Announcing new Alpha 3346.0.0, Beta 3277.1.2, Stable 3227.2.2, LTS-2022 3033.3.5, LTS-2021 2605.31.1 releases

[Flatcar Container Linux User]

Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, LTS-2022, LTS-2021 channels.

The images are signed with a new image signing subkey. If you verify the images, you need to update it. The new key is also updated in the embedded flatcar-install script and you should use, e.g., the new PXE images to install the latest releases to disk.

NOTE LTS-2021 is near the designated end of its 18 month lifespan and will only receive 1 more update by the end of September. If you use a fixed LTS channel please switch to LTS-2022, the new LTS which has been published in May. After the next update by end of September there will be no more releases for the LTS-2021 channel as it will enter EOL. Please check your nodes’ GROUP= setting in /etc/flatcar/update.conf to determine if you need to take action:

• GROUP=lts points to the latest LTS release. No need to take action as you are already using LTS-2022, which is the latest release.
• GROUP=lts-2022 you have pinned your nodes to the LTS-2022 channel. No need to take action as you are already using the latest release (however, you will need to take action in about 12 months to switch to LTS-2023. Check the release notes of upcoming LTS releases to stay up to date).
• GROUP=lts-2021 you have pinned your nodes to the LTS-2021 channel. Nodes will receive one more update by the end of September; after that, LTS-2021 will be EOL. Please refer to the Flatcar documentation on switching channels to switch to LTS-2022.

New Alpha Release 3346.0.0

Changes since Alpha 3305.0.1

Security fixes:

• Linux (CVE-2022-1679, CVE-2022-2585, CVE-2022-2586, CVE-2022-2588, CVE-2022-26373, CVE-2022-36946)
• Go (CVE-2022-32189)
• binutils (CVE-2021-45078)
• git (CVE-2022-29187)
• gnutls (CVE-2022-2509)
• libtirpc (CVE-2021-46828)
• oniguruma (oss-fuzz issues fixed 2022-04-30)
• shadow (CVE-2013-4235)
• vim (CVE-2022-0629, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729, CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-1616, CVE-2022-1619, CVE-2022-1620, CVE-2022-1621, CVE-2022-1629, CVE-2022-1674, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796, CVE-2022-1897, CVE-2022-1898, CVE-2022-1886, CVE-2022-1851, CVE-2022-1927, CVE-2022-1942, CVE-2022-1968, CVE-2022-2000)
• VMware: open-vm-tools (CVE-2022-31676)

Bug fixes:

• AWS: added EKS support for version 1.22 and 1.23. (coreos-overlay#2110, Flatcar#829)
• VMWare: excluded wireguard (and others) from systemd-networkd management. (init#80)

Changes:

• Added symlink from nc to ncat. -q option is not yet supported (flatcar#545)
• The new image signing subkey was added to the public key embedded into flatcar-install (the old expired on 10th August 2022), only an updated flatcar-install script can verify releases signed with the new key (init#79)
• AWS: Added AWS IMDSv2 support to coreos-cloudinit (flatcar-linux/coreos-cloudinit#13)

Updates:

• Linux (5.15.63 (includes 5.15.62, 5.15.61, 5.15.60, 5.15.59)
• Linux Firmware (20220815)
• binutils (2.38)
• boost (1.79)
• ca-certificates (3.82)
• containerd (1.6.8)
• Cyrus SASL (2.1.28)
• gcc (11.3.0)
• git (2.37.1)
• glib (2.72.3)
• gnutls (3.7.7)
• oniguruma (6.9.8)
• shadow (4.12.3)
• vim (8.2.5066)
• SDK: automake (1.16.5)
• SDK: bison (3.8.2)
• SDK: libtool (2.4.7)
• SDK: perl (5.34.1)
• SDK: pkgconf (1.8.0)
• SDK: Rust (1.63.0)
• VMware: open-vm-tools (12.1.0)

New Beta Release 3277.1.2

Changes since Beta 3277.1.1

Security fixes:

• Linux (CVE-2022-1679, CVE-2022-2585, CVE-2022-2586, CVE-2022-2588, CVE-2022-26373, CVE-2022-36946)

Bug fixes:

• AWS: added EKS support for version 1.22 and 1.23. (coreos-overlay#2110, Flatcar#829)
• VMWare: excluded wireguard (and others) from systemd-networkd management. (init#80)

Changes:

• The new image signing subkey was added to the public key embedded into flatcar-install (the old expired on 10th August 2022), only an updated flatcar-install script can verify releases signed with the new key (init#79)
• AWS: Added AWS IMDSv2 support to coreos-cloudinit (flatcar-linux/coreos-cloudinit#13)

Updates:

• Linux (5.15.63 (includes 5.15.62, 5.15.61, 5.15.60, 5.15.59)
• ca-certificates (3.82)

New Stable Release 3227.2.2

Note: The ARM64 AWS AMI of the Stable release has an unknown issue of corrupted images which we are still investigating. We will release the AMI as soon as we have resolved the issue. Follow #840 for more information

Changes since Stable 3227.2.1

Security fixes:

• Linux (CVE-2022-1679, CVE-2022-2585, CVE-2022-2586, CVE-2022-2588, CVE-2022-26373, CVE-2022-36946)

Bug fixes:

• AWS: added EKS support for version 1.22 and 1.23. (coreos-overlay#2110, Flatcar#829)
• VMWare: excluded wireguard (and others) from systemd-networkd management. (init#80)

Changes:

• The new image signing subkey was added to the public key embedded into flatcar-install (the old expired on 10th August 2022), only an updated flatcar-install script can verify releases signed with the new key (init#79)

Updates:

• Linux (5.15.63 (includes 5.15.62, 5.15.61, 5.15.60, 5.15.59)
• ca-certificates (3.82)

New LTS-2022 Release 3033.3.5

Changes since LTS 3033.3.4

Security fixes:

• Linux (CVE-2022-1679, CVE-2022-2153, CVE-2022-2585, CVE-2022-2586, CVE-2022-2588, CVE-2022-26373, CVE-2022-36946)

Changes:

• The new image signing subkey was added to the public key embedded into flatcar-install (the old expired on 10th August 2022), only an updated flatcar-install script can verify releases signed with the new key (init#79)

Updates:

• Linux (5.10.137 (includes 5.10.136, 5.10.135))
• ca-certificates (3.82)

New LTS-2021 Release 2605.31.1

NOTE LTS-2021 is near the designated end of its 18 month lifespan and will only receive 1 more update by the end of September. If you use a fixed LTS channel please switch to LTS-2022, the new LTS which has been published in May. After the next update by end of September there will be no more releases for the LTS-2021 channel. Please check your nodes’ GROUP= setting in /etc/flatcar/update.conf to determine if you need to take action. Please refer to the Flatcar documentation on switching channels to switch to LTS-2022.

Changes since LTS 2605.30.1

Security fixes:

• Linux (CVE-2021-4159, CVE-2022-1462, CVE-2022-20369, CVE-2022-21505, CVE-2022-26373, CVE-2022-36123, CVE-2022-36879, CVE-2022-36946)

Changes:

• The new image signing subkey was added to the public key embedded into flatcar-install (the old expired on 10th August 2022), only an updated flatcar-install script can verify releases signed with the new key (init#79)

Updates:

• Linux (5.4.210 (includes 5.4.209, 5.4.208, 5.4.207))
• ca-certificates (3.82)

Note: LTS 2605.32.1 i.e the next release to be release in the month of September would be the last release for LTS-2021. Post that there will be no more releases for the channel. Please upgrade your workloads to LTS-2022 as soon as possible.

Best,
The Flatcar Container Linux Maintainers