New Stable Release 3139.2.0
Changes since Stable 3033.2.4
Security fixes:
- Linux (CVE-2022-1015, CVE-2022-1016)
- Go (CVE-2021-44716, CVE-2021-44717)
- containerd (CVE-2021-43816, CVE-2022-24769)
- gcc (CVE-2020-13844)
- Ignition (CVE-2020-14040, CVE-2021-38561)
- krb5 (CVE-2021-37750)
- libarchive (libarchive-1565, libarchive-1566)
- OpenSSH (CVE-2021-41617)
- openssl (CVE-2021-4044)
- torcx (CVE-2021-38561, CVE-2021-43565)
- vim (CVE-2021-3872, CVE-2021-3875, CVE-2021-3903, CVE-2021-3927, CVE-2021-3928, CVE-2021-3968, CVE-2021-3973, CVE-2021-3974)
- SDK: edk2-ovmf (CVE-2019-14584, CVE-2021-28210, CVE-2021-28211, CVE-2021-28213)
- SDK: libxslt (CVE-2021-30560)
- SDK: mantle (CVE-2021-3121, CVE-2021-38561, CVE-2021-43565)
- SDK: QEMU (CVE-2020-35504, CVE-2020-35505, CVE-2020-35506, CVE-2020-35517, CVE-2021-20203, CVE-2021-20255, CVE-2021-20257, CVE-2021-20263, CVE-2021-3409, CVE-2021-3416, CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3582, CVE-2021-3607, CVE-2021-3608, CVE-2021-3682)
- SDK: Rust (CVE-2022-21658)
Bug fixes:
- Excluded the Kubenet cbr0 interface from networkd's DHCP config and set it to Unmanaged to prevent interference and ensure that it is not part of the network online check (init#55)
- Fixed the dracut emergency Ignition log printing that had a scripting error causing the cat command to fail (bootengine#33)
- network: Accept ICMPv6 Router Advertisements to fix IPv6 address assignment in the default DHCP setting (init#51, coreos-cloudinit#12, bootengine#30)
- flatcar-update: Stopped checking for the USER environment variable which may not be set in all environments, causing the script to fail unless a workaround was used like prepending an additional sudo invocation (init#58)
- Reverted the Linux kernel commit which broke networking on AWS instances which use Intel 82559 NIC (c4/m4) (Flatcar#665, coreos-overlay#1723)
- Re-added the brd drbd nbd rbd xen-blkfront zram libarc4 lru_cache zsmalloc kernel modules to the initramfs since they were missing compared to the Flatcar 3033.2.x releases where the 5.10 kernel is used (bootengine#40)
Changes:
- Added a new flatcar-update tool to the image to ease manual updates, rollbacks, channel/release jumping, and airgapped updates (init#53)
- Update-engine now creates the /run/reboot-required flag file for kured (update_engine#15)
- Excluded special network interface devices like bridge, tunnel, vxlan, and veth devices from the default DHCP configuration to prevent networkd interference (init#56)
- Added CONFIG_NF_CT_NETLINK_HELPER (for libnetfilter_cthelper), CONFIG_NET_VRF (for virtual routing and forwarding) and CONFIG_KEY_DH_OPERATIONS (for keyutils) to the kernel config (coreos-overlay#1524)
- Enabled the FIPS support for the Linux kernel, which users can now choose through a kernel parameter in grub.cfg (check it taking effect with cat /proc/sys/crypto/fips_enabled) (coreos-overlay#1602)
- Enabled FIPS mode for cryptsetup (portage-stable#312)
- Reworked the way the default Python interpreter is set up in the SDK - it is now set without specifying a version. This should work fine as long as the SDK keeps having one version of Python.
- Added a way to remove packages that are hard-blockers for update. A hard-blocker means that the package needs to be removed (for example with emerge -C) before an update can happen.
- Removed the pre-shipped /etc/flatcar/update.conf file, leaving it totally to the user to define the contents, as it was unnecessarily overwriting the /usr/share/flatcar/update.conf (scripts#212)
Updates:
- Linux (5.15.32) (from 5.15.30)
- Linux headers (5.15)
- GCC 9.4.0
- acl (2.3.1)
- attr (2.5.1)
- audit (3.0.6)
- boost (1.76.0)
- btrfs-progs (5.15.1)
- ca-certificates (3.77)
- containerd (1.5.11)
- coreutils (8.32)
- diffutils (3.8)
- ethtool (5.10)
- findutils (4.8.0)
- glib (2.68.4)
- i2c-tools (4.2)
- iproute2 (5.15)
- ipset (7.11)
- iputils (20210722)
- ipvsadm (1.27)
- kmod (29)
- libarchive 3.5.2
- libcap-ng (0.8.2)
- libseccomp (2.5.1)
- lshw (02.19.2b_p20210121)
- lsof (4.94.0)
- openssh (8.8)
- openssl (3.0.2)
- parted (3.4 (includes 3.3))
- pciutils (3.7.0)
- polkit (0.120)
- runc (1.1.0)
- sbsigntools (0.9.4)
- sed (4.8)
- usbutils (014)
- vim 8.2.3582
- Azure: Python for OEM images (3.9.8)
- Azure: WALinuxAgent (2.6.0.2)
- SDK: edk2-ovmf 202105
- SDK: file (5.40)
- SDK: ipxe 1.21.1
- SDK: mantle (0.18.0)
- SDK: perf (5.15)
- SDK: Python (3.9.8)
- SDK: qemu (6.1.0)
- SDK: Rust (1.58.1)
- SDK: seabios 1.14.0
- SDK: sgabios 0.1_pre10
Changes since Beta 3139.1.1
Security fixes:
- Linux (CVE-2022-1015, CVE-2022-1016)
- containerd (CVE-2022-24769)
Changes:
- Enabled FIPS mode for cryptsetup (portage-stable#312)