CoreOS Container Linux Release Notes

Announcements:

• CoreOS Container Linux has reached its end of life and is no longer maintained or updated. Migrate to another operating system as soon as possible!

Changes:

• Update EOL warning banners in login prompt and MOTD

Announcements:

• CoreOS Container Linux will reach its end of life on May 26, 2020 and will no longer receive updates. We strongly recommend migrating to another operating system as soon as possible.

Changes:

• No changes since last alpha

Announcements:

• CoreOS Container Linux will reach its end of life on May 26, 2020 and will no longer receive updates. We strongly recommend migrating to another operating system as soon as possible.

Security fixes:

• Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
• Fix Git arbitrary path overwrite, credential leak from credential helpers, remote code execution in recursive clones, and arbitrary command execution via submodules (CVE-2019-1348, CVE-2019-1387, CVE-2019-19604, CVE-2020-11008, CVE-2020-5260)
• Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
• Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
• Fix libidn2 domain impersonation (CVE-2019-12290)
• Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
• Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
• Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
• Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
• Fix vim arbitrary command execution via crafted file (CVE-2019-12735)

Bug fixes:

• Fix GCE agent crash loop in new installs when using non-Google DNS (#2601)

Changes:

• Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper

Updates:

• e2fsprogs 1.45.5
• etcd 3.3.20
• etcdctl 3.3.20
• Git 2.23.3
• Linux 4.19.123
• OpenSSL 1.0.2u
• vim 8.2.0360

Announcements:

• CoreOS Container Linux will reach its end of life on May 26, 2020 and will no longer receive updates. We strongly recommend migrating to another operating system as soon as possible.

Updates:

• Linux 4.19.106

Announcements:

• CoreOS Container Linux will reach its end of life on May 26, 2020 and will no longer receive updates. We strongly recommend migrating to another operating system as soon as possible.

Security fixes:

• Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker (CVE-2020-1712)

Changes:

• Add EOL warning banners to login prompt and MOTD
• Enable qede kernel module

Updates:

• Linux 4.19.102

Security fixes:

• Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)

Updates:

• Git 2.24.1
• Ignition 0.34.0
• Linux 4.19.95

Security fixes:

• Fix libexpat heap over-read (CVE-2019-15903)

Updates:

• etcd 3.3.18
• expat 2.2.8
• Linux 4.19.87

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
• Fix curl Kerberos FTP double free (CVE-2019-5481)
• Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5482)
• Fix OpenSSL key extraction attacks under non-default conditions (CVE-2019-1563, CVE-2019-1547)

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
• Fix time zone for Brazil (#2627)

Updates:

• curl 7.66.0
• intel-microcode 20191115
• Linux 4.19.84
• OpenSSL 1.0.2t
• timezone-data 2019c

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
• Fix time zone for Brazil (#2627)

Updates:

• Linux 4.19.81
• timezone-data 2019c

Changes:

• Pin rkt to Go 1.12

Updates:

• Go 1.12.10
• Go 1.13.2
• Linux 4.19.80

Security fixes:

• Fix sudo allowing a user to run commands as root if configured to permit the user to run commands as everyone other than root (CVE-2019-14287)

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)

Updates:

• etcd 3.3.17
• etcdctl 3.3.17
• Go 1.12.9
• Linux 4.19.79
• sudo 1.8.28

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)

Updates:

• Linux 4.19.78

Security fixes:

• Fix dbus authentication bypass in non-default configurations (CVE-2019-12749)
• Fix kernel KVM guest escape (CVE-2019-14835)

Updates:

• intel-microcode 20190918
• Linux 4.19.75

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.71

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.69

Security fixes:

• Fix libarchive out of bounds reads (CVE-2017-14166, CVE-2017-14501, CVE-2017-14502, CVE-2017-14503)
• Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
• Fix polkit information disclosure and denial of service (CVE-2018-1116)
• Fix SQLite multiple vulnerabilities, the worst of which allows code execution (CVE-2019-5018, CVE-2019-9936, CVE-2019-9937)
• Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)

Updates:

• etcd 3.3.15
• etcdctl 3.3.15
• Go 1.12.7
• Linux 4.19.68
• wget 1.20.3

Security fixes:

• Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)

Updates:

• Linux 4.19.65

Bug fixes:

• Fix Ignition fetching from S3 URLs when network is slow to start (ignition#826)

Updates:

• Linux 4.19.62

Bug fixes:

• Fix Docker device or resource busy error when creating overlay mounts, introduced in 2191.0.0

Updates:

• Linux 4.19.58

Security fixes:

• Fix libexpat denial of service (CVE-2018-20843)

Bug fixes:

• Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)

Updates:

• expat 2.2.7
• Ignition 0.33.0
• Linux 4.19.56

Bug fixes:

• Temporarily revert bunzip2 change in 2163.0.0 causing decompression failures for invalid archives created by older versions of lbzip2, including Container Linux release images (#2589)

Changes:

• Increase size of developer container image to 4 GB

Updates:

• intel-microcode 20190618
• Linux 4.19.55

Security fixes:

• Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Changes:

• Increase size of developer container image to 4 GB

Updates:

• Linux 4.19.50

Bug fixes:

• Temporarily revert bunzip2 change in 2163.0.0 causing decompression failures for invalid archives created by older versions of lbzip2, including Container Linux release images (#2589)

Security fixes:

• Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5436)

Bug fixes:

• Fix invalid bzip2 compression of Container Linux release images (#2589)

Updates:

• coreutils 8.30
• curl 7.65.0
• GCC 8.3.0
• glibc 2.29
• Linux 4.19.47
• Rust 1.35.0

Updates:

• etcd 3.3.13
• etcdctl 3.3.13
• Go 1.12.5
• intel-microcode 20190514
• Linux 4.19.44

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)

Updates:

• intel-microcode 20190514
• Linux 4.19.43

Security fixes:

• Fix SQLite remote code execution (CVE-2018-20346)
• Fix GLib multiple vulnerabilities

Bug fixes:

• Fix systemd MountFlags=shared option (#2579)

Changes:

• Use Amazon's recommended NVMe timeout for new EC2 installs (#2484)
• Pin network interface naming to systemd v238 scheme (#2578)
• Enable XDP sockets (#2580)

Updates:

• Linux 4.19.37
• Rust 1.34.1

Security fixes:

• Fix libseccomp privilege escalation (CVE-2019-9893)

Bug fixes:

• Disable new sticky directory protections for backward compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Go 1.12.4
• Ignition 0.32.0
• libseccomp 2.4.0
• Linux 4.19.36
• Rust 1.34.0
• tini 0.18.0

Security fixes:

• Fix libmspack vulnerabilities in the VMware agent for new installs (CVE-2018-14679, CVE-2018-14680, CVE-2018-14681, CVE-2018-14682, CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)

Updates:

• Afterburn (formerly coreos-metadata) 4.0.0
• Git 2.21.0
• Go 1.12.2
• Linux 4.19.34

Security fixes:

• Fix OpenSSH scp allowing remote servers to change target directory permissions (CVE-2018-20685)
• Fix OpenSSH outputting ANSI control codes from remote servers (CVE-2019-6109, CVE-2019-6110)
• Fix OpenSSH scp allowing remote servers to overwrite arbitrary files (CVE-2019-6111)
• Fix OpenSSL side-channel timing attack (CVE-2018-5407)
• Fix OpenSSL padding oracle attack in misbehaving applications (CVE-2019-1559)
• Fix ntp ntpd denial of service by authenticated user (CVE-2019-8936)
• Fix ntp buffer overflow in ntpq and ntpdc (CVE-2018-12327)

Bug fixes:

• Fix systemd presets incorrectly handling escaped unit names (#2569)

Updates:

• GCC 8.2.0
• Go 1.12.1
• IANA timezone database 2018i
• Linux 4.19.31
• ntp 4.2.8p13
• OpenSSH 7.9p1
• OpenSSL 1.0.2r
• Update Engine 0.4.10

Security fixes:

• Fix tar local denial of service with --sparse option (CVE-2018-20482)
• Fix wget local information leak (CVE-2018-20483)

Bug fixes:

• Fix systemd-journald memory leak (#2564)

Changes:

• Enable vhost_vsock kernel module (#2563)

Updates:

• Go 1.12
• Linux 4.19.28
• Rust 1.33.0
• systemd 241
• tar 1.31
• wget 1.20.1

Security fixes:

• Fix curl vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823)
• Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
• Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)

Changes:

• Add AWS regions eu-north-1 and us-gov-east-1

Updates:

• curl 7.64.0
• Docker 18.06.3-ce
• Ignition 0.31.0
• Linux 4.19.25

Security fixes:

• Fix runc container breakout (CVE-2019-5736)

Changes:

• Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)
• Add a new subkey for signing release images

Updates:

• etcd 3.3.12
• etcdctl 3.3.12
• flannel 0.11.0
• Linux 4.19.20

Security fixes:

• Fix Go CPU denial of service in ECC (CVE-2019-6486)

Updates:

• btrfs-progs 4.19
• e2fsprogs 1.44.5
• glibc 2.27
• Go 1.10.8
• Go 1.11.5
• Linux 4.19.18
• Rust 1.32.0
• util-linux 2.33
• xfsprogs 4.17.0

Security fixes:

• Fix systemd-journald privilege escalation (CVE-2018-16864, CVE-2018-16865)
• Fix systemd-journald out of bounds read (CVE-2018-16866)
• Fix ntpq, ntpdc buffer overflow (CVE-2018-12327)
• Fix etcd improper authentication with RBAC and client certs (CVE-2018-16886)

Changes:

• Add ip_vs_mh kernel module (#2542)

Updates:

• etcd 3.3.11
• etcdctl 3.3.11
• Linux 4.19.15
• ntp 4.2.8p12
• sudo 1.8.25p1

Bug fixes:

• Fix monitoring process events over netlink (#2537)

Updates:

• Ignition 0.30.0
• Go 1.10.7
• Go 1.11.4
• Linux 4.19.13

Security fixes:

• Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
• Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)

Bug fixes:

• Fix AWS, Azure, and GCE disk aliases in the initramfs for Ignition (#2531)

Updates:

• Go 1.10.6
• Go 1.11.3
• Ignition 0.29.1
• Linux 4.19.9
• Rust 1.31.0
• wa-linux-agent 2.2.32

Updates:

• Linux 4.19.6
• iptables 1.6.2

Security fixes:

• Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)
• Fix curl buffer overrun in NTLM authentication code (CVE-2018-14618)
• Fix OpenSSL TLS client denial of service (CVE-2018-0732)
• Fix OpenSSL timing side channel in DSA signature generation (CVE-2018-0734)
• Fix OpenSSL timing side channel via SMT port contention (CVE-2018-5407)

Updates:

• coreos-metadata 3.0.2
• curl 7.61.1
• Go 1.10.5
• Go 1.11.2
• Linux 4.19.2
• OpenSSL 1.0.2p
• Rust 1.30.1

Security fixes:

• Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
• Fix systemd race allowing changing file permissions (CVE-2018-15687)
• Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)

Bug fixes:

• Add AWS and GCE disk aliases in the initramfs for Ignition (#2481)
• Add compatibility nf_conntrack_ipv4 kernel module to fix kube-proxy IPVS on Linux 4.19 (#2518)

Updates:

• IANA timezone database 2018e
• kexec-tools 2.0.17
• Linux 4.19.1

Security fixes:

• Fix Git remote code execution during recursive clone (CVE-2018-17456)
• Fix OpenSSH user enumeration (CVE-2018-15473)
• Fix Rust standard library integer overflow (CVE-2018-1000810)

Bug fixes:

• Fix missing kernel headers (#2505)

Updates:

• coreos-metadata 3.0.1
• etcd-wrapper 3.3.10
• etcdctl 3.3.10
• Git 2.18.1
• Linux 4.19
• linux-firmware 20181001
• OpenSSH 7.7p1
• Rust 1.29.1

Updates:

• glibc 2.26
• Go 1.11.1
• Linux 4.18.12
• nfs-utils 2.3.1
• open-vm-tools 10.3.0

Bug fixes:

• Fix Google Compute Engine OS Login activation (#2503)

Updates:

• Linux 4.18.9

Bug fixes:

• Fix Docker mounting named volumes (#2497)
• Fix Azure disk detection in Ignition (#2481)

Changes:

• Add support for Google Compute Engine OS Login
• Enable support for Mellanox Ethernet switches

Updates:

• coreos-metadata 3.0.0
• Go 1.10.4
• Go 1.11
• intel-microcode 20180807a
• Linux 4.18.7
• update-ssh-keys 0.3.0

Changes:

• Add CIFS userspace utilities (#571)
• Drop AWS PV images from regions which do not support PV

Updates:

• containerd 1.1.2
• Docker 18.06.1-ce
• Ignition 0.28.0
• Linux 4.18.5
• Rust 1.28.0

Security fixes:

• Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
• Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)
• Fix curl SMTP buffer overflow (CVE-2018-0500)

Bug fixes:

• Fix PXE systems attempting to mount an ESP (#2491)

Updates:

• coreos-metadata 2.0.0
• curl 7.61.0
• Ignition 0.27.0
• Linux 4.17.15
• update-ssh-keys 0.2.1

Security fixes:

• Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)

Bug fixes:

• Fix failure to mount large ext4 filesystems (#2485)

Updates:

• Linux 4.17.12

Changes:

• Remove ARM64 architecture
• Remove developer image from SDK

Updates:

• etcd 3.3.9
• etcdctl 3.3.9
• Linux 4.17.11

Changes:

• Add torcx remotes support

Updates:

• containerd 1.1.1
• Docker 18.06.0-ce
• intel-microcode 20180703
• Linux 4.17.9
• Update Engine 0.4.9

Security fixes:

• Fix curl buffer overflows (CVE-2018-1000300, CVE-2018-1000301)
• Fix Linux random seed during early boot (CVE-2018-1108)

Changes:

• Reads of /dev/urandom early in boot will block until entropy pool is fully initialized
• Support friendly AWS EBS NVMe device names (#2399)

Updates:

• cryptsetup 1.7.5
• curl 7.60.0
• etcd-wrapper 3.3.8
• etcdctl 3.3.8
• intel-microcode 20180616
• kmod 25
• Linux 4.17.3
• linux-firmware 20180606
• Locksmith 0.6.2
• OpenSSL 1.0.2o

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Changes:

• Drop obsolete cros_sdk method of entering SDK

Updates:

• etcd 3.3.7
• etcdctl 3.3.7
• Go 1.9.7
• Go 1.10.3
• Ignition 0.26.0
• Linux 4.16.16
• torcx 0.2.0

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Security fixes:

• Fix multiple procps vulnerabilities (CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126, CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1126)
• Fix shadow privilege escalation (CVE-2018-7169)
• Fix samba man-in-the-middle attack (CVE-2016-2119)
• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix failure to set network interface MTU (#2443)
• Fix inadvertent change of network interface names (#2437)
• Fix Docker bind mounts from root filesystem (#2440)

Changes:

• Update VMware virtual hardware version to 11 (ESXi > 6.0)

Updates:

• etcd 3.3.6
• etcdctl 3.3.6
• Git 2.16.4
• Linux 4.16.14
• open-vm-tools 10.2.5
• procps 3.3.15
• samba 4.5.16
• shadow 4.6

Security fixes:

• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix failure to set network interface MTU (#2443)

Updates:

• Git 2.16.4
• Linux 4.16.13

Bug fixes:

• Fix inadvertent change of network interface names (#2437)
• Fix Docker bind mounts from root filesystem (#2440)

Security fixes:

• Fix ncurses denial of service and arbitrary code execution (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113, CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13733, CVE-2017-13734, CVE-2017-16879)
• Fix rsync arbitrary command execution (CVE-2018-5764)
• Fix wget cookie injection (CVE-2018-0494)

Changes:

• Enable QLogic FCoE offload support (#2367)
• Enable hardware RNG kernel drivers (#2430)
• Add notrap to ntpd default access restrictions (#2220)
• Allow booting default GRUB menu entry if GRUB password is enabled (#1597)
• coreos-install -i no longer modifies grub.cfg (#2291)
• QEMU wrapper script now enables VirtIO RNG device

Updates:

• bind-tools 9.11.2-P1
• Docker 18.05.0-ce
• etcd-wrapper 3.3.5
• etcdctl 3.3.5
• GnuPG 2.2.7
• GPT fdisk 1.0.3
• Ignition 0.25.1
• Less 529
• Linux 4.16.10
• rsync 3.1.3
• Rust 1.26
• util-linux 2.32
• vim 8.0.1298
• wget 1.19.5

Bug fixes:

• Fix GRUB free magic error on existing systems (#2400)

Changes:

• Add a dry-run option -y to coreos-install
• Support storing sudoers in SSSD and LDAP
• No longer publish Oracle Cloud release images

Updates:

• audit 2.7.1
• coreutils 8.28
• etcd-wrapper 3.3.4
• etcdctl 3.3.4
• Go 1.9.6
• Go 1.10.2
• Linux 4.16.7
• sudo 1.8.23
• Update Engine 0.4.7
• wa-linux-agent 2.2.25

Security fixes:

• Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
• Fix ntp denial of service from out of bounds read (CVE-2018-7182)
• Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
• Fix ntp remote code execution (CVE-2018-7183)

Bug fixes:

• Pass /etc/machine-id from the host to the kubelet
• Fix docker2aci tar conversion (#2402)
• Switch /boot from FAT16 to FAT32 (#2246)

Changes:

• Make Ignition failures more visible on the console

Updates:

• containerd 1.0.3
• coreos-cloudinit 1.14.0
• coreos-metadata 1.0.6
• Docker 18.04.0-ce
• Go 1.9.5
• Go 1.10.1
• Linux 4.16.3
• ntp 4.2.8p11
• rkt 1.30.0
• Rust 1.25.0
• torcx 0.1.3
• update-ssh-keys 0.1.2

Security fixes:

• Fix curl out of bounds read (CVE-2018-1000005)
• Fix curl authentication data leak (CVE-2018-1000007)
• Fix curl buffer overflow (CVE-2018-1000120)
• Fix glibc integer overflow in libcidn (CVE-2017-14062)
• Fix glibc memory issues in glob() with ~ (CVE-2017-15670, CVE-2017-15671, CVE-2017-15804)
• Fix glibc mishandling RPATHs with $ORIGIN on setuid binaries (CVE-2017-16997)
• Fix glibc buffer underflow in realpath() (CVE-2018-1000001)
• Fix glibc integer overflow and heap corruption in memalign() (CVE-2018-6485)

Bug fixes:

• Fix GRUB crash at boot (#2284)

Updates:

• curl 7.59.0
• etcd-wrapper 3.3.3
• etcdctl 3.3.3
• glibc 2.25
• Ignition 0.24.0
• Linux 4.15.15
• Update Engine 0.4.6

Updates:

• containerd 1.0.2
• Docker 18.03.0-ce
• grep 3.0
• libseccomp 2.3.3
• libusb 1.0.21
• Linux 4.15.13
• systemd 238

Security fixes:

• Use latest Intel microcode for Spectre v2 mitigation (CVE-2017-5715)

Updates:

• etcd-wrapper 3.3.2
• etcdctl 3.3.2
• Ignition 0.23.0
• intel-microcode 20180312
• Linux 4.15.10

Bug fixes:

• Fix kernel netfilter deadlock (#2375)

Updates:

• Linux 4.15.7

Bug fixes:

• Fix containerd binary architecture for arm64 (#2366)

Changes:

• Enable the smartpqi kernel module (#2368)

Updates:

• etcd-wrapper 3.3.1
• etcdctl 3.3.1
• Go 1.10
• Linux 4.15.6

Security fixes:

• Build kernel with retpoline for Spectre v2 mitigation (CVE-2017-5715)

Bug fixes:

• Do not try to check /usr/share/oem filesystem on PXE (#2342)

Changes:

• Add BFQ I/O scheduler option in kernel (coreos-overlay#2971)
• Add throttled background buffered writeback option in kernel (coreos-overlay#2970)
• Add a new subkey for signing release images

Updates:

• containerd 1.0.1
• Docker 18.02.0-ce
• GCC 7.3.0
• Go 1.8.7
• Go 1.9.4
• Ignition 0.22.0
• Linux 4.14.19
• systemd 237

Breaking changes:

• Remove etcd2
• Remove fleet

Bug fixes:

• Fix missing default routes from mixing DHCP options (#2327)

Changes:

• Increase the coreos-install timeout for slow storage media

Updates:

• Docker 18.01.0-ce
• etcd-wrapper 3.2.15
• etcdctl 3.2.15
• flannel-wrapper 0.10.0
• GCE Agent 20171213
• GnuPG 2.2.4
• Go 1.8.6
• Go 1.9.3
• Ignition 0.21.0
• Linux 4.14.16
• Rust 1.23.0

Security fixes:

• Fix buffer overread in rsync (CVE-2017-16548)
• Fix access restriction bypass in rsync (CVE-2017-17433, CVE-2017-17434)

Bug fixes:

• Enable BNXT NIC kernel module (#2314)
• Enable vTPM proxy (#2308)
• Apply microcode at boot (#1862)

Updates:

• containerd 1.0.0
• Docker 17.12.0-ce
• etcd-wrapper 3.2.14
• etcdctl 3.2.14
• GCC 6.4.0
• Ignition 0.20.1
• kexec-tools 2.0.16
• Linux 4.14.14
• linux-firmware 20180103
• thin-provisioning-tools 0.7.0
• systemd 236

Security fixes:

• Fix CPU disclosure of kernel memory to user process (CVE-2017-5754, Meltdown)
• Fix denial of service due to incorrect eBPF sign extension (CVE-2017-16995)
• Fix eBPF verifier issues introduced in Linux 4.14 (CVE-2017-17852, CVE-2017-17853, CVE-2017-17854, CVE-2017-17855, CVE-2017-17856, CVE-2017-17857, CVE-2017-17862, CVE-2017-17863, CVE-2017-17864)

Bug fixes:

• Don't separately configure Azure SR-IOV NIC
• Avoid deprecation warnings about OpenSSH UsePrivilegeSeparation option

Updates:

• Linux 4.14.11

Security fixes:

• Fix OpenSSL failure to respect error state (CVE-2017-3737)
• Fix OpenSSL multiplication overflow when using AVX2 instructions (CVE-2017-3738)
• Fix curl FTP/IMAP NUL termination bug (CVE-2017-1000254, CVE-2017-1000257)
• Fix curl out-of-bounds read when using wildcards FTP (CVE-2017-8817)

Bug fixes:

• Enable SCSI multipath device handler kernel modules (#2281)
• Fix EREMOTEIO error on SCSI WRITE SAME errors (#2180)

Changes:

• Switch /boot back to FAT16 for now (#2284)
• Ignition now reads platform base configs from the OEM partition (#2004)
• gcloud alias on GCE no longer leaks containers
• Build packages with Go 1.9 by default
• Add support for Silicon Image SATA controllers (#2278)
• Ignore TLS certificate CN when SAN is present in packages built with Go 1.9

Updates:

• coreos-metadata 1.0.5
• curl 7.57.0
• etcdctl 3.2.11
• etcd-wrapper 3.2.11
• Ignition 0.20.0
• Linux 4.14.7
• multipath-tools 0.6.4
• OpenSSL 1.0.2n
• update-ssh-keys 0.1.2

Security fixes:

• Fix kernel race condition allowing modification of read-only transparent huge pages (CVE-2017-1000405)
• Fix kernel use after free in DCCP (CVE-2017-8824)
• Fix kernel KVM denial of service on Intel processors (CVE-2017-1000407)
• Fix multiple libxml2 vulnerabilities (CVE-2016-9318, CVE-2017-0663, CVE-2017-5969, CVE-2017-7375, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050)
• Fix OpenSSH sftp-server permitting creation of zero-length files in read-only mode (CVE-2017-15906)
• Fix OpenSSL one-byte buffer over-read with malformed X.509 certificate (CVE-2017-3735)
• Fix OpenSSL carry propagation bug (CVE-2017-3736)

Bug fixes:

• Fix systemd units failing with Amazon EFS (#2193)
• Fix NFS client race causing mount failures
• Check /boot and /usr/share/oem filesystems before mounting (#2245)
• Switch /boot from FAT16 to FAT32 (#2246)

Changes:

• Upload kernel configuration as release artifact
• Enable iptables security table
• Reduce /usr/share/oem commit interval to system default

Updates:

• containerd 1.0.0-beta.2
• coreos-metadata 1.0.4
• Docker 17.11.0-ce
• etcdctl 3.2.10
• etcd-wrapper 3.2.10
• flannel-wrapper 0.9.0
• Go 1.8.5
• Go 1.9.2
• Linux 4.14.4
• OpenSSH 7.6p1
• OpenSSL 1.0.2m
• Rust 1.21.0

Security fixes:

• Fix kernel race condition allowing modification of read-only transparent huge pages (CVE-2017-1000405)

Bug fixes:

• Fix systemd units failing with Amazon EFS (#2193)

Updates:

• coreos-metadata 1.0.4
• Linux 4.14.2

Security fixes:

• Fix systemd-resolved infinite loop in DNS response handling (CVE-2017-15908)

Bug fixes:

• Fix update-ssh-keys failing on public keys with options (#2229; introduced in 1576.1.0)

Updates:

• coreos-metadata 1.0.2
• Docker 17.10.0-ce
• iproute2 4.13.0
• Linux 4.14-rc8
• systemd 235
• update-ssh-keys 0.1.1
• util-linux 2.30.2

Security fixes:

• Fix wget overflows in HTTP protocol handling (CVE-2017-13089, CVE-2017-13090)
• Fix curl vulnerabilities in tftp URLs and in URL globbing (CVE-2017-1000100, CVE-2017-1000101)
• Fix libarchive crash due to buffer over-read (CVE-2016-10349, CVE-2016-10350)

Bug fixes:

• Fix etcd-member race with systemd-resolved
• Fix broken port forwarding on Kubernetes 1.8 in some environments (bootkube#740)

Changes:

• Re-add socat
• Developer container now checks out tagged release commits instead of release branches

Updates:

• coreos-metadata 1.0.0
• curl 7.55.1
• elfutils 0.169
• etcd 3.2.9
• Locksmith 0.6.1
• Update Engine 0.4.5
• update-ssh-keys 0.1.0

Bug fixes:

• Update Docker 1.12's "multiple graphdrivers" initialization error to occur earlier (#2196)
• Re-add kernel modules required for CIFS mounts (#2204)

Updates:

• Linux 4.13.9

Security fixes:

• Fix Linux waitid access check (CVE-2017-5123)

Bug fixes:

• Fix journal messages reporting duplicate /var/log/lastlog lines
• Fix journal messages reporting iscsidev.sh failures

Changes:

• Remove SSH socket-activation rate limiting

Updates:

• Docker 17.09.0-ce
• Go 1.8.4
• Linux 4.13.5
• rkt 1.29.0

Security fixes:

• Fix denial of service via incorrect iSCSI length validation (CVE-2017-14489)

Bug fixes:

• Populate /dev/disk/azure (#2098)
• Fix rkt overlay mount race (rkt#3805)
• Fix Docker overlay mount race (#2127)
• Fix layer-store corruption in Docker 1.12 (#1808)

Changes:

• Temporarily support a flag file to switch Docker versions
• Teach cgpt about the coreos-root-raid UUID
• Allow running etcd2 on arm64 without special environment variables
• At least 2 GiB of memory is recommended for reliably booting the ISO or via PXE

Updates:

• coreos-metadata 0.14.0
• etcd-wrapper 3.2.7
• etcd2 2.3.8
• etcdctl 3.2.7
• flannel-wrapper 0.9.0
• Go 1.8.3
• Ignition 0.19.0
• torcx 0.1.2

Bug fixes:

• Fix "stale file handle" errors in Docker containers (#2152)

Updates:

• Linux 4.13.3

Bug fixes:

• Fix cross-compiling Docker for arm64
• Remove errant newline in torcx store filenames

Updates:

• Linux 4.13.2

Security fixes:

• Fix tcpdump buffer overruns and infinite loops (see changelog)

Breaking changes:

• Remove best-effort update strategy from Locksmith

Changes:

• Support root on RAID
• Support additional MegaRAID controllers (#2131)

Updates:

• coreos-metadata 0.13.0
• Docker 17.06.2-ce
• Ignition 0.18.0
• Linux 4.13.1
• Locksmith 0.6.0
• tcpdump 4.9.2

Bug fixes:

• Fix use of previous subkey for signing release images in 1520.0.0

Changes:

• Support additional MegaRAID controllers (#2131)

Updates:

• Linux 4.13

Security fixes:

• Fix use-after-free in bzip2 (CVE-2016-3189)

Bug fixes:

• Fix ASAN support (#2105)
• Fix failure when calling coreos-install with a /dev/disk link

Changes:

• Add ipvsadm (#1979)
• Update etcdctl to the etcd3 version (#1717)
• Improve locksmith status in the MOTD (#1968)
• Add preliminary support for root on RAID
• Include terminfo in the initramfs to fix pager warnings
• Update to a new subkey for signing release images

Updates:

• containerd 0.2.9
• Docker 17.06.1-ce
• iproute2 4.12.0
• Linux 4.13-rc7
• locksmith 0.5.0
• net-tools 1.60 snapshot on 2016-11-10
• runc 1.0.0-rc3

Changes:

• Add tcpdump (#1992)
• Restart containerd when it crashes (#2096)

Updates:

• Git 2.14.1
• Linux 4.12.7

Security fixes:

• Fix git arbitrary code execution when cloning untrusted repositories (CVE-2017-1000117)

Updates:

• git 2.13.5
• Linux 4.12.6

Security fixes:

• Fix Linux heap out-of-bounds in AF_PACKET sockets (CVE-2017-1000111)
• Fix Linux exploitable memory corruption due to UDP fragmentation offload (CVE-2017-1000112)

Bug fixes:

• Fix enabling docker with Ignition (#2079)

Updates:

• Linux 4.12.5

Bug fixes:

• Fix running rkt with stage1-coreos from a systemd unit
• Fix emerge-gitclone in developer images with Python 3

Updates:

• rkt 1.28.1

Security fixes:

• Fix open-vm-tools insecure /tmp usage (CVE-2015-5191)

Bug fixes:

• Fix fsck logging harmless error messages (#1257)
• Fix timeouts when formatting large disks (#2026)
• Fix bonding driver problems with non-zero updelay (#2065)
• Fix virtio network performance (#2076)
• Fix formatting swap partitions with Ignition

Changes:

• Add nftables (#1421)
• Enable Hybla congestion control algorithm (#2045)
• Enable tracking memory changes (#2048)
• Add KVM support to the QEMU script for arm64 hosts

Updates:

• e2fsprogs 1.43.3
• EDK2 UDK2017
• etcd-wrapper 3.1.10
• flannel-wrapper 0.8.0
• Ignition 0.17.2
• Linux 4.12.4
• open-vm-tools 10.1.10
• rkt 1.28.0
• systemd 234
• torcx 0.1.0
• Update Engine 0.4.4

Bug fixes:

• Fix passing large MTU packets over VXLAN on Azure

Updates:

• dracut 045
• Linux 4.12.2

Security fixes:

• Fix systemd-resolved out-of-bounds write with crafted TCP payload (CVE-2017-9445)
• Fix libksba denial of service and information disclosure (CVE-2016-4579)
• Fix vim code execution (CVE-2017-5953)
• Fix wget header injection (CVE-2017-6508)

Bug fixes:

• Fix process hang when accessing /proc/sys/fs/binfmt_misc (#1630)
• Fix ext4 journal abort caused by container OOM (#1811)
• Fix error deleting firewall rules with recent iptables versions (#2022)
• Fix overriding coreos-metadata provider when fetching SSH keys (#2014)

Changes:

• Support coreos-install from local image
• Allow overriding coreos-install verification key
• Fail EC2 instance status checks after Ignition failure (#1890)
• Avoid automatically creating bond0 network device upon bonding driver load

Updates:

• coreos-metadata 0.12.0
• cryptsetup 1.7.4
• gnupg 2.1.20
• Ignition 0.17.1
• Linux 4.12
• linux-firmware 20170622
• rkt 1.27.0
• sudo 1.8.20p2
• vim 8.0.0386
• wget 1.19.1

Security fixes:

• Fixed stack guard page bypass in Linux (CVE-2017-1000364, Stack Clash)
• Fixed LD_LIBRARY_PATH heap/stack manipulation in glibc (CVE-2017-1000366, Stack Clash)
• Fixed PCRE denial of service (CVE-2017-6004)
• Fixed minicom remote code execution (CVE-2017-7467)

Changes:

• Moved docker to torcx package (details)
• Added vagrant-virtualbox image with Ignition support
• Added Ignition support to virtualbox image
• Switched AWS images to gp2 volumes (details)
• Added dosfstools
• Allowed kubelet to load ebtables kernel modules
• Enabled asynchronous DNS in curl
• Enabled lsof -M and -Z

Updates:

• dbus 1.10.18
• Ignition 0.16.0
• Linux 4.11.6
• shadow 4.5

Security fixes:

• Fix sudo privilege escalation (CVE-2017-1000367)

Bug fixes:

• Fix accidental removal of cryptsetup from the initrd (#1962)

Changes:

• Include lz4 support in journald (#1988)
• Enable kubelet-wrapper on arm64
• Enable flannel-wrapper on arm64

Updates:

• etcd-wrapper 3.1.8
• Linux 4.11.3

Bug fixes:

• Properly provision SSH from EC2 key pair if Ignition config is provided (#1981)

Security fixes:

• git-shell bypass (CVE-2017-8386)
• Carry bug in Go's amd64 elliptic curve implementation (CVE-2017-8932)

Bug fixes:

• Fixed handling of duplicate volumes in rkt fly (#1892)
• Fixed coreos-install defaulting to nonexistent versions when the update channel is overridden
• Fixed the flannel container not mounting /etc/ssl/certs from the host

Changes:

• Added the experimental torcx generator

Updates:

• btrfs-progs 4.10.2
• coreos-metadata 0.10.0
• Git 2.13.0
• Go 1.7.6
• Go 1.8.2
• Linux 4.11.2
• rkt 1.26.0

Security fixes:

• Fix NSS out-of-bounds write (CVE-2017-5461)
• Fix rpcbind/libtirpc remote denial of service (CVE-2017-8779)

Bug fixes:

• Fix VMware OVA template enabling DHCP on all interfaces by default (#1802)
• Increase timeout when fetching flanneld image (#1833)
• Fix docker run --init (#1912)
• Restart dockerd if it crashes

Changes:

• Remove etcd v0
• Change default Docker graph driver from overlay to overlay2
• Enable SELinux isolation by default for Docker containers on btrfs
• Experimental Active Directory support
• Enable virtio SCSI multiqueue support on GCE
• Enable etcd-wrapper on arm64
• Disallow access to /dev/mem regions that are bound to a kernel driver (CONFIG_IO_STRICT_DEVMEM)

Updates:

• Docker 17.05.0-ce
• Flannel 0.7.1
• GRUB 2.02
• Linux 4.11
• sudo 1.8.18p1
• util-linux 2.28.2

Bug Fixes:

• Fixed containerd crashes (#1909)
• Fixed sporadic network failures with docker network create (#1936)
• Fixed toolbox as a login shell over SSH as documented (#899)

Changes:

• The nvme-cli package has been added
• The coretest command has been removed from the image
• The coreos-metadata provider can be overridden (#1917)

Updates:

• curl 7.54.0
• etcd-wrapper 3.1.6
• GCE Agent 20170327
• Go 1.7.5
• Go 1.8.1
• Linux 4.10.12

Bug fixes:

• Fixed kubelet-wrapper leaving behind orphaned pods (#1831)
• Fixed coreos-install clobbering OEM bootloader configuration with Ignition

Changes:

• Enabled NVMe over RDMA
• AMIs are now tagged (#111)
• AMIs now have ENA enabled (#1853)
• Projects only in the initramfs are now included in package lists
• A JSON file is now produced listing all installed projects' licenses

Updates:

• curl 7.53.0
• Docker 17.04.0-ce
• Git 2.10.2
• Less 478
• Linux 4.10.9

Security fixes:

• Fixed local privilege escalation (CVE-2017-7184)

Bug fixes:

• Fixed cases where locksmithd could block login (#1774)
• Toolbox can now download images through a proxy again (#1869)

Changes:

• The update group is now written to /usr instead of /etc
• Ignition now detects the first boot via a file in the ESP
• Ignition will now continue to run on every boot until it succeeds
• Systems at an emergency shell will reboot after waiting for input for five minutes and roll back if updated
• Toolbox is now using the latest Fedora image by default again
• All official OEM image configuration has all been migrated from cloudinit to Ignition
• Packet systems now have arm64 builds

Updates:

• coreos-metadata 0.8.0
• Ignition 0.14.0
• Linux 4.10.4
• open-vm-tools 10.1.5

Bug Fixes:

• Fixed cloud-config files not being used in some install types (#1872)

Bug Fixes:

• Enabled building the ipvlan kernel module again (#1843)
• Corrected flannel configuration failures on service retries (#1847)
• Increased containerd start timeout to upstream default of two minutes (#1854)
• Created a default /etc/ssl/openssl.cnf when missing
• Created required SSSD paths when missing (#1813)
• Created required NSCD paths when missing and added its service unit
• Added myhostname to NSS as a last resort (#1764)
• The toolbox command is no longer unexpectedly killed (#1216)

Changes:

• SSSD now logs to the journal by default instead of files in /var/log
• SSSD support for the sudo command is now enabled (#1856)
• The arping and traceroute commands are now available on the host (#1572)

Updates:

• coreos-metadata 0.7.0
• cryptsetup 1.7.2
• kexec-tools 2.0.14
• libseccomp 2.3.1
• lvm2 2.02.145
• mdadm 3.4
• systemd 233

Bug Fixes:

• Fix root directory permissions on tmpfs-based roots (#1812)
• Don't hide --bind=/tmp/* mounts in nspawn containers

Changes:

• Add rxvt-unicode-256color to terminfo database
• Updated the eclass, profiles, scripts, and licenses packages in the SDK

Updates:

• Linux 4.10.1
• Ignition 0.13.0
• rkt 1.25.0
• glibc 2.23
• tcpdump 4.9.0

Security Fixes:

• Reapplied RunC privilege escalation patch (CVE-2016-9962)
• Fixed RunC ambient capabilities allowing permissions to be bypassed (CVE-2016-8867)
• Fixed DCCP double-free (CVE-2017-6074)

Bug Fixes:

• Fixed AWS PV boot kernel panics (#1690)
• Fixed VMware kernel panics (#1695)
• Fixed useradd defaults in chroots (#1787)
• Cleaned broken symlinks in /etc (#1807)

Updates:

• Docker 1.13.1
• Linux 4.9.9
• OpenSSL 1.0.2k
• wa-linux-agent 2.2.4

Security Fixes:

• Reactivated verity

Only the v1312.0.0 alpha release is affected by this issue. Users of the v1312.0.0 alpha release should reprovision their systems to re-enable the disk image consistency checks provided by verity.

Known Issues:

• Verity was not properly enabled in this build; use v1313.0.0 instead

Bug Fixes:

• Work around SELinux issues with user namespaces in Docker (#1728)

Changes:

• Added the vmware_raw disk format (#359)
• Increased kernel's supported CPU count to 512 (#1771)
• Verity enabled on arm64

Updates:

• Docker 1.13.0
• Flannel 0.7.0
• GRUB 2.02~beta3
• NSPR 4.13.1
• NSS 3.28.1
• OpenSSH 7.4_p1
• rkt 1.23.0

Bug Fixes:

• File systems are no longer labelled for /usr partitions (#1628)
• Programs installed only in the initramfs are now included in package and license listings
• Fixed NFS file paths for arm64 (#1763)
• The busctl monitor command functions properly again (#1736)

Changes:

• Added support for Cisco VIC FC NIC (#1759)
• The toolbox script no longer relies on Docker (#1704)
• The coreos-install script now supports arm64

Updates:

• Linux 4.8.17
• dbus 1.10.12
• Docker 1.12.6
• xfsprogs 4.9.0

Security Fixes:

• Fix RunC privilege escalation (CVE-2016-9962)

Bugs Fixed:

• Properly quote value for DISTRIB_ID in /etc/lsb-release (#1751)
• Fix Azure Linux Agent's detection of the host distribution

Security Fixes:

• Bash 4.3-p48 (CVE-2016-7543, CVE-2016-9401)

Bug Fixes:

• Disable SELinux permissions checks in systemd (#1682)
• Fix pthread-related segfault in systemd (#1694)
• Fix netfilter regression in Linux (#1743)

Changes:

• Guest tools have been disabled in the Vagrant image when using Parallels
• Enable support for Realtek USB, Amazon Elastic, and QLogic network adapters
• Enable support for BBR (Bottleneck Bandwidth and RTT) TCP congestion control
• Enable support for MPLS tunnels
• Remove redundant paths /bin and /sbin from $PATH
• Pin toolbox to Fedora 24 to work around #1216
• Add etcd client and server to /etc/services

Removals:

• Remove early-docker (early-docker.service, early-docker.socket, and early-docker.target)

Updates:

• Linux 4.8.15 (reverted from 4.9)
• Docker 1.12.5
• GCE Agent 20161212
• Shadow 4.4

Bug Fixes:

• Rename 50-docker-veth.network to fix nspawn bridge networking (#404)
• Fix various cases where Docker commands hang (#1117, #1654, #1681)
• Fix dependency cycle in multipath service (#1581)
• Fix kernel panic on certain AWS machine types (#1690)
• Fix race between networkd and Docker (#1638)

Changes:

• Enable ACPI for ARM64
• Add Unmanaged option to networkd network config
• Enable XFS quota support
• Enable USB ACM support

Updates:

• Linux 4.9
• rkt 1.21.0
• Docker 1.12.4
• Ignition 0.12.1
• coreos-cloudinit 1.13.0
• openSSH 7.3_p1
• glibc 2.22
• multipath-tools 0.6.2

Security Fixes:

• Fix af_packet.c race condition (CVE-2016-8655)

Bug Fixes:

• Fix polkit translation faults on ARM64
• Enable SELinux support for runc (#1664)
• Properly declare dependencies between flanneld.service and flannel-docker-opts.service
• Allow etcd-wrapper to use custom data directory (#1685)

Changes:

• Automatically resize XFS root partitions to fill disk
• Add support for Ignition in coreos_production_qemu.sh
• Published VHDs now have the correct blob size in the footer

Updates:

• Linux 4.8.11
• rkt 1.20.0
• Ignition 0.12.0
• ntp 4.2.8p9
• unzip 6.0p20 (ARM64)
• rpcbind 0.2.3 (ARM64)

Bug Fixes:

• Correctly apply VLAN configurations to bridges (#1642)
• Properly pass flannel-related options to Docker (#1659)

Changes:

• Enable support for seccomp in Docker
• Automatically resize XFS root partitions to fill disk
• Add support for streaming file-descriptors to systemd
• Add support for ASIX network adapters

Updates:

• coreos-metadata 0.6.2
• bash 4.3_p46-r2

Security Fixes:

• Update curl to 7.50.3 (https://curl.haxx.se/docs/adv_20160914.html)

Bug Fixes:

• Fix Docker-related networking issue (#254)
• Fix race condition in coreos-metadata on Azure (#1582)
• Fix file mode on sssd.service (#1604)

Changes:

• Introduce Vagrant Parallels images

Updates:

• Linux 4.8.6
• Non-Docker Go binaries now built with 1.7.3
• rkt 1.18.0
• Docker 1.12.3
• coreos-metadata 0.6.1

Security Fixes:

• Update nss-usrfiles with glibc 2.23 (CVE-2014-8121 and CVE-2015-5277)
• Update OpenSSL to 1.0.2j (CVE-2016-8610)
  • Note: SSLv2 methods have been disabled, changing the libssl ABI

Bug Fixes:

• Fix password-length requirement and password logins for SSSD-managed accounts in PAM configuration
• Add support for C.UTF-8 locale (#112)
• Correctly set GPT flags on update-engine restart (#1625)

Changes:

• New installations will have dm-verity enabled by default for the /usr mount.
• Enable support for more Mellanox cards (CONFIG_MLX5_CORE_EN and CONFIG_MLX5_CORE_EN_DCB)
• Enable support for more MegaRAID cards (CONFIG_MEGARAID_NEWGEN)
• Enable support for kprobe and bpf (CONFIG_BPF_SYSCALL, CONFIG_KPROBES, CONFIG_OPTPROBES, CONFIG_KPROBES_ON_FTRACE, CONFIG_KRETPROBES, CONFIG_KPROBE_EVENT, and CONFIG_BPF_EVENTS)
• The support scripts and utilities for GCE images have been moved from the OEM partition into a container image, executed by rkt
• The kubelet-wrapper script has been updated, changing a few variable names
  • KUBELET_VERSION has been deprecated in favor of KUBELET_IMAGE_TAG
  • KUBELET_ACI has been deprecated in favor of KUBELET_IMAGE_URL
  • RKT_OPTS has been deprecated in favor of RKT_RUN_ARGS
• The etcd-wrapper script has been updated along with the addition of etcd-member.service
• A flannel-wrapper script has been introduced and flanneld.service updated to use it
• The DigitalOcean images are now provisioned via Ignition instead of coreos-cloudinit
• Docker's containerd has been split out into a separate containerd.service

Updates:

• Linux 4.8.4
• GnuPG 2.1.15
• CA certificate database from nss 3.27.1
• IANA timezone database 2016e
• Ignition 0.11.2
• rkt 1.17.0
• locksmith 0.4.2

Security Fixes:

• Fix privilege escalation vulnerability in Linux kernel - CVE-2016-5195 (Dirty COW)
• Fix denial of service in systemd - CVE-2016-7795

Bug Fixes:

• Disabled dm-verity support by default, unblocking Xen-based environments (#1600)

Bug Fixes:

• Fix nspawn mount propagation (#1578)

Changes:

• New installations will have dm-verity enabled by default for the /usr mount.
• When running via QEMU, Ignition will now correctly use the QEMU config provider.

Updates:

• Update Engine 0.4.0

Bug Fixes:

• Make GRUB more robust to odd disk configurations (#1238)
• Mount /etc/hosts into flannel container (#1565)
• Fix deadlock triggered by coreos-cloudinit configuring locksmith (#1588)

Bug Fixes:

• Fix intermittent network issues in Docker containers. (#1554)
• Fix last login message in SSH sessions (#1557)
• Fix systemd user session startup (#1498)
• Support overriding the initrd's default DHCP network configuration with ip= kernel command line options (#981)
• EC2: Fix system console for HVM instances (coreos-overlay#2189)

Updates:

• coreos-cloudinit 1.12.0
• flannel 0.6.2
• Ignition 0.11.1
• Most Go applications are now built with 1.7.1

Updates:

• Locksmith 0.4.1

Security Updates:

• curl 7.50.2 (CVE-2016-7141)

Bug Fixes:

• Don't deny logins due to user's shell (#1523)
• Fix off-by-one error in cgpt resize (#1527)
• Disable the systemd-resolved stub resolver (#1545)

Updates:

• Mayday 1.0.0
• Linux 4.7.3
• etcd 2.3.7
• rkt 1.14.0
• Ignition 0.11.0
• coreos-metadata 0.6.0
• git 2.7.3

Bug Fixes:

• Properly expand toolbox mount variable (#1540)

Updates:

• Ignition 0.10.1

Bug Fixes:

• Properly report errors from cgpt repair operations
• Fix deadlock in file_remove_privs() on overlayfs
• Build rkt without TEXTREL section (#1525)
• Reintroduce sdnotify-proxy (#1528)
• Fix disk corruption issues in GRUB by doing stricter GPT header validation
  • GRUB will now abort the boot if the gptprio command fails

Changes:

• Use the default Docker cgroup driver instead of the systemd driver
• Add /dev/disk/by-id links for GCE ephemeral disks (#1465)
• Add SSH helper support in SSSD (#1470)
• Enable IMA, DNS resolution for Ceph, POSIX ACLs for Ceph, and EXT4 encryption in the kernel
• Include qemu_fw_cfg LKM in the initramfs
• Expose mount options for toolbox in the TOOLBOX_BIND environment variable

Updates:

• systemd 231
• dracut 044
• Linux 4.7.1
• btrfs-progs 4.4.1
• libusb 1.0.19
• rkt 1.13.0
• Ignition 0.10.0
• Locksmith 0.4.0
• Docker 1.12.1
• containerd 0.2.3
• runc untagged (Docker uses this untagged version of runc)
• fleet 0.11.8
• curl 7.50.1

Security:

• It is no longer necessary to be a member of the wheel group in order to be able to run the su command.
  • If this behaviour is desired, copy the /lib/pam.d/su file to /etc/pam.d/su and edit it to add auth required pam_wheel.so use_uid directly under auth sufficient pam_rootok.so.
• Enable ioctl() and getattr() on pipefs permissions

Bug Fixes:

• Add missing line wrap in etcd-wrapper
• Use the MAC address as the DHCP client ID if the machine is diskless (#1432)
• If coreos.autologin is used, don't check password when entering the emergency shell (#1433)
• Decode Azure userdata for cloud-init properly (#1463)
• Fix colors in PS1 prompt (#1464)
• Allow NSS lookups to succeed if SSSD isn't running (#1466)
• Prune shells that are not installed from /etc/shells (#1474)

Changes:

• Add support for the following in the kernel
  • 3ware 7xxx/8xxx series hardware raid
  • National Semiconductor DP8381x series PCI Ethernet
  • via-rhine network support

Updates:

• Linux 4.7
• rkt 1.11.0
• Ignition 0.8.0
• coreos-metadata 0.5.0

Security Updates:

• wget 1.18 (for ARM64) CVE-2016-4971

Bug Fixes:

• When installing, zero the end of the disk to ensure ZFS data is cleared (#1398)
• Fix a few issues related to moving flannel into a rkt container (#1436 #1445 #1439)
• Ensure transient systemd units are started properly (#1430)
• Use a stable DHCP client identifier when PXE booting (#1432)
• Properly escape systemd specifiers (#1459)

Changes:

• Enabled TCM support in the kernel
• Enabled support for JMicron PATA drives in the kernel
• Enabled kerberos support in SSSD and sshd

Additions:

• etcd-wrapper
  • This wrapper script will allow arbitrary versions of etcd to be fetched and run within a rkt container.
• libgpg-error 1.19

Updates:

• Linux 4.6.4
• rkt 1.10.1
• Ignition 0.7.1
• coreutils 8.25

Bug Fixes:

• Include work-around for empty SSH host keys (#106)
• Include kernel modules and firmware in initramfs (#1263)
• Fix parsing of the user database which caused systemd-sysusers to crash (#1394)
• Fix handling of certain unicode characters in bash (#1411)
• Fix sudoers options for created users on Azure

Changes:

• Kubernetes kubelet has been removed from the image
• flanneld has been moved from early-docker to a rkt container
• Enable TCM_IBLOCK and TCM_USER2 in Linux
• Set group for /dev/kvm

Additions:

• quota 4.02 (including rpc.rquotad) added to the image

Updates:

• Linux 4.6.3
• bash 4.3_p46
• rkt 1.9.1
• docker 1.11.2
• runc 0.1.0
• containerd 0.2.0

Updates:

• Linux 4.6.3 CVE-2016-4997 and CVE-2016-4998
• dhcpcd 6.10.1 CVE-2016-1503
• libgcrypt 1.6.5 CVE-2015-7511

Bug Fixes:

• Fix errors in Docker related to setting cpu-shares (#1289)
• Fix failure when relabelling layers in Docker (#1301)
• Fix issue causing coreos-metadata to crash (#1306)

Updates:

• rkt 1.8.0
• Ignition 0.7.0
• coreos-metadata 0.4.1
• wa-linux-agent 2.1.3

Changes:

• Remove file, portage, python, and a number of other packages that were mistakenly added to the image in 1045.0.0
• Populate /etc/hosts with an entry for localhost when the file is absent
• Grant more SELinux permissions on chr_files in container context
• Build Docker with support for the journald logging driver

Updates:

• ntp 4.2.8p8
• rkt 1.7.0

Changes:

• Fix using containers interactively with SELinux coreos-overlay#1986
• ARM64: experimental support for updates and Cavium ThunderX

Security Fixes:

• Fall back to pam_deny in authentication (Security Brief)
• Remove login shell for operator user
• Stop disabling SHA512 password hashes in PAM
  • This restores the previous pre-PAM behavior of allowing SHA512 password hashes

Changes:

• The image signing key has been updated again, revoking the sub-key that signed 1045.0.0 and 1047.0.0 and adding a new sub-key for this and future releases.
• Add rkt-admin group which has access to /etc/rkt
• GCE images are now provisioned by Ignition instead of coreos-cloudinit

Updates:

• Linux 4.6
• rkt 1.6.0
• Ignition 0.6.0
• coreos-cloudinit 1.11.0
• Google Compute Daemon 1.3.2

Changes:

• Change systemd's default per-unit task limit from 512 back to unlimited, restoring the behavior of previous releases. A custom limit may be specified via TasksMax individual units or DefaultTasksMax in /etc/systemd/system.conf. #1281
• Fix path to stage1-fly.aci in the kubelet-wrapper script. #1282
• Fix PAM library error in rkt's stage1-coreos.aci. #1283

Updates:

• Linux 4.5.3
• rkt 1.5.1
• coreos-cloudinit 1.10.1
• coreos-metadata 0.4.0
• Ignition 0.5.0

Changes:

• Image downloads are now signed with a new sub-key. https://coreos.com/security/image-signing-key/
• Permit execmem in SELinux policy. #1258
• Add sssd and realmd for integrating with centralized account/auth services. Experimental.
• coreos-install now downloads images over HTTPS

Security Updates:

• OpenSSL 1.0.2h for CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2176
• ntpd 4.2.8p7 for CVE-2016-1551, CVE-2016-1549, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519, CVE-2016-1547, CVE-2016-1548, CVE-2015-7704, CVE-2015-8138, CVE-2016-1550
• git 2.7.3-r1 for CVE-2015-7545, CVE-2016-2315, CVE-2016-2315
• jq 1.5-r2 for CVE-2015-8863

Security Updates:

• ntpd 4.2.8p7

Fixes:

• Whitelisted devices with SCSI_IDENT property (#1236)
• Fixed docker cpu share setting (#1246)

Changes:

• PAM enabled for sshd
• Removed the newly-imposed TaskMax limit for Docker

Updates:

• Linux 4.5.2
• systemd v229
• OpenSSH 7.2p2 for CVE-2016-3115
• etcd 2.3.2
• Go binaries now built with 1.5.4

Changes:

• Partially enable PAM, sshd does not use it by default yet, sudo and console access do.
• Enable SELinux option (-Z) for coreutils. #1059
• Include iSCSI and multipath tools #634
• Enabled pids/hugetlb cgroup controllers.
• Enabled pl2302 usb serial driver.
• Fix OS detection when using the kublet-wrapper script.
• Fix intermittent problems while detecting Exoscale and CloudStack metadata services. coreos-overlay#1893

Fixes:

• Fix high-CPU-load issue with systemd-udevd on Hyper-V (#1036)
• Repair GPT headers before attempting to randomize the disk GUID (#1091)
• Fix vxlan networking issues on Azure when under high load (#1156)
• Cease forwarding the journal to the console (#1162)
• Fix binary resolution error in systemd-nspawn (#1196)
• Fix systemd-networkd assertion failure when stopping (#1197)

Changes:

• DSA support has been removed from OpenSSH
• Enabled DHCPv6
• Added prefixes to grub TPM events to indicate their provenance
• tpm_hostpolicy tool generates a TPM policy file based on host characteristics
• Known good TPM PCR values for CoreOS are now shipped alongside the OS

Updates:

• Linux 4.5.0
• etcd 2.3.1
• fleet 0.11.7
• Ignition 0.4.0
• coreos-cloudinit 1.10.0

Fixes:

• updated grub to rectify a bug in systems with TPM firmware but a disabled TPM. Support for netboot via grub was improved, and the mechanism used to measure system state into the TPM was modified.

Updates:

• rkt 1.2.1
• Docker 1.10.3
• Ignition 0.3.3
  • Fixes boot failures on EC2 when no config is supplied.
• coreos-cloudinit 1.9.3
• util-linux-2.27-1

Changes:

• tpmown utility added - run to enable and take ownership of a system TPM. This may trigger a system reboot if required for the firmware to change the TPM state.

Security Updates:

• Git 2.7.3 (CVE-2016-2324, CVE-2016-2315)

Fixes:

• systemd-journald:
  • Journal offlining is now performed asynchronously and ftruncates coalesced, helps fix:
    • https://github.com/coreos/bugs/issues/334
    • https://github.com/coreos/bugs/issues/990
  • Archived/rotated journals are now explicitly made durable when closing, reducing likelihood unclean shutdown corrupting recently rotated journals.
• systemd sd-event: fixed priority queue comparison function, fixes:
  • http://lists.freedesktop.org/archives/systemd-devel/2015-September/034356.html

Updates:

• Linux 4.4.6
• rkt 1.1.0
• sudo 1.8.15
• nspr 4.12
• Ignition 0.3.2

Changes:

• fleet now runs as the fleet user instead of root.

Changes:

• The VMWare OVA image now defines variables that can be used to configure networking, provide a cloud config, and more. The required functionality is provided by cloudinit 1.9.0 and later.
• Enabled ENCLOSURE_SERVICES, SCSI_ENCLOSURE, GCM, and FIB options in the kernel. #1152 #1150 #1096
• Include headers required for building external modules in /lib/modules/$(uname -r)/build. #1082

Updates:

• The Go compiler has been updated to 1.5.3
• Linux 4.4.4

Security Updates:

• OpenSSL 1.0.2g, for CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800 (DROWN)

Fixes:

• Modify systemd's ConditionNeedsUpdate so that it will pass whenever /usr is changed, not only when it is newer. This will properly trigger user and group creation. (#1137)

Updates:

• Linux 4.4.3
  • Enabled CONFIG_DLM
• curl 7.47.1
• wget 1.17.1
• git 2.4.10
• jq 1.5
• Docker 1.10.2
• coreos-cloudinit 1.9.2
• Ignition 0.3.1

Changes:

• Patch Kubelet v1.1.2 with updated go-dockerclient libarary for docker v1.10.x support
• Enabled EC ciphersuites in OpenSSL

Fixes:

• Revert fix for networkd links unlinking (#1140)
• Override Docker's native cgroup driver to use systemd (#1132)
  • This exec option is provided in the DOCKER_CGROUPS environment variable within docker.service. This can be overridden or removed via a systemd unit drop-in.

Changes:

• wa-linux-agent 2.0.16

Changes:

• Added a new script for launching the kublet under rkt, the bundled /usr/bin/kublet is still available but deprecated. New documentation is still in progress.

Updates:

• Docker 1.10.1
• go-tspi master

Fixes:

• glibc patched for CVE-2014-8121, CVE-2015-8776, CVE-2015-8778, CVE-2015-8779, and CVE-2015-7547 coreos-overlay#1172

Additions:

• New image type openstack_mini which is identical to openstack but with a smaller root filesystem to offer a little more flexibility in how the disk image is used.

Fixes:

• Update to polkit 0.113 again, due to a packaging bug it was mistakenly downgraded to 0.112 in CoreOS 942.0.0.
• Fix install location of rkt's stage1 ACIs so the --stage1-from-dir option works correctly rkt #2160

Updates:

• Linux 4.4.1
• coreos-cloudinit 1.9.0
• socat 1.7.3.1

Fixes:

• Add an [Install] section to flanneld's systemd unit. #1102
• Add support for Ignition in coreos-install.

Updates:

• Docker 1.10
• etcd 2.2.5
• rkt 1.0

Fixes:

• Update to OpenSSL 1.0.2f for CVE-2016-0701 and CVE-2015-3197 and updates CVE-2015-4000 (logjam)

Changes:

• Disabled LLMNR in systemd-networkd. To re-enable it, you must override the configuration snippet:

  mkdir -p /etc/systemd/resolved.conf.d
  ln -s /dev/null /etc/systemd/resolved.conf.d/10-disable-llmnr.conf
  

• Allow override flannel docker image via an environment variable #1079

Updates:

• rkt 0.16.0

Fixes:

• Update to ntp 4.2.8p6, which addresses a number of bugs and medium/low CVEs since the prior version of 4.2.8p3.

Changes:

• Minimum password length has been increased to eight

Fixes:

• Fix keyring ref leak in kernel CVE-2016-0728

Changes:

• Enable BINFMT_MISC support in the kernel

Fixes:

• Fix security issue in OpenSSH 7.1p1, applying the small patch recommended in the 7.1p2 release notes. CVE-2016-0777

Security Fixes:

• GRUB: Fix for reading username and password (CVE-2015-8370)

Updates:

• rkt 0.15.0
• Linux 4.4
• Ignition 0.2.6
• etcd 2.2.4

Changes:

• Match ETCD_SSL_DIR between host system and flannel container

Updates:

• etcd 2.2.3
• Ignition 0.2.5

Fixes:

• Two out of three of the fixes for using SELinux with Docker #1015
• Keep a copy of System.map under lib/modules coreos-overlay#1698

Bug Fixes:

• Increase systemd-journal-remote per-connection memory limits #927
• Stop using invalid name in disk resize script when using CCISS driver #1037

Changes:

• btrfs-progs 4.2.2
• glibc 2.21
• Linux 4.3.3
  • Enabled kernel FSCACHE for CEPH, CIFS, NFS and 9P network filesystems

Security Fixes:

• OpenSSL 1.0.2e (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, and CVE-2015-1794)

Bugs Fixed:

• Remove etcd2 service timeout limit (https://github.com/coreos/bugs/issues/936)
• Fixed regression which prevented machinectl login from functioning (https://github.com/coreos/bugs/issues/1002)
• Fixed shutdown behavior so that it cleanly terminates SSH connections (https://github.com/coreos/bugs/issues/1009)
• Fixed issue which caused systemd-nspawn to crash in certain situations (https://github.com/coreos/bugs/issues/1010)
• Included missing bnx2x firmware (https://github.com/coreos/bugs/issues/1016)
• Enable SCSI_AIC79XX in the kernel (https://github.com/coreos/bugs/issues/1026)
• Fixed inability to schedule kubernetes pods (https://github.com/kubernetes/kubernetes/issues/16961)