Hello,
We are pleased to announce new Flatcar Container Linux releases for the Alpha, Beta, Stable, and LTS-2023 channels.

New Alpha Release 3874.0.0

Changes since Alpha 3850.0.0
Security fixes:
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages (ue-rs#49)
- Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
Changes:
- Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
Updates:

New Beta Release 3850.1.0

Changes since Beta 3815.1.0
Security fixes:
- Linux (CVE-2022-27672, CVE-2022-36402, CVE-2022-36402, CVE-2022-40982, CVE-2022-4269, CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2022-48425, CVE-2023-0160, CVE-2023-0160, CVE-2023-0459, CVE-2023-1032, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1118, CVE-2023-1192, CVE-2023-1194, CVE-2023-1206, CVE-2023-1281, CVE-2023-1380, CVE-2023-1380, CVE-2023-1513, CVE-2023-1583, CVE-2023-1611, CVE-2023-1670, CVE-2023-1829, CVE-2023-1855, CVE-2023-1859, CVE-2023-1989, CVE-2023-1990, CVE-2023-1998, CVE-2023-2002, CVE-2023-2002, CVE-2023-20569, CVE-2023-20588, CVE-2023-20593, CVE-2023-2124, CVE-2023-21255, CVE-2023-21264, CVE-2023-2156, CVE-2023-2156, CVE-2023-2163, CVE-2023-2163, CVE-2023-2194, CVE-2023-2235, CVE-2023-2248, CVE-2023-2248, CVE-2023-2269, CVE-2023-2269, CVE-2023-2483, CVE-2023-25012, CVE-2023-25775, CVE-2023-25775, CVE-2023-2598, CVE-2023-26545, CVE-2023-28466, CVE-2023-28866, CVE-2023-2898, CVE-2023-2985, CVE-2023-30456, CVE-2023-30772, CVE-2023-3090, CVE-2023-31085, CVE-2023-3117, CVE-2023-31248, CVE-2023-3141, CVE-2023-31436, CVE-2023-31436, CVE-2023-3212, CVE-2023-3220, CVE-2023-32233, CVE-2023-32233, CVE-2023-32247, CVE-2023-32247, CVE-2023-32248, CVE-2023-32248, CVE-2023-32250, CVE-2023-32250, CVE-2023-32252, CVE-2023-32252, CVE-2023-32254, CVE-2023-32254, CVE-2023-32257, CVE-2023-32257, CVE-2023-32258, CVE-2023-32258, CVE-2023-3268, CVE-2023-3268, CVE-2023-3269, CVE-2023-3269, CVE-2023-3312, CVE-2023-3312, CVE-2023-3317, CVE-2023-33203, CVE-2023-33250, CVE-2023-33250, CVE-2023-33288, CVE-2023-3355, CVE-2023-3390, CVE-2023-33951, CVE-2023-33951, CVE-2023-33952, CVE-2023-33952, CVE-2023-34255, CVE-2023-34256, CVE-2023-34256, CVE-2023-34319, CVE-2023-34324, CVE-2023-35001, CVE-2023-35788, CVE-2023-35823, CVE-2023-35823, CVE-2023-35824, CVE-2023-35824, CVE-2023-35826, CVE-2023-35826, CVE-2023-35827, CVE-2023-35828, CVE-2023-35828, CVE-2023-35829, CVE-2023-35829, CVE-2023-3609, CVE-2023-3610, CVE-2023-3610, CVE-2023-3611,
