Weekly portage-stable package updates 2026-03-23

.github/workflows/portage-stable-packages-list

@@ -553,6 +553,7 @@ net-libs/libpsl
 net-libs/libslirp
 net-libs/libtirpc
 net-libs/nghttp2
+net-libs/ngtcp2
 net-libs/rpcsvc-proto
 
 net-misc/bridge-utils

changelog/security/2026-04-10-weekly-updates.md

@@ -0,0 +1,3 @@
+- go ([CVE-2025-61726](https://www.cve.org/CVERecord?id=CVE-2025-61726), [CVE-2025-61728](https://www.cve.org/CVERecord?id=CVE-2025-61728), [CVE-2025-61730](https://www.cve.org/CVERecord?id=CVE-2025-61730), [CVE-2025-61731](https://www.cve.org/CVERecord?id=CVE-2025-61731), [CVE-2025-68119](https://www.cve.org/CVERecord?id=CVE-2025-68119), [CVE-2025-68121](https://www.cve.org/CVERecord?id=CVE-2025-68121), [CVE-2025-61732](https://www.cve.org/CVERecord?id=CVE-2025-61732), [CVE-2026-25679](https://www.cve.org/CVERecord?id=CVE-2026-25679), [CVE-2026-27139](https://www.cve.org/CVERecord?id=CVE-2026-27139), [CVE-2026-27142](https://www.cve.org/CVERecord?id=CVE-2026-27142))
+- expat ([CVE-2026-32776](https://www.cve.org/CVERecord?id=CVE-2026-32776), [CVE-2026-32777](https://www.cve.org/CVERecord?id=CVE-2026-32777), [CVE-2026-32778](https://www.cve.org/CVERecord?id=CVE-2026-32778))
+- systemd ([CVE-2026-40223](https://www.cve.org/CVERecord?id=CVE-2026-40223), [CVE-2026-40226](https://www.cve.org/CVERecord?id=CVE-2026-40226))

