Announcing new releases Alpha 3941.0.0, Beta 3913.1.0, Stable 3815.2.2, LTS 3510.3.3

[Flatcar Container Linux User]

Hello,

We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, LTS channel.

New Alpha Release 3941.0.0

Changes since Alpha 3913.0.0

Security fixes:

• Downgraded xz-utils to 5.4.2 as precaution even though Flatcar is not affected of the SSH backdoor (CVE-2024-3094)
• c-ares (CVE-2024-25629)
• coreutils (coreutils-2024-03-28)
• curl (CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466)

• nghttp2 (CVE-2024-28182)

  Bug fixes:

• Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via ignition. (Flatcar#1385)

• Fixed toolbox to prevent mounted ctr snapshots from being garbage-collected (toolbox#9)

  Changes:

• Added zram-generator package to the image (scripts#1772)

• Add Intel igc driver to support I225/I226 family NICs. (flatcar/scripts#1786)
• Added Hyper-V VHDX image (flatcar/scripts#1791)
• Added support for unlocking the rootfs with a TPM set up by systemd-cryptenroll (bootengine#93)
• Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. (flatcar/scripts#1771)
• Enabled amd-pstate,amd-pstate-epp cpufreq drivers for some AMD CPUs in the kernel. (flatcar/scripts#1770)
• Enabled ntpd by default on AWS & GCP, enabled chronyd by default on Azure. The native time sync source is used on each cloud. (scripts#1792)
  • Enabled the ptp_vmw module in the kernel.
  • Switched ptp_kvm from kernel builtin to module.
• Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI (scripts#1861)
• Hyper-V images, both .vhd and .vhdx files are available as zip compressed, switching from bzip2 to a built-in available Windows compression - zip (scripts#1878)
• OpenStack, Brightbox: Added the flatcar.autologin kernel cmdline parameter by default as the hypervisor manages access to the console (scripts#1866)
• Removed actool from the image and acbuild from the SDK as these tools are deprecated and not used (scripts#1817)
• SDK: Unified qemu image formats, so that the qemu_uefi build target provides the regular qemu and the qemu_uefi_secure artifacts (scripts#1847)

• The default VM memory was bumped to 2 GB in the Qemu script and for VMware OVFs (scripts#1827)

  Updates:

• Linux Firmware (20240410)

• acl (2.3.2)
• attr (2.5.2)
• bpftool (6.7.6)
• c-ares (1.27.0 (includes 1.26.0))
• ca-certificates (3.99)
• containerd (1.7.15 (includes 1.7.14))
• coreutils (9.5)
• curl (8.7.1 (includes 8.7.0))
• ethtool (6.7)
• git (2.43.2)
• inih (58)
• ipset (7.21 (includes 7.20))
• iputils (20240117 (includes 20231222)
• libnvme (1.8)
• nghttp2 (1.61.0 (includes 1.58.0, 1.59.0 and 1.60.0))
• nvme-cli (2.8)
• open-vm-tools (12.4.0)
• samba (4.18.9)
• selinux-refpolicy (2.20240226)
• SDK: libpng (1.6.43 (includes 1.6.42 and 1.6.41))
• SDK: Rust (1.77.1 (includes 1.77.0))

New Beta Release 3913.1.0

Changes since Beta 3874.1.0

Security fixes:

• Downgraded xz-utils to 5.4.2 as precaution even though Flatcar is not affected of the SSH backdoor (CVE-2024-3094)
• coreutils (CVE-2024-0684)
• dnsmasq (CVE-2023-28450, CVE-2023-50387, CVE-2023-50868)
• gcc (CVE-2023-4039)
• glibc (CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780)
• gnupg (gnupg-2024-01-25)
• gnutls (CVE-2024-0567, CVE-2024-0553)
• libuv (CVE-2024-24806)
• libxml2 (CVE-2024-25062)
• openssl (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237, CVE-2024-0727)
• sudo (CVE-2023-42465)

• vim (CVE-2023-48231, CVE-2023-48232, CVE-2023-48233, CVE-2023-48234, CVE-2023-48235, CVE-2023-48236, CVE-2023-48237, CVE-2023-48706)

  Bug fixes:

• Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via ignition. (Flatcar#1385)

• Fixed toolbox to prevent mounted ctr snapshots from being garbage-collected (toolbox#9)

• Removed custom CloudSigma coreos-cloudinit service configuration since it will be called with the cloudsigma oem anyway. The restart of the service can also cause the serial port to be stuck in an nondeterministic state which breaks future runs.

  Changes:

• A new format qemu_uefi_secure is introduced to test Flatcar for SecureBoot-enabled features. The format will be later merged into qemu_uefi.

