Flatcar updates
Security fixes:
- Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
- Fix Git arbitrary path overwrite, credential leak from credential helpers, remote code execution in recursive clones, and arbitrary command execution via submodules (CVE-2019-1348, CVE-2019-1387, CVE-2019-19604, CVE-2020-11008, CVE-2020-5260)
- Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
- Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
- Fix libidn2 domain impersonation (CVE-2019-12290)
- Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
- Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
- Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
- Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
- Fix vim arbitrary command execution via crafted file (CVE-2019-12735)
Bug fixes:
- When writing the update kernel, prefer
/boot/coreosonly if/boot/coreos/vmlinux-*exists (flatcar-linux/update_engine#5) - Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed
- Use the correct
BINHOSTURLs in the development container to download binary packages
Changes:
- Support the CoreOS GRUB
/boot/coreos/first_bootflag file (flatcar-linux/bootengine#13) - Fetch container images in docker format rather than ACI by default in
etcd-member.service,flanneld.service, andkubelet-wrapper - Use
flatcar.autologinkernel command line parameter on Azure and VMware for auto login on the serial console - Include
conntrack(conntrack-tools) - Include
journalctloutput,pstorekernel crash logs, andcoredumpctl listoutput in themaydayreport - Update wa-linux-agent to 2.2.46 on Azure
- Support both
coreos.config.*andflatcar.config.*guestinfo variables on VMware OEM
Updates: