flatcar/scripts beta-4344.1.0

on GitHub

Changes since Beta 4230.1.1

Security fixes:

• VMWare: open-vm-tools (CVE-2025-22247)
• afterburn (CVE-2025-3416, CVE-2025-0977)
• binutils (CVE-2024-53589, CVE-2025-1176, CVE-2025-1178, CVE-2025-1179, CVE-2025-1180, CVE-2025-1181, CVE-2025-1182)
• c-ares (CVE-2025-31498)
• cifs-utils (CVE-2025-2312)
• containerd (CVE-2024-40635)
• crun (CVE-2025-24965)
• curl (CVE-2025-0167, CVE-2025-0665, CVE-2025-0725, curl-20250205)
• expat (CVE-2024-8176)
• git (CVE-2024-50349, CVE-2024-52005, CVE-2024-52006)
• glib (CVE-2024-52533)
• glibc (CVE-2025-0395)
• gnutls (CVE-2024-12243)
• go (CVE-2025-22871)
• intel-microcode (CVE-2023-34440, CVE-2023-43758, CVE-2024-24582, CVE-2024-28047, CVE-2024-28127, CVE-2024-29214, CVE-2024-31157, CVE-2024-39279, CVE-2024-31068, CVE-2024-36293, CVE-2024-37020, CVE-2024-39355)
• iperf (CVE-2024-53580)
• libarchive (CVE-2024-57970, CVE-2025-25724)
• libcap (CVE-2025-1390)
• libtasn1 (CVE-2024-12133)
• libxml2 (CVE-2024-56171, CVE-2025-24928, CVE-2025-27113)
• libxslt (CVE-2025-24855, CVE-2024-55549)
• mit-krb5 (CVE-2025-24528)
• openssh (CVE-2025-26465, CVE-2025-26466)
• openssl (CVE-2024-13176, CVE-2024-12797)
• perl (CVE-2024-56406)
• podman (CVE-2024-11218)
• python (CVE-2025-0938)
• rsync (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747)
• socat (CVE-2024-54661, socat-20250221)
• vim (CVE-2024-41957, CVE-2024-41965, CVE-2024-43374, CVE-2024-43790, CVE-2024-43802, CVE-2024-45306, CVE-2024-47814)
• xz-utils (CVE-2025-31115)

Bug fixes:

• Added back some BCC tools (scripts#2900)
• Fix non-conforming GPT partition table (flatcar/Flatcar#1651)
• Fixed path handling in the QEMU .sh launcher scripts. Given paths now are relative to the current directory and absolute paths work as you would expect.
• Fixed race condition in the script that grows the root partition to fill the disk. This bug sometimes caused the operation to not occur. (init#132)
• Fixed the inclusion of Intel and AMD CPU microcode in the initrd. This was accidentally dropped some time ago.
• azure: Fixed issue of wa-linux-agent overriding ssh public key from ignition configuration during provisioning (flatcar/Flatcar#1661)
• update-ssh-keys: More intuitive --help text and the -n (no-replace) option has been fixed. (flatcar/Flatcar#1554)

Changes:

• Add changes for our secureboot signed images with our signed release process until the official shim signing (scripts#2754)
• Added nftables-load.service and nftables-store.service services to load/store rules from/in /var/lib/nftables/rules-save (Flatcar#900)
• Added support for podman in toolbox (toolbox#11)
• Allow per-sysext USE flags and architecture-specific sysexts. (scripts#2798)
• Always truncate hostnames on the first occurrence of . (cloud-init#32)
• Build Intel iGPU i915 driver as module (scripts#2349)
• Compile OS-dependent NVIDIA kernel module sysexts signed for secure boot. (scripts#2798)
• Enabled EROFS module with XATTR support (Flatcar#1659)
• Enabled virtiofs and fuse-dax modules in the kernel for advaned Qemu usecases. Thank you @aaronk6! (Flatcar#2825)
• Ensure hostnames never exceeds 63 characters, regardless of the metadata provider (cloud-init#31)
• Provided an Incus Flatcar extension as optional systemd-sysext image with the release. Write 'incus' to /etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning. (scripts#1655)
• Sign out-of-tree kernel modules using the ephemeral signing key so that ZFS and NVIDIA sysexts can work with secure boot. (scripts#2636)
• The kernel image and its embedded initrd are now compressed with xz rather than zstd. This gives greater compression at the cost of decompression performance. Systems may therefore now be ever so slightly slower to boot, but this was necessary to avoid running out of space in the /boot partition. Further measures to address the space issue are planned, and perhaps we can switch back to zstd in a later release.
• The qemu script (flatcar_production_qemu*.sh) received two new options. -D (or -image-disk-opts) can be used to add extra options to the virtio-blk-pci device for primary disk. -d (or -disk) can be used to add extra disks to the machine - this one takes a path to a raw or qcow2 image file and, after a comma, virtio-blk-pci options. To learn what disk options can be passed to -D or -d, call qemu-system-x86_64 -device virtio-blk-pci,help (qemu-system-aarch64 can be used too).
• /boot is now only accessible by the root user for better security. (Flatcar#296)
• sysext-incus: removed /etc/subuid and /etc/subgid generation for root user, it has to be created through initial provisioning. (scripts#3028)
• systemd now uses OpenSSL instead of gcrypt for cryptography to reduce the size of the initrd. This change disables systemd-journal's Forward Secure Sealing feature, but it is generally not useful for Flatcar.

Updates:

• AWS: Amazon SSM Agent (3.3.2299.0)
• Ignition (2.21.0)
• Linux (6.12.34 (includes 6.12.33, 6.12.32, 6.12.31, 6.12.30 6.12.29 6.12.28, 6.12.27, 6.12.26, 6.12.25, 6.12.24, 6.12.23, 6.12.22, 6.12.21, 6.12.20 6.12.19, 6.12.18, 6.12.17, 6.12.16, 6.12.15, 6.12.14, 6.12.13, 6.12.12, 6.12.11, 6.12.10, 6.12.9, 6.12.8, 6.12.7, 6.12.6, 6.12.5, 6.12.4, 6.12.3, 6.12.2, 6.12.1, 6.12, 6.6.89))
• Linux Firmware (20250509 (includes 20250410, 20250311, 20250211))
• SDK: cmake (3.31.5)
• SDK: go (1.24.2 (includes 1.24.1, 1.23.6, 1.23.5))
• SDK: meson (1.6.1)
• SDK: perl (5.40.2 (includes 5.40.1)
• SDK: pkgcheck (0.10.34)
• SDK: qemu (9.1.2 (includes 9.0))
• SDK: rust (1.85.1 (includes 1.85.0, 1.84.1, 1.84.0, 1.83.0))
• VMWare: open-vm-tools (12.5.2)
• afterburn (5.8.2)
• azure, dev, gce, sysext-python: gdbm (1.25)
• azure, dev, gce, sysext-python: python (3.11.12)
• azure: wa-linux-agent (2.12.0.4)
• base, dev: azure-vm-utils (0.6.0 (includes 0.5.2, 0.5.1, 0.5.0))
• base, dev: bind (9.18.31 (includes 9.18.30))
• base, dev: binutils (2.44)
• base, dev: btrfs-progs (6.13)
• base, dev: c-ares (1.34.4)
• base, dev: cifs-utils (7.3 (includes 7.2, 7.1))
• base, dev: cracklib (2.10.3)
• base, dev: cri-tools (1.32.0 (includes 1.31.1, 1.31.0, 1.30.1, 1.30.0, 1.29.0, 1.28.0, 1.27.1))
• base, dev: curl (8.13.0 (includes 8.12.1, 8.12.0)
• base, dev: dbus (1.16.2 (includes 1.16.0, 1.14.8, 1.14.6))
• base, dev: diffutils (3.12 (includes 3.11))
• base, dev: e2fsprogs (1.47.2)
• base, dev: elfutils (0.192)
• base, dev: ethtool (6.11)
• base, dev: expat (2.7.1 (includes 2.7.0))
• base, dev: git (2.49.0 (includes 2.48.1 2.48.0, 2.47.2, 2.47.1, 2.47.0, 2.46.3, 2.46.2, 2.46.1, 2.46.0, 2.45.3))
• base, dev: glib ((2.82.5 (includes 2.82.4, 2.82.3, 2.82.2, 2.82.1, 2.82.0))
• base, dev: gnupg (2.4.7)
• base, dev: gnutls (3.8.9 (includes 3.8.8))
• base, dev: hwdata (0.391)
• base, dev: intel-microcode (20250211_p20250211)
• base, dev: iproute2 (6.14.0 (includes 6.13.0))
• base, dev: ipset (7.23)
• base, dev: iptables (1.8.11 (includes 1.8.10, 1.8.9))
• base, dev: kbd (2.7.1 (includes 2.7, 2.7-rc1))
• base, dev: ldb (2.9.2 (includes 2.9.1, 2.9.0))
• base, dev: libarchive (3.7.9 (includes 3.7.8))
• base, dev: libidn2 (2.3.8)
• base, dev: libnvme (1.12)
• base, dev: libpcre2 (10.45)
• base, dev: libseccomp (2.6.0 (includes 2.5.6))
• base, dev: libsemanage (3.7)
• base, dev: libtasn1 (4.20.0)
• base, dev: libtirpc (1.3.6 (includes 1.3.5))
• base, dev: libuv (1.50.0)
• base, dev: libxcrypt (4.4.38 (includes 4.4.37))
• base, dev: libxml2 (2.13.7 (includes 2.13.6, 2.13.5, 2.13.4, 2.13.3, 2.13.2, 2.13.1, 2.13.0, 2.12.10))
• base, dev: linux-headers (6.12)
• base, dev: logrotate (3.22.0 (includes 3.21.0))
• base, dev: lvm2 (2.03.22 (includes 2.03.21, 2.03.20, 2.03.19, 2.03.18, 2.03.17, 2.03.16, 2.03.15, 2.03.14, 2.03.13, 2.03.12, 2.03.11, 2.03.10, 2.03.09, 2.03.08, 2.03.07, 2.03.06, 2.03.05, 2.03.04, 2.03.03, 2.03.02, 2.03.01, 2.03.00))
• base, dev: mdadm (4.4 (includes 4.3))
• base, dev: ncurses (6.5_p20250125)
• base, dev: nettle (3.10.1)
• base, dev: nfs-utils (2.7.1 (includes 2.6.4, 2.6.3, 2.6.2, 2.6.1))
• base, dev: nftables (1.1.1 (includes 1.1.0, 1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.5, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0))
• base, dev: nghttp2 (1.65.0 (includes 1.64.0, 1.63.0))
• base, dev: nvme-cli (2.12)
• base, dev: oniguruma (6.9.10)
• base, dev: open-iscsi (2.1.11)
• base, dev: open-isns (0.103)
• base, dev: openssh (9.9_p2 (includes 9.9_p1))
• base, dev: openssl (3.3.3)
• base, dev: pkgconf (2.4.3 (includes 2.4.2, 2.4.1, 2.4.0))
• base, dev: policycoreutils (3.7)
• base, dev: polkit (126 (includes 125, 124, 123, 122))
• base, dev: qemu-guest-agent (9.2.0 (includes 9.1, 9.0))
• base, dev: rpcbind (1.2.7)
• base, dev: rsync (3.4.1 (includes 3.4.0))
• base, dev: samba (4.20.7 (includes 4.20.6, 4.20.5, 4.20.4, 4.20.3, 4.20.2, 4.20.1, 4.20.0))
• base, dev: semodule-utils (3.7)
• base, dev: shadow (4.14.8 (includes 4.14.7, 4.14.6, 4.14.5, 4.14.4, 4.14.3, 4.14.2, 4.14.1, 4.14.0))
• base, dev: socat (1.8.0.3 (includes 1.8.0.2, 1.8.0.1))
• base, dev: sqlite (3.49.1 (includes 3.49.0, 3.48.0, 3.47.2))
• base, dev: sssd (2.9.6)
• base, dev: strace (6.14 (includes 6.13))
• base, dev: tdb (1.4.12 (includes 1.4.11))
• base, dev: timezone-data (2025b (includes 2025a, 2024b, 2024a, 2023d, 2023c, 2023b, 2023a, 2022g, 2022f, 2022e, 2022d, 2022c, 2022b, 2022a, 2021e, 2021d, 2021c, 2021b))
• base, dev: trousers (0.3.15)
• base, dev: unzip (6.0_p29)
• base, dev: userspace-rcu (0.15.1 (includes 0.15.0))
• base, dev: util-linux (2.40.4 (includes 2.40.3))
• base, dev: vim (9.1.0794)
• base, dev: which (2.23)
• base, dev: xfsprogs (6.13.0 (includes 6.12.0))
• base, dev: xz-utils (5.6.4)
• base, dev: zram-generator (1.2.1 (includes 1.2.0))
• base, dev: zstd (1.5.7)
• ca-certificates (3.112 (includes 3.111))
• containerd: containerd (2.0.2)
• containerd: runc (1.2.5 (includes 1.2.4 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.15))
• dev: bash-completion (2.16.0)
• dev: eselect (1.4.30 (includes 1.4.29))
• dev: gcc-config (2.12.1)
• dev: getuto (1.15)
• dev: iperf (3.18)
• dev: man-pages (6.10)
• dev: minicom (2.10)
• dev: mpfr (4.2.2)
• dev: pahole (1.29 (includes 1.28))
• dev: patch (2.8)
• dev: portage (3.0.67)
• docker: docker (28.0.1 (includes 28.0.0, 27.4.1, 27.4.0))
• docker: docker-buildx (0.20.1 (includes 0.20.0, 0.19.3, 0.19.2, 0.19.1, 0.19.0, 0.18.0, 0.17.1, 0.17.0, 0.16.2, 0.16.1, 0.16.0, 0.15.1, 0.15.0, 0.14.1))
• dracut (106 (includes 105, 104, 103, 102, 101, 100, 060, 059, 058, 057, 056, 055, 054))
• sysext-docker: docker-buildx (0.21.2 (includes 0.21.1, 0.21.0))
• sysext-podman, vmware: fuse (3.17.2 (includes 3.17.1))
• sysext-podman: aardvark-dns (1.14.0 (includes 1.13.1, 1.13.0))
• sysext-podman: catatonit (0.2.1)
• sysext-podman: conmon (2.1.13 (includes 2.1.12, 2.1.11))
• sysext-podman: containers-common (0.62.2 (includes 0.62.1, 0.62.0, 0.61.0))
• sysext-podman: containers-image (5.34.2 (includes 5.34.1, 5.34.0, 5.33.0))
• sysext-podman: containers-shortnames (2025.03.19)
• sysext-podman: containers-storage (1.57.2 (includes 1.57.1, 1.57.0, 1.56.0))
• sysext-podman: crun (1.20, 1.19.1, 1.19, 1.18.2, 1.18.1, 1.18)
• sysext-podman: gpgme (1.24.2)
• sysext-podman: netavark (1.14.1 (includes 1.14.0, 1.13.1, 1.13.0))
• sysext-podman: passt (2025.02.17 (includes 2025.01.21))
• sysext-podman: podman (5.3.2)
• sysext-python: more-itertools (10.6.0)
• sysext-python: pip (25.0.1 (includes 25.0))
• sysext-python: platformdirs (4.3.7)
• sysext-python: rich (14.0.0)
• sysext-python: setuptools (78.1.0 (includes 78.0.2, 78.0.1, 78.0.0, 77.0.3, 77.0.2, 77.0.1, 77.0.0, 76.1.0, 76.0.0, 75.8.2, 75.8.1, 75.8.0, 75.7.0))
• sysext-python: setuptools-scm (8.2.1, 8.2.0)
• sysext-python: trove-classifiers (2025.4.11.15 (includes 2025.3.3.18, 2025.3.19.19))
• sysext-python: truststore (0.10.1)
• sysext-python: typing-extensions (4.13.2 (includes 4.13.1, 4.13.0))
• sysext-python: urllib3 (2.4.0)
• sysext-python: wheel (0.46.1 (includes 0.46.0))
• sysext-zfs: zfs (2.3.1 (includes 2.3.0))
• vmware: libxslt (1.1.43 (includes 1.1.42, 1.1.41, 1.1.40))
• vmware: xmlsec (1.3.7, 1.3.6)

Changes since Alpha 4344.0.0

Security fixes:

• Linux (CVE-2025-38052, CVE-2025-38061, CVE-2025-38060, CVE-2025-38059, CVE-2025-38058, CVE-2025-38057, CVE-2025-38056, CVE-2025-38055, CVE-2025-38081, CVE-2025-38080, CVE-2025-38079, CVE-2025-38078, CVE-2025-38077, CVE-2025-38075, CVE-2025-38074, CVE-2025-38073, CVE-2025-38072, CVE-2025-38054, CVE-2025-38071, CVE-2025-38069, CVE-2025-38068, CVE-2025-38066, CVE-2025-38065, CVE-2025-38063, CVE-2025-38062, CVE-2025-38053, CVE-2025-38038, CVE-2025-38037, CVE-2025-38035, CVE-2025-38034, CVE-2025-38033, CVE-2025-38051, CVE-2025-38031, CVE-2025-38048, CVE-2025-38047, CVE-2025-38046, CVE-2025-38045, CVE-2025-38044, CVE-2025-38043, CVE-2025-38040, CVE-2025-38039, CVE-2025-38030, CVE-2025-38003, CVE-2025-38004, CVE-2025-38000, CVE-2025-38082, CVE-2025-38001, CVE-2025-38083)

Bug fixes:

• Fixed race condition in the script that grows the root partition to fill the disk. This bug sometimes caused the operation to not occur. (init#132)

Changes:

• Added support for podman in toolbox (toolbox#11)
• /boot is now only accessible by the root user for better security. (Flatcar#296)
• sysext-incus: removed /etc/subuid and /etc/subgid generation for root user, it has to be created through initial provisioning. (scripts#3028)

Updates:

• Linux (6.12.34 (includes 6.12.33, 6.12.32, 6.12.31))
• ca-certificates (3.112)