Security fixes
- Linux (CVE-2021-28964, CVE-2021-28972, CVE-2021-28971, CVE-2021-28951, CVE-2021-28952, CVE-2021-29266, CVE-2021-28688, CVE-2021-29264, CVE-2021-29649, CVE-2021-29650, CVE-2021-29646, CVE-2021-29647, CVE-2021-29154, CVE-2021-29155, CVE-2021-23133)
- dnsmasq (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)
- git (CVE-2021-21300)
- gnutls (CVE-2021-20231, CVE-2021-20232)
- sqlite (CVE-2021-20227)
- qemu (CVE-2020-10717, CVE-2020-13754, CVE-2020-15859, CVE-2020-15863, CVE-2020-16092, CVE-2020-25741, CVE-2020-25742, CVE-2020-25743)
- curl (CVE-2021-22876, CVE-2021-22890)
- libxml2 (CVE-2020-24977)
- openldap (CVE-2021-27212)
Bug fixes
- Fix the patch to update DefaultTasksMax in systemd (coreos-overlay#971)
Changes
- GCE: The oem-gce.service was ported to use systemd-nspawn instead of rkt. A one-time action is required to fetch the new service file because the OEM partition is not updated:
sudo curl -s -S -f -L -o /etc/systemd/system/oem-gce.service https://raw.githubusercontent.com/kinvolk/coreos-overlay/fe7b0047ef5b634ebe04c9627bbf1ce3008ee5fa/coreos-base/oem-gce/files/units/oem-gce.service && sudo systemctl daemon-reload && sudo systemctl restart oem-gce.service
- Make the hostname setting units optional. Because the hostname units were required by initrd.target, a failure of the unit meant the machine wouldn't start, disrupting the whole boot. (bootengine#23)
- Enable using iSCSI netroot devices on Flatcar (bootengine#22)
Updates
- Linux (5.10.32)
- systemd (247.6)
- openldap (2.4.58)
- curl (7.76.1)
- gnutls (3.7.1)
- git (2.26.3)
- libxml2 (2.9.10)
- sqlite (3.34.1)
- dnsmasq (2.83)
- go (1.16.2)
- SDK: QEMU (5.2.0)
- SDK: Rust (1.51.0)
Deprecation
- rkt and kubelet-wrapper are deprecated and removed from Alpha, and will also be removed from subsequent channels in the future. Please read the removal announcement to learn more.
Note: ARM images remain experimental for now.