# Flatcar Container Linux Release - April 16th 2024

## Alpha 3941.0.0

- AMD64-usr
  - Platforms succeeded: All except qemu, qemu_uefi, qemu_uefi_secure
  - Platforms failed:
    - qemu, qemu_uefi: ``cl.tpm.*`` - expected
    - qemu_uefi_secure - expected
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All except equinix_metal
  - Platforms failed:
    - equinix_metal: No machine available - expected
  - Platforms not tested: None

VERDICT: **GO**

## Beta 3913.1.0

- AMD64-usr
  - Platforms succeeded: All except qemu_uefi, qemu_uefi_secure
  - Platforms failed:
    - qemu_uefi: ``cl.tpm.*`` - expected
    - qemu_uefi_secure - expected
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All except equinix_metal, qemu_uefi
  - Platforms failed:
    - equinix_metal: No machine available - expected
    - qemu_uefi: ``cl.tpm.*`` - expected
  - Platforms not tested: None

VERDICT: **GO**

## Stable 3815.2.2

- AMD64-usr
  - Platforms succeeded: All except qemu_uefi_secure
  - Platforms failed:
    - qemu_uefi_secure - expected
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None

VERDICT: **GO**

## LTS 3510.3.3

- AMD64-usr
  - Platforms succeeded: All except qemu_uefi_secure
  - Platforms failed:
    - qemu_uefi_secure - expected
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All except equinix_metal
  - Platforms failed:
    - equinix_metal: No machine available - expected
  - Platforms not tested: None

VERDICT: **GO**

## Communication

---

#### Guidelines / Things to Remember

- Release notes are used in a PR and will appear on https://www.flatcar.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).

---

### Announcement Message

Subject: Announcing new releases Alpha 3941.0.0, Beta 3913.1.0, Stable 3815.2.2, LTS 3510.3.3

Hello,

We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, LTS channels.

#### New Alpha Release 3941.0.0

_Changes since **Alpha 3913.0.0**_

#### Security fixes:

- Downgraded xz-utils to 5.4.2 as a precaution even though Flatcar is not affected by the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))
- c-ares ([CVE-2024-25629](https://nvd.nist.gov/vuln/detail/CVE-2024-25629))
- coreutils ([coreutils-2024-03-28](https://lists.gnu.org/archive/html/info-gnu/2024-03/msg00006.html))
- curl ([CVE-2024-2004](https://nvd.nist.gov/vuln/detail/CVE-2024-2004), [CVE-2024-2379](https://nvd.nist.gov/vuln/detail/CVE-2024-2379), [CVE-2024-2398](https://nvd.nist.gov/vuln/detail/CVE-2024-2398), [CVE-2024-2466](https://nvd.nist.gov/vuln/detail/CVE-2024-2466))
- nghttp2 ([CVE-2024-28182](https://nvd.nist.gov/vuln/detail/CVE-2024-28182))

#### Bug fixes:

- Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via Ignition. ([Flatcar#1385](https://github.com/flatcar/Flatcar/issues/1385))
- Fixed `toolbox` to prevent mounted `ctr` snapshots from being garbage-collected ([toolbox#9](https://github.com/flatcar/toolbox/pull/9))

#### Changes:

- Added zram-generator package to the image ([scripts#1772](https://github.com/flatcar/scripts/pull/1772))
- Added Intel igc driver to support I225/I226 family NICs.
([flatcar/scripts#1786](https://github.com/flatcar/scripts/pull/1786))
- Added Hyper-V VHDX image ([flatcar/scripts#1791](https://github.com/flatcar/scripts/pull/1791))
- Added support for unlocking the rootfs with a TPM set up by systemd-cryptenroll ([bootengine#93](https://github.com/flatcar/bootengine/pull/93))
- Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. ([flatcar/scripts#1771](https://github.com/flatcar/scripts/pull/1771))
- Enabled amd-pstate, amd-pstate-epp cpufreq drivers for some AMD CPUs in the kernel. ([flatcar/scripts#1770](https://github.com/flatcar/scripts/pull/1770))
- Enabled ntpd by default on AWS & GCP, enabled chronyd by default on Azure. The native time sync source is used on each cloud. ([scripts#1792](https://github.com/flatcar/scripts/pull/1792))
- Enabled the ptp_vmw module in the kernel.
- Switched ptp_kvm from kernel builtin to module.
- Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI ([scripts#1861](https://github.com/flatcar/scripts/pull/1861))
- Hyper-V images, both .vhd and .vhdx files, are available `zip`-compressed, switching from `bzip2` to `zip`, a compression format with built-in support on Windows ([scripts#1878](https://github.com/flatcar/scripts/pull/1878))
- OpenStack, Brightbox: Added the `flatcar.autologin` kernel cmdline parameter by default as the hypervisor manages access to the console ([scripts#1866](https://github.com/flatcar/scripts/pull/1866))
- Removed `actool` from the image and `acbuild` from the SDK as these tools are deprecated and not used ([scripts#1817](https://github.com/flatcar/scripts/pull/1817))
- SDK: Unified qemu image formats, so that the `qemu_uefi` build target provides the regular `qemu` and the `qemu_uefi_secure` artifacts ([scripts#1847](https://github.com/flatcar/scripts/pull/1847))
- The default VM memory was bumped to 2 GB in the Qemu script and for VMware OVFs
([scripts#1827](https://github.com/flatcar/scripts/pull/1827))

