Releases

Security fixes:

• Linux: CVE-2020-25284, CVE-2020-14390

Bug fixes:

• Enabled missing systemd services (#191, PR #612)
• Fixed Docker torcx image unpacking error on machines with less than ~600 MB total RAM (#32)
• Solved adcli Kerberos Active Directory incompatibility (#194)
• Fixed the makefile path when building kernel modules with the developer container (#195)
• Removed the /etc/portage/savedconfig/ folder that contained a dump of the firmware config flatcar-linux/coreos-overlay#613

Changes:

• GCE: Improved oslogin support and added shell aliases to run a Python Docker image (PR #592)

Updates:

• Linux 5.8.11
• adcli 0.9.0
• GCE: oslogin 20200910.00

Bug fixes:

• Fix resetting of DNS nameservers in systemd-networkd units (PR#12)

Changes:

• Disable TX checksum offloading for the IP-in-IP tunl0 interface used by Calico (PR#26). This is a workaround for a Mellanox driver issue, currently tracked in Flatcar#183
• Set sysctl net.ipv4.conf.(all|*).rp_filter to 0 (instead of the systemd upstream value 2) to be less restrictive which some network solutions rely on (PR#11)
• flatcar-install allows installation to a multipath drive (PR#24)

Updates:

• Linux 5.4.65

Security fixes:

• Linux kernel: Fix AF_PACKET overflow in tpacket_rcv CVE-2020-14386

Updates:

• Linux 5.4.62

Changes from Alpha release 2605.1.0

Changes:

• Update public key to include new subkey

Security fixes:

• Bind: fixes for CVE-2020-8616, CVE-2020-8617, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Bug fixes:

• etcd-wrapper: Adjust data dir permissions (flatcar-linux/coreos-overlay#536)

Updates:

• Linux 5.4.59
• bind-tools 9.11.22
• etcd-wrapper 3.3.24

Changes since the Alpha release 2513.1.0

Bug Fixes:

• The static IP address configuration in the initramfs works again in the format ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]] https://github.com/flatcar-linux/bootengine/pull/15

Updates:

• Linux 5.4.52

Flatcar updates

Security fixes:

• Fix the Intel Microcode vulnerabilities (CVE-2020-0543)

Changes:

• A source code and licensing overview is available under /usr/share/licenses/INFO

Updates:

• Linux 4.19.128
• intel-microcode 20200609

Flatcar updates

Security fixes:

• Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
• Fix Git arbitrary path overwrite, credential leak from credential helpers, remote code execution in recursive clones, and arbitrary command execution via submodules (CVE-2019-1348, CVE-2019-1387, CVE-2019-19604, CVE-2020-11008, CVE-2020-5260)
• Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
• Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
• Fix libidn2 domain impersonation (CVE-2019-12290)
• Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
• Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
• Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
• Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
• Fix vim arbitrary command execution via crafted file (CVE-2019-12735)

Bug fixes:

• When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (https://github.com/flatcar-linux/update_engine/pull/5)
• Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed
• Use the correct BINHOST URLs in the development container to download binary packages

Changes:

• Support the CoreOS GRUB /boot/coreos/first_boot flag file (https://github.com/flatcar-linux/bootengine/pull/13)
• Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
• Use flatcar.autologin kernel command line parameter on Azure and VMware for auto login on the serial console
• Include conntrack (conntrack-tools)
• Include journalctl output, pstore kernel crash logs, and coredumpctl list output in the mayday report
• Update wa-linux-agent to 2.2.46 on Azure
• Support both coreos.config.* and flatcar.config.* guestinfo variables on VMware OEM

Updates:

• e2fsprogs 1.45.5
• etcd 3.3.20
• etcdctl 3.3.20
• Git 2.24.1
• Linux 4.19.124
• OpenSSL 1.0.2u
• vim 8.2.0360

Flatcar updates

Bug fixes:

• Use newest network interface naming scheme (https://github.com/flatcar-linux/Flatcar/issues/36)
  • It is a possible breaking change for some persistent network interface names
• Fix URL scheme in emerge-gitclone (https://github.com/flatcar-linux/coreos-overlay/issues/223)
• Fix coreos-cloudinit variable names (https://github.com/flatcar-linux/coreos-overlay/pull/206)
• Prefer /boot/coreos to write updates (https://github.com/flatcar-linux/update_engine/pull/2)
• Remove /boot/coreos/first_boot after a Ignition rerun on migration (https://github.com/flatcar-linux/bootengine/pull/10)
• Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar-linux/ignition/pull/10)

Changes:

• Add kernel config for QEDE driver (https://github.com/flatcar-linux/coreos-overlay/pull/198)
• Add tracepath alongside traceroute6 (https://github.com/flatcar-linux/Flatcar/issues/50)

Updates:

• Linux 4.19.112

Flatcar updates

Bug fixes:

• Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
• Fix backwards compatibility issues for users to migrate from CoreOS Container Linux. Support the kernel command line parameters coreos.oem.*, coreos.autologin, coreos.first_boot, and the QEMU firmware config path opt/com.coreos/config (https://github.com/flatcar-linux/Flatcar/issues/16 https://github.com/flatcar-linux/afterburn/pull/7 https://github.com/flatcar-linux/bootengine/pull/7 https://github.com/flatcar-linux/bootengine/pull/8 https://github.com/flatcar-linux/init/pull/16 https://github.com/flatcar-linux/init/pull/17 https://github.com/flatcar-linux/ignition/pull/8)

Upstream Container Linux updates

Updates:

• Linux 4.19.106

Flatcar updates

Bug fixes:

• Fix DNS resolution for the GCE metadata server (https://github.com/flatcar-linux/coreos-overlay/pull/160)
• Create symlink for /run/metadata/coreos (https://github.com/flatcar-linux/coreos-overlay/pull/166)
• Create symlink for flatcar-install (https://github.com/flatcar-linux/init/pull/14)

Upstream Container Linux updates:

Security fixes:

• Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker (CVE-2020-1712)

Changes:

• Enable qede kernel module

Updates:

• Linux 4.19.102

Upstream Container Linux updates:

Security fixes:

• Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)

Updates:

• Git 2.24.1
• Linux 4.19.95

Flatcar updates

Bug fixes:

• Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)
• Fix bug of unpacking tarballs failing when xattr is not supported (https://github.com/flatcar-linux/torcx/pull/2)

Updates:

• ldb 1.3.6
• samba 4.8.6
• talloc 2.1.11
• tdb 1.3.15
• tevent 0.9.37

Upstream Container Linux updates:

Updates:

• Linux 4.19.87

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)

Updates:

• intel-microcode 20191115
• Linux 4.19.84

Upstream Container Linux updates:

Bug fixes:

• Fix time zone for Brazil (#2627)

Updates:

• Linux 4.19.81
• timezone-data 2019c

Upstream Container Linux updates:

Updates:

• Linux 4.19.79

Upstream Container Linux updates:

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2247.3.0 (#2616)

Updates:

• Linux 4.19.78

Upstream Container Linux updates:

Security fixes:

• Fix kernel KVM guest escape (CVE-2019-14835)
• Fix race condition in Intel microprocessors (CVE-2019-11184)

Updates:

• intel-microcode 20190918
• Linux 4.19.75

Upstream Container Linux updates:

Updates:

• Linux 4.19.71

Upstream Container Linux updates:

Security fixes:

• Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.69

Upstream Container Linux updates:

Security fixes:

• Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)

Updates:

• Linux 4.19.68
• wget 1.20.3

Upstream Container Linux updates:

Security fixes:

• Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)

Updates:

• Linux 4.19.65

Flatcar updates

Bug fixes:

• Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar-linux/ignition/issues/2)
• Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
• Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)

Upstream Container Linux updates:

Security fixes:

• Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)

Updates:

• Linux 4.19.65

Flatcar updates

Changes:

• Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)

Upstream Container Linux updates:

• Linux 4.19.62

Upstream Container Linux updates:

No changes for beta promotion

Upstream Container Linux updates:

Bug fixes:

• Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)

Updates:

• Ignition 0.33.0

Upstream Container Linux updates:

Updates:

• Linux 4.19.53

Upstream Container Linux updates:

Security fixes:

• Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Bug fixes:

• Fix invalid bzip2 compression of Container Linux release images (#2589)

Updates:

• Linux 4.19.50

Upstream Container Linux updates:

Updates:

• Linux 4.19.44

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)

Updates:

• intel-microcode 20190514
• Linux 4.19.43

Upstream Container Linux updates:

Bug fixes:

• Fix systemd MountFlags=shared option (#2579)

Changes:

• Pin network interface naming to systemd v238 scheme (#2578)

Upstream Container Linux updates:

Bug fixes:

• Disable new sticky directory protections for backward compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Linux 4.19.36

Upstream Container Linux updates:

Bug fixes:

• Disable new sticky directory protections for backwards compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Linux 4.19.34

Upstream Container Linux updates:

Bug fixes:

• Fix systemd presets incorrectly handling escaped unit names (#2569)

Updates:

• Linux 4.19.31

Upstream Container Linux updates:

Bug fixes:

• Fix systemd-journald memory leak (#2564)

Updates:

• Linux 4.19.28

Upstream Container Linux updates:

Security fixes:

• Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
• Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)

Updates:

• Linux 4.19.25

Upstream Container Linux updates:

Updates:

• Linux 4.19.23

Upstream Container Linux updates:

Security fixes:

• Fix runc container breakout (CVE-2019-5736)

Changes:

• Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)

Updates:

• etcd 3.3.12
• etcdctl 3.3.12
• Linux 4.19.20

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in ECC (CVE-2019-6486)

Updates:

• Go 1.10.8
• Go 1.11.5
• Linux 4.19.18

Upstream Container Linux updates:

Updates:

• Linux 4.19.13

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
• Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)

Updates:

• Go 1.10.6
• Go 1.11.3
• Linux 4.14.88

Upstream Container Linux updates:

Changes:

• Switch to the LTS Linux version 4.14.84 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)

Updates:

• Linux 4.14.81

Upstream Container Linux updates:

Security fixes:

• Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
• Fix systemd race allowing changing file permissions (CVE-2018-15687)
• Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)

Changes:

• Switch to the LTS Linux version 4.14.79 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Fix Git remote code execution during recursive clone (CVE-2018-17456)

Bug fixes:

• Fix missing kernel headers (#2505)

Updates:

• Git 2.16.5
• Linux 4.14.78

Flatcar updates

Changes:

• Add new image signing subkey to flatcar-install (flatcar-linux/init#4)

Bug fixes:

• Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)

Upstream Container Linux updates:

Changes:

• Switch to the LTS Linux version 4.14.74 for the beta channel

Upstream Container Linux updates:

Bug fixes:

• Fix Docker mounting named volumes (#2497)

Changes:

• Switch to the LTS Linux version 4.14.69 for the beta channel

Updates:

• intel-microcode 20180807a

Upstream Container Linux updates:

Changes:

• Drop AWS PV images from regions which do not support PV

Updates:

• containerd 1.1.2
• Docker 18.06.1-ce
• intel-microcode 20180807a
• Linux 4.14.67

Upstream Container Linux updates:

Security fixes:

• Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
• Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)

Bug fixes:

• Fix PXE systems attempting to mount an ESP (#2491)

Changes:

• Switch to the LTS Linux version 4.14.63 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)

Bug fixes:

• Fix failure to mount large ext4 filesystems (#2485)

Updates:

• Linux 4.14.60

Upstream Container Linux updates:

Bug fixes:

• Fix kernel CIFS client (#2480)

Updates:

• Linux 4.14.59

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.57 for the beta channel

Upstream Container Linux updates:

Updates:

• Linux 4.14.55

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.50 for the beta channel

Upstream Container Linux updates:

Bug fixes:

• Fix TCP connection stalls (#2457)

Updates:

• Linux 4.14.49

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Updates:

• Linux 4.14.48

Upstream Container Linux updates:

Security fixes:

• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix inadvertent change of network interface names (#2437)
• Fix failure to set network interface MTU (#2443)

Updates:

• Git 2.16.4
• Linux 4.14.47

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.42 for the beta channel

Updates:

• Ignition 0.24.1

Upstream Container Linux updates:

Security fixes:

• Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
• Fix ntp denial of service from out of bounds read (CVE-2018-7182)
• Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
• Fix ntp remote code execution (CVE-2018-7183)

Updates:

• containerd 1.0.3
• Docker 18.03.1-ce
• Linux 4.14.39
• ntp 4.2.8p11

Upstream Container Linux updates:

Bug fixes:

• Fix docker2aci tar conversion (#2402)

Changes:

• Switch to the LTS Linux version 4.14.35 for the beta channel

Flatcar updates

Initial Flatcar release.

Bug fixes:

• Fix GRUB crash at boot (#2284)
• Fix poweroff problems (#8080)

Notes:

• Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.

Upstream Container Linux updates:

Bug fixes:

• Fix kernel panic with vxlan (#2382)

Security fixes:

• Linux: CVE-2020-25284, CVE-2020-14390
• jq: CVE-2015-8863, CVE-2016-4074, ?
• sqlite: CVE-2020-11656, CVE-2020-9327, CVE-2020-11655, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358, ?
• tcpdump and libpcap: CVE-2018-10103, CVE-2018-10105, CVE-2018-16301, CVE-2019-15163, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166, CVE-2018-19325, CVE-2018-14879, CVE-2017-16808, CVE-2018-19519, CVE-2019-15161, CVE-2019-15165, CVE-2019-15164, CVE-2019-1010220, ?
• libbsd: CVE-2019-20367, ?
• rsync: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, ?

Bug fixes:

• Enabled missing systemd services (#191, PR #612)
• Fixed Docker torcx image unpacking error on machines with less than ~600 MB total RAM (#32)
• Solved adcli Kerberos Active Directory incompatibility (#194)
• Fixed the makefile path when building kernel modules with the developer container (#195)
• Removed the /etc/portage/savedconfig/ folder that contained a dump of the firmware config flatcar-linux/coreos-overlay#613

Changes:

• GCE: Improved oslogin support and added shell aliases to run a Python Docker image (PR #592)

Updates:

• Linux 5.8.11
• Docker 19.03.13
• docker-runc 1.0.-rc92
• containerd 1.4.1
• adcli 0.9.0
• GCE: oslogin 20200910.00
• jq 1.6
• rsync 3.2.3
• tcpdump 4.9.3

Note: Please note that ARM images remain experimental for now.

