully initialized
• Support friendly AWS EBS NVMe device names (#2399)

Updates:

• cryptsetup 1.7.5
• curl 7.60.0
• etcd-wrapper 3.3.8
• etcdctl 3.3.8
• intel-microcode 20180616
• kmod 25
• Linux 4.17.3
• linux-firmware 20180606
• Locksmith 0.6.2
• OpenSSL 1.0.2o

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Changes:

• Drop obsolete cros_sdk method of entering SDK

Updates:

• etcd 3.3.7
• etcdctl 3.3.7
• Go 1.9.7
• Go 1.10.3
• Ignition 0.26.0
• Linux 4.16.16
• torcx 0.2.0

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Upstream Container Linux updates:

Security fixes:

• Fix multiple procps vulnerabilities (CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126, CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1126)
• Fix shadow privilege escalation (CVE-2018-7169)
• Fix samba man-in-the-middle attack (CVE-2016-2119)
• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix failure to set network interface MTU (#2443)
• Fix inadvertent change of network interface names (#2437)
• Fix Docker bind mounts from root filesystem (#2440)

Changes:

• Update VMware virtual hardware version to 11 (ESXi > 6.0)

Updates:

• etcd 3.3.6
• etcdctl 3.3.6
• Git 2.16.4
• Linux 4.16.14
• open-vm-tools 10.2.5
• procps 3.3.15
• samba 4.5.16
• shadow 4.6

Upstream Container Linux updates:

Security fixes:

• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix failure to set network interface MTU (#2443)

Updates:

• Git 2.16.4
• Linux 4.16.13

Upstream Container Linux updates:

Bug fixes:

• Fix inadvertent change of network interface names (#2437)
• Fix Docker bind mounts from root filesystem (#2440)

Upstream Container Linux updates:

Security fixes:

• Fix ncurses denial of service and arbitrary code execution (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113, CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13733, CVE-2017-13734, CVE-2017-16879)
• Fix rsync arbitrary command execution (CVE-2018-5764)
• Fix wget cookie injection (CVE-2018-0494)

Changes:

• Enable QLogic FCoE offload support (#2367)
• Enable hardware RNG kernel drivers (#2430)
• Add notrap to ntpd default access restrictions (#2220)
• Allow booting default GRUB menu entry if GRUB password is enabled (#1597)
• coreos-install -i no longer modifies grub.cfg (#2291)
• QEMU wrapper script now enables VirtIO RNG device

Updates:

• bind-tools 9.11.2-P1
• Docker 18.05.0-ce
• etcd-wrapper 3.3.5
• etcdctl 3.3.5
• GnuPG 2.2.7
• GPT fdisk 1.0.3
• Ignition 0.25.1
• Less 529
• Linux 4.16.10
• rsync 3.1.3
• Rust 1.26
• util-linux 2.32
• vim 8.0.1298
• wget 1.19.5

Upstream Container Linux updates:

Bug fixes:

• Fix GRUB free magic error on existing systems (#2400)

Changes:

• Support storing sudoers in SSSD and LDAP
• No longer publish Oracle Cloud release images

Updates:

• audit 2.7.1
• coreutils 8.28
• etcd-wrapper 3.3.4
• etcdctl 3.3.4
• Go 1.9.6
• Go 1.10.2
• Linux 4.16.7
• sudo 1.8.23
• Update Engine 0.4.7
• wa-linux-agent 2.2.25

Upstream Container Linux updates:

Security fixes:

• Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
• Fix ntp denial of service from out of bounds read (CVE-2018-7182)
• Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
• Fix ntp remote code execution (CVE-2018-7183)

Bug fixes:

• Pass /etc/machine-id from the host to the kubelet
• Fix docker2aci tar conversion (#2402)
• Switch /boot from FAT16 to FAT32 (#2246)

Changes:

• Make Ignition failures more visible on the console

Updates:

• containerd 1.0.3
• coreos-cloudinit 1.14.0
• coreos-metadata 1.0.6
• Docker 18.04.0-ce
• Go 1.9.5
• Go 1.10.1
• Linux 4.16.3
• ntp 4.2.8p11
• rkt 1.30.0
• Rust 1.25.0
• torcx 0.1.3
• update-ssh-keys 0.1.2

Flatcar updates

Initial Flatcar release.

Notes:

• Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.

Upstream Container Linux updates:

Security fixes:

• Fix curl out of bounds read (CVE-2018-1000005)
• Fix curl authentication data leak (CVE-2018-1000007)
• Fix curl buffer overflow (CVE-2018-1000120)
• Fix glibc integer overflow in libcidn (CVE-2017-14062)
• Fix glibc memory issues in glob() with ~ (CVE-2017-15670, CVE-2017-15671, CVE-2017-15804)
• Fix glibc mishandling RPATHs with $ORIGIN on setuid binaries (CVE-2017-16997)
• Fix glibc buffer underflow in realpath() (CVE-2018-1000001)
• Fix glibc integer overflow and heap corruption in memalign() (CVE-2018-6485)

Bug fixes:

• Fix GRUB crash at boot (#2284)

Updates:

• curl 7.59.0
• etcd-wrapper 3.3.3
• etcdctl 3.3.3
• glibc 2.25
• Ignition 0.24.0
• Linux 4.15.15
• Update Engine 0.4.6