CVE-2023-37453, CVE-2023-37453, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-3777, CVE-2023-38409, CVE-2023-38426, CVE-2023-38427, CVE-2023-38428, CVE-2023-38429, CVE-2023-38430, CVE-2023-38431, CVE-2023-38432, CVE-2023-38432, CVE-2023-3863, CVE-2023-3863, CVE-2023-3865, CVE-2023-3865, CVE-2023-3866, CVE-2023-3866, CVE-2023-3867, CVE-2023-39189, CVE-2023-39191, CVE-2023-39192, CVE-2023-39192, CVE-2023-39193, CVE-2023-39193, CVE-2023-39194, CVE-2023-39197, CVE-2023-39197, CVE-2023-39198, CVE-2023-4004, CVE-2023-4015, CVE-2023-40283, CVE-2023-40791, CVE-2023-4128, CVE-2023-4132, CVE-2023-4133, CVE-2023-4133, CVE-2023-4134, CVE-2023-4134, CVE-2023-4147, CVE-2023-4155, CVE-2023-4194, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4244, CVE-2023-4273, CVE-2023-42752, CVE-2023-42752, CVE-2023-42753, CVE-2023-42753, CVE-2023-42754, CVE-2023-42756, CVE-2023-44466, CVE-2023-4563, CVE-2023-4569, CVE-2023-45862, CVE-2023-45863, CVE-2023-45871, CVE-2023-45871, CVE-2023-45898, CVE-2023-4610, CVE-2023-4611, CVE-2023-4623, CVE-2023-4623, CVE-2023-46343, CVE-2023-46813, CVE-2023-46838, CVE-2023-46838, CVE-2023-46862, CVE-2023-46862, CVE-2023-4881, CVE-2023-4921, CVE-2023-50431, CVE-2023-50431, CVE-2023-5090, CVE-2023-51042, CVE-2023-51043, CVE-2023-5158, CVE-2023-51779, CVE-2023-51780, CVE-2023-51781, CVE-2023-51782, CVE-2023-5197, CVE-2023-5345, CVE-2023-5633, CVE-2023-5717, CVE-2023-5972, CVE-2023-6039, CVE-2023-6111, CVE-2023-6121, CVE-2023-6176, CVE-2023-6200, CVE-2023-6531, CVE-2023-6546, CVE-2023-6560, CVE-2023-6606, CVE-2023-6610, CVE-2023-6610, CVE-2023-6622, CVE-2023-6817, CVE-2023-6915, CVE-2023-6915, CVE-2023-6931, CVE-2023-6932, CVE-2023-7192, CVE-2024-0193, CVE-2024-0443, CVE-2024-0565, CVE-2024-0582, CVE-2024-0584, CVE-2024-0607, CVE-2024-0607, CVE-2024-0639, CVE-2024-0641, CVE-2024-0646, CVE-2024-0775, CVE-2024-0775, CVE-2024-1085, CVE-2024-1085, CVE-2024-1086, CVE-2024-1086, CVE-2024-1312, CVE-2024-22705, CVE-2024-23849, CVE-2024-23849)
- binutils (CVE-2023-1972)
- curl (CVE-2023-46218, CVE-2023-46219)
- docker (CVE-2024-24557)
- gnutls (CVE-2023-5981)
- intel-microcode (CVE-2023-23583)
- libxml2 (CVE-2023-45322)
- openssh (CVE-2023-48795, CVE-2023-51384, CVE-2023-51385)
- openssl (CVE-2023-3817, CVE-2023-5363, CVE-2023-5678)
- runc (CVE-2024-21626)
- traceroute (CVE-2023-46316)
- vim (CVE-2023-5344, CVE-2023-5441, CVE-2023-5535, CVE-2023-46246)
- SDK: perl (CVE-2023-47038)
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages (ue-rs#49)
- Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
Changes:
- Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
- Updated the generation of SLSA provenance info from v0.2 to v1.0.
Updates:

Changes since Alpha 3850.0.0
Security fixes:
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages (ue-rs#49)
- Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
Changes:
- Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
Updates:

New Stable Release 3815.2.0

Changes since Stable 3760.2.0
Security fixes:
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
- Set TTY used for fetching server_context to RAW mode before running cloudinit on cloudsigma (scripts#1280)
Changes:
- torcx was replaced by systemd-sysext in the OS image. Learn more about sysext and how to customise OS images here.
  (which is now also a legacy option because systemd-sysext offers a more robust and better structured way of customisation, including OS independent updates).
- NOTE: The docker btrfs storage driver has been de-prioritised; BTRFS backed storage will now default to the overlay2 driver (changelog, upstream pr).
- NOTE: If you are already using btrfs-backed Docker storage and are upgrading to this new version, Docker will automatically use the btrfs storage driver for backwards-compatibility with your deployment.
- Docker will remove the btrfs driver entirely in a future version. Please consider migrating your deployments to the overlay2 driver. Using the btrfs driver can still be enforced by creating a respective docker config at /etc/docker/daemon.json.
- cri-tools, runc, containerd, docker, and docker-cli are now built from Gentoo upstream ebuilds. Docker received a major version upgrade - it was updated to Docker 24 (from Docker 20; see "updates").
- GCP OEM images now use a systemd-sysext image for layering additional platform-specific software on top of /usr and being part of the OEM A/B updates (flatcar#1146)
- Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
Updates:
- Linux (6.1.77 (includes 6.1.76, 6.1.75, 6.1.74))
- Linux Firmware (20231111 (includes 20231030))
- Go (1.20.12)
- Azure: WALinuxAgent (v2.9.1.1)
- DEV: Azure (3.11.6)
- DEV: iperf (3.15)
- DEV: smartmontools (7.4)
- SDK: Rust (1.73.0)
- SDK: Python (3.11.0 (includes 23.2))
- VMWare: open-vm-tools (12.3.5)
- acpid (2.0.34)
- ca-certificates (3.97)
- containerd (1.7.9 (includes 1.7.8, 1.7.13, 1.7.10))
- cri-tools (1.27.0)
- ding-libs (0.6.2)
- docker (24.0.9 (includes 24.0.6, 23.0))
- efibootmgr (18)
- efivar (38)
- ethtool (6.5)
- hwdata (v0.375 (includes 0.374))
- iproute2 (6.5.0)
- ipvsadm (1.31 (includes 1.30, 1.29, 1.28))
- json-c (0.17)
- libffi (3.4.4 (includes 3.4.3, 3.4.2))
- liblinear (246)
- libmnl (1.0.5)
- libnetfilter_conntrack (1.0.9)
- libnetfilter_cthelper (1.0.1)
- libnetfilter_cttimeout (1.0.1)
- libnfnetlink (1.0.2)
- libsodium (1.0.19)
- libunistring (1.1)
- libunwind (1.7.2 (includes 1.7.0))
- liburing (2.3)
- mpc (1.3.1 (includes 1.3.0))
- mpfr (4.2.1)
- nghttp2 (1.57.0 (includes 1.56.0, 1.55.1, 1.55.0, 1.54.0, 1.53.0, 1.52.0))
- nspr (4.35)
- ntp (4.2.8p17)
- nvme-cli (v2.6 (includes v1.6))
- protobuf (21.12 (includes 21.11, 21.10))
- runc (1.1.12)
- samba (4.18.8)
- sqlite (3.43.2)
- squashfs-tools (4.6.1 (includes 4.6))
- thin-provisioning-tools (1.0.6)

Changes since Beta 3815.1.0
Security fixes:
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
Changes:
- Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
Updates:

New LTS-2023 Release

Changes since LTS 3510.3.1
Security fixes:
- Linux (CVE-2022-47940, CVE-2023-1193, CVE-2023-1194, CVE-2023-25775, CVE-2023-32247, CVE-2023-32250, CVE-2023-32252, CVE-2023-32254, CVE-2023-32257, CVE-2023-32258, CVE-2023-38427, CVE-2023-38430, CVE-2023-38431, CVE-2023-3867, CVE-2023-46343, CVE-2023-46813, CVE-2023-46838, CVE-2023-46862, CVE-2023-51779, CVE-2023-51780, CVE-2023-51781, CVE-2023-51782, CVE-2023-52340, CVE-2023-5717, CVE-2023-6040, CVE-2023-6121, CVE-2023-6606, CVE-2023-6622, CVE-2023-6817, CVE-2023-6915, CVE-2023-6931, CVE-2023-6932, CVE-2024-0584, CVE-2024-0607, CVE-2024-0646, CVE-2024-1085, CVE-2024-22705)
- runc (CVE-2024-21626)
Bug fixes:
- Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
Changes:
- Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
- Backported the OEM payload support to update-engine to avoid the fallback download path for clients on a restricted network and rather use the URLs passed from flatcar-update -E or with self-hosted Nebraska payloads (Flatcar#1332, Flatcar#1326)
- Brightbox: The regular OpenStack image should now be used; it includes Afterburn for instance metadata attributes
- OpenStack: An uncompressed image is provided for simpler import (since the images use qcow2 inline compression, there is no benefit in using the .gz or .bz2 images)
Updates:
- Linux (5.15.148 (includes 5.15.147, 5.15.146, 5.15.145, 5.15.144, 5.15.143, 5.15.142, 5.15.141, 5.15.140, 5.15.139, 5.15.138, 5.15.137))
- ca-certificates (3.97 (includes 3.96.1, 3.96, 3.95))
- runc (1.1.12)
Best,
The Flatcar Container Linux Maintainers