Bug fixes:

• Fix resetting of DNS nameservers in systemd-networkd units (PR#12)

Changes:

• Disable TX checksum offloading for the IP-in-IP tunl0 interface used by Calico (PR#26). This is a workaround for a Mellanox driver issue, currently tracked in Flatcar#183
• Set sysctl net.ipv4.conf.(all|*).rp_filter to 0 (instead of the systemd upstream value 2) to be less restrictive which some network solutions rely on (PR#11)
• Update-engine now detects rollbacks and reports them as errors to the update server (PR#6)
• flatcar-install allows installation to a multipath drive (PR#24)
• Support the lockdown kernel command line parameter (PR#533)
• Update public key to include a new subkey

Updates:

• Linux 5.8.9
• linux-firmware 20200817
• Go 1.15.2
• Rust 1.46.0

Note: Please note that ARM images remain experimental for now.

Bug fixes:

• Resolve ipset API incompatibility Flatcar#174
• Fix udev rule warning about ignored value Flatcar#164
• Add missing render group Flatcar#169

Changes:

• Mount /sys/fs/bpf into the toolbox container and allow BPF syscalls (PR#544)
• Support loading BPF programs with tc Flatcar#172

Updates:

• Linux 5.4.61
• etcd-wrapper/etcdctl 3.3.25
• ipset 7.6
• iproute 5.8
• mdadm 4.1
• VMware: openvm-tools 11.1.5

Note: Please note that ARM images remain experimental for now.

Security fixes:

• Bind: fixes for CVE-2020-8616, CVE-2020-8617, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Bug fixes:

• etcd-wrapper: Adjust data dir permissions https://github.com/flatcar-linux/coreos-overlay/pull/536

Changes:

• Add drivers for qedf, qedi, qla4xxx as kernel modules https://github.com/flatcar-linux/coreos-overlay/pull/528

Updates:

• Linux 5.4.59
• Bind-tools 9.16.6
• Openssl 1.1.1g
• etcd-wrapper 3.3.24
• sssd 1.16.3
• kerberos 1.18.2
• Containerd 1.3.7
• Go 1.13.15 used for compilation

Bug Fixes:

• Improved logic for GPT disk UUID randomization to fix booting on Packet c3.medium.x86 machines (flatcar-linux/bootengine#17)
• gpg: add patches for accepting keys without UIDs (flatcar-linux/coreos-overlay#381)
• The static IP address configuration in the initramfs works again in the format ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]] (flatcar-linux/bootengine#15)

Changes:

• Since version 245 systemd-networkd ignores network unit files with an empty [Match] section. Add a Name=* entry to match all interfaces.
• Weave network interfaces are excluded from systemd-networkd (flatcar-linux/init#22)
• Enabled the mmio and vsock virtio kernel modules for Firecracker (flatcar-linux/coreos-overlay#485)
• Enabled CONFIG_IKHEADERS to expose kernel headers under /sys/kernel/kheaders.tar.xz
• Vultr support in Ignition (flatcar-linux/ignition#13)
• VMware OVF settings default to ESXi 6.5 and Linux 3.x

Updates:

• Linux 5.4.55
• systemd v245
• Docker 19.03.12
• gnupg 2.2.20
• cryptsetup 2.0.3
• etcd 3.3.22
• etcdctl 3.3.22
• Go 1.13.14
• Rust 1.44.1

Note: Please note that ARM images remain experimental for now.

Security Fixes:

• Malicious URLs can cause Git to expose private credentials CVE-2020-5260
• Similar to CVE-2020-5260, Malicious URLs can cause Git to expose private credentials CVE-2020-11008

Bugfixes:

• Include dig binary in ARM flatcar-linux/Flatcar#123
• Fix the login prompt issue in the ISO flatcar-linux/Flatcar#131
• app-admin/{kubelet, etcd, flannel}-wrapper: don't overwrite the user supplied –insecure-options argument https://github.com/flatcar-linux/coreos-overlay/pull/426

Updates:

• Linux - 5.4.47
• Docker - 19.03.11
• Go - 1.13.12
• strace - 5.6
• git - 2.26.2

Note: Please note that ARM images remain experimental for now.

Flatcar updates

Security fixes:

• Fix the Intel Microcode vulnerabilities (CVE-2020-0543)

Changes:

• A source code and licensing overview is available under /usr/share/licenses/INFO

Updates:

• Linux 5.4.46
• intel-microcode 20200609

Flatcar updates

Security fixes:

• Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
• Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
• Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
• Fix libidn2 domain impersonation (CVE-2019-12290)
• Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
• Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
• Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
• Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
• Fix vim arbitrary command execution via crafted file (CVE-2019-12735)

Bug fixes:

• Revert adding the SELinux use flag for docker-runc until a regression is solved
• When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (https://github.com/flatcar-linux/update_engine/pull/5)
• Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed

Changes:

• Support the CoreOS GRUB /boot/coreos/first_boot flag file (https://github.com/flatcar-linux/bootengine/pull/13)
• Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
• Add wireguard kernel module from wireguard-linux-compat
• Include wg (wireguard-tools)
• Enable regex support for jq
• Use flatcar.autologin kernel command line parameter on Azure for auto login on the serial console

Updates:

• e2fsprogs 1.45.5
• etcd 3.3.20
• etcdctl 3.3.20
• Linux 5.4.41
• OpenSSL 1.0.2u
• vim 8.2.0360
• systemd 243

Flatcar updates

Bug fixes:

• Support both guestinfo.ignition.config and guestinfo.coreos.config in coreos-cloudinit (https://github.com/flatcar-linux/coreos-cloudinit/pull/4)
• Fix VMware guestinfo variable retrieval and add missing variables in ignition (https://github.com/flatcar-linux/ignition/pull/11)
• Use flatcar.autologin for the console in oem-vmware (https://github.com/flatcar-linux/coreos-overlay/pull/308)
• Log list of coredumps with coredumpctl in mayday (https://github.com/flatcar-linux/mayday/pull/8)

Updates:

• Linux 5.4.35
• Go 1.13.10
• containerd 1.3.4
• conntrack-tools 1.4.5
• linux-firmware 20191022

Flatcar updates

Bug fixes:

• Use newest network interface naming scheme (https://github.com/flatcar-linux/Flatcar/issues/36)
  • It is a possible breaking change for some persistent network interface names
• Fix coreos-cloudinit variable names (https://github.com/flatcar-linux/coreos-overlay/pull/206)
• Prefer /boot/coreos to write updates (https://github.com/flatcar-linux/update_engine/pull/2)
• Build a download URL in a safer way (https://github.com/flatcar-linux/update_engine/issues/3)
• Remove /boot/coreos/first_boot after a Ignition rerun on migration (https://github.com/flatcar-linux/bootengine/pull/10)
• Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar-linux/ignition/pull/10)
• Make flannel cross-node traffic work with systemd > 242 (https://github.com/coreos/flannel/issues/1155, https://github.com/flatcar-linux/coreos-overlay/pull/279)

Changes:

• Add tracepath alongside traceroute6 (https://github.com/flatcar-linux/Flatcar/issues/50)
• Extend logging capabilities of mayday (https://github.com/flatcar-linux/Flatcar/issues/61)

Updates:

• Linux 4.19.113
• Docker 19.03.8
• open-vm-tools 11.0.5
• openssh 8.1
• WAAgent 2.2.46

Flatcar updates

Bug fixes:

• Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
• Do not error out in runc if SELinux is disabled on the system (https://github.com/flatcar-linux/coreos-overlay/pull/189)
• Bring back runc 1.0-rc2 for Docker 17.03 (https://github.com/flatcar-linux/coreos-overlay/pull/191)
• Use correct branch name format in developer container tools (https://github.com/flatcar-linux/dev-util/pull/2)

Updates:

• Linux 4.19.106

Flatcar updates

Security fixes:

• Fix stack-based buffer overflow in sudo (CVE-2019-18634)
• Fix incorrect access control leading to privileges escalation in runc (CVE-2019-19921)
• Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker (CVE-2020-1712)

Bug fixes:

• Fix DNS resolution for the GCE metadata server (https://github.com/flatcar-linux/coreos-overlay/pull/160)
• Use correct URLs for flatcar-linux in emerge-gitclone and scripts (https://github.com/flatcar-linux/dev-util/pull/1) (https://github.com/flatcar-linux/scripts/pull/50)
• Fix a wrong profile reference in torcx (https://github.com/flatcar-linux/coreos-overlay/pull/162)
• Create symlink for /run/metadata/coreos (https://github.com/flatcar-linux/coreos-overlay/pull/166)
• Create symlink for flatcar-install (https://github.com/flatcar-linux/init/pull/14)
• Fix backwards compatibility issues for users to migrate from CoreOS Container Linux (https://github.com/flatcar-linux/Flatcar/issues/16 https://github.com/flatcar-linux/afterburn/pull/7 https://github.com/flatcar-linux/bootengine/pull/7 https://github.com/flatcar-linux/bootengine/pull/8 https://github.com/flatcar-linux/init/pull/16 https://github.com/flatcar-linux/init/pull/17 https://github.com/flatcar-linux/ignition/pull/8)

Changes:

• Build Flatcar tarballs to be used by containers (https://github.com/flatcar-linux/scripts/pull/51)
• Enable qede kernel module

Updates:

• Linux 4.19.102
• runc 1.0.0-rc10
• sudo 1.8.31

Upstream Container Linux updates:

Security fixes:

• Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)

Updates:

• Git 2.24.1
• Ignition 0.34.0

Flatcar updates

• Linux 4.19.97

Flatcar updates

Security fixes:

• Fix a denial-of-service issue via malicious access to /dev/kvm (CVE-2019-19332)

Bug fixes:

• Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)

Updates:

• Linux 4.19.89

Flatcar updates

It is the first release done for both amd64 and arm64.

Bug fixes:

• Fix cross-build issues around WAF by creating wrappers (https://github.com/flatcar-linux/coreos-overlay/pull/137 https://github.com/flatcar-linux/coreos-overlay/pull/139)

Updates:

• ldb 1.3.6
• samba 4.8.6
• talloc 2.1.11
• tdb 1.3.15
• tevent 0.9.37

Flatcar updates

Security fixes:

• Fix heap-based buffer over-read in libexpat (CVE-2019-15903)
• Fix code injection around dynamic libraries in docker (CVE-2019-14271)

Bug fixes:

• Fix cross-build issues in rust by storing shell scripts under the source directory (https://github.com/flatcar-linux/coreos-overlay/pull/125)
• Fix bug in dealing with xattrs when unpacking torcx tarballs (https://github.com/flatcar-linux/torcx/pull/2)

Updates:

• Linux 4.19.87
• docker 19.03.5
• etcd 3.3.18
• expat 2.2.8

Flatcar updates

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
• Fix curl Kerberos FTP double free (CVE-2019-5481)
• Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5482)
• Fix OpenSSL key extraction attacks under non-default conditions (CVE-2019-1563, CVE-2019-1547)
• Fix panic caused by invalid DSA public keys in Go 1.12 and 1.13 (CVE-2019-17596)

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
• Fix time zone for Brazil (#2627)

Updates:

• Go 1.12.12 and 1.13.3
• curl 7.66.0
• intel-microcode 20191115
• Linux 4.19.84
• OpenSSL 1.0.2t
• timezone-data 2019c

Upstream Container Linux updates:

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
• Fix time zone for Brazil (#2627)

Updates:

• Linux 4.19.81
• timezone-data 2019c

Upstream Container Linux updates:

Changes:

• Pin rkt to Go 1.12

Updates:

• Go 1.12.10
• Go 1.13.2
• Linux 4.19.80

Upstream Container Linux updates:

Security fixes:

• Fix sudo allowing a user to run commands as root if configured to permit the user to run commands as everyone other than root (CVE-2019-14287)

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)

Updates:

• etcd 3.3.17
• etcdctl 3.3.17
• Go 1.12.9
• Linux 4.19.79
• sudo 1.8.28

Upstream Container Linux updates:

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)

Updates:

• Linux 4.19.78

Upstream Container Linux updates:

Security fixes:

• Fix dbus authentication bypass in non-default configurations (CVE-2019-12749)
• Fix kernel KVM guest escape (CVE-2019-14835)
• Fix race condition in Intel microprocessors (CVE-2019-11184)

Updates:

• intel-microcode 20190918
• Linux 4.19.75

Upstream Container Linux updates:

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.71

Upstream Container Linux updates:

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.69

Upstream Container Linux updates:

Security fixes:

• Fix libarchive out of bounds reads (CVE-2017-14166, CVE-2017-14501, CVE-2017-14502, CVE-2017-14503)
• Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
• Fix polkit information disclosure and denial of service (CVE-2018-1116)
• Fix SQLite multiple vulnerabilities, the worst of which allows code execution (CVE-2019-5018, CVE-2019-9936, CVE-2019-9937)
• Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)

Updates:

• etcd 3.3.15
• etcdctl 3.3.15
• Go 1.12.7
• Linux 4.19.68
• wget 1.20.3

Upstream Container Linux updates:

Security fixes:

• Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)

Updates:

• Linux 4.19.65

Flatcar updates

Bug fixes:

• Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar-linux/ignition/issues/2)
• Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
• Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)

Upstream Container Linux updates:

Security fixes:

• Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)

Updates:

• Linux 4.19.65

Flatcar updates

Changes:

• Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)

Upstream Container Linux updates:

Bug fixes:

• Fix Ignition fetching from S3 URLs when network is slow to start (ignition#826)

Updates:

• Linux 4.19.62

Upstream Container Linux updates:

Bug fixes:

• Fix Docker device or resource busy error when creating overlay mounts, introduced in 2191.0.0

Updates:

• Linux 4.19.58

Upstream Container Linux updates:

Security fixes:

• Fix libexpat denial of service (CVE-2018-20843)

Bug fixes:

• Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)

Updates:

• expat 2.2.7
• Ignition 0.33.0
• Linux 4.19.56

Upstream Container Linux updates:

Bug fixes:

• Temporarily revert bunzip2 change in 2163.0.0 causing decompression failures for invalid archives created by older versions of lbzip2, including Container Linux release images (#2589)

Updates:

• intel-microcode 20190618
• Linux 4.19.55

Upstream Container Linux updates:

Security fixes:

• Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Updates:

• Linux 4.19.50

Upstream Container Linux updates:

Bug fixes:

• Temporarily revert bunzip2 change in 2163.0.0 causing decompression failures for invalid archives created by older versions of lbzip2, including Container Linux release images (#2589)

Upstream Container Linux updates:

Security fixes:

• Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5436)

Updates:

• coreutils 8.30
• curl 7.65.0
• GCC 8.3.0
• glibc 2.29
• Linux 4.19.47
• Rust 1.35.0

Upstream Container Linux updates:

Updates:

• etcd 3.3.13
• etcdctl 3.3.13
• Go 1.12.5
• intel-microcode 20190514
• Linux 4.19.44

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)

Updates:

• intel-microcode 20190514
• Linux 4.19.43

Upstream Container Linux updates:

Security fixes:

• Fix SQLite remote code execution (CVE-2018-20346)
• Fix GLib multiple vulnerabilities

Bug fixes:

• Fix systemd MountFlags=shared option (#2579)

Changes:

• Use Amazon's recommended NVMe timeout for new EC2 installs (#2484)
• Pin network interface naming to systemd v238 scheme (#2578)
• Enable XDP sockets (#2580)

Updates:

• Linux 4.19.37
• Rust 1.34.1

Upstream Container Linux updates:

Security fixes:

• Fix libseccomp privilege escalation (CVE-2019-9893)

Bug fixes:

• Disable new sticky directory protections for backward compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Go 1.12.4
• Ignition 0.32.0
• libseccomp 2.4.0
• Linux 4.19.36
• Rust 1.34.0
• tini 0.18.0

Upstream Container Linux updates:

Security fixes:

• Fix libmspack vulnerabilities in the VMware agent for new installs (CVE-2018-14679, CVE-2018-14680, CVE-2018-14681, CVE-2018-14682, CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)

Updates:

• Afterburn (formerly coreos-metadata) 4.0.0
• Git 2.21.0
• Go 1.12.2
• Linux 4.19.34

Upstream Container Linux updates:

Security fixes:

• Fix OpenSSH scp allowing remote servers to change target directory permissions (CVE-2018-20685)
• Fix OpenSSH outputting ANSI control codes from remote servers (CVE-2019-6109, CVE-2019-6110)
• Fix OpenSSH scp allowing remote servers to overwrite arbitrary files (CVE-2019-6111)
• Fix OpenSSL side-channel timing attack (CVE-2018-5407)
• Fix OpenSSL padding oracle attack in misbehaving applications (CVE-2019-1559)
• Fix ntp ntpd denial of service by authenticated user (CVE-2019-8936)
• Fix ntp buffer overflow in ntpq and ntpdc (CVE-2018-12327)

Bug fixes:

• Fix systemd presets incorrectly handling escaped unit names (#2569)

Updates:

• GCC 8.2.0
• Go 1.12.1
• IANA timezone database 2018i
• Linux 4.19.31
• ntp 4.2.8p13
• OpenSSH 7.9p1
• OpenSSL 1.0.2r
• Update Engine 0.4.10

Upstream Container Linux updates:

Security fixes:

• Fix tar local denial of service with --sparse option (CVE-2018-20482)
• Fix wget local information leak (CVE-2018-20483)

Bug fixes:

• Fix systemd-journald memory leak (#2564)

Changes:

• Enable vhost_vsock kernel module (#2563)

Updates:

• Go 1.12
• Linux 4.19.28
• Rust 1.33.0
• systemd 241
• tar 1.31
• wget 1.20.1

Upstream Container Linux updates:

Security fixes:

• Fix curl vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823)
• Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
• Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)

Updates:

• curl 7.64.0
• Docker 18.06.3-ce
• Ignition 0.31.0
• Linux 4.19.25

Upstream Container Linux updates:

Security fixes:

• Fix runc container breakout (CVE-2019-5736)

Changes:

• Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)
• Add a new subkey for signing release images

Updates:

• etcd 3.3.12
• etcdctl 3.3.12
• flannel 0.11.0
• Linux 4.19.20

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in ECC (CVE-2019-6486)

Updates:

• btrfs-progs 4.19
• e2fsprogs 1.44.5
• glibc 2.27
• Go 1.10.8
• Go 1.11.5
• Linux 4.19.18
• Rust 1.32.0
• util-linux 2.33
• xfsprogs 4.17.0

Upstream Container Linux updates:

Security fixes:

• Fix systemd-journald privilege escalation (CVE-2018-16864, CVE-2018-16865)
• Fix systemd-journald out of bounds read (CVE-2018-16866)
• Fix ntpq, ntpdc buffer overflow (CVE-2018-12327)
• Fix etcd improper authentication with RBAC and client certs (CVE-2018-16886)

Changes:

• Add ip_vs_mh kernel module (#2542)

Updates:

• etcd 3.3.11
• etcdctl 3.3.11
• Linux 4.19.15
• ntp 4.2.8p12
• sudo 1.8.25p1

Upstream Container Linux updates:

Bug fixes:

• Fix monitoring process events over netlink (#2537)

Updates:

• Ignition 0.30.0
• Go 1.10.7
• Go 1.11.4
• Linux 4.19.13

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
• Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)

Bug fixes:

• Fix AWS, Azure, and GCE disk aliases in the initramfs for Ignition (#2531)

Updates:

• Go 1.10.6
• Go 1.11.3
• Ignition 0.29.1
• Linux 4.19.9
• Rust 1.31.0
• wa-linux-agent 2.2.32

Upstream Container Linux updates:

Updates:

• Linux 4.19.6
• iptables 1.6.2

Upstream Container Linux updates:

Security fixes:

• Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)
• Fix curl buffer overrun in NTLM authentication code (CVE-2018-14618)
• Fix OpenSSL TLS client denial of service (CVE-2018-0732)
• Fix OpenSSL timing side channel in DSA signature generation (CVE-2018-0734)
• Fix OpenSSL timing side channel via SMT port contention (CVE-2018-5407)

Updates:

• coreos-metadata 3.0.2
• curl 7.61.1
• Go 1.10.5
• Go 1.11.2
• Linux 4.19.2
• OpenSSL 1.0.2p
• Rust 1.30.1

Upstream Container Linux updates:

Security fixes:

• Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
• Fix systemd race allowing changing file permissions (CVE-2018-15687)
• Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)

Bug fixes:

• Add AWS and GCE disk aliases in the initramfs for Ignition (#2481)
• Add compatibility nf_conntrack_ipv4 kernel module to fix kube-proxy IPVS on Linux 4.19 (#2518)

Updates:

• IANA timezone database 2018e
• kexec-tools 2.0.17
• Linux 4.19.1

Upstream Container Linux updates:

Security fixes:

• Fix Git remote code execution during recursive clone (CVE-2018-17456)
• Fix OpenSSH user enumeration (CVE-2018-15473)
• Fix Rust standard library integer overflow (CVE-2018-1000810)

Bug fixes:

• Fix missing kernel headers (#2505)

Updates:

• coreos-metadata 3.0.1
• etcd-wrapper 3.3.10
• etcdctl 3.3.10
• Git 2.18.1
• Linux 4.19
• linux-firmware 20181001
• OpenSSH 7.7p1
• Rust 1.29.1

Flatcar updates

Changes:

• Add new image signing subkey to flatcar-install (flatcar-linux/init#4)

Bug fixes:

• Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)

Upstream Container Linux updates:

Updates:

• glibc 2.26
• Go 1.11.1
• Linux 4.18.12
• nfs-utils 2.3.1
• open-vm-tools 10.3.0

Upstream Container Linux updates:

Bug fixes:

• Fix Google Compute Engine OS Login activation (#2503)

Updates:

• Linux 4.18.9

Upstream Container Linux updates:

Bug fixes:

• Fix Docker mounting named volumes (#2497)
• Fix Azure disk detection in Ignition (#2481)

Changes:

• Add support for Google Compute Engine OS Login
• Enable support for Mellanox Ethernet switches

Updates:

• coreos-metadata 3.0.0
• Go 1.10.4
• Go 1.11
• intel-microcode 20180807a
• Linux 4.18.7
• update-ssh-keys 0.3.0

Upstream Container Linux updates:

Changes:

• Add CIFS userspace utilities (#571)
• Drop AWS PV images from regions which do not support PV

Updates:

• containerd 1.1.2
• Docker 18.06.1-ce
• Ignition 0.28.0
• Linux 4.18.5
• Rust 1.28.0

Upstream Container Linux updates:

Security fixes:

• Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
• Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)
• Fix curl SMTP buffer overflow (CVE-2018-0500)

Bug fixes:

• Fix PXE systems attempting to mount an ESP (#2491)

Updates:

• coreos-metadata 2.0.0
• curl 7.61.0
• Ignition 0.27.0
• Linux 4.17.15
• update-ssh-keys 0.2.1

Upstream Container Linux updates:

Security fixes:

• Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)

Bug fixes:

• Fix failure to mount large ext4 filesystems (#2485)

Updates:

• Linux 4.17.12

Upstream Container Linux updates:

Changes:

• Remove ARM64 architecture
• Remove developer image from SDK

Updates:

• etcd 3.3.9
• etcdctl 3.3.9
• Linux 4.17.11

Upstream Container Linux updates:

Changes:

• Add torcx remotes support

Updates:

• containerd 1.1.1
• Docker 18.06.0-ce
• intel-microcode 20180703
• Linux 4.17.9
• Update Engine 0.4.9

Upstream Container Linux updates:

Security fixes:

• Fix curl buffer overflows (CVE-2018-1000300, CVE-2018-1000301)
• Fix Linux random seed during early boot (CVE-2018-1108)

Changes:

• Reads of /dev/urandom early in boot will block until entropy pool is fully initialized
• Support friendly AWS EBS NVMe device names (#2399)

Updates:

• cryptsetup 1.7.5
• curl 7.60.0
• etcd-wrapper 3.3.8
• etcdctl 3.3.8
• intel-microcode 20180616
• kmod 25
• Linux 4.17.3
• linux-firmware 20180606
• Locksmith 0.6.2
• OpenSSL 1.0.2o

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Changes:

• Drop obsolete cros_sdk method of entering SDK

Updates:

• etcd 3.3.7
• etcdctl 3.3.7
• Go 1.9.7
• Go 1.10.3
• Ignition 0.26.0
• Linux 4.16.16
• torcx 0.2.0

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Upstream Container Linux updates:

Security fixes:

• Fix multiple procps vulnerabilities (CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126, CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1126)
• Fix shadow privilege escalation (CVE-2018-7169)
• Fix samba man-in-the-middle attack (CVE-2016-2119)
• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix failure to set network interface MTU (#2443)
• Fix inadvertent change of network interface names (#2437)
• Fix Docker bind mounts from root filesystem (#2440)

Changes:

• Update VMware virtual hardware version to 11 (ESXi > 6.0)

Updates:

• etcd 3.3.6
• etcdctl 3.3.6
• Git 2.16.4
• Linux 4.16.14
• open-vm-tools 10.2.5
• procps 3.3.15
• samba 4.5.16
• shadow 4.6

Upstream Container Linux updates:

Security fixes:

• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix failure to set network interface MTU (#2443)

Updates:

• Git 2.16.4
• Linux 4.16.13

Upstream Container Linux updates:

Bug fixes:

• Fix inadvertent change of network interface names (#2437)
• Fix Docker bind mounts from root filesystem (#2440)

Upstream Container Linux updates:

Security fixes:

• Fix ncurses denial of service and arbitrary code execution (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113, CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13733, CVE-2017-13734, CVE-2017-16879)
• Fix rsync arbitrary command execution (CVE-2018-5764)
• Fix wget cookie injection (CVE-2018-0494)

Changes:

• Enable QLogic FCoE offload support (#2367)
• Enable hardware RNG kernel drivers (#2430)
• Add notrap to ntpd default access restrictions (#2220)
• Allow booting default GRUB menu entry if GRUB password is enabled (#1597)
• coreos-install -i no longer modifies grub.cfg (#2291)
• QEMU wrapper script now enables VirtIO RNG device

Updates:

• bind-tools 9.11.2-P1
• Docker 18.05.0-ce
• etcd-wrapper 3.3.5
• etcdctl 3.3.5
• GnuPG 2.2.7
• GPT fdisk 1.0.3
• Ignition 0.25.1
• Less 529
• Linux 4.16.10
• rsync 3.1.3
• Rust 1.26
• util-linux 2.32
• vim 8.0.1298
• wget 1.19.5

Upstream Container Linux updates:

Bug fixes:

• Fix GRUB free magic error on existing systems (#2400)

Changes:

• Support storing sudoers in SSSD and LDAP
• No longer publish Oracle Cloud release images

Updates:

• audit 2.7.1
• coreutils 8.28
• etcd-wrapper 3.3.4
• etcdctl 3.3.4
• Go 1.9.6
• Go 1.10.2
• Linux 4.16.7
• sudo 1.8.23
• Update Engine 0.4.7
• wa-linux-agent 2.2.25

Upstream Container Linux updates:

Security fixes:

• Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
• Fix ntp denial of service from out of bounds read (CVE-2018-7182)
• Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
• Fix ntp remote code execution (CVE-2018-7183)

Bug fixes:

• Pass /etc/machine-id from the host to the kubelet
• Fix docker2aci tar conversion (#2402)
• Switch /boot from FAT16 to FAT32 (#2246)

Changes:

• Make Ignition failures more visible on the console

Updates:

• containerd 1.0.3
• coreos-cloudinit 1.14.0
• coreos-metadata 1.0.6
• Docker 18.04.0-ce
• Go 1.9.5
• Go 1.10.1
• Linux 4.16.3
• ntp 4.2.8p11
• rkt 1.30.0
• Rust 1.25.0
• torcx 0.1.3
• update-ssh-keys 0.1.2

Flatcar updates

Initial Flatcar release.

Notes:

• Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.

Upstream Container Linux updates:

Security fixes:

• Fix curl out of bounds read (CVE-2018-1000005)
• Fix curl authentication data leak (CVE-2018-1000007)
• Fix curl buffer overflow (CVE-2018-1000120)
• Fix glibc integer overflow in libcidn (CVE-2017-14062)
• Fix glibc memory issues in glob() with ~ (CVE-2017-15670, CVE-2017-15671, CVE-2017-15804)
• Fix glibc mishandling RPATHs with $ORIGIN on setuid binaries (CVE-2017-16997)
• Fix glibc buffer underflow in realpath() (CVE-2018-1000001)
• Fix glibc integer overflow and heap corruption in memalign() (CVE-2018-6485)

Bug fixes:

• Fix GRUB crash at boot (#2284)

Updates:

• curl 7.59.0
• etcd-wrapper 3.3.3
• etcdctl 3.3.3
• glibc 2.25
• Ignition 0.24.0
• Linux 4.15.15
• Update Engine 0.4.6

Flatcar updates

Bug fixes:

• Use newest network interface naming scheme (https://github.com/flatcar-linux/Flatcar/issues/36)
  • It is a possible breaking change for some persistent network interface names
• Fix coreos-cloudinit variable names (https://github.com/flatcar-linux/coreos-overlay/pull/206)
• Prefer /boot/coreos to write updates (https://github.com/flatcar-linux/update_engine/pull/2)
• Build a download URL in a safer way (https://github.com/flatcar-linux/update_engine/issues/3)
• Remove /boot/coreos/first_boot after a Ignition rerun on migration (https://github.com/flatcar-linux/bootengine/pull/10)
• Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar-linux/ignition/pull/10)
• Make flannel cross-node traffic work with systemd > 242 (https://github.com/coreos/flannel/issues/1155, https://github.com/flatcar-linux/coreos-overlay/pull/279)

Changes:

• Add tracepath alongside traceroute6 (https://github.com/flatcar-linux/Flatcar/issues/50)
• Extend logging capabilities of mayday (https://github.com/flatcar-linux/Flatcar/issues/61)

Updates:

• Linux 5.6.2
  • An occasional lockup issue can happen at crypto_wait_for_test (https://bugzilla.kernel.org/show_bug.cgi?id=207159)
• Docker 19.03.8
• open-vm-tools 11.0.5
• openssh 8.1
• WAAgent 2.2.46

Flatcar updates

Bug fixes:

• Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
• Make systemd-hostnamed work again by updating systemd to v243 (https://github.com/flatcar-linux/systemd/pull/7)
• Use correct branch name format in developer container tools (https://github.com/flatcar-linux/dev-util/pull/2)

Updates:

• Linux 5.5.6
• systemd 243

Flatcar updates

Security fixes:

• Fix incorrect access control leading to privileges escalation in runc (CVE-2019-19921)
• Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker (CVE-2020-1712)

Bug fixes:

• Fix backwards compatibility issues for users to migrate from CoreOS Container Linux (https://github.com/flatcar-linux/Flatcar/issues/16 https://github.com/flatcar-linux/afterburn/pull/7 https://github.com/flatcar-linux/bootengine/pull/7 https://github.com/flatcar-linux/bootengine/pull/8 https://github.com/flatcar-linux/init/pull/16 https://github.com/flatcar-linux/init/pull/17 https://github.com/flatcar-linux/ignition/pull/8)

Changes:

• Build Flatcar tarballs to be used by containers (https://github.com/flatcar-linux/scripts/pull/51)
• Enable qede kernel module
• Enable kernel config for BTF (BPF Type Format)

Updates:

• Linux 5.5.2
• coreos-firmware 20200122 (https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20200122)
• runc 1.0.0-rc10

Flatcar updates

Security fixes:

• Fix stack-based buffer overflow in sudo (CVE-2019-18634)

Bug fixes:

• Fix DNS resolution for the GCE metadata server (https://github.com/flatcar-linux/coreos-overlay/pull/160)
• Use correct URLs for flatcar-linux in emerge-gitclone and scripts (https://github.com/flatcar-linux/dev-util/pull/1) (https://github.com/flatcar-linux/scripts/pull/50)
• Fix a wrong profile reference in torcx (https://github.com/flatcar-linux/coreos-overlay/pull/162)
• Use rkt again instead of docker in wrappers (https://github.com/flatcar-linux/coreos-overlay/pull/163)
• Create symlink for /run/metadata/coreos (https://github.com/flatcar-linux/coreos-overlay/pull/166)
• Create symlink for flatcar-install (https://github.com/flatcar-linux/init/pull/14)
• Build static libraries for elfutils (https://github.com/flatcar-linux/coreos-overlay/pull/169)

Updates:

• Linux 5.4.16
• dwarves 1.16
• elfutils 0.178
• sudo 1.8.31
• wireguard 20200128

Flatcar updates

Security fixes:

• Fix a denial-of-service issue via malicious access to /dev/kvm (CVE-2019-19332)

Bug fixes:

• Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)
• Use rkt instead of docker in kubelet-wrapper (https://github.com/flatcar-linux/coreos-overlay/pull/148)

Changes:

• Support the default layout feature in mdadm (https://github.com/flatcar-linux/coreos-overlay/pull/146)

Updates:

• Linux 5.4.4
• containerd 1.3.2
• mdadm 4.1
• wireguard 20191212

Flatcar updates

This release is done for both amd64 and arm64.

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
• Fix curl Kerberos FTP double free (CVE-2019-5481)
• Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5482)
• Fix openssl key extraction attacks under non-default conditions (CVE-2019-1563, CVE-2019-1547)
• Fix heap-based buffer over-read in libexpat (CVE-2019-15903)

Bug fixes:

• Fix cross-build issues around WAF by creating wrappers (https://github.com/flatcar-linux/coreos-overlay/pull/138)
• Fix rust-related issues around cross toolchains (https://github.com/flatcar-linux/scripts/pull/34)
• Fix time zone for Brazil (https://github.com/flatcar-linux/coreos-overlay/pull/118)

Changes:

• Support cross-builds for ARM64 (https://github.com/flatcar-linux/coreos-overlay/pull/122)

Updates:

• Linux 5.4.2
• curl 7.66.0
• docker 19.03.5
• etcd 3.3.18
• expat 2.2.8
• intel-microcode 20191115
• ldb 1.3.6
• openssl 1.0.2t
• samba 4.8.6
• talloc 2.1.11
• tdb 1.3.15
• tevent 0.9.37
• timezone-data 2019c

Flatcar updates

Bug fixes:

• Fix wrong CROS_WORKON_COMMIT values (https://github.com/flatcar-linux/coreos-overlay/pull/101)
• Fix bug of unpacking tarballs failing when xattr is not supported (https://github.com/flatcar-linux/torcx/pull/3)

Changes:

• Replace rkt with docker in scripts like kubelet-wrapper (https://github.com/flatcar-linux/coreos-overlay/pull/103)

Updates:

• docker 19.03.4
• containerd 1.3.0

Flatcar updates

Bug fixes:

• Fix issue of missing patches in grub (https://github.com/flatcar-linux/grub/pull/1)
• Fix issue of wrong commit IDs for repos like init

Flatcar updates

Security fixes:

• Fix panic caused by invalid DSA public keys in Go 1.12 and 1.13 (CVE-2019-17596)
• Fix AppArmor restriction bypass issue in runc 1.0.0-rc8 or older (CVE-2019-16884)
• Fix bypass of certain policy blacklists and session PAM modules in sudo 1.8.27 or older (CVE-2019-14287)

Bug fixes:

• Fix rkt fetch issue that does not work without docker:// prefix in URLs (https://github.com/flatcar-linux/coreos-overlay/pull/96)
• Multiple bug fixes from the upstream systemd-stable repo (https://github.com/flatcar-linux/coreos-overlay/pull/97)

Updates:

• Linux 5.3.7
• Go 1.12.12 and 1.13.3
• runc 1.0.0-rc9
• sudo 1.8.28

Flatcar updates

Security fixes:

• Fix dbus authentication bypass in non-default configurations (CVE-2019-12749)
• Fix kernel KVM guest escape (CVE-2019-14835)
• Fix race condition in Intel microprocessors (CVE-2019-11184)
• Fix invalid HTTP/1.1 handling in net/http of Go (CVE-2019-16276)

Bug fixes:

• Fix path prefix in crio-wipe.service in cri-o (https://github.com/flatcar-linux/coreos-overlay/pull/91)
• Fix ListenPort= in WireGuard section in systemd (https://github.com/flatcar-linux/systemd/pull/5)

Updates:

• Linux 5.3.1
• Go 1.12.10
• coreos-firmware 20190815 (https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20190815)
• cri-o 1.15.2
• cri-tools 1.16.1
• intel-microcode 20190918

Flatcar updates

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix commit ID to match with Manifest in coreos-firmware (https://github.com/flatcar-linux/coreos-overlay/pull/76)
• Use mantle/ignition versions which have the opt/org.flatcar-linux Ignition variable (https://github.com/flatcar-linux/coreos-overlay/pull/77)

Updates:

• Linux 5.2.13
• systemd v242 (https://github.com/flatcar-linux/coreos-overlay/pull/71)
• containerd 1.2.8
• cri-o 1.15.1
• docker 19.03.2

Flatcar updates

Security fixes:

• Fix secret leakage in libgcrypt (CVE-2018-6829)
• Fix denial of service in libtasn1 (CVE-2018-1000654)
• Fix bypass of a protection mechanism in libxslt (CVE-2019-11068)

Bug fixes:

• Fix an issue of oem-gce crashlooping in GCE images (https://github.com/flatcar-linux/coreos-overlay/pull/69)

Updates:

• Linux 5.2.11
• libgcrypt 1.8.3
• libtasn1 4.13
• libxslt 1.1.33

Flatcar updates

Security fixes:

• Fix denial of service in HTTP/2 implementations written in Go (CVE-2019-9512 CVE-2019-9514 CVE-2019-14809 )
• Fix arbitrary execution of code in libarchive ( CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 )
• Fix privilege escalation issues in polkit (CVE-2018-1116 CVE-2018-19788 )
• Fix arbitrary execution of SQL statements in sqlite ( CVE-2019-5018 CVE-2019-9936 CVE-2019-9937 )
• Fix arbitrary execution of code in wget ( CVE-2019-5953 )
• Fix issues of secret leakage and nsswitch based config in Docker ( CVE-2019-13509 CVE-2019-14271 )

Bug fixes:

• Remove unnecessary dependency on Go 1.6 from cgroupid (https://github.com/flatcar-linux/coreos-overlay/commit/20f24ed14daf747e9b6923ee6baf2aa3635589e8)

Updates:

• Linux 5.2.9
• Binutils 2.32-r1
• Docker 19.03.1
• Go 1.12.9
• Libarchive 3.3.3
• Patch 2.7.6-r4
• Polkit 0.113-r5
• Rust 1.37.0
• Cargo 1.37.0 (https://github.com/rust-lang/cargo/releases/tag/0.38.0)
• Sqlite 3.29.0
• Wget 1.20.3

Upstream Container Linux updates:

Security fixes:

• Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)

Flatcar updates

Security fixes:

• Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/flatcar-linux/coreos-overlay/pull/61) (CVE-2019-3842)

Bug fixes:

• Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
• Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)

Updates:

• Linux 5.2.7
• cri-o 1.15.0

Changes:

• Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)

Upstream Container Linux updates:

Bug fixes:

• Fix Ignition fetching from S3 URLs when network is slow to start (ignition#826)

Flatcar updates

Bug fixes:

• Fix cgroup v2 path for systemd hybrid mode in runc (https://github.com/flatcar-linux/coreos-overlay/pull/58)
• Fix issue of rsyslog not running with root directory in systemd (https://github.com/flatcar-linux/systemd/pull/3)

Updates:

• Linux 5.2.5

Changes:

• Enable SELinux for tar and coreutils for SDK profile (https://github.com/flatcar-linux/coreos-overlay/pull/55)

Flatcar updates

Bug fixes:

• Temporary workaround for runc on Flatcar: disable SELinux for runc v1.0.0-rc8
• Fix a bug in bind mount options in systemd

Updates:

• Upgrade runc to 1.0.0-rc8

Upstream Container Linux updates:

Bug fixes:

• Fix Docker device or resource busy error when creating overlay mounts, introduced in 2191.99.0

Flatcar updates

Updates:

• Linux 5.2.1

Flatcar updates

Bug fixes:

• Fix a bug in systemd not being able to activate netlink (https://github.com/flatcar-linux/coreos-overlay/pull/49)

Updates:

• Linux 5.2
• docker 18.09.7
• wireguard 0.0.20190702
• coreos-firmware 20190620

Upstream Container Linux updates:

Security fixes:

• Fix libexpat denial of service (CVE-2018-20843)

Bug fixes:

• Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (https://github.com/coreos/ignition/issues/821)

Updates:

• expat 2.2.7
• Ignition 0.33.0

Flatcar updates

Bug fixes:

• make containerd listen on localhost (https://github.com/flatcar-linux/coreos-overlay/pull/41)

Updates:

• Linux 5.1.15
• cri-tools 1.14.0

Changes:

• Fix installation prefix of conmon in a cri-o example config (https://github.com/flatcar-linux/coreos-overlay/pull/43)

Flatcar updates

Security fixes:

• Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Updates:

• Linux 5.1.11
• cri-o 1.14.4

Flatcar updates

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)

Bug fixes:

• Fix kernel build path issues to build coreos-firmware (https://github.com/flatcar-linux/coreos-overlay/pull/36) (https://github.com/flatcar-linux/coreos-overlay/pull/31)

Updates:

• intel-microcode 20190514
• Linux 5.1.5

Initial release

This is the first release meant to be used by the public so all the Edge changes are listed.

Flatcar updates

Changes:

• Add bpftool (https://github.com/flatcar-linux/coreos-overlay/pull/24)
• Add wireguard (https://github.com/flatcar-linux/coreos-overlay/pull/32)
• Add a new package cri-o (https://github.com/flatcar-linux/coreos-overlay/pull/29)
• Add cgroupid and patch runc for OCI hooks (https://github.com/flatcar-linux/coreos-overlay/pull/23)
• Enable cgroup v2 via kernel command line (https://github.com/flatcar-linux/scripts/commit/271ec2423bc99c9d23faf4ab6ae722726f955966)
• Add missing OEM changes for cloud providers to enable cgroup v2 (https://github.com/flatcar-linux/coreos-overlay/commit/f4dde83caf457fc5b480edbbb54d550632c92cf3)
• Make docker and containerd support cgroup v2 (https://github.com/flatcar-linux/coreos-overlay/commit/8184af2518634c115dd6ef623959da5948be4cca)
• Add CFLAGS to prevent the Spectre v2 (https://github.com/flatcar-linux/coreos-overlay/pull/28)

Updates:

• Linux 5.1.0

Flatcar updates

Changes:

• add a new package cri-o (https://github.com/flatcar-linux/coreos-overlay/pull/29)
• add CFLAGS to prevent the Spectre v2 (https://github.com/flatcar-linux/coreos-overlay/pull/28)

Updates:

• Linux 5.0.9

Flatcar updates

Changes:

• add cgroupid and patch runc for OCI hooks (https://github.com/flatcar-linux/coreos-overlay/pull/23)
• add bpftool (https://github.com/flatcar-linux/coreos-overlay/pull/24)

Updates:

• Linux 5.0.7

Flatcar updates

Updates:

• Linux 5.0.1

Flatcar updates

Bug fixes:

• Add missing OEM changes for cloud providers to enable cgroup v2 (https://github.com/flatcar-linux/coreos-overlay/commit/f4dde83caf457fc5b480edbbb54d550632c92cf3)

Flatcar updates

Changes:

• enable cgroup v2 via kernel command line (https://github.com/flatcar-linux/scripts/commit/271ec2423bc99c9d23faf4ab6ae722726f955966)
• make docker and containerd support cgroup v2 (https://github.com/flatcar-linux/coreos-overlay/commit/8184af2518634c115dd6ef623959da5948be4cca)