flatcar/scripts stable-4459.2.0

on GitHub

Changes since Stable 4230.2.4

Security fixes:

• VMWare: open-vm-tools (CVE-2025-22247)
• afterburn (CVE-2025-0977, CVE-2025-3416)
• bind (CVE-2024-11187, CVE-2024-12705)
• binutils (CVE-2024-53589, CVE-2025-1176, CVE-2025-1178, CVE-2025-1179, CVE-2025-1180, CVE-2025-1181, CVE-2025-1182)
• c-ares (CVE-2025-31498)
• cifs-utils (CVE-2025-2312)
• containerd (CVE-2024-25621, CVE-2025-64329, CVE-2024-40635, CVE-2025-47291)
• crun (CVE-2025-24965)
• curl (CVE-2025-0167, CVE-2025-0665, CVE-2025-0725, curl-20250205)
• expat (CVE-2024-8176)
• git (CVE-2024-50349, CVE-2024-52005, CVE-2024-52006, CVE-2025-48384, CVE-2025-48385, CVE-2025-48386)
• glib (CVE-2024-52533, CVE-2025-4373, (CVE-2025-7039)
• glibc (CVE-2025-0395, CVE-2025-8058)
• gnutls (CVE-2024-12243, CVE-2025-32988, CVE-2025-32989, CVE-2025-32990, CVE-2025-6395)
• go (CVE-2025-22871, CVE-2025-22873, CVE-2025-4673, CVE-2025-0913, CVE-2025-22874, CVE-2025-4674, CVE-2025-47906, CVE-2025-47907)
• intel-microcode (CVE-2023-34440, CVE-2023-43758, CVE-2024-24582, CVE-2024-28047, CVE-2024-28127, CVE-2024-29214, CVE-2024-31157, CVE-2024-39279, CVE-2024-31068, CVE-2024-36293, CVE-2024-37020, CVE-2024-39355)
• iperf (CVE-2024-53580, CVE-2025-54349, CVE-2025-54350, CVE-2025-54351)
• jq (CVE-2024-23337, CVE-2024-53427, CVE-2025-48060)
• libarchive (CVE-2024-57970, CVE-2025-25724)
• libcap (CVE-2025-1390)
• libtasn1 (CVE-2024-12133)
• libxml2 (CVE-2024-56171, CVE-2025-24928, CVE-2025-27113, CVE-2025-32414, CVE-2025-32415, CVE-2025-49794, CVE-2025-49795, CVE-2025-49796)
• libxslt (CVE-2025-24855, CVE-2024-55549)
• mit-krb5 (CVE-2025-24528)
• nvidia-drivers (CVE-2025-23277, CVE-2025-23278, CVE-2025-23279, CVE-2025-23286)
• nvidia-drivers-service (CVE-2025-23244)
• openssh (CVE-2025-26465, CVE-2025-26466)
• openssl (CVE-2024-12797, CVE-2024-13176)
• perl (CVE-2024-56406)
• podman (CVE-2024-11218, CVE-2025-6032)
• python (CVE-2025-0938, CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4517, CVE-2025-6069, CVE-2025-8194)
• requests (CVE-2024-47081)
• rsync (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747)
• runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881)
• socat (CVE-2024-54661, socat-20250221)
• vim (CVE-2024-41957, CVE-2024-41965, CVE-2024-43374, CVE-2024-43790, CVE-2024-43802, CVE-2024-45306, CVE-2024-47814, CVE-2025-1215, CVE-2025-22134, CVE-2025-24014, GHSA-63p5-mwg2-787v, CVE-2025-27423, CVE-2025-29768, CVE-2025-53905, CVE-2025-53906, CVE-2025-9390)
• xz-utils (CVE-2025-31115)

Bug fixes:

• Enabled CONFIG_CPUSETS_V1 to mitigate cgroupsv1 removal (e.g JVM) (Flatcar#1884)
• Enabled CONFIG_MEMCG_V1 to mitigate cgroupsv1 removal (e.g JVM) (Flatcar#1884)
• Excluded TUN/TAP interfaces from the default DHCP network configuration to solve conflicts with the programs that created them (Flatcar#1933)
• Fix non-conforming GPT partition table (Flatcar#1651)
• Fixed Intel microcode updates which were broken in recent Alpha and Beta releases by switching back to built-in extra firmware instead of early cpio inclusion (Flatcar#1909)
• Fixed a UID/GID mis-alignment for user/group messagebus between acct-user/acct-group and baselayout. (baselayout#36)
• Fixed path handling in the QEMU .sh launcher scripts. Given paths now are relative to the current directory and absolute paths work as you would expect.
• Fixed race condition in the script that grows the root partition to fill the disk. This bug sometimes caused the operation to not occur. (init#132)
• Fixed that the needed Flatcar extensions don't get removed on update which caused a re-download (update_engine#51)
• Reenabled console support for DRM drivers, so that with the virtio graphics driver the interactive console is shown again after boot (Flatcar#1834)
• azure: Fixed issue of wa-linux-agent overriding ssh public key from ignition configuration during provisioning (flatcar/Flatcar#1661)
• sysext-podman: removed /etc/subuid and /etc/subgid generation for core user, before this change it partially overwrites the file and causes issues. (Flatcar#1733) This could be created through initial provisioning. (scripts#3043)
• update-ssh-keys: More intuitive --help text and the -n (no-replace) option has been fixed. (flatcar/Flatcar#1554)

Changes:

• Added overlaybd system extension to support accelerated container images. Add overlaybd to /etc/flatcar/enabled-sysext.conf to check it out. The extension includes both overlaybd as well as accelerated-container-image tools.
• Added changes for our secureboot signed images with our signed release process until the official shim signing (scripts#2754)
• Added nftables-load.service and nftables-store.service services to load/store rules from/in /var/lib/nftables/rules-save (Flatcar#900)
• Added support for podman in toolbox (toolbox#11)
• Allow per-sysext USE flags and architecture-specific sysexts. (scripts#2798)
• Always truncate hostnames on the first occurrence of . (cloud-init#32)
• Azure OEM: add inotify-tools, python urllib3 (flatcar/scripts#3116)
• Build Intel iGPU i915 driver as module (scripts#2349)
• Compiled OS-dependent NVIDIA kernel module sysexts signed for secure boot. (scripts#2798)
• Enabled CONFIG_INET_DIAG_DESTROY in kernel options (flatcar/scripts#3176)
• Enabled EROFS module with XATTR support (Flatcar#1659)
• Enabled virtiofs and fuse-dax modules in the kernel for advaned Qemu usecases. Thank you @aaronk6! (Flatcar#2825)
• Ensured hostnames never exceeds 63 characters, regardless of the metadata provider (cloud-init#31)
• Hyper-V images now use a systemd-sysext image for layering additional platform-specific software on top of /usr
• Provided an Incus Flatcar extension as optional systemd-sysext image with the release. Write 'incus' to /etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning. (scripts#1655)
• Scaleway: The Linux console is now attached to the correct console port. (scripts#3383)
• Signed out-of-tree kernel modules using the ephemeral signing key so that ZFS and NVIDIA sysexts can work with secure boot. (scripts#2636)
• The kernel image and its embedded initrd are now compressed with xz rather than zstd. This gives greater compression at the cost of decompression performance. Systems may therefore now be ever so slightly slower to boot, but this was necessary to avoid running out of space in the /boot partition. Further measures to address the space issue are planned, and perhaps we can switch back to zstd in a later release.
• The qemu script (flatcar_production_qemu*.sh) received two new options. -D (or -image-disk-opts) can be used to add extra options to the virtio-blk-pci device for primary disk. -d (or -disk) can be used to add extra disks to the machine - this one takes a path to a raw or qcow2 image file and, after a comma, virtio-blk-pci options. To learn what disk options can be passed to -D or -d, call qemu-system-x86_64 -device virtio-blk-pci,help (qemu-system-aarch64 can be used too).
• /boot is now only accessible by the root user for better security. (Flatcar#296)
• ftrace syscalls also available in ARM64 builds. (Enables syscall tracepoints) (flatcar/scripts#2600)
• sysext-incus: removed /etc/subuid and /etc/subgid generation for root user, it has to be created through initial provisioning. (scripts#3028)
• systemd now uses OpenSSL instead of gcrypt for cryptography to reduce the size of the initrd. This change disables systemd-journal's Forward Secure Sealing feature, but it is generally not useful for Flatcar.

Updates:

• AWS: Amazon SSM Agent (3.3.2299.0)
• Ignition (2.22.0 (includes 2.21.0))
• Linux (6.12.54 (includes 6.12, 6.12.1, 6.12.2, 6.12.3, 6.12.4, 6.12.5, 6.12.6, 6.12.7, 6.12.8, 6.12.9, 6.12.10, 6.12.11, 6.12.12, 6.12.13, 6.12.14, 6.12.15, 6.12.16, 6.12.17, 6.12.18, 6.12.19, 6.12.20, 6.12.21, 6.12.22, 6.12.23, 6.12.24, 6.12.25, 6.12.26, 6.12.27, 6.12.28, 6.12.29, 6.12.30, 6.12.31, 6.12.32, 6.12.33, 6.12.34, 6.12.35, 6.12.36, 6.12.37, 6.12.38, 6.12.39, 6.12.40, 6.12.41, 6.12.42, 6.12.43, 6.12.44, 6.12.45, 6.12.46, 6.12.47, 6.12.48, 6.12.49, 6.12.50, 6.12.51, 6.12.52, 6.12.53))
• Linux Firmware (20250808 (includes 20250211, 20250311, 20250410, 20250509, 20250613, 20250627, 20250708))
• SDK: cmake (3.31.7 (includes 3.31.5))
• SDK: gdb (16.3)
• SDK: gentoo-syntax (16)
• SDK: gnu-efi (4.0.2)
• SDK: go (1.24.6 (includes 1.23.5, 1.23.6, 1.24.1, 1.24.2, 1.24.4, 1.24.5))
• SDK: iperf (3.19)
• SDK: m4 (1.4.20)
• SDK: maturin (1.9.1)
• SDK: meson (1.7.2 (includes 1.6.1))
• SDK: mtools (4.0.49)
• SDK: nano (8.5)
• SDK: perl (5.40.2 (includes 5.40.1))
• SDK: pkgcheck (0.10.36 (includes 0.10.34))
• SDK: python-cryptography (45.0.4)
• SDK: qemu (9.2.3 (includes 9.0, 9.1.2))
• SDK: rust (1.88.0 (includes 1.83.0, 1.84.0, 1.84.1, 1.85.0, 1.85.1, 1.86.0, 1.87.0))
• SDK: sbsigntools (0.9.5)
• VMWare: open-vm-tools (12.5.2)
• afterburn (5.8.2)
• azure, dev, gce, sysext-python: gdbm (1.26 (includes 1.25))
• azure, dev, gce, sysext-python: mpdecimal (4.0.1)
• azure, dev, gce, sysext-python: python (3.11.13 (includes 3.11.12))
• azure: wa-linux-agent (2.12.0.4)
• base, dev: azure-vm-utils (0.7.0 (includes 0.5.0, 0.5.1, 0.5.2, 0.6.0))
• base, dev: bind (9.18.37 (includes 9.18.30, 9.18.31, 9.18.32, 9.18.33, 9.18.34, 9.18.35, 9.18.36))
• base, dev: binutils (2.44)
• base, dev: btrfs-progs (6.15 (includes 6.13))
• base, dev: c-ares (1.34.4)
• base, dev: checkpolicy (3.8.1 (includes 3.8))
• base, dev: cifs-utils (7.3 (includes 7.1, 7.2))
• base, dev: cracklib (2.10.3)
• base, dev: cri-tools (1.32.0 (includes 1.27.1, 1.28.0, 1.29.0, 1.30.0, 1.30.1, 1.31.0, 1.31.1))
• base, dev: cryptsetup (2.8.0)
• base, dev: curl (8.15.0 (includes 8.12.0, 8.12.1, 8.13.0, 8.14.0, 8.14.1))
• base, dev: dbus (1.16.2 (includes 1.14.6, 1.14.8, 1.16.0))
• base, dev: diffutils (3.12 (includes 3.11))
• base, dev: e2fsprogs (1.47.3 (includes 1.47.2))
• base, dev: elfutils (0.193 (includes 0.192))
• base, dev: ethtool (6.15 (includes 6.11))
• base, dev: expat (2.7.1 (includes 2.7.0))
• base, dev: gawk (5.3.2)
• base, dev: gcc (14.3.0)
• base, dev: git (2.49.0 (includes 2.45.3, 2.46.0, 2.46.1, 2.46.2, 2.46.3, 2.47.0, 2.47.1, 2.47.2, 2.48.0, 2.48.1))
• base, dev: glib (2.84.4 (includes 2.82.0, 2.82.1, 2.82.2, 2.82.3, 2.82.4, 2.82.5, 2.83.0, 2.83.1, 2.83.2, 2.83.3, 2.83.4, 2.83.5, 2.84.0, 2.84.1, 2.84.2, 2.84.3))
• base, dev: glibc (2.41)
• base, dev: gnupg (2.4.8 (includes 2.4.7))
• base, dev: gnutls (3.8.10 (includes 3.8.8, 3.8.9))
• base, dev: grep (3.12)
• base, dev: gzip (1.14)
• base, dev: hwdata (0.391)
• base, dev: inih (59)
• base, dev: intel-microcode (20250211_p20250211)
• base, dev: iproute2 (6.16.0 (includes 6.13.0, 6.14.0))
• base, dev: ipset (7.24 (includes 7.23))
• base, dev: iptables (1.8.11 (includes 1.8.9, 1.8.10))
• base, dev: iputils (20250605 (includes 20250602))
• base, dev: jansson (2.14.1)
• base, dev: jq (1.8.1 (includes 1.8.0))
• base, dev: kbd (2.7.1 (includes 2.7, 2.7-rc1))
• base, dev: kexec-tools (2.0.31)
• base, dev: kmod (34.2)
• base, dev: ldb (2.9.2 (includes 2.9.0, 2.9.1))
• base, dev: libarchive (3.8.1 (includes 3.7.8, 3.7.9, 3.8.0))
• base, dev: libcap (2.76 (includes 2.72, 2.73, 2.74, 2.75))
• base, dev: libffi (3.4.8 (includes 3.4.7))
• base, dev: libgcrypt (1.11.2 (includes 1.11.1))
• base, dev: libgpg-error (1.53 (includes 1.52))
• base, dev: libidn2 (2.3.8)
• base, dev: libnftnl (1.2.9)
• base, dev: libnvme (1.15 (includes 1.12))
• base, dev: libpcre2 (10.45)
• base, dev: libseccomp (2.6.0 (includes 2.5.6))
• base, dev: libselinux (3.8.1 (includes 3.8))
• base, dev: libsemanage (3.7)
• base, dev: libsepol (3.8.1 (includes 3.8))
• base, dev: libsodium (1.0.20_p20250606)
• base, dev: libtasn1 (4.20.0)
• base, dev: libtirpc (1.3.6 (includes 1.3.5))
• base, dev: libunistring (1.3)
• base, dev: libunwind (1.8.2)
• base, dev: liburing (2.9 (includes 2.8))
• base, dev: libusb (1.0.29 (includes 1.0.28))
• base, dev: libuv (1.51.0 (includes 1.50.0))
• base, dev: libxcrypt (4.4.38 (includes 4.4.37))
• base, dev: libxml2 (2.13.8 (includes 2.12.10, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7))
• base, dev: linux-headers (6.12)
• base, dev: logrotate (3.22.0 (includes 3.21.0))
• base, dev: lsof (4.99.5)
• base, dev: lvm2 (2.03.21 (includes 2.03.00, 2.03.01, 2.03.02, 2.03.03, 2.03.04, 2.03.05, 2.03.06, 2.03.07, 2.03.08, 2.03.09, 2.03.10, 2.03.11, 2.03.12, 2.03.13, 2.03.14, 2.03.15, 2.03.16, 2.03.17, 2.03.18, 2.03.19, 2.03.20))
• base, dev: mdadm (4.4 (includes 4.3))
• base, dev: ncurses (6.5_p20250531 (includes 6.5_p20250125))
• base, dev: nettle (3.10.2 (includes 3.10.1))
• base, dev: nfs-utils (2.7.1 (includes 2.6.1, 2.6.2, 2.6.3, 2.6.4))
• base, dev: nftables (1.1.1 (includes 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0))
• base, dev: nghttp2 (1.65.0 (includes 1.63.0, 1.64.0))
• base, dev: ntp (4.2.8_p18)
• base, dev: nvidia-drivers-service (570.172.08 (includes 535.247.01, 535.261.03, 570.124.06, 570.133.20, 570.148.08, 570.172.08))
• base, dev: nvme-cli (2.15 (includes 2.12))
• base, dev: oniguruma (6.9.10)
• base, dev: open-iscsi (2.1.11)
• base, dev: open-isns (0.103)
• base, dev: openssh (10.0_p1 (includes 9.9_p1, 9.9_p2))
• base, dev: openssl (3.4.2 (includes 3.3.3, 3.4.0, 3.4.1))
• base, dev: pciutils (3.14.0)
• base, dev: pinentry (1.3.2)
• base, dev: pkgconf (2.5.1 (includes 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0))
• base, dev: policycoreutils (3.7)
• base, dev: polkit (126 (includes 122, 123, 124, 125))
• base, dev: qemu-guest-agent (9.2.0 (includes 9.0, 9.1))
• base, dev: quota (4.10)
• base, dev: rpcbind (1.2.8 (includes 1.2.7))
• base, dev: rsync (3.4.1 (includes 3.4.0))
• base, dev: samba (4.20.7 (includes 4.20.0, 4.20.1, 4.20.2, 4.20.3, 4.20.4, 4.20.5, 4.20.6))
• base, dev: selinux (2.20250213)
• base, dev: semodule-utils (3.8.1 (includes 3.7, 3.8))
• base, dev: shadow (4.14.8 (includes 4.14.0, 4.14.1, 4.14.2, 4.14.3, 4.14.4, 4.14.5, 4.14.6, 4.14.7))
• base, dev: socat (1.8.0.3 (includes 1.8.0.1, 1.8.0.2))
• base, dev: sqlite (3.50.4 (includes 3.47.2, 3.48.0, 3.49.0, 3.49.1, 3.49.2, 3.50.3))
• base, dev: sssd (2.9.7 (includes 2.9.6))
• base, dev: strace (6.16 (includes 6.13, 6.14))
• base, dev: sudo (1.9.17_p2)
• base, dev: tdb (1.4.12 (includes 1.4.11))
• base, dev: trousers (0.3.15)
• base, dev: unzip (6.0_p29)
• base, dev: userspace-rcu (0.15.2 (includes 0.15.0, 0.15.1))
• base, dev: util-linux (2.40.4 (includes 2.40.3))
• base, dev: vim (9.1.1652 (includes 9.1.0794, 9.1.1436))
• base, dev: which (2.23)
• base, dev: xfsprogs (6.13.0 (includes 6.12.0))
• base, dev: xz-utils (5.8.1 (includes 5.6.4, 5.8.0))
• base, dev: zram-generator (1.2.1 (includes 1.2.0))
• base, dev: zstd (1.5.7)
• btrfs-progs (6.14)
• ca-certificates (3.116)
• chrony (4.7)
• curl (8.14.1)
• dbus-glib (0.114)
• dev, sysext-incus: squashfs-tools (4.7)
• dev: bash-completion (2.16.0)
• dev: eselect (1.4.30 (includes 1.4.29))
• dev: file (5.46)
• dev: gcc-config (2.12.1)
• dev: gdb (16.2 (includes 16.1))
• dev: getuto (1.15)
• dev: gnuconfig (20250710)
• dev: iperf (3.19.1 (includes 3.18))
• dev: man-db (2.13.1)
• dev: man-pages (6.10)
• dev: minicom (2.10)
• dev: mpfr (4.2.2)
• dev: pahole (1.30 (includes 1.28, 1.29))
• dev: patch (2.8)
• dev: portage (3.0.68 (includes 3.0.67))
• dev: sandbox (2.46)
• dev: smartmontools (7.5)
• docker: docker (28.0.1 (includes 27.4.0, 27.4.1, 28.0.0))
• docker: docker-buildx (0.20.1 (includes 0.14.1, 0.15.0, 0.15.1, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.17.1, 0.18.0, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.20.0))
• dracut (106 (includes 054, 055, 056, 057, 058, 059, 060, 100, 101, 102, 103, 104, 105))
• ethtool (6.14)
• fuse-overlayfs (1.15)
• git (2.49.1)
• inih (60)
• iproute2 (6.15.0)
• kbd (2.8.0)
• less (679)
• libffi (3.5.1)
• libgpg-error (1.55)
• libnvme (1.14)
• libxml2 (2.14.5)
• ncurses (6.5_p20250329)
• nftables (1.1.3)
• nvme-cli (2.14)
• passt (2025.6.11)
• procps (4.0.5)
• samba (4.20.8)
• sqlite (3.50.2)
• strace (6.15)
• sysext-containerd: containerd (2.0.7 (includes 2.0.2, 2.0.5, 2.0.6))
• sysext-containerd: runc (1.3.3 (includes 1.1.15, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2)
• sysext-docker: docker (28.0.4 (includes 28.0.2, 28.0.3))
• sysext-docker: docker-buildx (0.21.2 (includes 0.21.0, 0.21.1))
• sysext-incus, sysext-podman, vmware: fuse (3.17.3)
• sysext-incus: cowsql (1.15.9 (includes 1.15.8))
• sysext-incus: incus (6.0.4)
• sysext-incus: lxc (6.0.4)
• sysext-incus: lxcfs (6.0.4)
• sysext-nvidia-drivers-535, sysext-nvidia-drivers-535-open: nvidia-drivers (535.261.03)
• sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers (570.181 (includes 570.153.02, 570.169, 570.172.08))
• sysext-podman, vmware: fuse (3.17.2 (includes 3.17.1))
• sysext-podman: aardvark-dns (1.14.0 (includes 1.13.0, 1.13.1))
• sysext-podman: catatonit (0.2.1)
• sysext-podman: conmon (2.1.13 (includes 2.1.11, 2.1.12))
• sysext-podman: containers-common (0.63.0 (includes 0.61.0, 0.62.0, 0.62.1, 0.62.2))
• sysext-podman: containers-image (5.34.2 (includes 5.33.0, 5.34.0, 5.34.1))
• sysext-podman: containers-shortnames (2025.03.19)
• sysext-podman: containers-storage (1.57.2 (includes 1.56.0, 1.57.0, 1.57.1))
• sysext-podman: crun (1.20 (includes 1.18, 1.18.1, 1.18.2, 1.19, 1.19.1))
• sysext-podman: gpgme (1.24.3 (includes 1.24.2))
• sysext-podman: netavark (1.14.1 (includes 1.13.0, 1.13.1, 1.14.0))
• sysext-podman: passt (2025.04.15 (includes 2025.01.21, 2025.02.17))
• sysext-podman: podman (5.5.2 (includes 5.3.2)
• sysext-python: cachecontrol (0.14.3 (includes 0.14.2))
• sysext-python: charset-normalizer (3.4.2)
• sysext-python: distlib (0.4.0)
• sysext-python: ensurepip-pip (25.1.1)
• sysext-python: jaraco-collections (5.2.1)
• sysext-python: jaraco-functools (4.2.1)
• sysext-python: more-itertools (10.7.0 (includes 10.6.0))
• sysext-python: msgpack (1.1.1)
• sysext-python: packaging (25.0)
• sysext-python: pip (25.1.1 (includes 25.0, 25.0.1, 25.1))
• sysext-python: platformdirs (4.3.8 (includes 4.3.7))
• sysext-python: pygments (2.19.2)
• sysext-python: requests (2.32.4 (includes 2.32.3))
• sysext-python: resolvelib (1.2.0)
• sysext-python: rich (14.1.0 (includes 14.0.0))
• sysext-python: setuptools (80.9.0 (includes 75.7.0, 75.8.0, 75.8.1, 75.8.2, 76.0.0, 76.1.0, 77.0.0, 77.0.1, 77.0.2, 77.0.3, 78.0.0, 78.0.1, 78.0.2, 78.1.0, 79.0.0, 80.0.0, 80.1.0, 80.2.0, 80.3.0, 80.4.0, 80.6.0, 80.7.0, 80.8.0))
• sysext-python: setuptools-scm (8.3.1 (includes 8.2.0, 8.2.1, 8.3.0))
• sysext-python: trove-classifiers (2025.8.26.11 (includes 2025.3.3.18, 2025.3.19.19, 2025.4.11.15, 2025.4.28.22, 2025.5.1.12, 2025.5.7.19, 2025.5.8.13, 2025.5.8.15, 2025.5.9.12, 2025.8.6.13))
• sysext-python: truststore (0.10.4 (includes 0.10.1))
• sysext-python: typing-extensions (4.14.1 (includes 4.13.0, 4.13.1, 4.13.2, 4.14.0))
• sysext-python: urllib3 (2.5.0 (includes 2.4.0))
• sysext-python: wheel (0.46.1 (includes 0.46.0))
• sysext-zfs: zfs (2.3.2 (includes 2.3.0, 2.3.1))
• userspace-rcu (0.15.3)
• util-linux (2.41.1)
• vmware: libxslt (1.1.43 (includes 1.1.40, 1.1.41, 1.1.42))
• vmware: open-vm-tools (13.0.0)
• vmware: xmlsec (1.3.7 (includes 1.3.6))
• xfsprogs (6.14.0)
• zfs (2.3.3)

Changes since Beta 4459.1.0

Security fixes:

• Linux (CVE-2025-40109, CVE-2025-40107, CVE-2025-40028, CVE-2025-40027, CVE-2025-40026, CVE-2025-40000, CVE-2025-39995, CVE-2025-40052, CVE-2025-40061, CVE-2025-40060, CVE-2025-40059, CVE-2025-40058, CVE-2025-40057, CVE-2025-40056, CVE-2025-40055, CVE-2025-40081, CVE-2025-40080, CVE-2025-40079, CVE-2025-40078, CVE-2025-40071, CVE-2025-40070, CVE-2025-40068, CVE-2025-40067, CVE-2025-40062, CVE-2025-40053, CVE-2025-40029, CVE-2025-40038, CVE-2025-40037, CVE-2025-40036, CVE-2025-40035, CVE-2025-40033, CVE-2025-40051, CVE-2025-40049, CVE-2025-40031, CVE-2025-40048, CVE-2025-40047, CVE-2025-40045, CVE-2025-40044, CVE-2025-40043, CVE-2025-40039, CVE-2025-40030, CVE-2025-40018, CVE-2025-40004, CVE-2025-40032, CVE-2025-40042, CVE-2025-40019)
• sysext-containerd: containerd (CVE-2024-25621, CVE-2025-64329)
• sysext-containerd: runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881)

Bug fixes:

• Enabled CONFIG_MEMCG_V1 to mitigate cgroupsv1 removal (e.g JVM) (Flatcar#1884)
• Excluded TUN/TAP interfaces from the default DHCP network configuration to solve conflicts with the programs that created them (Flatcar#1933)
• Fixed Intel microcode updates which were broken in recent Alpha and Beta releases by switching back to built-in extra firmware instead of early cpio inclusion (Flatcar#1909)
• Fixed that the needed Flatcar extensions don't get removed on update which caused a re-download (update_engine#51)

Changes:

• Scaleway: The Linux console is now attached to the correct console port. (scripts#3383)

Updates:

• Linux (6.12.54 (includes 6.12.53, 6.12.52))
• sysext-containerd: containerd (2.0.7 (includes 2.0.6))
• sysext-containerd: runc (1.3.3 (includes 1.3.2, 1.3.1, 1.3.0))