changelog/updates/2026-04-10-weekly-updates.md

@@ -0,0 +1,18 @@
+- SDK: go ([1.25.8](https://go.dev/doc/devel/release#go1.25.8) (includes [1.25.7](https://go.dev/doc/devel/release#go1.25.7), [1.25.6](https://go.dev/doc/devel/release#go1.25.6)))
+- base, dev: cryptsetup ([2.8.4](https://gitlab.com/cryptsetup/cryptsetup/-/raw/v2.8.4/docs/v2.8.4-ReleaseNotes))
+- base, dev: expat ([2.7.5](https://github.com/libexpat/libexpat/blob/R_2_7_5/expat/Changes))
+- base, dev: less ([692](https://greenwoodsoftware.com/less/news.692.html) (includes [691](https://greenwoodsoftware.com/less/news.691.html)))
+- base, dev: lvm2 ([2.03.37](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_37) (includes [2.03.36](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_36), [2.03.35](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_35), [2.03.34](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_34), [2.03.33](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_33), [2.03.32](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_32), [2.03.31](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_31), [2.03.30](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_30), [2.03.29](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_29), [2.03.28](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_28), [2.03.27](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_27), [2.03.26](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_26), [2.03.25](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_25), [2.03.24](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_24), [2.03.23](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_23), [2.03.22](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_22)))
+- base, dev: mdadm ([4.5](https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/tree/CHANGELOG.md?h=mdadm-4.5))
+- base, dev: multipath-tools ([0.14.3](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.14.3/NEWS.md) (includes [0.14.2](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.14.2/NEWS.md), [0.14.1](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.14.1/NEWS.md), [0.14.0](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.14.0/NEWS.md), [0.13.0](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.13.0/NEWS.md), [0.12.0](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.12.0/NEWS.md), [0.11.0](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.11.0/NEWS.md), [0.10.0](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.10.0/NEWS.md), [0.9.9](https://raw.githubusercontent.com/opensvc/multipath-tools/refs/tags/0.9.9/NEWS.md)))
+- base, dev: nfs-utils ([2.8.5](https://lwn.net/Articles/1056938/) (includes [2.8.4](https://lwn.net/Articles/1037951/), [2.8.3](https://lwn.net/Articles/1015990/), [2.8.2](https://lwn.net/Articles/1001669/), [2.8.1](https://lwn.net/Articles/994839/))
+- base, dev: samba ([4.23.6](https://www.samba.org/samba/history/samba-4.23.6.html) (includes [4.23.5](https://www.samba.org/samba/history/samba-4.23.5.html), [4.23.4](https://www.samba.org/samba/history/samba-4.23.4.html), [4.23.3](https://www.samba.org/samba/history/samba-4.23.3.html), [4.23.2](https://www.samba.org/samba/history/samba-4.23.2.html), [4.23.1](https://www.samba.org/samba/history/samba-4.23.1.html), [4.23.0](https://www.samba.org/samba/history/samba-4.23.0.html)))
+- base, dev: shadow ([4.19.3](https://github.com/shadow-maint/shadow/releases/tag/4.19.3) (includes [4.19.2](https://github.com/shadow-maint/shadow/releases/tag/4.19.2), [4.19.1](https://github.com/shadow-maint/shadow/releases/tag/4.19.1), [4.19.0](https://github.com/shadow-maint/shadow/releases/tag/4.19.0), [4.18.0](https://github.com/shadow-maint/shadow/releases/tag/4.18.0), [4.17.0](https://github.com/shadow-maint/shadow/releases/tag/4.17.0), [4.16.0](https://github.com/shadow-maint/shadow/releases/tag/4.16.0), [4.15.0](https://github.com/shadow-maint/shadow/releases/tag/4.15.0)))
+- base, dev: socat ([1.8.1.1](https://repo.or.cz/socat.git/blob/refs/tags/tag-1.8.1.1:/CHANGES))
+- base, dev: strace ([6.19](https://github.com/strace/strace/releases/tag/v6.19))
+- base, dev: systemd ([259.4](https://raw.githubusercontent.com/systemd/systemd/refs/tags/v259.4/NEWS))
+- base, dev: tdb ([1.4.14](https://gitlab.com/samba-team/samba/-/commit/823ed52d5c561d8598da251154571402a307b367))
+- base, dev: tevent ([0.17.1](https://gitlab.com/samba-team/samba/-/commit/ebf4c4773733d2aae14c96f70681211ae40c1c18) (includes [0.17.0](https://gitlab.com/samba-team/samba/-/commit/2401f844c8beb7e856b79fb57f8e4c079b3fb0f0)))
+- base, dev: userspace-rcu ([0.15.6](https://lwn.net/Articles/1055984/))
+- dev: man-pages ([6.16](https://lwn.net/Articles/1044066/) (includes [6.15](https://sourceware.org/pipermail/libc-alpha/2025-July/168842.html), [6.14](https://lkml.org/lkml/2025/5/9/32), [6.13](https://lkml.org/lkml/2025/3/7/1714), [6.12](https://lkml.org/lkml/2025/2/24/432), [6.11](https://lwn.net/Articles/1009902/)))
+- sysext-zfs: zfs ([2.3.6](https://github.com/openzfs/zfs/releases/tag/zfs-2.3.6) (includes [2.3.5](https://github.com/openzfs/zfs/releases/tag/zfs-2.3.5)))

sdk_container/src/third_party/coreos-overlay/app-emulation/amazon-ssm-agent/amazon-ssm-agent-3.3.2299.0.ebuild → sdk_container/src/third_party/coreos-overlay/app-emulation/amazon-ssm-agent/amazon-ssm-agent-3.3.2299.0-r1.ebuild

@@ -1,31 +1,27 @@
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
-COREOS_GO_PACKAGE="${GITHUB_URI}"
+inherit go-env go-module sysroot systemd
 
-inherit coreos-go-depend golang-vcs-snapshot systemd
-
-EGO_PN="github.com/aws/${PN}"
 DESCRIPTION="AWS Systems Manager Agent"
 HOMEPAGE="https://github.com/aws/amazon-ssm-agent"
+SRC_URI="https://github.com/aws/amazon-ssm-agent/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
 LICENSE="Apache-2.0"
-SRC_URI="https://${EGO_PN}/archive/${PV}.tar.gz -> ${P}.tar.gz ${EGO_VENDOR_URI}"
 SLOT="0"
 KEYWORDS="amd64 arm64"
 
-S="${WORKDIR}/${PN}-${PV}/src/${EGO_PN}"
-
 src_prepare() {
 	default
-	ln -s ${PWD}/vendor/src/* ${PWD}/vendor/
+	# Drop clearing of GOARCH and GOOS - it causes go run to
+	# create a binary for CBUILD, but then go run also invokes the
+	# binary using qemu-CHOST, because we use -exec flag when
+	# cross-compiling
+	sed -i -e 's/GOARCH= GOOS= go run/go run/' makefile || die
 }
 
 src_compile() {
-	go_export
-
-	# set agent release version
-	BRAZIL_PACKAGE_VERSION=${PV} ${EGO} run ./agent/version/versiongenerator/version-gen.go
 	# build all the tools
 	if [[ "${ARCH}" == "arm64" ]]; then
 		emake build-arm64