#### Updates:

- Linux Firmware ([20240410](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20240410))
- acl ([2.3.2](https://lists.nongnu.org/archive/html/acl-devel/2024-01/msg00012.html))
- attr ([2.5.2](https://lists.nongnu.org/archive/html/acl-devel/2024-01/msg00011.html))
- bpftool ([6.7.6](https://kernelnewbies.org/Linux_6.7#Tracing.2C_probing_and_BPF))
- c-ares ([1.27.0](https://github.com/c-ares/c-ares/releases/tag/cares-1_27_0) (includes [1.26.0](https://github.com/c-ares/c-ares/releases/tag/cares-1_26_0)))
- ca-certificates ([3.99](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html))
- containerd ([1.7.15](https://github.com/containerd/containerd/releases/tag/v1.7.15) (includes [1.7.14](https://github.com/containerd/containerd/releases/tag/v1.7.14)))
- coreutils ([9.5](https://lists.gnu.org/archive/html/info-gnu/2024-03/msg00006.html))
- curl ([8.7.1](https://curl.se/changes.html#8_7_1) (includes [8.7.0](https://curl.se/changes.html#8_7_0)))
- ethtool ([6.7](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/tree/NEWS?h=v6.7))
- git ([2.43.2](https://github.com/git/git/blob/v2.43.2/Documentation/RelNotes/2.43.2.txt))
- inih ([58](https://github.com/benhoyt/inih/releases/tag/r58))
- ipset ([7.21](https://git.netfilter.org/ipset/tree/ChangeLog?h=v7.21) (includes [7.20](https://git.netfilter.org/ipset/tree/ChangeLog?h=v7.20)))
- iputils ([20240117](https://github.com/iputils/iputils/releases/tag/20240117) (includes [20231222](https://github.com/iputils/iputils/releases/tag/20231222)))
- libnvme ([1.8](https://github.com/linux-nvme/libnvme/releases/tag/v1.8))
- nghttp2 ([1.61.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.61.0) (includes [1.58.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.58.0), [1.59.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.59.0) and
[1.60.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.60.0)))
- nvme-cli ([2.8](https://github.com/linux-nvme/nvme-cli/releases/tag/v2.8))
- open-vm-tools ([12.4.0](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.4.0))
- samba ([4.18.9](https://www.samba.org/samba/history/samba-4.18.9.html))
- selinux-refpolicy ([2.20240226](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240226))
- SDK: libpng ([1.6.43](https://github.com/pnggroup/libpng/blob/v1.6.43/ANNOUNCE) (includes [1.6.42](https://github.com/pnggroup/libpng/blob/v1.6.42/ANNOUNCE) and [1.6.41](https://github.com/pnggroup/libpng/blob/v1.6.41/ANNOUNCE)))
- SDK: Rust ([1.77.1](https://github.com/rust-lang/rust/releases/tag/1.77.1) (includes [1.77.0](https://github.com/rust-lang/rust/releases/tag/1.77.0)))

#### New Beta Release 3913.1.0

_Changes since **Beta 3874.1.0**_

#### Security fixes:

- Downgraded xz-utils to 5.4.2 as a precaution even though Flatcar is not affected by the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))
- coreutils ([CVE-2024-0684](https://nvd.nist.gov/vuln/detail/CVE-2024-0684))
- dnsmasq ([CVE-2023-28450](https://nvd.nist.gov/vuln/detail/CVE-2023-28450), [CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387), [CVE-2023-50868](https://nvd.nist.gov/vuln/detail/CVE-2023-50868))
- gcc ([CVE-2023-4039](https://nvd.nist.gov/vuln/detail/CVE-2023-4039))
- glibc ([CVE-2023-5156](https://nvd.nist.gov/vuln/detail/CVE-2023-5156), [CVE-2023-6246](https://nvd.nist.gov/vuln/detail/CVE-2023-6246), [CVE-2023-6779](https://nvd.nist.gov/vuln/detail/CVE-2023-6779), [CVE-2023-6780](https://nvd.nist.gov/vuln/detail/CVE-2023-6780))
- gnupg ([gnupg-2024-01-25](https://gnupg.org/blog/20240125-smartcard-backup-key.html))
- gnutls ([CVE-2024-0567](https://nvd.nist.gov/vuln/detail/CVE-2024-0567), [CVE-2024-0553](https://nvd.nist.gov/vuln/detail/CVE-2024-0553))
- libuv ([CVE-2024-24806](https://nvd.nist.gov/vuln/detail/CVE-2024-24806))
- libxml2 ([CVE-2024-25062](https://nvd.nist.gov/vuln/detail/CVE-2024-25062))
- openssl ([CVE-2023-5678](https://nvd.nist.gov/vuln/detail/CVE-2023-5678), [CVE-2023-6129](https://nvd.nist.gov/vuln/detail/CVE-2023-6129), [CVE-2023-6237](https://nvd.nist.gov/vuln/detail/CVE-2023-6237), [CVE-2024-0727](https://nvd.nist.gov/vuln/detail/CVE-2024-0727))
- sudo ([CVE-2023-42465](https://nvd.nist.gov/vuln/detail/CVE-2023-42465))
- vim ([CVE-2023-48231](https://nvd.nist.gov/vuln/detail/CVE-2023-48231), [CVE-2023-48232](https://nvd.nist.gov/vuln/detail/CVE-2023-48232), [CVE-2023-48233](https://nvd.nist.gov/vuln/detail/CVE-2023-48233), [CVE-2023-48234](https://nvd.nist.gov/vuln/detail/CVE-2023-48234), [CVE-2023-48235](https://nvd.nist.gov/vuln/detail/CVE-2023-48235), [CVE-2023-48236](https://nvd.nist.gov/vuln/detail/CVE-2023-48236), [CVE-2023-48237](https://nvd.nist.gov/vuln/detail/CVE-2023-48237), [CVE-2023-48706](https://nvd.nist.gov/vuln/detail/CVE-2023-48706))

#### Bug fixes:

- Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via Ignition. ([Flatcar#1385](https://github.com/flatcar/Flatcar/issues/1385))
- Fixed `toolbox` to prevent mounted `ctr` snapshots from being garbage-collected ([toolbox#9](https://github.com/flatcar/toolbox/pull/9))
- Removed custom CloudSigma coreos-cloudinit service configuration since it will be called with the cloudsigma oem anyway. The restart of the service can also cause the serial port to be stuck in a nondeterministic state, which breaks future runs.

#### Changes:

- A new format `qemu_uefi_secure` is introduced to test Flatcar for SecureBoot-enabled features. The format will be later merged into `qemu_uefi`.
- Added Ignition Clevis support for encrypted disks unlocked with a TPM2 device or a Tang server ([scripts#1560](https://github.com/flatcar/scripts/pull/1560))
- Added Scaleway images ([flatcar/scripts#1683](https://github.com/flatcar/scripts/pull/1683))
- Added support for unlocking the rootfs with a TPM set up by systemd-cryptenroll ([bootengine#93](https://github.com/flatcar/bootengine/pull/93))
- Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. ([flatcar/scripts#1771](https://github.com/flatcar/scripts/pull/1771))
- Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI ([scripts#1861](https://github.com/flatcar/scripts/pull/1861))
- Provided a ZFS-2.2.2 Flatcar extension as optional systemd-sysext image with the release. Write 'zfs' to `/etc/flatcar/enabled-sysext.conf` through Ignition and the sysext will be installed during provisioning. ZFS support is experimental and ZFS is not supported for the root partition. ([flatcar/scripts#1742](https://github.com/flatcar/scripts/pull/1742))
- Removed Linux drivers for Mellanox Technologies Switch ASICs family and Spectrum/Spectrum-2/Spectrum-3/Spectrum-4 Ethernet Switch ASICs to reduce the initrd size on AMD64 by ~5MB ([flatcar/scripts#1734](https://github.com/flatcar/scripts/pull/1734)). This change is part of the effort to reduce the initrd size ([flatcar#1381](https://github.com/flatcar/Flatcar/issues/1381)).
- Removed coreos-cloudinit support for automatic keys conversion (e.g. `reboot-strategy` -> `reboot_strategy`) ([scripts#1687](https://github.com/flatcar/scripts/pull/1687))
- SDK: Unified qemu image formats, so that the `qemu_uefi` build target provides the regular `qemu` and the `qemu_uefi_secure` artifacts ([scripts#1847](https://github.com/flatcar/scripts/pull/1847))

#### Updates:

- Go ([1.20.14](https://go.dev/doc/devel/release#go1.20.14))
- Ignition ([2.18.0](https://coreos.github.io/ignition/release-notes/#ignition-2180-2024-03-01) (includes [2.17.0](https://coreos.github.io/ignition/release-notes/#ignition-2170-2023-11-20), [2.16.2](https://coreos.github.io/ignition/release-notes/#ignition-2162-2023-07-12), [2.16.1](https://coreos.github.io/ignition/release-notes/#ignition-2161-2023-07-10) and [2.16.0](https://coreos.github.io/ignition/release-notes/#ignition-2160-2023-06-29)))
- Linux Firmware ([20240312](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20240312) (includes [20240220](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20240220)))
- audit ([3.1.1](https://github.com/linux-audit/audit-userspace/releases/tag/v3.1.1))
- bind-tools ([9.16.48](https://bind9.readthedocs.io/en/v9.16.48/notes.html#notes-for-bind-9-16-48))
- c-ares ([1.25.0](https://c-ares.org/changelog.html#1_25_0))
- cJSON ([1.7.17](https://github.com/DaveGamble/cJSON/releases/tag/v1.7.17))
- ca-certificates ([3.99](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html))
- checkpolicy ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
- curl ([8.6.0](https://curl.se/changes.html#8_6_0))
- ethtool ([6.6](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/tree/NEWS?h=v6.6))
- glibc ([2.38](https://sourceware.org/pipermail/libc-alpha/2023-July/150524.html))
- gnupg ([2.4.4](https://lists.gnupg.org/pipermail/gnupg-announce/2024q1/000481.html) (includes
[2.2.42](https://dev.gnupg.org/T6307)))
- less ([643](https://www.greenwoodsoftware.com/less/news.643.html))
- libbsd ([0.11.8](https://lists.freedesktop.org/archives/libbsd/2024-January/000377.html))
- libcap-ng ([0.8.4](https://github.com/stevegrubb/libcap-ng/releases/tag/v0.8.4))
- libgcrypt ([1.10.3](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=NEWS;h=b767dc1170eb479b9a311cca4074c58e4eedaf0b;hb=aa1610866f8e42bdc272584f0a717f32ee050a22))
- libidn2 ([2.3.7](https://gitlab.com/libidn/libidn2/-/blob/v2.3.7/NEWS) (includes [2.3.4](https://gitlab.com/libidn/libidn2/-/releases/v2.3.4)))
- libksba ([1.6.6](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=blob;f=NEWS;h=48b42025773e88fbb78d015d1f154fef4c80ef9f;hb=5b220df6f8216a9d5f6139c7b17f075374a27480))
- libnvme ([1.7.1](https://github.com/linux-nvme/libnvme/releases/tag/v1.7.1) (includes [1.7](https://github.com/linux-nvme/libnvme/releases/tag/v1.7)))
- libpsl ([0.21.5](https://github.com/rockdaboot/libpsl/blob/0.21.5/NEWS))
- libseccomp ([2.5.5](https://github.com/seccomp/libseccomp/releases/tag/v2.5.5))
- libselinux ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
- libsemanage ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
- libsepol ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
- libuv ([1.48.0](https://github.com/libuv/libuv/releases/tag/v1.48.0))
- libverto ([0.3.2](https://github.com/latchset/libverto/releases/tag/0.3.2))
- libxml2 ([2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) (includes [2.12.4](https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.12.4/NEWS)))
- lsof ([4.99.3](https://github.com/lsof-org/lsof/releases/tag/4.99.3) (includes [4.99.2](https://github.com/lsof-org/lsof/releases/tag/4.99.2) and [4.99.1](https://github.com/lsof-org/lsof/releases/tag/4.99.1)))
- mime-types ([2.1.54](https://pagure.io/mailcap/blob/9699055a1b4dfb90f7594ee2e8dda705fa56d3b8/f/NEWS))
- multipath-tools
([0.9.7](https://github.com/opensvc/multipath-tools/commits/0.9.7))
- nvme-cli ([2.7.1](https://github.com/linux-nvme/nvme-cli/releases/tag/v2.7.1) (includes [2.7](https://github.com/linux-nvme/nvme-cli/releases/tag/v2.7)))
- openssl ([3.2.1](https://github.com/openssl/openssl/blob/openssl-3.2.1/CHANGES.md))
- policycoreutils ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
- semodule-utils ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
- shim ([15.8](https://github.com/rhboot/shim/releases/tag/15.8))
- sqlite ([3.45.1](https://www.sqlite.org/releaselog/3_45_1.html))
- sudo ([1.9.15p5](https://www.sudo.ws/releases/stable/#1.9.15p5))
- systemd ([255.3](https://github.com/systemd/systemd-stable/releases/tag/v255.3) (from 252.11))
- thin-provisioning-tools ([1.0.10](https://github.com/jthornber/thin-provisioning-tools/commits/v1.0.10/))
- traceroute ([2.1.5](https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.5/) (includes [2.1.4](https://sourceforge.net/projects/traceroute/files/traceroute/traceroute%202.1.4/)))
- usbutils ([017](https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usbutils.git/tree/NEWS?h=v017))
- util-linux ([2.39.3](https://github.com/util-linux/util-linux/blob/v2.39.3/Documentation/releases/v2.39.3-ReleaseNotes))
- vim ([9.0.2167](https://github.com/vim/vim/commits/v9.0.2167/))
- xmlsec ([1.3.3](https://github.com/lsh123/xmlsec/releases/tag/1.3.3))
- SDK: python ([3.11.8](https://www.get-python.org/downloads/release/python-3118/))
- SDK: qemu ([8.1.5](https://wiki.qemu.org/ChangeLog/8.1))
- SDK: Rust ([1.76.0](https://github.com/rust-lang/rust/releases/tag/1.76.0))

_Changes since **Alpha 3913.0.0**_

#### Security fixes:

- Downgraded xz-utils to 5.4.2 as a precaution even though Flatcar is not affected by the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))

#### Bug fixes:

- Disabled user-configdrive.service on OpenStack when config drive is used, which
caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via Ignition. ([Flatcar#1385](https://github.com/flatcar/Flatcar/issues/1385))
- Fixed `toolbox` to prevent mounted `ctr` snapshots from being garbage-collected ([toolbox#9](https://github.com/flatcar/toolbox/pull/9))

#### Changes:

- Added support for unlocking the rootfs with a TPM set up by systemd-cryptenroll ([bootengine#93](https://github.com/flatcar/bootengine/pull/93))
- Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. ([scripts#1771](https://github.com/flatcar/scripts/pull/1771))
- Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI ([scripts#1861](https://github.com/flatcar/scripts/pull/1861))
- SDK: Unified qemu image formats, so that the `qemu_uefi` build target provides the regular `qemu` and the `qemu_uefi_secure` artifacts ([scripts#1847](https://github.com/flatcar/scripts/pull/1847))

#### Updates:

- ca-certificates ([3.99](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html))

#### New Stable Release 3815.2.2

_Changes since **Stable 3815.2.1**_

#### Security fixes:

- Linux ([CVE-2023-28746](https://nvd.nist.gov/vuln/detail/CVE-2023-28746), [CVE-2023-47233](https://nvd.nist.gov/vuln/detail/CVE-2023-47233), [CVE-2023-52639](https://nvd.nist.gov/vuln/detail/CVE-2023-52639), [CVE-2023-6270](https://nvd.nist.gov/vuln/detail/CVE-2023-6270), [CVE-2023-7042](https://nvd.nist.gov/vuln/detail/CVE-2023-7042), [CVE-2024-22099](https://nvd.nist.gov/vuln/detail/CVE-2024-22099), [CVE-2024-23307](https://nvd.nist.gov/vuln/detail/CVE-2024-23307), [CVE-2024-24861](https://nvd.nist.gov/vuln/detail/CVE-2024-24861), [CVE-2024-26584](https://nvd.nist.gov/vuln/detail/CVE-2024-26584), [CVE-2024-26585](https://nvd.nist.gov/vuln/detail/CVE-2024-26585), [CVE-2024-26642](https://nvd.nist.gov/vuln/detail/CVE-2024-26642),
[CVE-2024-26651](https://nvd.nist.gov/vuln/detail/CVE-2024-26651), [CVE-2024-26654](https://nvd.nist.gov/vuln/detail/CVE-2024-26654), [CVE-2024-26659](https://nvd.nist.gov/vuln/detail/CVE-2024-26659), [CVE-2024-26686](https://nvd.nist.gov/vuln/detail/CVE-2024-26686), [CVE-2024-26700](https://nvd.nist.gov/vuln/detail/CVE-2024-26700), [CVE-2024-26809](https://nvd.nist.gov/vuln/detail/CVE-2024-26809))
- Downgraded xz-utils to 5.4.2 as a precaution even though Flatcar is not affected by the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))
- openssh ([CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795), [CVE-2023-51384](https://nvd.nist.gov/vuln/detail/CVE-2023-51384), [CVE-2023-51385](https://nvd.nist.gov/vuln/detail/CVE-2023-51385))

#### Bug fixes:

- Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via Ignition. ([Flatcar#1385](https://github.com/flatcar/Flatcar/issues/1385))
- Fixed `toolbox` to prevent mounted `ctr` snapshots from being garbage-collected ([toolbox#9](https://github.com/flatcar/toolbox/pull/9))

#### Changes:

- Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working.
([scripts#1771](https://github.com/flatcar/scripts/pull/1771))
- SDK: Unified qemu image formats, so that the `qemu_uefi` build target provides the regular `qemu` and the `qemu_uefi_secure` artifacts ([scripts#1847](https://github.com/flatcar/scripts/pull/1847))

#### Updates:

- Linux ([6.1.85](https://lwn.net/Articles/969355) (includes [6.1.84](https://lwn.net/Articles/968254), [6.1.83](https://lwn.net/Articles/966759), [6.1.82](https://lwn.net/Articles/965607)))
- ca-certificates ([3.99](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html))
- openssh ([9.6p1](https://www.openssh.com/releasenotes.html#9.6p1))

#### New LTS Release 3510.3.3

_Changes since **LTS 3510.3.2**_

#### Security fixes:

- Linux ([CVE-2023-52429](https://nvd.nist.gov/vuln/detail/CVE-2023-52429), [CVE-2023-52434](https://nvd.nist.gov/vuln/detail/CVE-2023-52434), [CVE-2023-52435](https://nvd.nist.gov/vuln/detail/CVE-2023-52435), [CVE-2023-52447](https://nvd.nist.gov/vuln/detail/CVE-2023-52447), [CVE-2023-52486](https://nvd.nist.gov/vuln/detail/CVE-2023-52486), [CVE-2023-52489](https://nvd.nist.gov/vuln/detail/CVE-2023-52489), [CVE-2023-52491](https://nvd.nist.gov/vuln/detail/CVE-2023-52491), [CVE-2023-52492](https://nvd.nist.gov/vuln/detail/CVE-2023-52492), [CVE-2023-52493](https://nvd.nist.gov/vuln/detail/CVE-2023-52493), [CVE-2023-52494](https://nvd.nist.gov/vuln/detail/CVE-2023-52494), [CVE-2023-52497](https://nvd.nist.gov/vuln/detail/CVE-2023-52497), [CVE-2023-52498](https://nvd.nist.gov/vuln/detail/CVE-2023-52498), [CVE-2023-52583](https://nvd.nist.gov/vuln/detail/CVE-2023-52583), [CVE-2023-52587](https://nvd.nist.gov/vuln/detail/CVE-2023-52587), [CVE-2023-52588](https://nvd.nist.gov/vuln/detail/CVE-2023-52588), [CVE-2023-52594](https://nvd.nist.gov/vuln/detail/CVE-2023-52594), [CVE-2023-52595](https://nvd.nist.gov/vuln/detail/CVE-2023-52595), [CVE-2023-52597](https://nvd.nist.gov/vuln/detail/CVE-2023-52597),
[CVE-2023-52598](https://nvd.nist.gov/vuln/detail/CVE-2023-52598), [CVE-2023-52599](https://nvd.nist.gov/vuln/detail/CVE-2023-52599), [CVE-2023-52600](https://nvd.nist.gov/vuln/detail/CVE-2023-52600), [CVE-2023-52601](https://nvd.nist.gov/vuln/detail/CVE-2023-52601), [CVE-2023-52602](https://nvd.nist.gov/vuln/detail/CVE-2023-52602), [CVE-2023-52603](https://nvd.nist.gov/vuln/detail/CVE-2023-52603), [CVE-2023-52604](https://nvd.nist.gov/vuln/detail/CVE-2023-52604), [CVE-2023-52606](https://nvd.nist.gov/vuln/detail/CVE-2023-52606), [CVE-2023-52607](https://nvd.nist.gov/vuln/detail/CVE-2023-52607), [CVE-2023-52608](https://nvd.nist.gov/vuln/detail/CVE-2023-52608), [CVE-2023-52614](https://nvd.nist.gov/vuln/detail/CVE-2023-52614), [CVE-2023-52615](https://nvd.nist.gov/vuln/detail/CVE-2023-52615), [CVE-2023-52616](https://nvd.nist.gov/vuln/detail/CVE-2023-52616), [CVE-2023-52617](https://nvd.nist.gov/vuln/detail/CVE-2023-52617), [CVE-2023-52618](https://nvd.nist.gov/vuln/detail/CVE-2023-52618), [CVE-2023-52619](https://nvd.nist.gov/vuln/detail/CVE-2023-52619), [CVE-2023-52620](https://nvd.nist.gov/vuln/detail/CVE-2023-52620), [CVE-2023-52622](https://nvd.nist.gov/vuln/detail/CVE-2023-52622), [CVE-2023-52623](https://nvd.nist.gov/vuln/detail/CVE-2023-52623), [CVE-2023-52627](https://nvd.nist.gov/vuln/detail/CVE-2023-52627), [CVE-2023-52630](https://nvd.nist.gov/vuln/detail/CVE-2023-52630), [CVE-2023-52631](https://nvd.nist.gov/vuln/detail/CVE-2023-52631), [CVE-2023-52633](https://nvd.nist.gov/vuln/detail/CVE-2023-52633), [CVE-2023-52635](https://nvd.nist.gov/vuln/detail/CVE-2023-52635), [CVE-2023-52637](https://nvd.nist.gov/vuln/detail/CVE-2023-52637), [CVE-2023-52638](https://nvd.nist.gov/vuln/detail/CVE-2023-52638), [CVE-2023-52640](https://nvd.nist.gov/vuln/detail/CVE-2023-52640), [CVE-2023-52641](https://nvd.nist.gov/vuln/detail/CVE-2023-52641), [CVE-2023-6270](https://nvd.nist.gov/vuln/detail/CVE-2023-6270), 
[CVE-2023-7042](https://nvd.nist.gov/vuln/detail/CVE-2023-7042), [CVE-2024-0340](https://nvd.nist.gov/vuln/detail/CVE-2024-0340), [CVE-2024-0565](https://nvd.nist.gov/vuln/detail/CVE-2024-0565), [CVE-2024-0841](https://nvd.nist.gov/vuln/detail/CVE-2024-0841), [CVE-2024-1086](https://nvd.nist.gov/vuln/detail/CVE-2024-1086), [CVE-2024-1151](https://nvd.nist.gov/vuln/detail/CVE-2024-1151), [CVE-2024-22099](https://nvd.nist.gov/vuln/detail/CVE-2024-22099), [CVE-2024-23849](https://nvd.nist.gov/vuln/detail/CVE-2024-23849), [CVE-2024-23850](https://nvd.nist.gov/vuln/detail/CVE-2024-23850), [CVE-2024-23851](https://nvd.nist.gov/vuln/detail/CVE-2024-23851), [CVE-2024-26592](https://nvd.nist.gov/vuln/detail/CVE-2024-26592), [CVE-2024-26593](https://nvd.nist.gov/vuln/detail/CVE-2024-26593), [CVE-2024-26594](https://nvd.nist.gov/vuln/detail/CVE-2024-26594), [CVE-2024-26600](https://nvd.nist.gov/vuln/detail/CVE-2024-26600), [CVE-2024-26601](https://nvd.nist.gov/vuln/detail/CVE-2024-26601), [CVE-2024-26602](https://nvd.nist.gov/vuln/detail/CVE-2024-26602), [CVE-2024-26603](https://nvd.nist.gov/vuln/detail/CVE-2024-26603), [CVE-2024-26606](https://nvd.nist.gov/vuln/detail/CVE-2024-26606), [CVE-2024-26608](https://nvd.nist.gov/vuln/detail/CVE-2024-26608), [CVE-2024-26610](https://nvd.nist.gov/vuln/detail/CVE-2024-26610), [CVE-2024-26614](https://nvd.nist.gov/vuln/detail/CVE-2024-26614), [CVE-2024-26615](https://nvd.nist.gov/vuln/detail/CVE-2024-26615), [CVE-2024-26622](https://nvd.nist.gov/vuln/detail/CVE-2024-26622), [CVE-2024-26625](https://nvd.nist.gov/vuln/detail/CVE-2024-26625), [CVE-2024-26627](https://nvd.nist.gov/vuln/detail/CVE-2024-26627), [CVE-2024-26635](https://nvd.nist.gov/vuln/detail/CVE-2024-26635), [CVE-2024-26636](https://nvd.nist.gov/vuln/detail/CVE-2024-26636), [CVE-2024-26640](https://nvd.nist.gov/vuln/detail/CVE-2024-26640), [CVE-2024-26641](https://nvd.nist.gov/vuln/detail/CVE-2024-26641), [CVE-2024-26644](https://nvd.nist.gov/vuln/detail/CVE-2024-26644), 
[CVE-2024-26645](https://nvd.nist.gov/vuln/detail/CVE-2024-26645), [CVE-2024-26651](https://nvd.nist.gov/vuln/detail/CVE-2024-26651), [CVE-2024-26659](https://nvd.nist.gov/vuln/detail/CVE-2024-26659), [CVE-2024-26660](https://nvd.nist.gov/vuln/detail/CVE-2024-26660), [CVE-2024-26663](https://nvd.nist.gov/vuln/detail/CVE-2024-26663), [CVE-2024-26664](https://nvd.nist.gov/vuln/detail/CVE-2024-26664), [CVE-2024-26665](https://nvd.nist.gov/vuln/detail/CVE-2024-26665), [CVE-2024-26668](https://nvd.nist.gov/vuln/detail/CVE-2024-26668), [CVE-2024-26671](https://nvd.nist.gov/vuln/detail/CVE-2024-26671), [CVE-2024-26673](https://nvd.nist.gov/vuln/detail/CVE-2024-26673), [CVE-2024-26675](https://nvd.nist.gov/vuln/detail/CVE-2024-26675), [CVE-2024-26676](https://nvd.nist.gov/vuln/detail/CVE-2024-26676), [CVE-2024-26679](https://nvd.nist.gov/vuln/detail/CVE-2024-26679), [CVE-2024-26684](https://nvd.nist.gov/vuln/detail/CVE-2024-26684), [CVE-2024-26685](https://nvd.nist.gov/vuln/detail/CVE-2024-26685), [CVE-2024-26688](https://nvd.nist.gov/vuln/detail/CVE-2024-26688), [CVE-2024-26689](https://nvd.nist.gov/vuln/detail/CVE-2024-26689), [CVE-2024-26696](https://nvd.nist.gov/vuln/detail/CVE-2024-26696), [CVE-2024-26697](https://nvd.nist.gov/vuln/detail/CVE-2024-26697), [CVE-2024-26698](https://nvd.nist.gov/vuln/detail/CVE-2024-26698), [CVE-2024-26702](https://nvd.nist.gov/vuln/detail/CVE-2024-26702), [CVE-2024-26704](https://nvd.nist.gov/vuln/detail/CVE-2024-26704), [CVE-2024-26707](https://nvd.nist.gov/vuln/detail/CVE-2024-26707), [CVE-2024-26712](https://nvd.nist.gov/vuln/detail/CVE-2024-26712), [CVE-2024-26715](https://nvd.nist.gov/vuln/detail/CVE-2024-26715), [CVE-2024-26717](https://nvd.nist.gov/vuln/detail/CVE-2024-26717), [CVE-2024-26720](https://nvd.nist.gov/vuln/detail/CVE-2024-26720), [CVE-2024-26727](https://nvd.nist.gov/vuln/detail/CVE-2024-26727), [CVE-2024-26733](https://nvd.nist.gov/vuln/detail/CVE-2024-26733), 
[CVE-2024-26735](https://nvd.nist.gov/vuln/detail/CVE-2024-26735), [CVE-2024-26736](https://nvd.nist.gov/vuln/detail/CVE-2024-26736), [CVE-2024-26737](https://nvd.nist.gov/vuln/detail/CVE-2024-26737), [CVE-2024-26743](https://nvd.nist.gov/vuln/detail/CVE-2024-26743), [CVE-2024-26744](https://nvd.nist.gov/vuln/detail/CVE-2024-26744), [CVE-2024-26747](https://nvd.nist.gov/vuln/detail/CVE-2024-26747), [CVE-2024-26748](https://nvd.nist.gov/vuln/detail/CVE-2024-26748), [CVE-2024-26749](https://nvd.nist.gov/vuln/detail/CVE-2024-26749), [CVE-2024-26751](https://nvd.nist.gov/vuln/detail/CVE-2024-26751), [CVE-2024-26752](https://nvd.nist.gov/vuln/detail/CVE-2024-26752), [CVE-2024-26754](https://nvd.nist.gov/vuln/detail/CVE-2024-26754), [CVE-2024-26763](https://nvd.nist.gov/vuln/detail/CVE-2024-26763), [CVE-2024-26764](https://nvd.nist.gov/vuln/detail/CVE-2024-26764), [CVE-2024-26766](https://nvd.nist.gov/vuln/detail/CVE-2024-26766), [CVE-2024-26769](https://nvd.nist.gov/vuln/detail/CVE-2024-26769), [CVE-2024-26771](https://nvd.nist.gov/vuln/detail/CVE-2024-26771), [CVE-2024-26772](https://nvd.nist.gov/vuln/detail/CVE-2024-26772), [CVE-2024-26773](https://nvd.nist.gov/vuln/detail/CVE-2024-26773), [CVE-2024-26774](https://nvd.nist.gov/vuln/detail/CVE-2024-26774), [CVE-2024-26776](https://nvd.nist.gov/vuln/detail/CVE-2024-26776), [CVE-2024-26777](https://nvd.nist.gov/vuln/detail/CVE-2024-26777), [CVE-2024-26778](https://nvd.nist.gov/vuln/detail/CVE-2024-26778), [CVE-2024-26779](https://nvd.nist.gov/vuln/detail/CVE-2024-26779), [CVE-2024-26782](https://nvd.nist.gov/vuln/detail/CVE-2024-26782), [CVE-2024-26787](https://nvd.nist.gov/vuln/detail/CVE-2024-26787), [CVE-2024-26788](https://nvd.nist.gov/vuln/detail/CVE-2024-26788), [CVE-2024-26790](https://nvd.nist.gov/vuln/detail/CVE-2024-26790), [CVE-2024-26791](https://nvd.nist.gov/vuln/detail/CVE-2024-26791), [CVE-2024-26793](https://nvd.nist.gov/vuln/detail/CVE-2024-26793), 
[CVE-2024-26795](https://nvd.nist.gov/vuln/detail/CVE-2024-26795), [CVE-2024-26798](https://nvd.nist.gov/vuln/detail/CVE-2024-26798), [CVE-2024-26801](https://nvd.nist.gov/vuln/detail/CVE-2024-26801), [CVE-2024-26802](https://nvd.nist.gov/vuln/detail/CVE-2024-26802), [CVE-2024-26803](https://nvd.nist.gov/vuln/detail/CVE-2024-26803), [CVE-2024-26804](https://nvd.nist.gov/vuln/detail/CVE-2024-26804), [CVE-2024-26805](https://nvd.nist.gov/vuln/detail/CVE-2024-26805), [CVE-2024-26808](https://nvd.nist.gov/vuln/detail/CVE-2024-26808), [CVE-2024-26809](https://nvd.nist.gov/vuln/detail/CVE-2024-26809))

