What's new in Container Linux by CoreOS 2303.3.0
Dec 5, 2019
New in Container Linux by CoreOS 2247.7.0 (Nov 21, 2019)
- Security fixes:
- Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
- Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
- Bug fixes:
- Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
- Updates:
- intel-microcode 20191115
- Linux 4.19.84
New in Container Linux by CoreOS 2247.6.0 (Nov 8, 2019)
- Bug fixes:
- Fix time zone for Brazil (#2627)
- Updates:
- timezone-data 2019c
New in Container Linux by CoreOS 2191.5.0 (Sep 5, 2019)
- Security fixes:
- Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
- Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)
- Bug fixes:
- Fix GCE agent crash loop in new installs (#2608)
- Updates:
- Linux 4.19.68
New in Container Linux by CoreOS 2191.4.1 (Aug 30, 2019)
- Security fixes:
- Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)
- Updates:
- Linux 4.19.66
- wget 1.20.3
New in Container Linux by CoreOS 2135.6.0 (Aug 6, 2019)
- Updates:
- intel-microcode 20190618
- Linux 4.19.56
New in Container Linux by CoreOS 2135.5.0 (Jul 4, 2019)
- Bug fixes:
- Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)
- Updates:
- Ignition 0.33.0
New in Container Linux by CoreOS 2079.6.0 (Jun 19, 2019)
- Security fixes:
- Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)
- Bug fixes:
- Fix invalid bzip2 compression of Container Linux release images (#2589)
New in Container Linux by CoreOS 2079.5.1 (Jun 8, 2019)
- Bug fixes:
- Fix systemd MountFlags=shared option (#2579)
- Changes:
- Pin network interface naming to systemd v238 scheme (#2578)
New in Container Linux by CoreOS 2079.4.0 (May 16, 2019)
- Security fixes:
- Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)
- Updates:
- intel-microcode 20190514
- Linux 4.19.43
New in Container Linux by CoreOS 2023.5.0 (Mar 18, 2019)
- Security fixes:
- Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)
- Bug fixes:
- Fix systemd-journald memory leak (#2564)
- Updates:
- Linux 4.19.25
New in Container Linux by CoreOS 2023.4.0 (Feb 26, 2019)
- Security fixes:
- Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
- Changes:
- Add AWS regions eu-north-1 and us-gov-east-1
New in Container Linux by CoreOS 1967.6.0 (Feb 13, 2019)
- Bug fixes:
- Fix kernel POSIX timer rearming (#2549)
New in Container Linux by CoreOS 1967.5.0 (Feb 13, 2019)
- Security fixes:
- Fix runc container breakout (CVE-2019-5736)
New in Container Linux by CoreOS 1967.4.0 (Jan 29, 2019)
New in Container Linux by CoreOS 1911.5.0 (Dec 22, 2018)
- Security fixes:
- Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
- Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)
- Updates:
- Go 1.10.6
- Go 1.11.3
- Linux 4.14.84
New in Container Linux by CoreOS 1911.4.0 (Nov 27, 2018)
- Security fixes:
- Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)
- Updates:
- Linux 4.14.81
New in Container Linux by CoreOS 1911.3.0 (Nov 8, 2018)
- Security fixes:
- Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
- Fix systemd race allowing changing file permissions (CVE-2018-15687)
- Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)
New in Container Linux by CoreOS 1855.5.0 (Oct 29, 2018)
- Security fixes:
- Fix Git remote code execution during recursive clone (CVE-2018-17456)
- Updates:
- Git 2.16.5
- Linux 4.14.74
New in Container Linux by CoreOS 1855.4.0 (Sep 12, 2018)
- Bug fixes:
- Fix Docker mounting named volumes (#2497)
New in Container Linux by CoreOS 1800.7.0 (Aug 16, 2018)
- Security fixes:
- Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
- Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)
- Updates:
- intel-microcode 20180703
- Linux 4.14.63
New in Container Linux by CoreOS 1800.6.0 (Aug 7, 2018)
- Security fixes:
- Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)
- Bug fixes:
- Fix failure to mount large ext4 filesystems (#2485)
New in Container Linux by CoreOS 1800.5.0 (Jul 30, 2018)
- Bug fixes:
- Fix kernel CIFS client (#2480)
- Updates:
- Linux 4.14.59
New in Container Linux by CoreOS 1745.7.0 (Jun 16, 2018)
- Fix TCP connection stalls (#2457)
New in Container Linux by CoreOS 1745.6.0 (Jun 12, 2018)
- Bug fixes:
- Fix Hyper-V network driver regression (#2454)
- Updates:
- Linux 4.14.48
New in Container Linux by CoreOS 1745.5.0 (Jun 5, 2018)
- Security fixes:
- Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)
- Bug fixes:
- Fix failure to set network interface MTU (#2443)
- Updates:
- Git 2.16.4
- Linux 4.14.44
New in Container Linux by CoreOS 1745.4.0 (May 25, 2018)
- Bug fixes:
- Fix inadvertent change of network interface names (#2437)
New in Container Linux by CoreOS 1745.3.1 (May 24, 2018)
- Updates:
- Ignition 0.24.1
- Linux 4.14.42
New in Container Linux by CoreOS 1688.5.3 (May 4, 2018)
- Bug fixes:
- Avoid GRUB crash at boot (#2284)
- Fix kernel panic with vxlan (#2382)
New in Container Linux by CoreOS 1688.4.0 (Mar 28, 2018)
- Security fixes:
- Use latest Intel microcode for Spectre v2 mitigation (CVE-2017-5715)
- Updates:
- intel-microcode 20180312
- Linux 4.14.30
New in Container Linux by CoreOS 1632.3.0 (Feb 19, 2018)
- Bug fixes:
- Do not try to check /usr/share/oem filesystem on PXE (#2342)
- Don't separately configure Azure SR-IOV NIC
- Avoid deprecation warnings about OpenSSH UsePrivilegeSeparation option
- Changes:
- Increase the coreos-install timeout for slow storage media
- Add a new subkey for signing release images
- Updates:
- Linux 4.14.19
New in Container Linux by CoreOS 1576.5.0 (Jan 5, 2018)
- Security fixes:
- Fix CPU disclosure of kernel memory to user process (CVE-2017-5754, Meltdown)
- Fix denial of service due to incorrect eBPF sign extension (CVE-2017-16995)
- Bug fixes:
- Don't fail update-ssh-keys, and thus coreos-cloudinit, on an invalid SSH key (#2283)
- Updates:
- Linux 4.14.11
New in Container Linux by CoreOS 1576.4.0 (Dec 12, 2017)
- Security fixes:
- Fix kernel use after free in DCCP (CVE-2017-8824)
- Fix kernel KVM denial of service on Intel processors (CVE-2017-1000407)
- Major changes:
- Update default Docker version from 1.12.6 to 17.09.0
New in Container Linux by CoreOS 1520.8.0 (Oct 29, 2017)
- Security fixes:
- Fix wget overflows in HTTP protocol handling (CVE-2017-13089, CVE-2017-13090)
New in Container Linux by CoreOS 1465.7.0 (Sep 7, 2017)
- Bug fixes:
- Fix ASAN support (#2105)
- Changes:
- Update to a new subkey for signing release images
- Updates:
- Linux 4.12.10
New in Container Linux by CoreOS 1465.6.0 (Sep 5, 2017)
New in Container Linux by CoreOS 1409.8.0 (Aug 12, 2017)
- Security fixes:
- Fix Linux heap out-of-bounds in AF_PACKET sockets (CVE-2017-1000111)
- Fix Linux exploitable memory corruption due to UDP fragmentation offload (CVE-2017-1000112)
- Updates:
- Linux 4.11.12
New in Container Linux by CoreOS 1409.5.0 (Jun 24, 2017)
- Bug fixes:
- Fixed handling of duplicate volumes in rkt fly (#2016)
- Fixed kernel oops in 1409.2.0 with mmap(..., MAP_FIXED, ...)
New in Container Linux by CoreOS 1409.2.0 (Jun 21, 2017)
- Security fixes:
- Fixed stack guard page bypass in Linux (CVE-2017-1000364, Stack Clash)
- Fixed LD_LIBRARY_PATH heap/stack manipulation in glibc (CVE-2017-1000366, Stack Clash)
- Updates:
- Linux 4.11.6
New in Container Linux by CoreOS 1353.8.0 (May 31, 2017)
- Security fixes:
- Fix NSS out-of-bounds write (CVE-2017-5461)
- Bug fixes:
- Fixed kubelet-wrapper leaving behind orphaned pods (#1831)
New in Container Linux by CoreOS 1353.7.0 (May 9, 2017)
- Bug Fixes:
- Fixed sporadic network failures with docker network create (#1936)
New in Container Linux by CoreOS 1353.6.0 (Apr 27, 2017)
- Bug Fixes:
- Fixed kubelet-wrapper failures with /var/log mounted (#1892)
- Fixed containerd crashes (#1909)
- Changes:
- The coreos-metadata provider can be overridden (#1917)
- Updates:
- curl 7.54.0
- Go 1.7.5
- Linux 4.9.24
New in Container Linux by CoreOS 1298.7.0 (Apr 2, 2017)
- Security fixes:
- Fixed local privilege escalation (CVE-2017-7184)
- Bug fixes:
- Fixed a bug where systemd would spam 'Time has been changed' messages (#1868)
- Updates:
- Linux 4.9.16
New in Container Linux by CoreOS 1298.6.0 (Mar 16, 2017)
- Bug Fixes:
- Enabled building the ipvlan kernel module again (#1843)
- Corrected flannel configuration failures on service retries (#1847)
New in Container Linux by CoreOS 1298.5.0 (Mar 7, 2017)
- Bug Fixes:
- Fix useradd defaults in chroots (#1787)
- Upgrades:
- Linux 4.9.9
New in Container Linux by CoreOS 1235.12.0 (Feb 24, 2017)
- Security Fixes:
- Reapplied RunC privilege escalation patch (CVE-2016-9962)
- Fixed RunC ambient capabilities allowing permissions to be bypassed (CVE-2016-8867)
- Fixed DCCP double-free (CVE-2017-6074)
- Changes:
- Images are now generated in the vmware_raw format
- Since 1235.8.0, RunC was built from an incorrect cached source archive which did not include the security patches.
New in Container Linux by CoreOS 1235.9.0 (Feb 3, 2017)
- Fixed sporadic network failures in Docker containers.
New in Container Linux by CoreOS 1185.5.0 (Dec 8, 2016)
- Fix af_packet.c race condition (CVE-2016-8655)
New in Container Linux by CoreOS 1185.3.0 (Nov 2, 2016)
- Removed etcd-wrapper:
- The Stable channel has never contained a version which included this wrapper script and service. If an instance was booted from the Beta or Alpha channels and then moved to the Stable channel, it will lose the etcd-wrapper when it updates to this release.
New in Container Linux by CoreOS 1122.3.0 (Oct 24, 2016)
- Fix privilege escalation vulnerability in Linux kernel - CVE-2016-5195 (Dirty COW)
- Fix denial of service in systemd - CVE-2016-7795
New in Container Linux by CoreOS 1122.2.0 (Sep 7, 2016)
- Bug Fixes:
- Correct nameserver option parsing in networkd (#1456)
- Fix erroneous warning about install sections in service units (#1512)
- Fix timer execution calculation in systemd (#1516)
- Improve journald’s resilience to ENOSPC errors (#1522)
- Build rkt without TEXTREL section (#1525)
- Reintroduce sdnotify-proxy (#1528)
- Changes:
- Removed etcd-wrapper
- The Stable channel has never contained a version which included this wrapper script and service. If an instance was booted from the Beta or Alpha channels and then moved to the Stable channel, it will lose the etcd-wrapper when it updates to this release.
- Updates:
- rkt 1.8.0 (removed on ARM64)
- The Stable channel has never contained a version which included rkt for ARM64. If an ARM64 instance was booted from the Beta or Alpha channels and then moved to the Stable channel, it will lose rkt when it updates to this release.
- Docker 1.10.3
New in Container Linux by CoreOS 1068.10.0 (Aug 23, 2016)
- Fix timer assertion in systemd (#1308)
- Correct nameserver option parsing in networkd (#1456)
- Fix timer execution calculation in systemd (#1516)
- Improve journald’s resilience to ENOSPC errors (#1522)
New in Container Linux by CoreOS 1068.9.0 (Aug 11, 2016)
- Security Updates:
- libcurl 7.50.1 for CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-4802, CVE-2016-3739
New in Container Linux by CoreOS 1068.8.0 (Jul 31, 2016)
- Security Updates:
- libpcre 8.38-r1 for CVE-2014-8964, CVE-2014-8964, CVE-2015-5073, CVE-2015-5073, CVE-2015-5073, CVE-2015-8380, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8392, CVE-2015-8393, CVE-2015-8394, CVE-2015-8395, CVE-2016-1283, CVE-2016-1283
- Bug Fixes:
- Properly escape systemd specifiers (#1459)
New in Container Linux by CoreOS 1068.6.0 (Jul 13, 2016)
- Bug Fixes:
- Fix parsing of the user database which caused systemd-sysusers to crash (#1394)
- Fix handling of certain unicode characters in bash (#1411)
- Fix issue when starting transient services (#1430)
- Include work-around for empty SSH host keys (#106)
- Changes:
- Removed Kubernetes kubelet
- The Stable channel has never contained a version which included the kubelet. If an instance was booted from the Beta or Alpha channels and then moved to the Stable channel, it will lose the kubelet when it updates to this release.
- Set group for /dev/kvm
- Updates:
- coreos-metadata v0.4.1
- bash 4.3_p46
New in Container Linux by CoreOS 1010.6.0 (Jul 3, 2016)
- Linux 4.5.7 + patches for CVE-2016-4997 and CVE-2016-4998
- OpenSSH 7.2p2 for CVE-2016-3115
- dhcpcd 6.10.1 CVE-2016-1503
- libgcrypt 1.6.5 CVE-2015-7511
- rsync 3.1.1
New in Container Linux by CoreOS 1010.5.0 (May 28, 2016)
- Removed Kubernetes kubelet:
- The Stable channel has never contained a version which included the kubelet. If an instance was booted from the Beta or Alpha channels and then moved to the Stable channel, it will lose the kubelet when it updates to this release.
New in Container Linux by CoreOS 899.17.0 (May 4, 2016)
- OpenSSL 1.0.2h
- ntpd 4.2.8p7
- git 2.7.3-r1
- jq 1.5-r2
New in Container Linux by CoreOS 899.15.0 (Apr 5, 2016)
- Fixes:
- fleet 0.11.7 (#1186)
- Fix systemd-networkd assertion failure when stopping (#1197)
New in Container Linux by CoreOS 899.13.0 (Mar 23, 2016)
- Removed Kubernetes kubelet:
- The Stable channel has never contained a version which included the kubelet. If an instance was booted from the Beta or Alpha channels and then moved to the Stable channel, it will lose the kubelet when it updates to this release.
New in Container Linux by CoreOS 835.13.0 (Feb 18, 2016)
- glibc patched for CVE-2015-1781, CVE-2014-8121, CVE-2015-8776, CVE-2015-8778, CVE-2015-8779 and CVE-2015-7547 coreos-overlay#1180
New in Container Linux by CoreOS 835.12.0 (Feb 3, 2016)
- Update to OpenSSL 1.0.2f for CVE-2016-0701 and CVE-2015-3197 and updates CVE-2015-4000 (logjam)
New in Container Linux by CoreOS 835.10.0 (Jan 21, 2016)
- Fix security issue in OpenSSH 6.9p1, applying the small patch recommended in the 7.1p2 release notes. CVE-2016-0777
- Fix keyring ref leak in kernel CVE-2016-0728
New in Container Linux by CoreOS 835.8.0 (Dec 3, 2015)
- Removed Kubernetes kubelet. The Stable channel has never contained a version which included the kubelet. If an instance was booted from the Beta or Alpha channels and then moved to the Stable channel, it will lose the kubelet when it updates to this release.
- coreos-metadata 0.3.0
New in Container Linux by CoreOS 766.5.0 (Nov 8, 2015)
- Bug Fixes:
- Minimize high-order allocations in OverlayFS (https://github.com/coreos/bugs/issues/489)
- Fixed issue causing journald to consume large amounts of CPU (https://github.com/coreos/bugs/issues/322)
- Removed locksmith's dependency on update-engine (https://github.com/coreos/bugs/issues/944)
New in Container Linux by CoreOS 766.4.0 (Sep 30, 2015)
- Changes:
- Linux 4.1.7
- Bug Fixes:
- Correct systemd's handling of machine state on daemon-reload (https://github.com/coreos/bugs/issues/454)
- Fix docker0 bridge failures (https://github.com/coreos/bugs/issues/471)
New in Container Linux by CoreOS 766.3.0 (Sep 10, 2015)
- Linux 4.1.6
- etcd 2.1.2
- coreos-install includes a new image signing GPG key which will be used starting next week.
- Ignition has been removed from the 766 release branch, for now it is only available in alpha releases.
New in Container Linux by CoreOS 723.3.0 (Aug 4, 2015)
- Security Fixes:
- OpenSSL 1.0.1p (CVE-2015-1793)
New in Container Linux by CoreOS 681.0.0 (Jun 10, 2015)
- Docker 1.6.2
- Linux 4.0.3
- coreos-cloudinit 1.4.1
- Use systemd-timesyncd instead of ntpd for time synchronization
- By default, systemd-timesyncd will prefer time servers provided by DHCP and fall back to coreos.pool.ntp.org
- Mount root volume read/write via kernel cmdline instead of in the initramfs
- Blacklist xen_fbfront on ec2 images
- Fixes 30s pause during boot (https://github.com/coreos/bugs/issues/208)
- Enable 3w_sas and 3w_9xxx kernel modules
- openssl 1.0.1m
- dhcpcd 6.6.7
- Updated timezone data to 2015b
New in Container Linux by CoreOS 647.2.0 (May 28, 2015)
- Linux 4.0.1:
- Enable SCSI_MVSAS
New in Container Linux by CoreOS 494.3.0 (Dec 4, 2014)
- coreos-cloudinit v0.10.9
- Temporary shim for Docker's --insecure-registry flag (https://github.com/coreos/coreos-overlay/commit/f6ae1a34d144e3476fb9c31f3c6ff7df9c18c41c)
New in Container Linux by CoreOS 444.4.0 (Oct 10, 2014)
New in Container Linux by CoreOS 367.1.0 (Jul 27, 2014)
- Linux 3.15.2
- Docker 1.0.1
- Support on all major cloud providers, including Rackspace Cloud, Amazon EC2 (including HVM), and Google Compute Engine
- Commercial support via CoreOS Managed Linux