flatcar/scripts alpha-4284.0.0

on GitHub

Changes since Alpha 4230.0.1

Security fixes:

• Linux (CVE-2025-21835, CVE-2025-21836, CVE-2024-58086, CVE-2025-21823, CVE-2025-21821, CVE-2025-21787, CVE-2025-21785, CVE-2025-21784, CVE-2025-21782, CVE-2025-21783, CVE-2025-21781, CVE-2025-21780, CVE-2025-21796, CVE-2025-21795, CVE-2025-21794, CVE-2025-21793, CVE-2025-21792, CVE-2025-21791, CVE-2025-21790, CVE-2025-21789, CVE-2025-21779, CVE-2024-58020, CVE-2024-57834, CVE-2024-54458, CVE-2024-54456, CVE-2025-21776, CVE-2025-21775, CVE-2025-21772, CVE-2025-21773, CVE-2025-21767, CVE-2025-21766, CVE-2025-21765, CVE-2025-21764, CVE-2025-21763, CVE-2025-21761, CVE-2025-21762, CVE-2025-21760, CVE-2025-21759, CVE-2025-21758, CVE-2025-21756, CVE-2025-21704, CVE-2023-52655, CVE-2023-52434, CVE-2025-21848, CVE-2025-21847, CVE-2025-21846, CVE-2025-21866, CVE-2025-21865, CVE-2025-21864, CVE-2025-21863, CVE-2025-21862, CVE-2025-21844, CVE-2025-21859, CVE-2025-21858, CVE-2025-21857, CVE-2025-21856, CVE-2025-21855, CVE-2025-21854, CVE-2025-21853, CVE-2024-58088, CVE-2025-21838)
• afterburn (CVE-2025-0977)
• binutils (CVE-2024-53589, CVE-2025-1176, CVE-2025-1178, CVE-2025-1179, CVE-2025-1180, CVE-2025-1181, CVE-2025-1182)
• curl (CVE-2025-0167, CVE-2025-0665, CVE-2025-0725)
• git (CVE-2024-50349, CVE-2024-52005, CVE-2024-52006)
• glib (CVE-2024-52533)
• glibc (CVE-2025-0395)
• gnutls (CVE-2024-12243)
• intel-microcode (CVE-2023-34440, CVE-2023-43758, CVE-2024-24582, CVE-2024-28047, CVE-2024-28127, CVE-2024-29214, CVE-2024-31157, CVE-2024-39279, CVE-2024-31068, CVE-2024-36293, CVE-2024-37020, CVE-2024-39355)
• libarchive (CVE-2024-57970)
• libcap (CVE-2025-1390)
• libtasn1 (CVE-2024-12133)
• mit-krb5 (CVE-2025-24528)
• openssh (CVE-2025-26465, CVE-2025-26466)
• openssl (CVE-2024-12797, CVE-2024-13176)
• podman (CVE-2024-11218)
• rsync (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747)
• socat (CVE-2024-54661)
• vim (CVE-2024-41957, CVE-2024-41965, CVE-2024-43374, CVE-2024-43790, CVE-2024-43802, CVE-2024-45306, CVE-2024-47814)

Bug fixes:

• Fix non-conforming GPT partition table (flatcar/Flatcar#1651)
• Fix update-ca-certificates behavior when concatenating certificates with missing trailing newlines. (flatcar/scripts#2667)
• Fixed PXE boot failures that arose since upgrading to systemd v256. Users were dumped to an emergency shell. (flatcar/bootengine#103)
• The kernel module build directory now contains native binaries in arm64 images instead of the previous amd64 binaries (scripts#2694)
• Nvidia driver installer service now supports the 570 driver branch by forcing the use of the proprietary kernel module. The 570 branch defaults to the kernel-open driver which requires loading firmware, which is not yet supported on Flatcar. (scripts#2694)
• azure: Fixed issue of wa-linux-agent overriding ssh public key from ignition configuration during provisioning (flatcar/Flatcar#1661)

Changes:

• Add changes for our secureboot signed images with our signed release process until the official shim signing (scripts#2754)
• Added support for ARM64 architecture in the NVIDIA driver installer service (scripts#2694)
• Added new image signing pub key to flatcar-install, needed for download verification of releases built from March 2025 onwards, if you have copies of flatcar-install or the image signing pub key, you need to update them as well (init#129)
• Build Intel iGPU i915 driver as module (scripts#2349)
• Enabled EROFS module with XATTR support (Flatcar#1659)

Updates:

• AMD64: nvidia-drivers (535.230.02)
• ARM64: nvidia-drivers (570.86.15)
• Linux (6.6.83 (includes 6.6.79, 6.6.80, 6.6.81, 6.6.82))
• Linux Firmware (20250311 (includes 20250211))
• SDK: cmake (3.31.5)
• SDK: go (1.23.6 (includes 1.23.5))
• SDK: meson (1.6.1)
• SDK: qemu (9.1.2 (includes 9.0))
• SDK: rust (1.84.1 (includes 1.83.0, 1.84.0))
• azure: wa-linux-agent (2.12.0.4)
• base, dev: binutils (2.44)
• base, dev: c-ares (1.34.4)
• base, dev: cracklib (2.10.3)
• base, dev: cri-tools (1.32.0 (includes 1.27.1, 1.28.0, 1.29.0, 1.30.0, 1.30.1, 1.31.0, 1.31.1))
• base, dev: curl (8.12.1 (includes 8.12.0))
• base, dev: e2fsprogs (1.47.2)
• base, dev: git (2.45.3)
• base, dev: glib (2.82.4 (includes 2.82.0, 2.82.1, 2.82.2, 2.82.3))
• base, dev: gnupg (2.4.7)
• base, dev: gnutls (3.8.9 (includes 3.8.8))
• base, dev: hwdata (0.391)
• base, dev: intel-microcode (20250211_p20250211)
• base, dev: ipset (7.23)
• base, dev: kbd (2.7.1 (includes 2.7, 2.7-rc1))
• base, dev: libsemanage (3.7)
• base, dev: libtasn1 (4.20.0)
• base, dev: linux-headers (6.12)
• base, dev: nettle (3.10.1)
• base, dev: nghttp2 (1.64.0 (includes 1.63.0))
• base, dev: openssh (9.9_p2 (includes 9.9_p1))
• base, dev: openssl (3.3.3)
• base, dev: policycoreutils (3.7)
• base, dev: semodule-utils (3.7)
• base, dev: socat (1.8.0.2 (includes 1.8.0.1))
• base, dev: sqlite (3.47.2)
• base, dev: sssd (2.9.6)
• base, dev: util-linux (2.40.4 (includes 2.40.3))
• base, dev: vim (9.1.0794)
• base, dev: zram-generator (1.2.1 (includes 1.2.0))
• ca-certificates (3.109)
• dev: gcc-config (2.12.1)
• sysext-containerd: runc (1.2.4 (includes 1.1.15, 1.2.0, 1.2.1, 1.2.2, 1.2.3))
• sysext-docker: docker (27.4.1 (includes 27.4.0))
• sysext-docker: docker-buildx (0.19.1 (includes 0.14.1, 0.15.0, 0.15.1, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.17.1, 0.18.0, 0.19.0))
• sysext-podman: passt (2025.01.21)
• sysext-podman: podman (5.3.2)
• sysext-python: more-itertools (10.6.0)
• sysext-python: pip (25.0.1 (includes 25.0))
• sysext-python: setuptools (75.8.0 (includes 75.7.0))
• sysext-python: truststore (0.10.1)
• vmware: xmlsec (1.3.6)