Flatcar Container Linux
    # Flatcar Container Linux Release - April 13th, 2023 [Part 2] #### Stable 3510.2.0 * Go * [CVE-2022-41717](https://nvd.nist.gov/vuln/detail/CVE-2022-41717) CVSSv3 score: 5.3(Medium) An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. * Linux * [CVE-2022-2196](https://nvd.nist.gov/vuln/detail/CVE-2022-2196) CVSSv3 score: 8.8(High) A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a * [CVE-2022-27672](https://nvd.nist.gov/vuln/detail/CVE-2022-27672) CVSSv3 score: 4.7(Medium) When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. * [CVE-2022-3707](https://nvd.nist.gov/vuln/detail/CVE-2022-3707) CVSSv3 score: 5.5(Medium) A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. * [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078) CVSSv3 score: 7.8(High) A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. 
Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. * [CVE-2023-1281](https://nvd.nist.gov/vuln/detail/CVE-2023-1281) CVSSv3 score: n/a Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. * [CVE-2023-1513](https://nvd.nist.gov/vuln/detail/CVE-2023-1513) CVSSv3 score: 3.3(Low) A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. * [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545) CVSSv3 score: 7.8(High) In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. * SDK: Python * [CVE-2015-20107](https://nvd.nist.gov/vuln/detail/CVE-2015-20107) CVSSv3 score: 7.6(High) In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). 
The fix is also back-ported to 3.7, 3.8, 3.9 * [CVE-2020-10735](https://nvd.nist.gov/vuln/detail/CVE-2020-10735) CVSSv3 score: 7.5(High) A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability. * [CVE-2021-3654](https://nvd.nist.gov/vuln/detail/CVE-2021-3654) CVSSv3 score: 6.1(Medium) A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL. * [CVE-2022-37454](https://nvd.nist.gov/vuln/detail/CVE-2022-37454) CVSSv3 score: 9.8(Critical) The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. * [CVE-2022-42919](https://nvd.nist.gov/vuln/detail/CVE-2022-42919) CVSSv3 score: 7.8(High) Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. 
CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9. * [CVE-2022-45061](https://nvd.nist.gov/vuln/detail/CVE-2022-45061) CVSSv3 score: 7.5(High) An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. * SDK: qemu * [CVE-2022-4172](https://nvd.nist.gov/vuln/detail/CVE-2022-4172) CVSSv3 score: 6.5(Medium) An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host. * [CVE-2020-14394](https://nvd.nist.gov/vuln/detail/CVE-2020-14394) CVSSv3 score: 3.2(Low) An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service. 
* [CVE-2022-0216](https://nvd.nist.gov/vuln/detail/CVE-2022-0216) CVSSv3 score: 4.4(Medium) A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service. * [CVE-2022-3872](https://nvd.nist.gov/vuln/detail/CVE-2022-3872) CVSSv3 score: 8.6(High) An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. * SDK: rust * [CVE-2022-46176](https://nvd.nist.gov/vuln/detail/CVE-2022-46176) CVSSv3 score: 5.9(Medium) Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible. 
* [CVE-2022-36113](https://nvd.nist.gov/vuln/detail/CVE-2022-36113) CVSSv3 score: 8.1(High) Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. Mitigations We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. 
Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well. * [CVE-2022-36114](https://nvd.nist.gov/vuln/detail/CVE-2022-36114) CVSSv3 score: 6.5(Medium) Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. 
We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here. * bind tools * [CVE-2022-2795](https://nvd.nist.gov/vuln/detail/CVE-2022-2795) CVSSv3 score: 7.5(High) By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. * [CVE-2022-2881](https://nvd.nist.gov/vuln/detail/CVE-2022-2881) CVSSv3 score: 8.2(High) The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process. * [CVE-2022-2906](https://nvd.nist.gov/vuln/detail/CVE-2022-2906) CVSSv3 score: n/a An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service. * [CVE-2022-3080](https://nvd.nist.gov/vuln/detail/CVE-2022-3080) CVSSv3 score: n/a By sending specific queries to the resolver, an attacker can cause named to crash. * [CVE-2022-38177](https://nvd.nist.gov/vuln/detail/CVE-2022-38177) CVSSv3 score: n/a By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. 
It is possible to gradually erode available memory to the point where named crashes for lack of resources. * [CVE-2022-38178](https://nvd.nist.gov/vuln/detail/CVE-2022-38178) CVSSv3 score: n/a By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. * containerd * [CVE-2022-23471](https://nvd.nist.gov/vuln/detail/CVE-2022-23471) CVSSv3 score: 6.5(Medium) containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. * cpio * [CVE-2021-38185](https://nvd.nist.gov/vuln/detail/CVE-2021-38185) CVSSv3 score: 7.8(High) GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data. 
* curl * [CVE-2022-35252](https://nvd.nist.gov/vuln/detail/CVE-2022-35252) CVSSv3 score: 3.7(Low) When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings. * [CVE-2022-43551](https://nvd.nist.gov/vuln/detail/CVE-2022-43551) CVSSv3 score: 7.5(High) A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. * [CVE-2022-43552](https://nvd.nist.gov/vuln/detail/CVE-2022-43552) CVSSv3 score: 5.9(Medium) A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. 
* [CVE-2022-32221](https://nvd.nist.gov/vuln/detail/CVE-2022-32221) CVSSv3 score: 9.8(Critical) When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. * [CVE-2022-35260](https://nvd.nist.gov/vuln/detail/CVE-2022-35260) CVSSv3 score: 6.5(Medium) curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service. * [CVE-2022-42915](https://nvd.nist.gov/vuln/detail/CVE-2022-42915) CVSSv3 score: 9.8(Critical) curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. 
Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. * [CVE-2022-42916](https://nvd.nist.gov/vuln/detail/CVE-2022-42916) CVSSv3 score: 7.5(High) In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. * dbus * [CVE-2022-42010](https://nvd.nist.gov/vuln/detail/CVE-2022-42010) CVSSv3 score: 6.5(Medium) An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures. * [CVE-2022-42011](https://nvd.nist.gov/vuln/detail/CVE-2022-42011) CVSSv3 score: 6.5(Medium) An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type. * [CVE-2022-42012](https://nvd.nist.gov/vuln/detail/CVE-2022-42012) CVSSv3 score: 6.5(Medium) An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. 
An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format. * git * [CVE-2022-39253](https://nvd.nist.gov/vuln/detail/CVE-2022-39253) CVSSv3 score: n/a Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`. * [CVE-2022-39260](https://nvd.nist.gov/vuln/detail/CVE-2022-39260) CVSSv3 score: 8.8(High) Git is an open source, scalable, distributed revision control system. 
`git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround. * [CVE-2022-23521](https://nvd.nist.gov/vuln/detail/CVE-2022-23521) CVSSv3 score: n/a Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. 
The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue. * [CVE-2022-41903](https://nvd.nist.gov/vuln/detail/CVE-2022-41903) CVSSv3 score: n/a Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`. * libarchive * [CVE-2022-36227](https://nvd.nist.gov/vuln/detail/CVE-2022-36227) CVSSv3 score: 9.8(Critical) In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. 
NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution." * libksba * [CVE-2022-47629](https://nvd.nist.gov/vuln/detail/CVE-2022-47629) CVSSv3 score: 9.8(Critical) Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser. * [CVE-2022-3515](https://nvd.nist.gov/vuln/detail/CVE-2022-3515) CVSSv3 score: 9.8(Critical) A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. * libxml2 * [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303) CVSSv3 score: 7.5(High) An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. * [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304) CVSSv3 score: 7.8(High) An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. * logrotate * [CVE-2022-1348](https://nvd.nist.gov/vuln/detail/CVE-2022-1348) CVSSv3 score: 6.5(Medium) A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. 
    When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
* multipath-tools
  * [CVE-2022-41973](https://nvd.nist.gov/vuln/detail/CVE-2022-41973) CVSSv3 score: 7.8(High) multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
  * [CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974) CVSSv3 score: 7.8(High) multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.
* sudo
  * [CVE-2023-22809](https://nvd.nist.gov/vuln/detail/CVE-2023-22809) CVSSv3 score: 7.8(High) In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
  * [CVE-2022-43995](https://nvd.nist.gov/vuln/detail/CVE-2022-43995) CVSSv3 score: 7.1(High) Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.
* systemd
  * [CVE-2022-3821](https://nvd.nist.gov/vuln/detail/CVE-2022-3821) CVSSv3 score: 5.5(Medium) An off-by-one error was discovered in systemd in the format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that lead to a buffer overrun in format_timespan(), resulting in a denial of service.
  * [CVE-2022-4415](https://nvd.nist.gov/vuln/detail/CVE-2022-4415) CVSSv3 score: 5.5(Medium) A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.
* vim
  * [CVE-2023-0049](https://nvd.nist.gov/vuln/detail/CVE-2023-0049) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.
  * [CVE-2023-0051](https://nvd.nist.gov/vuln/detail/CVE-2023-0051) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.
  * [CVE-2023-0054](https://nvd.nist.gov/vuln/detail/CVE-2023-0054) CVSSv3 score: 7.8(High) Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.
  * [CVE-2022-3705](https://nvd.nist.gov/vuln/detail/CVE-2022-3705) CVSSv3 score: 7.5(High) A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue.
    The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.
  * [CVE-2022-3491](https://nvd.nist.gov/vuln/detail/CVE-2022-3491) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.
  * [CVE-2022-3520](https://nvd.nist.gov/vuln/detail/CVE-2022-3520) CVSSv3 score: 9.8(Critical) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.
  * [CVE-2022-3591](https://nvd.nist.gov/vuln/detail/CVE-2022-3591) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0789.
  * [CVE-2022-4141](https://nvd.nist.gov/vuln/detail/CVE-2022-4141) CVSSv3 score: 7.8(High) Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing an attacker to CTRL-W gf in the expression used in the RHS of the substitute command.
  * [CVE-2022-4292](https://nvd.nist.gov/vuln/detail/CVE-2022-4292) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0882.
  * [CVE-2022-4293](https://nvd.nist.gov/vuln/detail/CVE-2022-4293) CVSSv3 score: 5.5(Medium) Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804.
  * [CVE-2022-1725](https://nvd.nist.gov/vuln/detail/CVE-2022-1725) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4959.
  * [CVE-2022-3234](https://nvd.nist.gov/vuln/detail/CVE-2022-3234) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.
  * [CVE-2022-3235](https://nvd.nist.gov/vuln/detail/CVE-2022-3235) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0490.
  * [CVE-2022-3278](https://nvd.nist.gov/vuln/detail/CVE-2022-3278) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.
  * [CVE-2022-3256](https://nvd.nist.gov/vuln/detail/CVE-2022-3256) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0530.
  * [CVE-2022-3296](https://nvd.nist.gov/vuln/detail/CVE-2022-3296) CVSSv3 score: 7.8(High) Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.
  * [CVE-2022-3297](https://nvd.nist.gov/vuln/detail/CVE-2022-3297) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0579.
  * [CVE-2022-3324](https://nvd.nist.gov/vuln/detail/CVE-2022-3324) CVSSv3 score: 7.8(High) Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.
  * [CVE-2022-3352](https://nvd.nist.gov/vuln/detail/CVE-2022-3352) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0614.
  * [CVE-2022-2042](https://nvd.nist.gov/vuln/detail/CVE-2022-2042) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2124](https://nvd.nist.gov/vuln/detail/CVE-2022-2124) CVSSv3 score: 7.8(High) Buffer Over-read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2125](https://nvd.nist.gov/vuln/detail/CVE-2022-2125) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2126](https://nvd.nist.gov/vuln/detail/CVE-2022-2126) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2129](https://nvd.nist.gov/vuln/detail/CVE-2022-2129) CVSSv3 score: 7.8(High) Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2175](https://nvd.nist.gov/vuln/detail/CVE-2022-2175) CVSSv3 score: 7.8(High) Buffer Over-read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2182](https://nvd.nist.gov/vuln/detail/CVE-2022-2182) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2183](https://nvd.nist.gov/vuln/detail/CVE-2022-2183) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2206](https://nvd.nist.gov/vuln/detail/CVE-2022-2206) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2207](https://nvd.nist.gov/vuln/detail/CVE-2022-2207) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2208](https://nvd.nist.gov/vuln/detail/CVE-2022-2208) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.
  * [CVE-2022-2210](https://nvd.nist.gov/vuln/detail/CVE-2022-2210) CVSSv3 score: 7.8(High) Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2231](https://nvd.nist.gov/vuln/detail/CVE-2022-2231) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2257](https://nvd.nist.gov/vuln/detail/CVE-2022-2257) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2264](https://nvd.nist.gov/vuln/detail/CVE-2022-2264) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2284](https://nvd.nist.gov/vuln/detail/CVE-2022-2284) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2285](https://nvd.nist.gov/vuln/detail/CVE-2022-2285) CVSSv3 score: 7.8(High) Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2286](https://nvd.nist.gov/vuln/detail/CVE-2022-2286) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2287](https://nvd.nist.gov/vuln/detail/CVE-2022-2287) CVSSv3 score: 7.1(High) Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2288](https://nvd.nist.gov/vuln/detail/CVE-2022-2288) CVSSv3 score: 7.8(High) Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2289](https://nvd.nist.gov/vuln/detail/CVE-2022-2289) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2304](https://nvd.nist.gov/vuln/detail/CVE-2022-2304) CVSSv3 score: 7.8(High) Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2343](https://nvd.nist.gov/vuln/detail/CVE-2022-2343) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.
  * [CVE-2022-2344](https://nvd.nist.gov/vuln/detail/CVE-2022-2344) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.
  * [CVE-2022-2345](https://nvd.nist.gov/vuln/detail/CVE-2022-2345) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0046.
  * [CVE-2022-2522](https://nvd.nist.gov/vuln/detail/CVE-2022-2522) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.
  * [CVE-2022-2816](https://nvd.nist.gov/vuln/detail/CVE-2022-2816) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.
  * [CVE-2022-2817](https://nvd.nist.gov/vuln/detail/CVE-2022-2817) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0213.
  * [CVE-2022-2819](https://nvd.nist.gov/vuln/detail/CVE-2022-2819) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211.
  * [CVE-2022-2845](https://nvd.nist.gov/vuln/detail/CVE-2022-2845) CVSSv3 score: 7.8(High) Buffer Over-read in GitHub repository vim/vim prior to 9.0.0218.
  * [CVE-2022-2849](https://nvd.nist.gov/vuln/detail/CVE-2022-2849) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220.
  * [CVE-2022-2862](https://nvd.nist.gov/vuln/detail/CVE-2022-2862) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0221.
  * [CVE-2022-2874](https://nvd.nist.gov/vuln/detail/CVE-2022-2874) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224.
  * [CVE-2022-2889](https://nvd.nist.gov/vuln/detail/CVE-2022-2889) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0225.
  * [CVE-2022-2923](https://nvd.nist.gov/vuln/detail/CVE-2022-2923) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.
  * [CVE-2022-2946](https://nvd.nist.gov/vuln/detail/CVE-2022-2946) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0246.
  * [CVE-2022-2980](https://nvd.nist.gov/vuln/detail/CVE-2022-2980) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259.
  * [CVE-2022-2982](https://nvd.nist.gov/vuln/detail/CVE-2022-2982) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0260.
  * [CVE-2022-3016](https://nvd.nist.gov/vuln/detail/CVE-2022-3016) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0286.
  * [CVE-2022-3099](https://nvd.nist.gov/vuln/detail/CVE-2022-3099) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0360.
  * [CVE-2022-3134](https://nvd.nist.gov/vuln/detail/CVE-2022-3134) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0389.
  * [CVE-2022-3153](https://nvd.nist.gov/vuln/detail/CVE-2022-3153) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.

#### LTS 3033.3.11

* Linux
  * [CVE-2022-4379](https://nvd.nist.gov/vuln/detail/CVE-2022-4379) CVSSv3 score: 7.5(High) A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel.
    This flaw allows an attacker to conduct a remote denial
  * [CVE-2023-1076](https://nvd.nist.gov/vuln/detail/CVE-2023-1076) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While this will often be correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., for a non-root user having only that capability. This would cause tun/tap sockets to be incorrectly treated in filtering/routing decisions, possibly bypassing network filters.
  * [CVE-2023-1077](https://nvd.nist.gov/vuln/detail/CVE-2023-1077) CVSSv3 score: 7.8(High) In the Linux kernel, pick_next_rt_entity() may return a type-confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but a list_head. The buggy error condition would lead to a type-confused entry with the list head, which would then be used as a type-confused sched_rt_entity, causing memory corruption.
  * [CVE-2023-1079](https://nvd.nist.gov/vuln/detail/CVE-2023-1079) CVSSv3 score: 6.8(Medium) A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging in or disconnecting a malicious USB device which advertises itself as an Asus device. Similarly to the previously known CVE-2023-25012, but in Asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
  * [CVE-2023-1118](https://nvd.nist.gov/vuln/detail/CVE-2023-1118) CVSSv3 score: 7.8(High) A use-after-free flaw was found in the Linux kernel's integrated infrared receiver/transceiver driver in the way a user detaches an rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
  * [CVE-2023-1611](https://nvd.nist.gov/vuln/detail/CVE-2023-1611) CVSSv3 score: 6.3(Medium) A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information lea
  * [CVE-2023-1670](https://nvd.nist.gov/vuln/detail/CVE-2023-1670) CVSSv3 score: 7.8(High) A use-after-free flaw was found in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
  * [CVE-2023-1829](https://nvd.nist.gov/vuln/detail/CVE-2023-1829) CVSSv3 score: n/a A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function does not properly deactivate filters in the case of perfect hashes while deleting the underlying structure, which can later lead to double freeing the structure. A local attacker can use this vulnerability to elevate their privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.
  * [CVE-2023-1855](https://nvd.nist.gov/vuln/detail/CVE-2023-1855) CVSSv3 score: 6.3(Medium) A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.
  * [CVE-2023-1989](https://nvd.nist.gov/vuln/detail/CVE-2023-1989) CVSSv3 score: n/a A use-after-free flaw was found in btsdio_remove in drivers/bluetooth/btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job may cause a race problem leading to a UAF on hdev devices.
  * [CVE-2023-1990](https://nvd.nist.gov/vuln/detail/CVE-2023-1990) CVSSv3 score: n/a A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.
  * [CVE-2023-23004](https://nvd.nist.gov/vuln/detail/CVE-2023-23004) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
  * [CVE-2023-25012](https://nvd.nist.gov/vuln/detail/CVE-2023-25012) CVSSv3 score: 4.6(Medium) The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.
  * [CVE-2023-28466](https://nvd.nist.gov/vuln/detail/CVE-2023-28466) CVSSv3 score: 7(High) do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).
  * [CVE-2023-30456](https://nvd.nist.gov/vuln/detail/CVE-2023-30456) CVSSv3 score: 7.8(High) An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
  * [CVE-2023-30772](https://nvd.nist.gov/vuln/detail/CVE-2023-30772) CVSSv3 score: n/a The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.
---

### Communication

#### Go/No-Go message for Matrix/Slack

Go/No-Go Meeting for Alpha 3572.0.0, Beta 3549.1.0, Stable 3510.2.0, LTS 3033.3.11

Preview images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/

Tracking issue: https://github.com/flatcar/Flatcar/issues/996

The Go/No-Go document is in our HackMD @flatcar namespace.
Link: https://hackmd.io/FM1VSrAQTA6_Db0fqnL7GQ and https://hackmd.io/38QOoqCIS5S4pkJ0PR7wdw

Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait.

Contributors & community, feel free to put your suggestions, thoughts or comments on the document or here in the chat.

@MAINTAINER @MAINTAINER @MAINTAINER

#### Mastodon

_The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._

New Flatcar releases for all channels now available!

📦 Many package updates: systemd, Linux, runc and more
🔒 CVE fixes & security patches: Linux, vim, sudo, multipath-tools
📜 Release notes at the usual spot: https://www.flatcar.org/releases/

#linux #cloudnative #containers #updates

#### Kubernetes Slack

_This goes in the #flatcar channel_

Please welcome the Flatcar releases of this month:

- Alpha 3572.0.0 (new major)
- Beta 3549.1.0 (maintenance release)
- Stable 3510.2.0 (maintenance release)
- LTS-2022 3033.3.11 (maintenance release)

These releases include:

📦 Many package updates: systemd, Linux, runc and more
🔒 CVE fixes & security patches: Linux, vim, sudo, multipath-tools
📜 Release notes at the usual spot: https://www.flatcar.org/releases/