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd

@@ -1,7 +1,4 @@
 flatcar_systemd_meson_args_array=(
-    # Point to our user mailing list.
-    -Dsupport-url='https://groups.google.com/forum/#!forum/flatcar-linux-user'
-
     # Use our ntp servers.
     -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
 

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-fs/multipath-tools

@@ -2,12 +2,12 @@ cros_post_src_install_add_dropin() {
 	mkdir -p "${D}$(systemd_get_systemunitdir)/multipathd.service.d"
 	cat <<EOF >"${D}$(systemd_get_systemunitdir)/multipathd.service.d/flatcar.conf"
 [Service]
-# Multipathd sets itself to sched_rr with highest priority.
-# Cgroups2 doesn't support realtime processes outside the root cgroup,
+# Set LimitRTPRIO to zero to tell multipathd to not even attempt
+# enabling the real-time scheduling. We do this, because cgroups2
+# doesn't support real-time processes outside the root cgroup -
 # if any such process exists then cpu controller can't be enabled.
-# This poses a bit of a dilemma.
-# Block realtime control for the process, but give it highest non-rt priority.
-RestrictRealtime=yes
-Nice=-20
+# Upstream unit already sets CPUWeight to 1000 to have a sufficient
+# priority in case of normal scheduling.
+LimitRTPRIO=0
 EOF
 }

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-containers/cri-tools/0000-Do-not-explicitly-pass-GOFLAGS.patch

@@ -0,0 +1,42 @@
+From ab81f8e0860e2c47283415afd1713188b22127ea Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <jlecuirot@microsoft.com>
+Date: Mon, 13 Apr 2026 11:20:12 +0100
+Subject: [PATCH] Makefile: Don't explicitly pass GOFLAGS to go commands
+
+go automatically checks GOFLAGS and filters unknown flags for you, e.g.
+it will drop the go run -exec flag when doing go build. Explicitly
+passing GOFLAGS breaks this filtering.
+
+Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
+---
+ Makefile | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 3576643c03..cf7eb37d0e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -100,7 +100,6 @@ critest: ## Build the critest binary.
+ $(CRITEST):
+ 	CGO_ENABLED=$(CGO_ENABLED) $(GO_TEST) -c -o $@ \
+ 		-ldflags '$(GO_LDFLAGS)' \
+-		$(GOFLAGS) \
+ 	     $(PROJECT)/cmd/critest
+
+ .PHONY: crictl
+@@ -110,7 +109,6 @@ crictl: ## Build the crictl binary.
+ $(CRICTL):
+ 	CGO_ENABLED=$(CGO_ENABLED) $(GO_BUILD) -o $@ \
+ 		-ldflags '$(GO_LDFLAGS)' \
+-		$(GOFLAGS) \
+ 		$(PROJECT)/cmd/crictl
+
+ .PHONY: clean
+@@ -200,7 +198,6 @@ test-crictl: $(GINKGO) ## Run the crictl test suite.
+ 	# Run go test for templates_test.go and util_test.go
+ 	CGO_ENABLED=$(CGO_ENABLED) $(GO_TEST) \
+ 		-ldflags '$(GO_LDFLAGS)' \
+-		$(GOFLAGS) \
+ 		$(PROJECT)/cmd/crictl
+ 	$(GINKGO) $(TESTFLAGS) \
+ 		-r -p \

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-containers/cri-tools/README.md

@@ -0,0 +1,4 @@
+`0000-Do-not-explicitly-pass-GOFLAGS.patch` patch is taken from
+https://github.com/kubernetes-sigs/cri-tools/pull/2048/. Not currently
+merged, so it needs to be checked if updating to cri-tools >1.35.0
+(current release at the time of writing this message).

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch

@@ -1,7 +1,7 @@
-From 6055d8b50c4a39d3e5f4fa0cf017a3b04786c5ba Mon Sep 17 00:00:00 2001
+From 3e713e019ab2e13e0d48bf30bab0ddaf3573458d Mon Sep 17 00:00:00 2001
 From: David Michael <dm0@redhat.com>
 Date: Tue, 16 Apr 2019 02:44:51 +0000
-Subject: [PATCH 01/20] wait-online: set --any by default
+Subject: [PATCH 01/14] wait-online: set --any by default
 
 The systemd-networkd-wait-online command would normally continue
 waiting after a network interface is usable if other interfaces are

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch

@@ -1,7 +1,7 @@
-From 5bff53a23228b10d93d342510f0ffd41185e3011 Mon Sep 17 00:00:00 2001
+From d34fa493e6d69b97633e329d55413a549da8239d Mon Sep 17 00:00:00 2001
 From: Alex Crawford <alex.crawford@coreos.com>
 Date: Wed, 2 Mar 2016 10:46:33 -0800
-Subject: [PATCH 02/20] needs-update: don't require strictly newer usr
+Subject: [PATCH 02/14] needs-update: don't require strictly newer usr
 
 Updates should be triggered whenever usr changes, not only when it is newer.
 ---
@@ -23,7 +23,7 @@ index d9d78262a1..761bbdecca 100644
      This requires that updates to <filename>/usr/</filename> are always
      followed by an update of the modification time of
 diff --git a/src/shared/condition.c b/src/shared/condition.c
-index b09eff1bfb..3a170b1820 100644
+index 15e3ee9840..381378e77a 100644
 --- a/src/shared/condition.c
 +++ b/src/shared/condition.c
 @@ -817,7 +817,7 @@ static int condition_test_needs_update(Condition *c, char **env) {

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch

@@ -1,7 +1,7 @@
-From df56cf2ad0c6c84a22e9fca8893c610b82b78377 Mon Sep 17 00:00:00 2001
+From 2cc519ebec4f01f76bcdcde61259ba23a810ea30 Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <avladu@cloudbasesolutions.com>
 Date: Fri, 16 Feb 2024 11:22:08 +0000
-Subject: [PATCH 03/20] core: use max for DefaultTasksMax
+Subject: [PATCH 03/14] core: use max for DefaultTasksMax
 
 Since systemd v228, systemd has a DefaultTasksMax which defaulted
 to 512, later 15% of the system's maximum number of PIDs.  This
@@ -21,7 +21,7 @@ Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
-index cf5a3612f6..a0f9f8ba57 100644
+index b7fe53dc9c..175fe67139 100644
 --- a/man/systemd-system.conf.xml
 +++ b/man/systemd-system.conf.xml
 @@ -227,7 +227,7 @@
@@ -34,10 +34,10 @@ index cf5a3612f6..a0f9f8ba57 100644
          Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
          For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 20a535f2f4..be1c352045 100644
+index a5a51023c5..ef0ce9e31d 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -112,7 +112,7 @@
+@@ -113,7 +113,7 @@
  /* How many units and jobs to process of the bus queue before returning to the event loop. */
  #define MANAGER_BUS_MESSAGE_BUDGET 100U
 

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch

@@ -1,7 +1,7 @@
-From 38ef166d85928d1f806bc48f3d29f45563d1abde Mon Sep 17 00:00:00 2001
+From a8c18ecc95e15af2d669649115826430698dcc5d Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Tue, 20 Dec 2016 16:43:22 +0000
-Subject: [PATCH 04/20] systemd: Disable SELinux permissions checks
+Subject: [PATCH 04/14] systemd: Disable SELinux permissions checks
 
 We don't care about the interaction between systemd and SELinux policy, so
 let's just disable these checks rather than having to incorporate policy
@@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
-index 8ccc31630d..34e9cebee8 100644
+index 7457b3d456..82afe343dd 100644
 --- a/src/core/selinux-access.c
 +++ b/src/core/selinux-access.c
 @@ -2,7 +2,7 @@
@@ -22,8 +22,8 @@ index 8ccc31630d..34e9cebee8 100644
 -#if HAVE_SELINUX
 +#if 0
 
- #include <selinux/avc.h>
- #include <selinux/selinux.h>
+ #include <unistd.h>
+
 -- 
 2.52.0
 

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch

@@ -1,7 +1,7 @@
-From 4e071bef0713099cfe2540a5576744c0e5c41723 Mon Sep 17 00:00:00 2001
+From 33a603bb00fce6e4c3b4faf80157e8532932fb00 Mon Sep 17 00:00:00 2001
 From: Sayan Chowdhury <schowdhury@microsoft.com>
 Date: Fri, 16 Dec 2022 16:28:26 +0530
-Subject: [PATCH 05/20] Revert "getty: Pass tty to use by agetty via stdin"
+Subject: [PATCH 05/14] Revert "getty: Pass tty to use by agetty via stdin"
 
 This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
 
@@ -17,17 +17,17 @@ Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
  4 files changed, 12 insertions(+), 12 deletions(-)
 
 diff --git a/units/console-getty.service.in b/units/console-getty.service.in
-index 967d8337ab..1f2d8b910f 100644
+index 278048724f..5731e68d8f 100644
 --- a/units/console-getty.service.in
 +++ b/units/console-getty.service.in
 @@ -20,12 +20,12 @@ Before=getty.target
  ConditionPathExists=/dev/console
 
  [Service]
--ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
+-ExecStart=-{{AGETTY}} --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
 +# The '-o' option value tells agetty to replace 'login' arguments with '--' for
 +# safety, and then the entered username.
-+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM}
++ExecStart=-{{AGETTY}} -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 console ${TERM}
  Type=idle
  Restart=always
  UtmpIdentifier=cons
@@ -37,17 +37,17 @@ index 967d8337ab..1f2d8b910f 100644
  TTYReset=yes
  TTYVHangup=yes
 diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in
-index e0b27613df..5f27653d1f 100644
+index 18e5a98a7f..568fcd1e53 100644
 --- a/units/container-getty@.service.in
 +++ b/units/container-getty@.service.in
 @@ -25,13 +25,13 @@ Conflicts=rescue.service
  Before=rescue.service
 
  [Service]
--ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
+-ExecStart=-{{AGETTY}} --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
 +# The '-o' option value tells agetty to replace 'login' arguments with '--' for
 +# safety, and then the entered username.
-+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear pts/%I ${TERM}
++ExecStart=-{{AGETTY}} -o '-- \\u' --noreset --noclear pts/%I ${TERM}
  Type=idle
  Restart=always
  RestartSec=0
@@ -58,17 +58,17 @@ index e0b27613df..5f27653d1f 100644
  TTYReset=yes
  TTYVHangup=yes
 diff --git a/units/getty@.service.in b/units/getty@.service.in
-index 104c4acc96..1819627d1c 100644
+index 15f1a572fd..a3285d956e 100644
 --- a/units/getty@.service.in
 +++ b/units/getty@.service.in
 @@ -34,13 +34,13 @@ Before=rescue.service
  ConditionPathExists=/dev/tty0
 
  [Service]
--ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
+-ExecStart=-{{AGETTY}} --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d - ${TERM}
 +# The '-o' option value tells agetty to replace 'login' arguments with '--' for
 +# safety, and then the entered username.
-+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear %I ${TERM}
++ExecStart=-{{AGETTY}} -o '-- \\u' --noreset --noclear %I ${TERM}
  Type=idle
  Restart=always
  RestartSec=0
@@ -79,17 +79,17 @@ index 104c4acc96..1819627d1c 100644
  TTYReset=yes
  TTYVHangup=yes
 diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in
-index 0134c83d48..ba4cbc0edb 100644
+index 8b5a63d681..29ab8a0533 100644
 --- a/units/serial-getty@.service.in
 +++ b/units/serial-getty@.service.in
 @@ -30,12 +30,12 @@ Conflicts=rescue.service
  Before=rescue.service
 
  [Service]
--ExecStart=-/sbin/agetty --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
+-ExecStart=-{{AGETTY}} --noreset --noclear --issue-file=/etc/issue:/etc/issue.d:/run/issue.d:/usr/lib/issue.d --keep-baud 115200,57600,38400,9600 - ${TERM}
 +# The '-o' option value tells agetty to replace 'login' arguments with '--' for
 +# safety, and then the entered username.
-+ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM}
++ExecStart=-{{AGETTY}} -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 %I ${TERM}
  Type=idle
  Restart=always
  UtmpIdentifier=%I

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch

@@ -1,7 +1,7 @@
-From b097e139801009d722c33a9580bcda23a4a7a1e1 Mon Sep 17 00:00:00 2001
+From 6c83b73ac087aaa1f08551c064cbac119ad92490 Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <avladu@cloudbasesolutions.com>
 Date: Fri, 16 Feb 2024 11:29:04 +0000
-Subject: [PATCH 06/20] units: Keep using old journal file format
+Subject: [PATCH 06/14] units: Keep using old journal file format
 
 Systemd 252 made an incompatible change in journal file format. Temporarily
 force journald to use the old journal format to give logging containers more

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch

@@ -1,7 +1,7 @@
-From 0ba9b9356861f8012c0e7794d9c61ebf21a9c6d7 Mon Sep 17 00:00:00 2001
+From 9d6db023c34d96b582e763da77c464629266f8e8 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak <knowak@microsoft.com>
 Date: Wed, 22 Oct 2025 10:39:42 +0200
-Subject: [PATCH 07/20] tmpfiles.d: Fix DNS issues with default k8s
+Subject: [PATCH 07/14] tmpfiles.d: Fix DNS issues with default k8s
  configuration
 
 The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy