Flatcar updates
Security fixes:
- Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
- Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
- Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
- Fix libidn2 domain impersonation (CVE-2019-12290)
- Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
- Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
- Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
- Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
- Fix vim arbitrary command execution via crafted file (CVE-2019-12735)
Bug fixes:
- Revert adding the SELinux use flag for docker-runc until a regression is solved
- When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (flatcar-linux/update_engine#5)
- Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed
Changes:
- Support the CoreOS GRUB /boot/coreos/first_boot flag file (flatcar-linux/bootengine#13)
- Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
- Add wireguard kernel module from wireguard-linux-compat
- Include wg (wireguard-tools)
- Enable regex support for jq
- Use flatcar.autologin kernel command line parameter on Azure for auto login on the serial console
Updates: