Changes since Stable 3760.2.0
Security fixes:
- Linux (CVE-2023-46838, CVE-2023-50431, CVE-2023-6610, CVE-2023-6915, CVE-2024-1085, CVE-2024-1086, CVE-2024-23849)
- Go (CVE-2023-39326, CVE-2023-45285)
- VMWare: open-vm-tools (CVE-2023-34058, CVE-2023-34059)
- docker (CVE-2024-24557)
- nghttp2 (CVE-2023-44487)
- runc (CVE-2024-21626)
- samba (CVE-2023-4091)
- zlib (CVE-2023-45853)
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
- Set TTY used for fetching server_context to RAW mode before running cloudinit on cloudsigma (scripts#1280)
Changes:
- torcx was replaced by systemd-sysext in the OS image. Learn more about sysext and how to customise OS images here.
- Torcx entered deprecation 2 years ago in favour of deploying plain Docker binaries (which is now also a legacy option because systemd-sysext offers a more robust and better structured way of customisation, including OS independent updates).
- Torcx has been removed entirely; if you use torcx to extend the Flatcar base OS image, please refer to our conversion script and to the sysext documentation mentioned above for migrating.
- Consequently, update_engine will not perform torcx sanity checks post-update anymore.
- Relevant changes: scripts#1216, update_engine#30, Mantle#466, Mantle#465.
- NOTE: The docker btrfs storage driver has been de-prioritised; BTRFS backed storage will now default to the overlay2 driver (changelog, upstream pr).
- NOTE: If you are already using btrfs-backed Docker storage and are upgrading to this new version, Docker will automatically use the btrfs storage driver for backwards-compatibility with your deployment.
- Docker will remove the btrfs driver entirely in a future version. Please consider migrating your deployments to the overlay2 driver. Using the btrfs driver can still be enforced by creating a respective docker config at /etc/docker/daemon.json.
- cri-tools, runc, containerd, docker, and docker-cli are now built from Gentoo upstream ebuilds. Docker received a major version upgrade - it was updated to Docker 24 (from Docker 20; see "updates").
- GCP OEM images now use a systemd-sysext image for layering additional platform-specific software on top of /usr and being part of the OEM A/B updates (flatcar#1146)
- Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)
Updates:
- Linux (6.1.77 (includes 6.1.76, 6.1.75, 6.1.74))
- Linux Firmware (20231111 (includes 20231030))
- Go (1.20.12)
- Azure: WALinuxAgent (v2.9.1.1)
- DEV: Azure (3.11.6)
- DEV: iperf (3.15)
- DEV: smartmontools (7.4)
- SDK: Rust (1.73.0)
- SDK: Python (3.11.0 (includes 23.2))
- VMWare: open-vm-tools (12.3.5)
- acpid (2.0.34)
- ca-certificates (3.97)
- containerd (1.7.9 (includes 1.7.8, 1.7.13, 1.7.10))
- cri-tools (1.27.0)
- ding-libs (0.6.2)
- docker (24.0.9 (includes 24.0.6, 23.0))
- efibootmgr (18)
- efivar (38)
- ethtool (6.5)
- hwdata (v0.375 (includes 0.374))
- iproute2 (6.5.0)
- ipvsadm (1.31 (includes 1.30, 1.29, 1.28))
- json-c (0.17)
- libffi (3.4.4 (includes 3.4.3, 3.4.2))
- liblinear (246)
- libmnl (1.0.5)
- libnetfilter_conntrack (1.0.9)
- libnetfilter_cthelper (1.0.1)
- libnetfilter_cttimeout (1.0.1)
- libnfnetlink (1.0.2)
- libsodium (1.0.19)
- libunistring (1.1)
- libunwind (1.7.2 (includes 1.7.0))
- liburing (2.3)
- mpc (1.3.1 (includes 1.3.0))
- mpfr (4.2.1)
- nghttp2 (1.57.0 (includes 1.56.0, 1.55.1, 1.55.0, 1.54.0, 1.53.0, 1.52.0))
- nspr (4.35)
- ntp (4.2.8p17)
- nvme-cli (v2.6 (includes v1.6))
- protobuf (21.12 (includes 21.11, 21.10))
- runc (1.1.12)
- samba (4.18.8)
- sqlite (3.43.2)
- squashfs-tools (4.6.1 (includes 4.6))
- thin-provisioning-tools (1.0.6)
Changes since Beta 3815.1.0
Security fixes:
- Linux (CVE-2023-46838, CVE-2023-50431, CVE-2023-6610, CVE-2023-6915, CVE-2024-1085, CVE-2024-1086, CVE-2024-23849)
- docker (CVE-2024-24557)
- runc (CVE-2024-21626)
Bug fixes:
- Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
- Forwarded the proxy environment variables of update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)
Changes:
- Added a flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)