Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, and LTS-2605 channels.
New Alpha Release 3165.0.0
Changes since Alpha 3139.0.0
Security fixes
- Linux (CVE-2022-0492, CVE-2022-0516, CVE-2022-0435, CVE-2022-0487, CVE-2022-25375, CVE-2022-25258, CVE-2022-0847)
- Go (CVE-2022-23806, CVE-2022-23772, CVE-2022-23773)
- systemd (CVE-2021-3997)
- cifs-utils (CVE-2021-20208)
- expat (CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315)
- duktape (CVE-2021-46322)
- libarchive (CVE-2021-31566, CVE-2021-36976)
- libxml2 (CVE-2022-23308)
- shadow (CVE-2013-4235)
- vim (CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4136, CVE-2021-4173, CVE-2021-4166, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0392, CVE-2022-0393, CVE-2022-0407, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443)
- SDK: squashfs-tools (CVE-2021-40153, CVE-2021-41072)
Bug fixes
- Disabled the systemd-networkd settings ManageForeignRoutes and ManageForeignRoutingPolicyRules by default to ensure that CNIs like Cilium don’t get their routes or routing policy rules discarded on network reconfiguration events (Flatcar#620).
- AWS: specify correct console (ttyS0) on kernel command line for ARM64 instances (coreos-overlay#1628)
- Prevented races when creating filesystems in Ignition; these races caused boot failures like "fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory" when creating a btrfs root filesystem (ignition#35)
- Reverted the Linux kernel change to forbid xfrm id 0 for IPSec state because it broke Cilium (Flatcar#626, coreos-overlay#1682)
- Added auditd.service but left it disabled by default; a custom configuration can be created by removing /etc/audit/auditd.conf and replacing it with your own file (coreos-overlay#1636)
Changes
- The systemd-networkd ManageForeignRoutes and ManageForeignRoutingPolicyRules settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under /etc/systemd/networkd.conf.d/ because drop-in files take precedence over /etc/systemd/networkd.conf (init#61)
- Bring in dependencies for NFS4 with Kerberos both in kernel and userspace. Tested against NFS4.1 server. (coreos-overlay#1664)
- Added support for switching back to CGroupsV1 without requiring a reboot. Create /etc/flatcar-cgroupv1 through ignition. (coreos-overlay#1666)
- Azure VHD disks are now created using subformat=fixed, which makes them suitable for immediate upload to Azure using any tool.
Updates
New Beta Release 3139.1.0
Changes since Alpha 3139.0.0
Security fixes
- Linux (CVE-2022-0492, CVE-2022-0516, CVE-2022-0435, CVE-2022-0487, CVE-2022-25375, CVE-2022-25258, CVE-2022-0847)
- Go (CVE-2022-23806, CVE-2022-23772, CVE-2022-23773)
- expat (CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315)
Bug fixes
- Disabled the systemd-networkd settings ManageForeignRoutes and ManageForeignRoutingPolicyRules by default to ensure that CNIs like Cilium don’t get their routes or routing policy rules discarded on network reconfiguration events (Flatcar#620).
- Prevented races when creating filesystems in Ignition; these races caused boot failures like "fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory" when creating a btrfs root filesystem (ignition#35)
- Reverted the Linux kernel change to forbid xfrm id 0 for IPSec state because it broke Cilium (Flatcar#626, coreos-overlay#1682)
Changes
- Added support for switching back to CGroupsV1 without requiring a reboot. Create /etc/flatcar-cgroupv1 through ignition. (coreos-overlay#1666)
Updates
Changes since Beta 3066.1.2
Security fixes
- GCC (CVE-2020-13844)
- Go (CVE-2021-44716, CVE-2021-44717, CVE-2022-23806, CVE-2022-23772, CVE-2022-23773)
- containerd (CVE-2021-43816)
- expat (CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315)
- ignition (CVE-2020-14040, CVE-2021-38561)
- krb5 (CVE-2021-37750)
- libarchive (libarchive-1565, libarchive-1566)
- openssh (CVE-2021-41617)
- openssl (CVE-2021-4044)
- torcx (CVE-2021-38561, CVE-2021-43565)
- vim (CVE-2021-3872, CVE-2021-3875, CVE-2021-3903, CVE-2021-3927, CVE-2021-3928, CVE-2021-3968, CVE-2021-3973, CVE-2021-3974)
- SDK: edk2-ovmf (CVE-2019-14584, CVE-2021-28210, CVE-2021-28211, CVE-2021-28213)
- SDK: libxslt (CVE-2021-30560)
- SDK: mantle (CVE-2021-3121, CVE-2021-38561, CVE-2021-43565)
- SDK: Rust (CVE-2022-21658)
- SDK: QEMU (CVE-2020-35504, CVE-2020-35505, CVE-2020-35506, CVE-2020-35517, CVE-2021-20203, CVE-2021-20255, CVE-2021-20257, CVE-2021-20263, CVE-2021-3409, CVE-2021-3416, CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3582, CVE-2021-3607, CVE-2021-3608, CVE-2021-3682)
Bug fixes
- Excluded the Kubenet cbr0 interface from networkd’s DHCP config and set it to Unmanaged to prevent interference and ensure that it is not part of the network online check (init#55)
- Fixed the dracut emergency Ignition log printing that had a scripting error causing the cat command to fail (bootengine#33)
- network: Accept ICMPv6 Router Advertisements to fix IPv6 address assignment in the default DHCP setting (init#51, coreos-cloudinit#12, bootengine#30)
- flatcar-update: Stopped checking for the USER environment variable which may not be set in all environments, causing the script to fail unless a workaround was used like prepending an additional sudo invocation (init#58)
- Disabled the systemd-networkd settings ManageForeignRoutes and ManageForeignRoutingPolicyRules by default to ensure that CNIs like Cilium don’t get their routes or routing policy rules discarded on network reconfiguration events (Flatcar#620).
- Prevented races when creating filesystems in Ignition; these races caused boot failures like "fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory" when creating a btrfs root filesystem (ignition#35)
- Reverted the Linux kernel change to forbid xfrm id 0 for IPSec state because it broke Cilium (Flatcar#626, coreos-overlay#1682)
Changes
- Update-engine now creates the /run/reboot-required flag file for kured (update_engine#15)
- Excluded special network interface devices like bridge, tunnel, vxlan, and veth devices from the default DHCP configuration to prevent networkd interference (init#56)
- Added CONFIG_NF_CT_NETLINK_HELPER (for libnetfilter_cthelper), CONFIG_NET_VRF (for virtual routing and forwarding) and CONFIG_KEY_DH_OPERATIONS (for keyutils) to the kernel config (coreos-overlay#1524)
- Enabled FIPS support for the Linux kernel, which users can now choose through a kernel parameter in grub.cfg (verify that it took effect with cat /proc/sys/crypto/fips_enabled) (coreos-overlay#1602)
- Added support for switching back to CGroupsV1 without requiring a reboot. Create /etc/flatcar-cgroupv1 through ignition. (coreos-overlay#1666)
- Removed the pre-shipped /etc/flatcar/update.conf file, leaving it entirely to the user to define the contents, as it was unnecessarily overriding /usr/share/flatcar/update.conf (flatcar-linux/scripts#212)
Updates
New Stable Release 3033.2.3
Changes since Stable 3033.2.2
Security fixes
- Linux (CVE-2022-24448, CVE-2022-0617, CVE-2022-24959, CVE-2022-0492, CVE-2022-0516, CVE-2022-0435, CVE-2022-0487, CVE-2022-25375, CVE-2022-25258, CVE-2022-0847)
- Go (CVE-2022-23806, CVE-2022-23772, CVE-2022-23773)
- ignition (CVE-2020-14040)
- expat (CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315)
Bug fixes
- Disabled the systemd-networkd settings ManageForeignRoutes and ManageForeignRoutingPolicyRules by default to ensure that CNIs like Cilium don’t get their routes or routing policy rules discarded on network reconfiguration events (Flatcar#620).
- Prevented races when creating filesystems in Ignition; these races caused boot failures like "fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory" when creating a btrfs root filesystem (ignition#35)
- Reverted the Linux kernel change to forbid xfrm id 0 for IPSec state because it broke Cilium (Flatcar#626, coreos-overlay#1682)
Updates
New LTS-2605 Release 2605.26.1
Changes since LTS 2605.25.1
Security fixes
Updates
Best,
The Flatcar Container Linux Maintainers