kinvolk/manifest v3139.2.0

on GitHub

New Stable Release 3139.2.0

Changes since Stable 3033.2.4

Security fixes:

• Linux (CVE-2022-1015, CVE-2022-1016)
• Go (CVE-2021-44716, CVE-2021-44717)
• containerd (CVE-2021-43816, CVE-2022-24769)
• gcc (CVE-2020-13844)
• Ignition (CVE-2020-14040, CVE-2021-38561)
• krb5 (CVE-2021-37750)
• libarchive (libarchive-1565, libarchive-1566)
• OpenSSH (CVE-2021-41617)
• openssl (CVE-2021-4044)
• torcx (CVE-2021-38561, CVE-2021-43565)
• vim (CVE-2021-3872, CVE-2021-3875, CVE-2021-3903, CVE-2021-3927, CVE-2021-3928, CVE-2021-3968, CVE-2021-3973, CVE-2021-3974)
• SDK: edk2-ovmf (CVE-2019-14584, CVE-2021-28210, CVE-2021-28211, CVE-2021-28213)
• SDK: libxslt (CVE-2021-30560)
• SDK: mantle (CVE-2021-3121, CVE-2021-38561, CVE-2021-43565)
• SDK: QEMU (CVE-2020-35504, CVE-2020-35505, CVE-2020-35506, CVE-2020-35517, CVE-2021-20203, CVE-2021-20255, CVE-2021-20257, CVE-2021-20263, CVE-2021-3409, CVE-2021-3416, CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3582, CVE-2021-3607, CVE-2021-3608, CVE-2021-3682)
• SDK: Rust (CVE-2022-21658)

Bug fixes:

• Excluded the Kubenet cbr0 interface from networkd's DHCP config and set it to Unmanaged to prevent interference and ensure that it is not part of the network online check (init#55)
• Fixed the dracut emergency Ignition log printing that had a scripting error causing the cat command to fail (bootengine#33)
• network: Accept ICMPv6 Router Advertisements to fix IPv6 address assignment in the default DHCP setting (init#51, coreos-cloudinit#12, bootengine#30)
• flatcar-update: Stopped checking for the USER environment variable which may not be set in all environments, causing the script to fail unless a workaround was used like prepending an additional sudo invocation (init#58)
• Reverted the Linux kernel commit which broke networking on AWS instances which use Intel 82559 NIC (c4/m4) (Flatcar#665, coreos-overlay#1723)
• Re-added the brd drbd nbd rbd xen-blkfront zram libarc4 lru_cache zsmalloc kernel modules to the initramfs since they were missing compared to the Flatcar 3033.2.x releases where the 5.10 kernel is used (bootengine#40)

Changes:

• Added a new flatcar-update tool to the image to ease manual updates, rollbacks, channel/release jumping, and airgapped updates (init#53)
• Update-engine now creates the /run/reboot-required flag file for kured (update_engine#15)
• Excluded special network interface devices like bridge, tunnel, vxlan, and veth devices from the default DHCP configuration to prevent networkd interference (init#56)
• Added CONFIG_NF_CT_NETLINK_HELPER (for libnetfilter_cthelper), CONFIG_NET_VRF (for virtual routing and forwarding) and CONFIG_KEY_DH_OPERATIONS (for keyutils) to the kernel config (coreos-overlay#1524)
• Enabled the FIPS support for the Linux kernel, which users can now choose through a kernel parameter in grub.cfg (check it taking effect with cat /proc/sys/crypto/fips_enabled) (coreos-overlay#1602)
• Enabled FIPS mode for cryptsetup (portage-stable#312)
• Rework the way we set up the default python intepreter in SDK - it is now without specifying a version. This should work fine as long as we keep having one version of python in SDK.
• Add a way to remove packages that are hard-blockers for update. A hard-blocker means that the package needs to be removed (for example with emerge -C) before an update can happen.
• Removed the pre-shipped /etc/flatcar/update.conf file, leaving it totally to the user to define the contents as it was unnecessarily overwriting the /use/share/flatcar/update.conf (scripts#212)

Updates:

• Linux (5.15.32) (from 5.15.30)
• Linux headers (5.15)
• GCC 9.4.0
• acl (2.3.1)
• attr (2.5.1)
• audit (3.0.6)
• boost (1.76.0)
• btrfs-progs (5.15.1)
• ca-certificates (3.77)
• containerd (1.5.11)
• coreutils (8.32)
• diffutils (3.8)
• ethtool (5.10)
• findutils (4.8.0)
• glib (2.68.4)
• i2c-tools (4.2)
• iproute2 (5.15)
• ipset (7.11)
• iputils (20210722)
• ipvsadm (1.27)
• kmod (29)
• libarchive 3.5.2
• libcap-ng (0.8.2)
• libseccomp (2.5.1)
• lshw (02.19.2b_p20210121)
• lsof (4.94.0)
• openssh (8.8)
• openssl (3.0.2)
• parted (3.4 (includes 3.3))
• pciutils (3.7.0)
• polkit (0.120)
• runc (1.1.0)
• sbsigntools (0.9.4)
• sed (4.8)
• usbutils (014)
• vim 8.2.3582
• Azure: Python for OEM images (3.9.8)
• Azure: WALinuxAgent (2.6.0.2)
• SDK: edk2-ovmf 202105
• SDK: file (5.40)
• SDK: ipxe 1.21.1
• SDK: mantle (0.18.0)
• SDK: perf (5.15)
• SDK: Python (3.9.8)
• SDK: qemu (6.1.0
• SDK: Rust (1.58.1)
• SDK: seabios 1.14.0
• SDK: sgabios 0.1_pre10

Changes since Beta 3139.1.1

Security fixes:

• Linux (CVE-2022-1015, CVE-2022-1016)
• containerd (CVE-2022-24769)

Changes:

• Enabled FIPS mode for cryptsetup (portage-stable#312)

Updates:

• Linux (5.15.32) (from 5.15.30)
• ca-certificates (3.77)
• containerd (1.5.11)
• Azure: WALinuxAgent (2.6.0.2)