Announcing new releases Alpha 3874.0.0, Beta 3850.1.0, Stable 3815.2.0, LTS 3510.3.2

32 views

Skip to first unread message

Flatcar Container Linux User

unread,

Feb 14, 2024, 8:20:57 AMFeb 14

to Flatcar Container Linux User

Hello,

We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, LTS-2023 channel.

New Alpha Release 3874.0.0

Changes since Alpha 3850.0.0

Security fixes:

Linux (CVE-2023-46838, CVE-2023-50431, CVE-2023-6610, CVE-2023-6915, CVE-2024-1085, CVE-2024-1086, CVE-2024-23849)
docker (CVE-2024-24557)
runc (CVE-2024-21626)

Bug fixes:

Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages (ue-rs#49)
Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)

Changes:

Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)

Updates:

Linux (6.6.16 (includes 6.6.15, 6.6.14, 6.6.13))
Linux Firmware (20240115)
afterburn (5.5.1)
ca-certificates (3.97)
containerd (1.7.13 (includes 1.7.12))
docker (24.0.9)
git (2.43.0 (includes 2.42.0))
iperf (3.16)
libuv (1.47.0)
runc (1.1.12)
SDK: make (4.4.1 (includes 4.4))
SDK: portage (3.0.61)

New Beta Release 3850.1.0

Changes since Beta 3815.1.0

Security fixes:

Linux (CVE-2022-27672, CVE-2022-36402, CVE-2022-36402, CVE-2022-40982, CVE-2022-4269, CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2022-48425, CVE-2023-0160, CVE-2023-0160, CVE-2023-0459, CVE-2023-1032, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1118, CVE-2023-1192, CVE-2023-1194, CVE-2023-1206, CVE-2023-1281, CVE-2023-1380, CVE-2023-1380, CVE-2023-1513, CVE-2023-1583, CVE-2023-1611, CVE-2023-1670, CVE-2023-1829, CVE-2023-1855, CVE-2023-1859, CVE-2023-1989, CVE-2023-1990, CVE-2023-1998, CVE-2023-2002, CVE-2023-2002, CVE-2023-20569, CVE-2023-20588, CVE-2023-20593, CVE-2023-2124, CVE-2023-21255, CVE-2023-21264, CVE-2023-2156, CVE-2023-2156, CVE-2023-2163, CVE-2023-2163, CVE-2023-2194, CVE-2023-2235, CVE-2023-2248, CVE-2023-2248, CVE-2023-2269, CVE-2023-2269, CVE-2023-2483, CVE-2023-25012, CVE-2023-25775, CVE-2023-25775, CVE-2023-2598, CVE-2023-26545, CVE-2023-28466, CVE-2023-28866, CVE-2023-2898, CVE-2023-2985, CVE-2023-30456, CVE-2023-30772, CVE-2023-3090, CVE-2023-31085, CVE-2023-3117, CVE-2023-31248, CVE-2023-3141, CVE-2023-31436, CVE-2023-31436, CVE-2023-3212, CVE-2023-3220, CVE-2023-32233, CVE-2023-32233, CVE-2023-32247, CVE-2023-32247, CVE-2023-32248, CVE-2023-32248, CVE-2023-32250, CVE-2023-32250, CVE-2023-32252, CVE-2023-32252, CVE-2023-32254, CVE-2023-32254, CVE-2023-32257, CVE-2023-32257, CVE-2023-32258, CVE-2023-32258, CVE-2023-3268, CVE-2023-3268, CVE-2023-3269, CVE-2023-3269, CVE-2023-3312, CVE-2023-3312, CVE-2023-3317, CVE-2023-33203, CVE-2023-33250, CVE-2023-33250, CVE-2023-33288, CVE-2023-3355, CVE-2023-3390, CVE-2023-33951, CVE-2023-33951, CVE-2023-33952, CVE-2023-33952, CVE-2023-34255, CVE-2023-34256, CVE-2023-34256, CVE-2023-34319, CVE-2023-34324, CVE-2023-35001, CVE-2023-35788, CVE-2023-35823, CVE-2023-35823, CVE-2023-35824, CVE-2023-35824, CVE-2023-35826, CVE-2023-35826, CVE-2023-35827, CVE-2023-35828, CVE-2023-35828, CVE-2023-35829, CVE-2023-35829, CVE-2023-3609, CVE-2023-3610, CVE-2023-3610, CVE-2023-3611, CVE-2023-37453, CVE-2023-37453, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-3777, CVE-2023-38409, CVE-2023-38426, CVE-2023-38427, CVE-2023-38428, CVE-2023-38429, CVE-2023-38430, CVE-2023-38431, CVE-2023-38432, CVE-2023-38432, CVE-2023-3863, CVE-2023-3863, CVE-2023-3865, CVE-2023-3865, CVE-2023-3866, CVE-2023-3866, CVE-2023-3867, CVE-2023-39189, CVE-2023-39191, CVE-2023-39192, CVE-2023-39192, CVE-2023-39193, CVE-2023-39193, CVE-2023-39194, CVE-2023-39197, CVE-2023-39197, CVE-2023-39198, CVE-2023-4004, CVE-2023-4015, CVE-2023-40283, CVE-2023-40791, CVE-2023-4128, CVE-2023-4132, CVE-2023-4133, CVE-2023-4133, CVE-2023-4134, CVE-2023-4134, CVE-2023-4147, CVE-2023-4155, CVE-2023-4194, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4244, CVE-2023-4273, CVE-2023-42752, CVE-2023-42752, CVE-2023-42753, CVE-2023-42753, CVE-2023-42754, CVE-2023-42756, CVE-2023-44466, CVE-2023-4563, CVE-2023-4569, CVE-2023-45862, CVE-2023-45863, CVE-2023-45871, CVE-2023-45871, CVE-2023-45898, CVE-2023-4610, CVE-2023-4611, CVE-2023-4623, CVE-2023-4623, CVE-2023-46343, CVE-2023-46813, CVE-2023-46838, CVE-2023-46838, CVE-2023-46862, CVE-2023-46862, CVE-2023-4881, CVE-2023-4921, CVE-2023-50431, CVE-2023-50431, CVE-2023-5090, CVE-2023-51042, CVE-2023-51043, CVE-2023-5158, CVE-2023-51779, CVE-2023-51780, CVE-2023-51781, CVE-2023-51782, CVE-2023-5197, CVE-2023-5345, CVE-2023-5633, CVE-2023-5717, CVE-2023-5972, CVE-2023-6039, CVE-2023-6111, CVE-2023-6121, CVE-2023-6176, CVE-2023-6200, CVE-2023-6531, CVE-2023-6546, CVE-2023-6560, CVE-2023-6606, CVE-2023-6610, CVE-2023-6610, CVE-2023-6622, CVE-2023-6817, CVE-2023-6915, CVE-2023-6915, CVE-2023-6931, CVE-2023-6932, CVE-2023-7192, CVE-2024-0193, CVE-2024-0443, CVE-2024-0565, CVE-2024-0582, CVE-2024-0584, CVE-2024-0607, CVE-2024-0607, CVE-2024-0639, CVE-2024-0641, CVE-2024-0646, CVE-2024-0775, CVE-2024-0775, CVE-2024-1085, CVE-2024-1085, CVE-2024-1086, CVE-2024-1086, CVE-2024-1312, CVE-2024-22705, CVE-2024-23849, CVE-2024-23849)
binutils (CVE-2023-1972)
curl (CVE-2023-46218, CVE-2023-46219)
docker (CVE-2024-24557)
gnutls (CVE-2023-5981)
intel-microcode (CVE-2023-23583)
libxml2 (CVE-2023-45322)
openssh (CVE-2023-48795, CVE-2023-51384, CVE-2023-51385)
openssl (CVE-2023-3817, CVE-2023-5363, CVE-2023-5678)
runc (CVE-2024-21626)
traceroute (CVE-2023-46316)
vim (CVE-2023-5344, CVE-2023-5441, CVE-2023-5535, CVE-2023-46246)
SDK: perl (CVE-2023-47038)

Bug fixes:

Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages (ue-rs#49)
Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)

Changes:

Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
Update generation SLSA provenance info from v0.2 to v1.0.

