flatcar/scripts beta-4054.1.0

on GitHub

Changes since Beta 4012.1.0

Security fixes:

• Linux (CVE-2024-44944, CVE-2024-43877, CVE-2024-43876, CVE-2024-43875, CVE-2024-43873, CVE-2024-43871, CVE-2024-43881, CVE-2024-43880, CVE-2024-43879, CVE-2024-43869, CVE-2024-43870, CVE-2024-43856, CVE-2024-43860, CVE-2024-43859, CVE-2024-43858, CVE-2024-43833, CVE-2024-43832, CVE-2024-43831, CVE-2024-43830, CVE-2024-43829, CVE-2024-43828, CVE-2024-43855, CVE-2024-43854, CVE-2024-43853, CVE-2024-43851, CVE-2024-43850, CVE-2024-43849, CVE-2024-43847, CVE-2024-43846, CVE-2024-43845, CVE-2024-43842, CVE-2024-43841, CVE-2024-43839, CVE-2024-43837, CVE-2024-43834, CVE-2024-43825, CVE-2024-43823, CVE-2024-43821, CVE-2024-43818, CVE-2024-43817, CVE-2024-42321, CVE-2024-42322, CVE-2024-42288, CVE-2024-42297, CVE-2024-42296, CVE-2024-42295, CVE-2024-42294, CVE-2024-42292, CVE-2024-42320, CVE-2024-42318, CVE-2024-42291, CVE-2024-42316, CVE-2024-42315, CVE-2024-42314, CVE-2024-42313, CVE-2024-42311, CVE-2024-42310, CVE-2024-42309, CVE-2024-42308, CVE-2024-42290, CVE-2024-42307, CVE-2024-42306, CVE-2024-42305, CVE-2024-42304, CVE-2024-42303, CVE-2024-42302, CVE-2024-42301, CVE-2024-42299, CVE-2024-42298, CVE-2024-42289, CVE-2024-42284, CVE-2024-42283, CVE-2024-42281, CVE-2024-42280, CVE-2024-42279, CVE-2024-42278, CVE-2024-42277, CVE-2024-42287, CVE-2024-42286, CVE-2024-42285, CVE-2023-52889, CVE-2024-42276, CVE-2024-43867, CVE-2024-43866, CVE-2024-43864, CVE-2024-43863, CVE-2024-42312, CVE-2024-42274, CVE-2024-42273, CVE-2024-42272, CVE-2024-42271, CVE-2024-42270, CVE-2024-42269, CVE-2024-42268, CVE-2024-42267, CVE-2024-42265, CVE-2024-43908, CVE-2024-44931, CVE-2024-43914, CVE-2024-43912, CVE-2024-44935, CVE-2024-44934, CVE-2024-43909, CVE-2024-43905, CVE-2024-43903, CVE-2024-43902, CVE-2024-43900, CVE-2024-43907, CVE-2024-43906, CVE-2024-43897, CVE-2024-43894, CVE-2024-43893, CVE-2024-43892, CVE-2024-43890, CVE-2024-43889, CVE-2024-43895, CVE-2024-43883, CVE-2024-43861, CVE-2024-42259, CVE-2024-44943, CVE-2024-44942, CVE-2024-44941, CVE-2024-44940, CVE-2024-44938, CVE-2024-44939, CVE-2024-43898, CVE-2024-43882, CVE-2024-44947, CVE-2024-44946)
• curl (CVE-2024-6197, CVE-2024-6874)
• docker (CVE-2024-29018)
• git (CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, CVE-2024-32021, CVE-2024-32465)
• glib (CVE-2024-34397)
• go (CVE-2023-45288, CVE-2023-45289, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785, CVE-2024-24788, CVE-2024-24789, CVE-2024-24790, CVE-2024-24791)
• intel-microcode (CVE-2023-45733, CVE-2023-45745, CVE-2023-46103, CVE-2023-47855)
• libarchive (CVE-2024-26256, CVE-2024-37407)
• libxml2 (CVE-2024-34459)
• mit-krb5 (CVE-2024-26461, CVE-2024-26462, CVE-2024-37370, CVE-2024-37371)
• sysext-podman: podman (CVE-2024-3727)
• tpm2-tools (CVE-2024-29038, CVE-2024-29039, CVE-2024-29040)
• wget (CVE-2024-38428)
• SDK: nasm (CVE-2019-6290, CVE-2019-6291, CVE-2019-8343, CVE-2020-21528, CVE-2021-33450, CVE-2021-33452, CVE-2022-44368, CVE-2022-44369, CVE-2022-44370)

Bug fixes:

• Fix ownership of systemd units shipped with built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Due to contents of sysexts and /usr being readonly on Flatcar, the invalid permissions can't be used to escalate privileges. (scripts#2266)
• Fixed bad usage of gpg that prevented flatcar-install from being used with custom signing keys (Flatcar#1471)
• Equinix Metal: Fixed oem-cloudinit.service. The availability check now uses the https://metadata.platformequinix.com/metadata endpoint. (scripts#2222)

Changes:

• As part of the update to Catalyst 4 (used to build the SDK), the coreos package repository has been renamed to coreos-overlay to match its directory name. This will be reflected in package listings and package manager output. (flatcar/scripts#2115)
• The kernel security module Landlock is now enabled for programs to sandbox themselves (flatcar/scripts#2158)

Updates:

• Linux (6.6.48 (includes 6.6.47, 6.6.46, 6.6.45, 6.6.44))
• Linux Firmware (20240709)
• audit (3.1.2)
• binutils (2.42)
• bpftool (6.9.2 (includes 6.8.2))
• btrfs-progs (6.9.2)
• c-ares (1.29.0 (includes 1.28.1, 1.28.0))
• cJSON (1.7.18)
• ca-certificates (3.104)
• containerd (1.7.20 (includes 1.7.19))
• cryptsetup (2.7.2 (includes 2.7.1 and 2.7.0))
• curl (8.9.0 (includes 8.8.0))
• docker (26.1.0, includes changes from 25.0)
• e2fsprogs (1.47.1)
• ethtool (6.9)
• findutils (4.10.0)
• gcc (13.3.1_p20240614)
• git (2.44.2 (includes 2.44.1, 2.44.0))
• glib (2.78.6 (includes 2.78.5, 2.78.4))
• gnupg (2.4.5)
• hwdata (0.383 (includes 0.382))
• intel-microcode (20240514_p20240514)
• iproute2 (6.8.0 (includes 6.7.0))
• ipset (7.22)
• kexec-tools (2.0.28)
• kmod (32)
• libarchive (3.7.4 (includes 3.7.3))
• libassuan (2.5.7)
• libcap (2.70)
• libcap-ng (0.8.5)
• libdnet (1.18.0)
• libgpg-error (1.49)
• libksba (1.6.7)
• libnl (3.9.0)
• libnvme (1.9)
• libpcre2 (10.43)
• libunwind (1.8.1 (includes 1.8.0))
• libusb (1.0.27)
• libxml2 (2.12.7 (includes 2.12.6))
• linux-pam (1.5.3)
• lshw (02.20.2b)
• mit-krb5 (1.21.3)
• multipath-tools (0.9.8)
• nmap (7.95)
• nvme-cli (2.9.1 (includes 2.9))
• pciutils (3.13.0 (includes 3.12.0))
• qemu-guest-agent (8.2.0)
• rsync (3.3.0)
• runc (1.1.13)
• sqlite (3.46.0 (includes 3.45.3))
• strace (6.9)
• sysext-podman: aardvark-dns (1.11.0)
• sysext-podman: containers-common (0.59.1)
• sysext-podman: podman (5.0.3)
• sysext-python: jaraco-text (3.12.1)
• sysext-python: setuptools (70.3.0 (includes 70.1.1, 70.1.0, 70.0.0, 69.5.1, 69.5.0, 69.4.2, 69.4.1, 69.4.0, 69.3.1, 69.3.0, 69.2.0))
• sysext-python: trove-classifiers (2024.7.2)
• systemd (255.8)
• talloc (2.4.1)
• tdb (1.4.9)
• tevent (0.15.0)
• tpm2-tools (5.7 (includes 5.6.1, 5.6))
• tpm2-tss (4.1.3 (includes changes from 4.0.2)
• util-linux (2.39.4)
• vim (9.1.0366 (includes changes from 9.1))
• wget (1.24.5)
• whois (5.5.21)
• xfsprogs (6.8.0 (includes changes from 6.6.0))
• xz-utils (5.6.2)
• zfs (2.2.3)
• zlib (1.3.1)
• zstd (1.5.6)
• VMware: open-vm-tools (12.4.5)
• SDK: Rust (1.80.0)
• SDK: go (1.21.12 includes changes from 1.21)
• SDK: nasm (2.16.01)
• SDK: portage (3.0.65 (includes changes from 3.0.63))
• SDK: qemu (8.2.3)

Changes since Alpha 4054.0.0

Security fixes:

• Linux (CVE-2024-44944, CVE-2024-43877, CVE-2024-43876, CVE-2024-43875, CVE-2024-43873, CVE-2024-43871, CVE-2024-43881, CVE-2024-43880, CVE-2024-43879, CVE-2024-43869, CVE-2024-43870, CVE-2024-43856, CVE-2024-43860, CVE-2024-43859, CVE-2024-43858, CVE-2024-43833, CVE-2024-43832, CVE-2024-43831, CVE-2024-43830, CVE-2024-43829, CVE-2024-43828, CVE-2024-43855, CVE-2024-43854, CVE-2024-43853, CVE-2024-43851, CVE-2024-43850, CVE-2024-43849, CVE-2024-43847, CVE-2024-43846, CVE-2024-43845, CVE-2024-43842, CVE-2024-43841, CVE-2024-43839, CVE-2024-43837, CVE-2024-43834, CVE-2024-43825, CVE-2024-43823, CVE-2024-43821, CVE-2024-43818, CVE-2024-43817, CVE-2024-42321, CVE-2024-42322, CVE-2024-42288, CVE-2024-42297, CVE-2024-42296, CVE-2024-42295, CVE-2024-42294, CVE-2024-42292, CVE-2024-42320, CVE-2024-42318, CVE-2024-42291, CVE-2024-42316, CVE-2024-42315, CVE-2024-42314, CVE-2024-42313, CVE-2024-42311, CVE-2024-42310, CVE-2024-42309, CVE-2024-42308, CVE-2024-42290, CVE-2024-42307, CVE-2024-42306, CVE-2024-42305, CVE-2024-42304, CVE-2024-42303, CVE-2024-42302, CVE-2024-42301, CVE-2024-42299, CVE-2024-42298, CVE-2024-42289, CVE-2024-42284, CVE-2024-42283, CVE-2024-42281, CVE-2024-42280, CVE-2024-42279, CVE-2024-42278, CVE-2024-42277, CVE-2024-42287, CVE-2024-42286, CVE-2024-42285, CVE-2023-52889, CVE-2024-42276, CVE-2024-43867, CVE-2024-43866, CVE-2024-43864, CVE-2024-43863, CVE-2024-42312, CVE-2024-42274, CVE-2024-42273, CVE-2024-42272, CVE-2024-42271, CVE-2024-42270, CVE-2024-42269, CVE-2024-42268, CVE-2024-42267, CVE-2024-42265, CVE-2024-43908, CVE-2024-44931, CVE-2024-43914, CVE-2024-43912, CVE-2024-44935, CVE-2024-44934, CVE-2024-43909, CVE-2024-43905, CVE-2024-43903, CVE-2024-43902, CVE-2024-43900, CVE-2024-43907, CVE-2024-43906, CVE-2024-43897, CVE-2024-43894, CVE-2024-43893, CVE-2024-43892, CVE-2024-43890, CVE-2024-43889, CVE-2024-43895, CVE-2024-43883, CVE-2024-43861, CVE-2024-42259, CVE-2024-44943, CVE-2024-44942, CVE-2024-44941, CVE-2024-44940, CVE-2024-44938, CVE-2024-44939, CVE-2024-43898, CVE-2024-43882, CVE-2024-44947, CVE-2024-44946)

Bug fixes:

• Fix ownership of systemd units shipped with built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Due to contents of sysexts and /usr being readonly on Flatcar, the invalid permissions can't be used to escalate privileges. (scripts#2266)
• Equinix Metal: Fixed oem-cloudinit.service. The availability check now uses the https://metadata.platformequinix.com/metadata endpoint. (scripts#2222)

Updates:

• Linux (6.6.48 (includes 6.6.47, 6.6.46, 6.6.45, 6.6.44))
• ca-certificates (3.104)