• Added Ignition Clevis support for encrypted disks unlocked with a TPM2 device or a Tang server (scripts#1560)
• Added Scaleway images (flatcar/scripts#1683)
• Added support for unlocking the rootfs with a TPM set up by systemd-cryptenroll (bootengine#93)
• Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. (flatcar/scripts#1771)
• Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI (scripts#1861)
• Provided a ZFS-2.2.2 Flatcar extension as optional systemd-sysext image with the release. Write 'zfs' to /etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning. ZFS support is experimental and ZFS is not supported for the root partition. (flatcar/scripts#1742)
• Removed Linux drivers for Mellanox Technologies Switch ASICs family and Spectrum/Spectrum-2/Spectrum-3/Spectrum-4 Ethernet Switch ASICs to reduce the initrd size on AMD64 by ~5MB (flatcar/scripts#1734). This change is part of the effort to reduce the initrd size (flatcar#1381).
• Removed coreos-cloudinit support for automatic keys conversion (e.g reboot-strategy -> reboot_strategy) (scripts#1687)

• SDK: Unified qemu image formats, so that the qemu_uefi build target provides the regular qemu and the qemu_uefi_secure artifacts (scripts#1847)

  Updates:

• Go (1.20.14)

• Ignition (2.18.0 (includes 2.17.0, 2.16.2, 2.16.1 and 2.16.0))
• Linux Firmware (20240312 (includes 20240220))
• audit (3.1.1)
• bind-tools (9.16.48)
• c-ares (1.25.0)
• cJSON (1.7.17)
• ca-certificates (3.99)
• checkpolicy (3.6)
• curl (8.6.0)
• ethtool (6.6)
• glibc (2.38)
• gnupg (2.4.4 (includes 2.2.42))
• less (643)
• libbsd (0.11.8)
• libcap-ng (0.8.4)
• libgcrypt (1.10.3)
• libidn2 (2.3.7 (includes https://gitlab.com/libidn/libidn2/-/releases/v2.3.4)))
• libksba (1.6.6)
• libnvme (1.7.1 (includes 1.7))
• libpsl (0.21.5)
• libseccomp (2.5.5)
• libselinux (3.6)
• libsemanage (3.6)
• libsepol (3.6)
• libuv (1.48.0)
• libverto (0.3.2)
• libxml2 (2.12.5 (includes 2.12.4))
• lsof (4.99.3 (includes 4.99.2 and 4.99.1))
• mime-types (2.1.54)
• multipath-tools (0.9.7)
• nvme-cli (2.7.1 (includes 2.7))
• openssl (3.2.1)
• policycoreutils (3.6)
• semodule-utils (3.6)
• shim (15.8)
• sqlite (3.45.1)
• sudo (1.9.15p5)
• systemd (255.3 (from 252.11))
• thin-provisioning-tools (1.0.10)
• traceroute (2.1.5 (includes 2.1.4))
• usbutils (017)
• util-linux (2.39.3)
• vim (9.0.2167)
• xmlsec (1.3.3)
• SDK: python (3.11.8)
• SDK: qemu (8.1.5)
• SDK: Rust (1.76.0)

Changes since Alpha 3913.0.0

Security fixes:

• Downgraded xz-utils to 5.4.2 as precaution even though Flatcar is not affected of the SSH backdoor (CVE-2024-3094)

  Bug fixes:

• Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via ignition. (Flatcar#1385)

• Fixed toolbox to prevent mounted ctr snapshots from being garbage-collected (toolbox#9)

  Changes:

• Added support for unlocking the rootfs with a TPM set up by systemd-cryptenroll (bootengine#93)

• Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. (scripts#1771)
• Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI (scripts#1861)

• SDK: Unified qemu image formats, so that the qemu_uefi build target provides the regular qemu and the qemu_uefi_secure artifacts (scripts#1847)

  Updates:

• ca-certificates (3.99)

New Stable Release 3815.2.2

Changes since Stable 3815.2.1

Security fixes:

• Linux (CVE-2023-28746, CVE-2023-47233, CVE-2023-52639, CVE-2023-6270, CVE-2023-7042, CVE-2024-22099, CVE-2024-23307, CVE-2024-24861, CVE-2024-26584, CVE-2024-26585, CVE-2024-26642, CVE-2024-26651, CVE-2024-26654, CVE-2024-26659, CVE-2024-26686, CVE-2024-26700, CVE-2024-26809)
• Downgraded xz-utils to 5.4.2 as precaution even though Flatcar is not affected of the SSH backdoor (CVE-2024-3094)

• openssh (CVE-2023-48795, CVE-2023-51384, CVE-2023-51385)

  Bug fixes:

• Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via ignition. (Flatcar#1385)

