flatcar/scripts alpha-4628.0.0

on GitHub

Changes since Alpha 4593.0.0

Security fixes:

• Linux (CVE-2026-23145, CVE-2026-23144, CVE-2026-23142, CVE-2026-23141, CVE-2026-23054, CVE-2026-23053, CVE-2026-23050, CVE-2026-23049, CVE-2025-71196, CVE-2025-71195, CVE-2026-23055, CVE-2025-71193, CVE-2025-71194, CVE-2026-23038, CVE-2026-23037, CVE-2026-23026, CVE-2026-23025, CVE-2025-71191, CVE-2025-71190, CVE-2025-71189, CVE-2025-71188, CVE-2026-23035, CVE-2026-23033, CVE-2026-23032, CVE-2026-23031, CVE-2026-23030, CVE-2025-71185, CVE-2025-71186, CVE-2026-23003, CVE-2026-23002, CVE-2026-23001, CVE-2026-23000, CVE-2026-22999, CVE-2026-22998, CVE-2026-22997, CVE-2026-22996, CVE-2026-23013, CVE-2026-23011, CVE-2026-23010, CVE-2026-23006, CVE-2026-23005, CVE-2025-71162, CVE-2025-71163, CVE-2026-23135, CVE-2026-23133, CVE-2026-23131, CVE-2026-23121, CVE-2026-23120, CVE-2026-23119, CVE-2026-23116, CVE-2026-23129, CVE-2026-23128, CVE-2026-23126, CVE-2026-23125, CVE-2026-23124, CVE-2026-23123, CVE-2025-71200, CVE-2026-23113, CVE-2026-23089, CVE-2026-23098, CVE-2026-23097, CVE-2026-23096, CVE-2026-23095, CVE-2026-23094, CVE-2026-23110, CVE-2026-23091, CVE-2026-23108, CVE-2026-23107, CVE-2026-23105, CVE-2026-23103, CVE-2026-23101, CVE-2026-23099, CVE-2026-23090, CVE-2026-23062, CVE-2026-23061, CVE-2026-23060, CVE-2026-23059, CVE-2026-23058, CVE-2026-23057, CVE-2026-23088, CVE-2026-23087, CVE-2026-23086, CVE-2026-23085, CVE-2026-23084, CVE-2026-23083, CVE-2026-23056, CVE-2026-23082, CVE-2026-23080, CVE-2026-23078, CVE-2026-23076, CVE-2026-23075, CVE-2026-23074, CVE-2026-23073, CVE-2025-71199, CVE-2026-23072, CVE-2026-23071, CVE-2026-23069, CVE-2026-23068, CVE-2026-23065, CVE-2026-23064, CVE-2026-23063, CVE-2025-71197, CVE-2025-71198, CVE-2026-23212, CVE-2026-23173, CVE-2026-23172, CVE-2026-23155, CVE-2026-23154, CVE-2026-23151, CVE-2026-23150, CVE-2026-23170, CVE-2026-23168, CVE-2026-23167, CVE-2026-23166, CVE-2026-23148, CVE-2026-23164, CVE-2026-23163, CVE-2026-23161, CVE-2026-23160, CVE-2026-23159, CVE-2026-23158, CVE-2026-23156, CVE-2026-23146, CVE-2026-23118, CVE-2024-57881, CVE-2024-53690, CVE-2024-53685, CVE-2024-52319, CVE-2024-51729, CVE-2024-49573, CVE-2024-49571, CVE-2024-49568, CVE-2024-47408, CVE-2024-57791, CVE-2024-56788, CVE-2024-56372, CVE-2024-56369, CVE-2024-56368, CVE-2024-55916, CVE-2024-55881, CVE-2024-54680, CVE-2024-54455, CVE-2024-54193, CVE-2024-41149, CVE-2024-46896, CVE-2024-56719, CVE-2024-56718, CVE-2024-56717, CVE-2024-56716, CVE-2024-56715, CVE-2024-56714, CVE-2024-56713, CVE-2024-56712, CVE-2024-56710, CVE-2024-56711, CVE-2024-56709, CVE-2024-53164, CVE-2026-23216, CVE-2026-23215, CVE-2026-23214, CVE-2026-23213, CVE-2025-71228, CVE-2026-23219, CVE-2025-71225, CVE-2026-23206, CVE-2026-23209, CVE-2025-71222, CVE-2026-23180, CVE-2026-23179, CVE-2026-23178, CVE-2026-23177, CVE-2026-23176, CVE-2026-23205, CVE-2026-23204, CVE-2026-23202, CVE-2026-23201, CVE-2026-23200, CVE-2026-23199, CVE-2026-23198, CVE-2026-23193, CVE-2026-23191, CVE-2025-71224, CVE-2026-23190, CVE-2026-23189, CVE-2026-23188, CVE-2026-23187, CVE-2026-23182, CVE-2025-71223, CVE-2025-71220, CVE-2025-71203, CVE-2025-71204, CVE-2026-23112, CVE-2026-23111, CVE-2026-23220, CVE-2025-71237, CVE-2025-71236, CVE-2025-71235, CVE-2025-71234, CVE-2025-71233, CVE-2025-71232, CVE-2025-71231, CVE-2026-23230, CVE-2026-23229, CVE-2026-23228, CVE-2026-23224, CVE-2026-23223, CVE-2026-23222, CVE-2025-71229, CVE-2026-23237, CVE-2026-23238, CVE-2026-23236, CVE-2026-23235, CVE-2026-23234, CVE-2026-23233, CVE-2025-71238)
• bind (CVE-2025-40778, CVE-2025-40780, CVE-2025-8677)
• gnutls (CVE-2025-9820)
• go (CVE-2025-61727, CVE-2025-61729)
• libarchive (CVE-2025-60753)
• podman (CVE-2025-9566, CVE-2025-52881)
• urllib3 (CVE-2025-66418, CVE-2025-66471, 2026-21441)

Bug fixes:

• Added full terminfo database to support modern terminals like foot and Alacritty.
• Enabled back PAM sssd support for LDAP authentication (scripts#3696)

Changes:

• Dropped the "Oklo" release codename as it was never updated in a meaningful way.
• Function tracer (ftrace) enabled in ARM64 builds. (Enables CONFIG_FUNCTION_TRACER & CONFIG_DYNAMIC_FTRACE for observability and security tools) (flatcar/scripts#3685)
• Moved systemd-sysext image mounting into the initrd, so that system extensions can better define the behavior of the final system at boot without workarounds to apply settings late at boot. This means .wants symlinks for systemd units work as expected now and, therefore, we dropped the ensure-sysext.service workaround. We still recommend extensions to keep their workarounds, e.g., using .upholds instead of .wants, to better support live reloading. A skipping logic prevents an extension refresh late at boot but only if no changes were found. For extensions that are not stored on a custom filesystem, such as a separate /var partition, the new extension mounting from the initrd won't be able to load them early but they will be picked up late at boot through the extension refresh. This is another case where it's good if extensions keep workarounds for late loading.
• OS-dependent sysexts (e.g., docker-flatcar, containerd-flatcar, podman, zfs, nvidia) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). OEM sysexts (e.g., oem-azure, oem-gce) are now also signed and built during the image phase to ensure consistent signing with the same ephemeral key. (scripts#3162)
• Switched /etc/ from a custom overlayfs for A/B updates to using a systemd-confext extension providing the default contents by using systemd-confext in the mutable mode where /etc/ gets used as upperdir scripts#3555

Updates:

• azure, dev, sysext-python: urllib3 (2.6.3)
• base, dev: bash (5.3_p9)
• base, dev: bind (9.18.42)
• base, dev: binutils-config (5.6)
• base, dev: btrfs-progs (6.17.1)
• base, dev: ca-certificates (3.120.1)
• base, dev: coreutils (9.9)
• base, dev: cri-tools (1.33.0)
• base, dev: curl (8.17.0)
• base, dev: elfutils (0.194)
• base, dev: git (2.52.0)
• base, dev: gnutls (3.8.11)
• base, dev: kexec-tools (2.0.32)
• base, dev: libarchive (3.8.5 (includes 3.8.4, 3.8.3, 3.8.2))
• base, dev: libcap (2.77)
• base, dev: libnftnl (1.3.1)
• base, dev: libnl (3.11.0)
• base, dev: libnvme (1.16.1 (includes 1.16))
• base, dev: libpcre2 (10.47)
• base, dev: libxml2 (2.15.1 (includes 2.15.0))
• base, dev: nvme-cli (2.16)
• base, dev: pambase (20251104)
• base, dev: readline (8.3_p3)
• base, dev: selinux-base (2.20250618)
• base, dev: systemd (258.2)
• base, dev: thin-provisioning-tools (1.3.1)
• base, dev: usbutils (019)
• base, dev: userspace-rcu (0.15.5)
• base, dev: xfsprogs (6.17.0)
• dev: bash-completion (2.17.0)
• dev: binutils (2.45.1)
• dev: cJSON (1.7.19)
• dev: gcc-config (2.12.2)
• dev: portage (3.0.72 (includes 3.0.71, 3.0.70))
• dev, sysext-incus: squashfs-tools (4.7.4)
• Linux (6.12.74 (includes 6.12.73,6.12.72, 6.12.71, 6.12.70, 6.12.69, 6.12.68, 6.12.67))
• Linux Firmware (20260110)
• open-vm-tools (13.0.10)
• SDK: cmake (4.1.4)
• SDK: crossdev (20251214)
• SDK: go (1.25.5)
• SDK: perl (5.42.0)
• SDK: rust (1.91.0 (includes 1.90.0))
• sysext-containerd: containerd (2.2.0)
• sysext-containerd: runc (1.4.0)
• sysext-docker: docker (28.2.2 (includes 28.2.1, 28.2.0, 28.1.1, 28.1.0))
• sysext-docker: docker-cli (28.4.0 (includes 28.3.0, 28.2.0, 28.1.0))
• sysext-incus: incus (6.0.5)
• sysext-incus: lxc (6.0.5)
• sysext-incus: lxcfs (6.0.5)
• sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers (570.207)
• sysext-podman: containers-image (5.35.0)
• sysext-podman: podman (5.7.0 (includes 5.6.0))
• sysext-python: charset-normalizer (3.4.4)
• sysext-python: idna (3.11)
• sysext-python: msgpack (1.1.2)
• sysext-python: pip (25.3)
• sysext-python: setuptools-scm (9.2.2)
• sysext-python: trove-classifiers (2025.11.14.15)
• sysext-zfs: zfs (2.3.4)