Updates:

Linux (6.6.16 (includes 6.6.15, 6.6.14, 6.6.13, 6.6.12, 6.6.11, 6.6.10, 6.6.9, 6.6.8, 6.6.7, 6.6))
Linux Firmware (20231211)
Go (1.20.13)
bash (5.2_p21)
binutils (2.41)
bpftool (6.5.7)
c-ares (1.21.0)
ca-certificates (3.97)
containerd (1.7.13 (includes 1.7.11))
coreutils (9.4)
curl (8.5.0)
docker (24.0.9)
elfutils (0.190)
gawk (5.3.0)
gentoolkit (0.6.3)
gettext (0.22.4)
glib (2.78.3)
gnutls (3.8.2)
groff (1.23.0)
hwdata (0.376)
intel-microcode (20231114_p20231114)
iproute2 (6.6.0)
ipset (7.19)
jq (1.7.1 (includes 1.7))
kbd (2.6.4)
kmod (31)
libarchive (3.7.2)
libdnet (1.16.4)
libksba (1.6.5)
libnsl (2.0.1)
libxslt (1.1.39)
lsof (4.99.0)
lz4 (1.9.4)
openssh (9.6p1)
openssl (3.0.12)
readline (8.2_p7)
runc (1.1.12)
selinux-base (2.20231002)
selinux-base-policy (2.20231002)
selinux-container (2.20231002)
selinux-dbus (2.20231002)
selinux-sssd (2.20231002)
selinux-unconfined (2.20231002)
sqlite (3.44.2)
strace (6.6)
traceroute (2.1.3)
usbutils (016)
util-linux (2.39.2)
vim (9.0.2092)
whois (5.5.20)
xmlsec (1.3.2)
xz-utils (5.4.5)
zlib (1.3)
SDK: perl (5.38.2)
SDK: portage (3.0.59)
SDK: python (3.11.7)
SDK: repo (2.37)
SDK: Rust (1.75.0 (includes 1.74.1))

Changes since Alpha 3850.0.0

Security fixes:

Linux (CVE-2023-46838, CVE-2023-50431, CVE-2023-6610, CVE-2023-6915, CVE-2024-1085, CVE-2024-1086, CVE-2024-23849)
docker (CVE-2024-24557)
runc (CVE-2024-21626)

Bug fixes:

Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages (ue-rs#49)
Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)

Changes:

Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)

Updates:

Linux (6.6.16 (includes 6.6.15, 6.6.14, 6.6.13))
ca-certificates (3.97)
containerd (1.7.13)
docker (24.0.9)
runc (1.1.12)

New Stable Release 3815.2.0

Changes since Stable 3760.2.0

Security fixes:

Linux (CVE-2023-46838, CVE-2023-50431, CVE-2023-6610, CVE-2023-6915, CVE-2024-1085, CVE-2024-1086, CVE-2024-23849)
Go (CVE-2023-39326, CVE-2023-45285)
VMWare: open-vm-tools (CVE-2023-34058, CVE-2023-34059)
docker (CVE-2024-24557)
nghttp2 (CVE-2023-44487)
runc (CVE-2024-21626)
samba (CVE-2023-4091)
zlib (CVE-2023-45853)

Bug fixes:

Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
Set TTY used for fetching server_context to RAW mode before running cloudinit on cloudsigma (scripts#1280)

Changes:

torcx was replaced by systemd-sysext in the OS image. Learn more about sysext and how to customise OS images here.
(which is now also a legacy option because systemd-sysext offers a more robust and better structured way of customisation, including OS independent updates).
- Torcx entered deprecation 2 years ago in favour of deploying plain Docker binaries
- Torcx has been removed entirely; if you use torcx to extend the Flatcar base OS image, please refer to our conversion script and to the sysext documentation mentioned above for migrating.
- Consequently, update_engine will not perform torcx sanity checks post-update anymore.
- Relevant changes: scripts#1216, update_engine#30, Mantle#466, Mantle#465.
NOTE: The docker btrfs storage driver has been de-prioritised; BTRFS backed storage will now default to the overlay2 driver
(changelog, upstream pr).
NOTE: If you are already using btrfs-backed Docker storage and are upgrading to this new version, Docker will automatically use the btrfs storage driver for backwards-compatibility with your deployment.
Docker will remove the btrfs driver entirely in a future version. Please consider migrating your deployments to the overlay2 driver.
Using the btrfs driver can still be enforced by creating a respective docker config at /etc/docker/daemon.json.
cri-tools, runc, containerd, docker, and docker-cli are now built from Gentoo upstream ebuilds. Docker received a major version upgrade - it was updated to Docker 24 (from Docker 20; see "updates").
GCP OEM images now use a systemd-sysext image for layering additional platform-specific software on top of /usr and being part of the OEM A/B updates (flatcar#1146)
Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)

Updates:

Linux (6.1.77 (includes 6.1.76, 6.1.75, 6.1.74))
Linux Firmware (20231111 (includes 20231030))
Go (1.20.12)
Azure: WALinuxAgent (v2.9.1.1)
DEV: Azure (3.11.6)
DEV: iperf (3.15)
DEV: smartmontools (7.4)
SDK: Rust (1.73.0)
SDK: Python (3.11.0 (includes 23.2))
VMWare: open-vm-tools (12.3.5)
acpid (2.0.34)
ca-certificates (3.97)
containerd (1.7.9 (includes 1.7.8, 1.7.13, 1.7.10))
cri-tools (1.27.0)
ding-libs (0.6.2)
docker (24.0.9 (includes 24.0.6, 23.0))
efibootmgr (18)
efivar (38)
ethtool (6.5)
hwdata (v0.375 (includes 0.374))
iproute2 (6.5.0)
ipvsadm (1.31 (includes 1.30, 1.29, 1.28))
json-c (0.17)
libffi (3.4.4 (includes 3.4.3, 3.4.2))
liblinear (246)
libmnl (1.0.5)
libnetfilter_conntrack (1.0.9)
libnetfilter_cthelper (1.0.1)
libnetfilter_cttimeout (1.0.1)
libnfnetlink (1.0.2)
libsodium (1.0.19)
libunistring (1.1)
libunwind (1.7.2 (includes 1.7.0))
liburing (2.3)
mpc (1.3.1 (includes 1.3.0))
mpfr (4.2.1)
nghttp2 (1.57.0 (includes 1.56.0, 1.55.1, 1.55.0, 1.54.0, 1.53.0, 1.52.0))
nspr (4.35)
ntp (4.2.8p17)
nvme-cli (v2.6 (includes v1.6))
protobuf (21.12 (includes 21.11, 21.10))
runc (1.1.12)
samba (4.18.8)
sqlite (3.43.2)
squashfs-tools (4.6.1 (includes 4.6))
thin-provisioning-tools (1.0.6)

Changes since Beta 3815.1.0

Security fixes:

Linux (CVE-2023-46838, CVE-2023-50431, CVE-2023-6610, CVE-2023-6915, CVE-2024-1085, CVE-2024-1086, CVE-2024-23849)
docker (CVE-2024-24557)
runc (CVE-2024-21626)

Bug fixes:

Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)

Changes:

Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)

Updates:

Linux (6.1.77 (includes 6.1.76, 6.1.75, 6.1.74))
ca-certificates (3.97)
containerd (1.7.13)
docker (24.0.9)
runc (1.1.12)

New LTS-2023 Release

Changes since LTS 3510.3.1

Security fixes:

Bug fixes:

Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)

Changes:

Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
Backported the OEM payload support to update-engine to avoid the fallback download path for clients on a restricted network and rather use the URLs passed from flatcar-update -E or with self-hosted Nebraska payloads (Flatcar#1332, Flatcar#1326)
Brightbox: The regular OpenStack image should now be used, it includes Afterburn for instance metadata attributes
OpenStack: An uncompressed image is provided for simpler import (since the images use qcow2 inline compression, there is no benefit in using the .gz or .bz2 images)

Updates:

Linux (5.15.148 (includes 5.15.147, 5.15.146, 5.15.145, 5.15.144, 5.15.143, 5.15.142, 5.15.141, 5.15.140, 5.15.139, 5.15.138, 5.15.137))
ca-certificates (3.97 (includes 3.96.1, 3.96, 3.95))
runc (1.1.12)