# Flatcar Container Linux Release - November 24th, 2022 ## Alpha 3432.0.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: **GO** ## Beta 3417.1.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: **GO** ## Communication --- #### Guidelines / Things to Remember - Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/ - [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post). --- ### Announcement Message Subject: Announcing new releases Alpha 3432.0.0 and Beta 3417.1.0 Hello, We are pleased to announce a new Flatcar Container Linux release for the Alpha and Beta channel. ## New Alpha Release 3432.0.0 _Changes since **Alpha 3417.0.0**_ #### Security fixes: - Linux ([CVE-2022-3543](https://nvd.nist.gov/vuln/detail/CVE-2022-3543), [CVE-2022-3564](https://nvd.nist.gov/vuln/detail/CVE-2022-3564), [CVE-2022-3619](https://nvd.nist.gov/vuln/detail/CVE-2022-3619), [CVE-2022-3623](https://nvd.nist.gov/vuln/detail/CVE-2022-3623), [CVE-2022-3628](https://nvd.nist.gov/vuln/detail/CVE-2022-3628), [CVE-2022-42895](https://nvd.nist.gov/vuln/detail/CVE-2022-42895), [CVE-2022-42896](https://nvd.nist.gov/vuln/detail/CVE-2022-42896)) - cpio ([CVE-2021-38185](https://nvd.nist.gov/vuln/detail/CVE-2021-38185)) - curl ([CVE-2022-32221](https://nvd.nist.gov/vuln/detail/CVE-2022-32221), [CVE-2022-35260](https://nvd.nist.gov/vuln/detail/CVE-2022-32221), [CVE-2022-42915](https://nvd.nist.gov/vuln/detail/CVE-2022-32221), [CVE-2022-42916](https://nvd.nist.gov/vuln/detail/CVE-2022-32221)) - expat ([CVE-2022-43680](https://nvd.nist.gov/vuln/detail/CVE-2022-43680)) - libksba ([CVE-2022-3515](https://nvd.nist.gov/vuln/detail/CVE-2022-3515)) - vim ([CVE-2022-3705](https://nvd.nist.gov/vuln/detail/CVE-2022-3705)) #### Bug fixes: - Added support for hardware security keys in update-ssh-keys ([update-ssh-keys#7](https://github.com/flatcar/update-ssh-keys/pull/7)) - Fixed Ignition btrfs forced formatting for OEM partition ([coreos-overlay#2277](https://github.com/flatcar/coreos-overlay/pull/2277)) #### Changes: #### Updates: - Linux ([5.15.79](https://lwn.net/Articles/915100) (includes [5.15.78](https://lwn.net/Articles/914423))) - Linux Firmware ([20221109](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20221109)) - ca-certificates ([3.85](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_85.html)) - containerd ([1.6.10](https://github.com/containerd/containerd/releases/tag/v1.6.10)) - Expat ([2.5.0](https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes)) - cpio ([2.13](https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html)) - curl ([7.86](https://curl.se/changes.html#7_86_0)) - glib ([2.74.1](https://gitlab.gnome.org/GNOME/glib/-/tags/2.74.1)) - libcap ([2.66](https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.d9ygdose5kw)) - libksba ([1.6.2](https://dev.gnupg.org/T6230)) - openssh ([9.1](http://www.openssh.com/releasenotes.html#9.1)) - sqlite ([3.39.4](https://sqlite.org/releaselog/3_39_4.html)) - vim ([9.0.0828](https://github.com/vim/vim/releases/tag/v9.0.0828)) - whois ([5.5.14](https://github.com/rfc1036/whois/commit/ab10466cf2e1ec4887f6a44375c3e29c1720157f)) - XZ utils ([5.2.7](https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=0205423e79ce8297102096b0fc8b030ddf5b2023;hb=d24a57b7fc7e5e9267b84367cb0788d3acf7f569)) - SDK: Rust ([1.65.0](https://github.com/rust-lang/rust/releases/tag/1.65.0)) ## New Beta Release 3417.1.0 _Changes since **Beta 3402.1.0**_ #### Security fixes: - Linux ([CVE-2022-3543](https://nvd.nist.gov/vuln/detail/CVE-2022-3543), [CVE-2022-3564](https://nvd.nist.gov/vuln/detail/CVE-2022-3564), [CVE-2022-3619](https://nvd.nist.gov/vuln/detail/CVE-2022-3619), [CVE-2022-3623](https://nvd.nist.gov/vuln/detail/CVE-2022-3623), [CVE-2022-3628](https://nvd.nist.gov/vuln/detail/CVE-2022-3628), [CVE-2022-42895](https://nvd.nist.gov/vuln/detail/CVE-2022-42895), [CVE-2022-42896](https://nvd.nist.gov/vuln/detail/CVE-2022-42896)) - git ([CVE-2022-39253](https://nvd.nist.gov/vuln/detail/CVE-2022-39253), [CVE-2022-39260](https://nvd.nist.gov/vuln/detail/CVE-2022-39260)) - multipath-tools ([CVE-2022-41973](https://nvd.nist.gov/vuln/detail/CVE-2022-41973), [CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)) #### Bug fixes: - Fixed Ignition btrfs forced formatting for OEM partition ([coreos-overlay#2277](https://github.com/flatcar/coreos-overlay/pull/2277)) #### Changes: - Toolbox now uses containerd to download and mount the image ([toolbox#7](https://github.com/flatcar/toolbox/pull/7)) #### Updates: - Linux ([5.15.79](https://lwn.net/Articles/915100) (includes [5.15.78](https://lwn.net/Articles/914423))) - Docker ([20.10.21](https://docs.docker.com/engine/release-notes/#201021)) - Go ([1.19.3](https://go.dev/doc/devel/release#go1.19.3)) - ca-certificates ([3.85](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_85.html)) - containerd ([1.6.9](https://github.com/containerd/containerd/releases/tag/v1.6.9)) - glibc ([2.35](https://savannah.gnu.org/forum/forum.php?forum_id=10111)) - bpftool ([5.19.8](https://lwn.net/Articles/907523/)) - git ([2.37.4](https://github.com/git/git/blob/master/Documentation/RelNotes/2.37.4.txt)) - iputils ([20211215](https://github.com/iputils/iputils/releases/tag/20211215)) - libcap ([2.65](https://sites.google.com/site/fullycapable/release-notes-for-libcap?authuser=0#h.wfblevfzkj0)) - multipath-tools ([0.9.3](https://github.com/opensvc/multipath-tools/releases/tag/0.9.3)) - wget ([1.21.3](https://lists.gnu.org/archive/html/info-gnu/2022-02/msg00017.html)) - whois ([5.5.13](https://github.com/rfc1036/whois/blob/v5.5.13/debian/changelog)) - xz-utils ([5.2.6](https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=4c79b18ff26a1c479a920b21f07d050599c04c9e;hb=8dfed05bdaa4873833ba24279f02ad2db25effea)) _Changes since **Alpha 3417.0.0**_ #### Security fixes: - Linux ([CVE-2022-3543](https://nvd.nist.gov/vuln/detail/CVE-2022-3543), [CVE-2022-3564](https://nvd.nist.gov/vuln/detail/CVE-2022-3564), [CVE-2022-3619](https://nvd.nist.gov/vuln/detail/CVE-2022-3619), [CVE-2022-3623](https://nvd.nist.gov/vuln/detail/CVE-2022-3623), [CVE-2022-3628](https://nvd.nist.gov/vuln/detail/CVE-2022-3628), [CVE-2022-42895](https://nvd.nist.gov/vuln/detail/CVE-2022-42895), [CVE-2022-42896](https://nvd.nist.gov/vuln/detail/CVE-2022-42896)) #### Bug fixes: - Fixed Ignition btrfs forced formatting for OEM partition ([coreos-overlay#2277](https://github.com/flatcar/coreos-overlay/pull/2277)) #### Changes: #### Updates: - Linux ([5.15.79](https://lwn.net/Articles/915100) (includes [5.15.78](https://lwn.net/Articles/914423))) - ca-certificates ([3.85](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_85.html)) Best, The Flatcar Container Linux Maintainers --- ### Security **Subject**: Security issues fixed with the latest Alpha 3432.0.0 and Beta 3417.1.0 releases **Security fix**: With the Alpha 3432.0.0 and Beta 3417.1.0 releases we ship fixes for the CVEs listed below. #### Alpha 3432.0.0 * Linux * [CVE-2022-3543](https://nvd.nist.gov/vuln/detail/CVE-2022-3543) CVSSv3 score: 5.5(Medium) A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211043. * [CVE-2022-3564](https://nvd.nist.gov/vuln/detail/CVE-2022-3564) CVSSv3 score: 8(High) A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087. * [CVE-2022-3619](https://nvd.nist.gov/vuln/detail/CVE-2022-3619) CVSSv3 score: 4.3(Medium) A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211918 is the identifier assigned to this vulnerability. * [CVE-2022-3623](https://nvd.nist.gov/vuln/detail/CVE-2022-3623) CVSSv3 score: 7.5(High) A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211921 was assigned to this vulnerability. * [CVE-2022-3628](https://nvd.nist.gov/vuln/detail/CVE-2022-3628) CVSSv3 score: n/a * [CVE-2022-42895](https://nvd.nist.gov/vuln/detail/CVE-2022-42895) CVSSv3 score: n/a There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely. We recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e https://www.google.com/url * [CVE-2022-42896](https://nvd.nist.gov/vuln/detail/CVE-2022-42896) CVSSv3 score: n/a There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim. We recommend upgrading past commit https://www.google.com/url https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4 https://www.google.com/url * cpio * [CVE-2021-38185](https://nvd.nist.gov/vuln/detail/CVE-2021-38185) CVSSv3 score: 7.8(High) GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data. * curl * [CVE-2022-32221](https://nvd.nist.gov/vuln/detail/CVE-2022-32221) CVSSv3 score: n/a POST following PUT confusion. When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. * [CVE-2022-35260](https://nvd.nist.gov/vuln/detail/CVE-2022-35260) CVSSv3 score: n/a .netrc parser out-of-bounds access. curl can be told to parse a .netrc file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, write a zero byte possibly beyond its boundary. This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service. * [CVE-2022-42915](https://nvd.nist.gov/vuln/detail/CVE-2022-42915) CVSSv3 score: 9.8(Critical) curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. * [CVE-2022-42916](https://nvd.nist.gov/vuln/detail/CVE-2022-42916) CVSSv3 score: 7.5(High) In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. * expat * [CVE-2022-43680](https://nvd.nist.gov/vuln/detail/CVE-2022-43680) CVSSv3 score: 7.5(High) In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. * libksba * [CVE-2022-3515](https://nvd.nist.gov/vuln/detail/CVE-2022-3515) CVSSv3 score: n/a A severe bug has been found in [Libksba] , the library used by GnuPG for parsing the ASN.1 structures as used by S/MIME. The bug affects all versions of [Libksba] before 1.6.2 and may be used for remote code execution. * vim * [CVE-2022-3705](https://nvd.nist.gov/vuln/detail/CVE-2022-3705) CVSSv3 score: 7.5(High) A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324. #### Beta 3417.1.0 * Linux * [CVE-2022-3543](https://nvd.nist.gov/vuln/detail/CVE-2022-3543) CVSSv3 score: 5.5(Medium) A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211043. * [CVE-2022-3564](https://nvd.nist.gov/vuln/detail/CVE-2022-3564) CVSSv3 score: 8(High) A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087. * [CVE-2022-3619](https://nvd.nist.gov/vuln/detail/CVE-2022-3619) CVSSv3 score: 4.3(Medium) A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211918 is the identifier assigned to this vulnerability. * [CVE-2022-3623](https://nvd.nist.gov/vuln/detail/CVE-2022-3623) CVSSv3 score: 7.5(High) A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211921 was assigned to this vulnerability. * [CVE-2022-3628](https://nvd.nist.gov/vuln/detail/CVE-2022-3628) CVSSv3 score: n/a * [CVE-2022-42895](https://nvd.nist.gov/vuln/detail/CVE-2022-42895) CVSSv3 score: n/a There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely. We recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e https://www.google.com/url * [CVE-2022-42896](https://nvd.nist.gov/vuln/detail/CVE-2022-42896) CVSSv3 score: n/a There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim. We recommend upgrading past commit https://www.google.com/url https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4 https://www.google.com/url * git * [CVE-2022-39253](https://nvd.nist.gov/vuln/detail/CVE-2022-39253) CVSSv3 score: n/a Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`. * [CVE-2022-39260](https://nvd.nist.gov/vuln/detail/CVE-2022-39260) CVSSv3 score: 8.8(High) Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround. * multipath-tools * [CVE-2022-41973](https://nvd.nist.gov/vuln/detail/CVE-2022-41973) CVSSv3 score: 7.8(High) multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root. * [CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974) CVSSv3 score: 7.8(High) multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR. --- ### Communication #### Go/No-Go message for Matrix/Slack Go/No-Go Meeting for Alpha 3432.0.0 and Beta 3417.1.0 Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/ Tracking issue: https://github.com/flatcar/Flatcar/issues/902 The Go/No-Go document is in our HackMD @flatcar namespace Link: https://hackmd.io/QYuWDKyuRze_cVac1oexWw?view Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait. Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat. @MAINTAINER @MAINTAINER @MAINTAINER #### Mastodon _The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._ New Flatcar Alpha 3432.0.0 and Beta 3417.1.0 releases now available! 🩹 Fix bugs: fix Ignition btrfs forced formatting for OEM partition 🚀 New features: support hardware security keys in update-ssh-keys 📦 Many package updates: Linux Kernel, curl, openssh 📜 Release notes at the usual spot: https://www.flatcar.org/releases/ #### Kubernetes Slack _This goes in the #flatcar channel_ Please welcome Flatcar releases of this month: - Alpha 3432.0.0 (new major) - Beta 3417.1.0 (maintenance release, transition from Alpha) These releases include: 🩹 Fix bugs: fix Ignition btrfs forced formatting for OEM partition 🚀 New features: support hardware security keys in update-ssh-keys 📦 Many package updates: Linux Kernel, curl, openssh 📜 Release notes in usual spot: https://www.flatcar.org/releases/