#### Bug fixes:

- Fixed `toolbox` to prevent mounted `ctr` snapshots from being garbage-collected ([toolbox#9](https://github.com/flatcar/toolbox/pull/9))

#### Changes:

- SDK: Unified qemu image formats, so that the `qemu_uefi` build target provides the regular `qemu` and the `qemu_uefi_secure` artifacts ([scripts#1847](https://github.com/flatcar/scripts/pull/1847))

#### Updates:

- Linux ([5.15.154](https://lwn.net/Articles/969357) (includes [5.15.153](https://lwn.net/Articles/966760), [5.15.152](https://lwn.net/Articles/965608), [5.15.151](https://lwn.net/Articles/964564), [5.15.150](https://lwn.net/Articles/964175), [5.15.149](https://lwn.net/Articles/963359)))
- ca-certificates ([3.99](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html) (includes [3.98](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_98.html)))

Best,
The Flatcar Container Linux Maintainers

---

### Communication

#### Go/No-Go message for Matrix/Slack

Go/No-Go Meeting for Alpha 3941.0.0, Beta 3913.1.0, Stable 3815.2.2, LTS 3510.3.3

Preview images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/

Tracking issue: https://github.com/flatcar/Flatcar/issues/1425

The Go/No-Go document is in our HackMD @flatcar namespace

Link: https://hackmd.io/w9dt8nWvQvKz6NVTfiZxhQ?view

Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋
for Wait.

Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat.

@MAINTAINER @MAINTAINER @MAINTAINER

#### Mastodon

_The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._

New Flatcar releases for all channels now available!

🚀 Zram-generator in Alpha, improved Flatcar Hyper-V experience, Scaleway images land on Beta
🔒 CVE fixes & security: precautionary downgrade of xz-utils to 5.4.2
📜 Release notes at the usual spot: https://www.flatcar.org/releases/

#### Kubernetes Slack

_This goes in the #flatcar channel_

Please welcome Flatcar releases of this month:

- Alpha 3941.0.0 (new major)
- Beta 3913.1.0 (new major)
- Stable 3815.2.2 (maintenance release)
- LTS-2023 3510.3.3 (maintenance release)

These releases include:

🚀 New features: zram-generator in Alpha, improved Flatcar Hyper-V experience, Scaleway images land on Beta
📦 Many package updates: openssh 9.6 in Stable
🔒 CVE fixes & security: precautionary downgrade of xz-utils to 5.4.2
📜 Release notes in the usual spot: https://www.flatcar.org/releases/