flatcar/scripts alpha-4487.0.0

on GitHub

Changes since Alpha 4459.0.0

Known bugs:

• Updating with OEM or Flatcar extensions is broken when ue-rs parses the Omaha response and thusfalls back to downloading from the release server or bincache which may fail for self-hosted Nebraska updates or payloads passed with flatcar-update (ue-rs#92)

Security fixes:

• Linux (CVE-2025-39927, CVE-2025-39926, CVE-2025-39923, CVE-2025-39913, CVE-2025-39912, CVE-2025-39911, CVE-2025-39909, CVE-2025-39907, CVE-2025-39917, CVE-2025-39916, CVE-2025-39914, CVE-2025-39885, CVE-2025-39886, CVE-2025-39876, CVE-2025-39873, CVE-2025-39871, CVE-2025-39870, CVE-2025-39869, CVE-2025-39884, CVE-2025-39883, CVE-2025-39882, CVE-2025-39881, CVE-2025-39880, CVE-2025-39877, CVE-2025-39963, CVE-2025-39961, CVE-2025-39957, CVE-2025-39956, CVE-2025-39955, CVE-2025-39938, CVE-2025-39937, CVE-2025-39934, CVE-2025-39953, CVE-2025-39952, CVE-2025-39951, CVE-2025-39950, CVE-2025-39932, CVE-2025-39949, CVE-2025-39948, CVE-2025-39947, CVE-2025-39946, CVE-2025-39945, CVE-2025-39944, CVE-2025-39943, CVE-2025-39942, CVE-2025-39940, CVE-2025-39929, CVE-2025-39931, CVE-2024-57878, CVE-2024-57877, CVE-2024-57875, CVE-2024-57876, CVE-2024-57874, CVE-2025-23128, CVE-2025-23127, CVE-2025-23126, CVE-2025-23125, CVE-2025-23124, CVE-2024-57872, CVE-2024-57850, CVE-2024-57849, CVE-2024-57839, CVE-2024-57843, CVE-2024-48875, CVE-2024-48873, CVE-2024-47809, CVE-2024-47794, CVE-2024-47143, CVE-2024-47141, CVE-2024-45828, CVE-2024-43098, CVE-2024-53680, CVE-2024-52332, CVE-2024-50051, CVE-2024-49569, CVE-2024-48881, CVE-2024-48876, CVE-2024-41932, CVE-2024-41935, CVE-2024-56787, CVE-2024-56786, CVE-2024-56785, CVE-2024-56784, CVE-2024-56783, CVE-2024-56781, CVE-2024-56782, CVE-2024-56640, CVE-2024-56639, CVE-2024-56638, CVE-2024-56637, CVE-2024-56636, CVE-2024-56635, CVE-2024-56634, CVE-2024-56651, CVE-2024-56633, CVE-2024-56650, CVE-2024-56649, CVE-2024-56648, CVE-2024-56647, CVE-2024-56646, CVE-2024-56645, CVE-2024-56644, CVE-2024-56643, CVE-2024-56642, CVE-2024-56641, CVE-2024-56631, CVE-2024-56632, CVE-2024-56615, CVE-2024-56624, CVE-2024-56623, CVE-2024-56622, CVE-2024-56621, CVE-2024-56620, CVE-2024-56619, CVE-2024-56618, CVE-2024-56617, CVE-2024-56630, CVE-2024-56629, CVE-2024-56628, CVE-2024-56627, CVE-2024-56626, CVE-2024-56625, CVE-2024-56616, CVE-2024-56592, CVE-2024-56591, CVE-2024-56590, CVE-2024-56589, CVE-2024-56588, CVE-2024-56587, CVE-2024-56614, CVE-2024-56613, CVE-2024-56586, CVE-2024-56612, CVE-2024-56611, CVE-2024-56610, CVE-2024-56609, CVE-2024-56608, CVE-2024-56607, CVE-2024-56606, CVE-2024-56605, CVE-2024-56604, CVE-2024-56603, CVE-2024-56585, CVE-2024-56602, CVE-2024-56601, CVE-2024-56600, CVE-2024-56599, CVE-2024-56598, CVE-2024-56597, CVE-2024-56596, CVE-2024-56595, CVE-2024-56594, CVE-2024-56593, CVE-2024-56583, CVE-2024-56584)
• binutils (CVE-2025-5244, CVE-2025-5245, CVE-2025-8225)
• curl (CVE-2025-9086, CVE-2025-10148)
• go (CVE-2025-47910)
• libpcre2 (CVE-2025-58050)
• libxml2 (libxml2-20250908)
• libxslt (CVE-2025-7424, CVE-2025-7425)
• net-tools (CVE-2025-46836)

Bug fixes:

• Enabled CONFIG_MEMCG_V1 to mitigate cgroupsv1 removal (e.g JVM) (Flatcar#1884)
• Fixed the QEMU launcher script to include HVF acceleration on arm64-based Macs for faster performance (Flatcar#1901)

Changes:

• Increased all partition sizes: /boot to 1 GB, the two /usr partitions to 2 GB, /oem to 1 GB so that we can use more space in a few years when we can assume that most nodes run the new partition layout - existing nodes can still update for the next years (scripts#3027)
• Reduced the kernel+initrd size on /boot by half. Flatcar now uses a minimal first stage initrd just to access the /usr partition and then switches to the full initrd that does the full system preparation as before. Since this means that the set of kernel modules available in the first initrd is reduced, please report any impact.
• Scaleway: SSH keys are now fetched via Afterburn (scripts#3277)
• Scaleway: The hostname is now set via Afterburn (scripts#3277)

Updates:

• Afterburn (5.10.0)
• Linux (6.12.51 (includes 6.12.48, 6.12.49, 6.12.50))
• Linux Firmware (20250917)
• SDK: azure-core (1.16.1)
• SDK: azure-identity (1.13.1)
• SDK: go (1.24.7)
• SDK: pkgcheck (0.10.37)
• SDK: rust (1.89.0)
• base, dev: bash (5.3_p3)
• base, dev: btrfs-progs (6.16)
• base, dev: coreutils (9.7 (includes 9.6))
• base, dev: cryptsetup (2.8.1)
• base, dev: curl (8.16.0)
• base, dev: expat (2.7.2)
• base, dev: gcc (14.3.1_p20250801)
• base, dev: hwdata (0.398)
• base, dev: libffi (3.5.2)
• base, dev: libnftnl (1.3.0)
• base, dev: libxml2 (2.13.9)
• base, dev: ncurses (6.5_p20250802)
• base, dev: nftables (1.1.4)
• base, dev: readline (8.3_p1)
• base, dev: samba (4.22.3 (includes 4.21.0, 4.22.0, 4.22.1, 4.22.2))
• base, dev: talloc (2.4.3)
• base, dev: tdb (1.4.13)
• base, dev: tevent (0.16.2)
• ca-certificates (3.117 (includes 3.116))
• dev, sysext-incus: squashfs-tools (4.7.2 (includes 4.7.1))
• dev: binutils (2.45)
• open-vm-tools (13.0.5)
• sysext-incus, sysext-podman, vmware: fuse (3.17.4)
• sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers (570.190)
• sysext-podman: gpgme (2.0.0)
• sysext-python: charset-normalizer (3.4.3)
• sysext-python: jaraco-functools (4.3.0)
• sysext-python: markdown-it-py (4.0.0)
• sysext-python: pip (25.2)
• sysext-python: requests (2.32.5)