• Fixed toolbox to prevent mounted ctr snapshots from being garbage-collected (toolbox#9)

  Changes:

• Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. (scripts#1771)

• SDK: Unified qemu image formats, so that the qemu_uefi build target provides the regular qemu and the qemu_uefi_secure artifacts (scripts#1847)

  Updates:

• Linux (6.1.85 (includes 6.1.84, 6.1.83, 6.1.82))

• ca-certificates (3.99)
• openssh (9.6p1)

New LTS Release 3510.3.3

Changes since LTS 3510.3.2

Security fixes:

• Linux (CVE-2023-52429, CVE-2023-52434, CVE-2023-52435, CVE-2023-52447, CVE-2023-52486, CVE-2023-52489, CVE-2023-52491, CVE-2023-52492, CVE-2023-52493, CVE-2023-52494, CVE-2023-52497, CVE-2023-52498, CVE-2023-52583, CVE-2023-52587, CVE-2023-52588, CVE-2023-52594, CVE-2023-52595, CVE-2023-52597, CVE-2023-52598, CVE-2023-52599, CVE-2023-52600, CVE-2023-52601, CVE-2023-52602, CVE-2023-52603, CVE-2023-52604, CVE-2023-52606, CVE-2023-52607, CVE-2023-52608, CVE-2023-52614, CVE-2023-52615, CVE-2023-52616, CVE-2023-52617, CVE-2023-52618, CVE-2023-52619, CVE-2023-52620, CVE-2023-52622, CVE-2023-52623, CVE-2023-52627, CVE-2023-52630, CVE-2023-52631, CVE-2023-52633, CVE-2023-52635, CVE-2023-52637, CVE-2023-52638, CVE-2023-52640, CVE-2023-52641, CVE-2023-6270, CVE-2023-7042, CVE-2024-0340, CVE-2024-0565, CVE-2024-0841, CVE-2024-1086, CVE-2024-1151, CVE-2024-22099, CVE-2024-23849, CVE-2024-23850, CVE-2024-23851, CVE-2024-26592, CVE-2024-26593, CVE-2024-26594, CVE-2024-26600, CVE-2024-26601, CVE-2024-26602, CVE-2024-26603, CVE-2024-26606, CVE-2024-26608, CVE-2024-26610, CVE-2024-26614, CVE-2024-26615, CVE-2024-26622, CVE-2024-26625, CVE-2024-26627, CVE-2024-26635, CVE-2024-26636, CVE-2024-26640, CVE-2024-26641, CVE-2024-26644, CVE-2024-26645, CVE-2024-26651, CVE-2024-26659, CVE-2024-26660, CVE-2024-26663, CVE-2024-26664, CVE-2024-26665, CVE-2024-26668, CVE-2024-26671, CVE-2024-26673, CVE-2024-26675, CVE-2024-26676, CVE-2024-26679, CVE-2024-26684, CVE-2024-26685, CVE-2024-26688, CVE-2024-26689, CVE-2024-26696, CVE-2024-26697, CVE-2024-26698, CVE-2024-26702, CVE-2024-26704, CVE-2024-26707, CVE-2024-26712, CVE-2024-26715, CVE-2024-26717, CVE-2024-26720, CVE-2024-26727, CVE-2024-26733, CVE-2024-26735, CVE-2024-26736, CVE-2024-26737, CVE-2024-26743, CVE-2024-26744, CVE-2024-26747, CVE-2024-26748, CVE-2024-26749, CVE-2024-26751, CVE-2024-26752, CVE-2024-26754, CVE-2024-26763, CVE-2024-26764, CVE-2024-26766, CVE-2024-26769, CVE-2024-26771, CVE-2024-26772, CVE-2024-26773, CVE-2024-26774, CVE-2024-26776, CVE-2024-26777, CVE-2024-26778, CVE-2024-26779, CVE-2024-26782, CVE-2024-26787, CVE-2024-26788, CVE-2024-26790, CVE-2024-26791, CVE-2024-26793, CVE-2024-26795, CVE-2024-26798, CVE-2024-26801, CVE-2024-26802, CVE-2024-26803, CVE-2024-26804, CVE-2024-26805, CVE-2024-26808, CVE-2024-26809)

Bug fixes:

• Fixed toolbox to prevent mounted ctr snapshots from being garbage-collected (toolbox#9)

Changes:

• SDK: Unified qemu image formats, so that the qemu_uefi build target provides the regular qemu and the qemu_uefi_secure artifacts (scripts#1847)

Updates:

• Linux (5.15.154 (includes 5.15.153, 5.15.152, 5.15.151, 5.15.150, 5.15.149))
• ca-certificates (3.99 (includes 3.98))

Best,
The Flatcar Container Linux Maintainers