Flatcar Container Linux
      • Sharing URL Link copied
      • /edit
      • View mode
        • Edit mode
        • View mode
        • Book mode
        • Slide mode
        Edit mode View mode Book mode Slide mode
      • Customize slides
      • Note Permission
      • Read
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • Write
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • Engagement control Commenting, Suggest edit, Emoji Reply
    • Invite by email
      Invitee

      This note has no invitees

    • Publish Note

      Share your work with the world Congratulations! 🎉 Your note is out in the world Publish Note

      Your note will be visible on your profile and discoverable by anyone.
      Your note is now live.
      This note is visible on your profile and discoverable online.
      Everyone on the web can find and read all notes of this public team.
      See published notes
      Unpublish note
      Please check the box to agree to the Community Guidelines.
      View profile
    • Commenting
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
      • Everyone
    • Suggest edit
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
    • Emoji Reply
    • Enable
    • Versions and GitHub Sync
    • Note settings
    • Note Insights
    • Engagement control
    • Transfer ownership
    • Delete this note
    • Insert from template
    • Import from
      • Dropbox
      • Google Drive
      • Gist
      • Clipboard
    • Export to
      • Dropbox
      • Google Drive
      • Gist
    • Download
      • Markdown
      • HTML
      • Raw HTML
Menu Note settings Versions and GitHub Sync Note Insights Sharing URL Help
Menu
Options
Engagement control Transfer ownership Delete this note
Import from
Dropbox Google Drive Gist Clipboard
Export to
Dropbox Google Drive Gist
Download
Markdown HTML Raw HTML
Back
Sharing URL Link copied
/edit
View mode
  • Edit mode
  • View mode
  • Book mode
  • Slide mode
Edit mode View mode Book mode Slide mode
Customize slides
Note Permission
Read
Owners
  • Owners
  • Signed-in users
  • Everyone
Owners Signed-in users Everyone
Write
Owners
  • Owners
  • Signed-in users
  • Everyone
Owners Signed-in users Everyone
Engagement control Commenting, Suggest edit, Emoji Reply
  • Invite by email
    Invitee

    This note has no invitees

    • Publish Note

    Share your work with the world Congratulations! 🎉 Your note is out in the world Publish Note

    Your note will be visible on your profile and discoverable by anyone.
    Your note is now live.
    This note is visible on your profile and discoverable online.
    Everyone on the web can find and read all notes of this public team.
    See published notes
    Unpublish note
    Please check the box to agree to the Community Guidelines.
    View profile
    Engagement control
    Commenting
    Permission
    Disabled Forbidden Owners Signed-in users Everyone
    Enable
    Permission
    • Forbidden
    • Owners
    • Signed-in users
    • Everyone
    Suggest edit
    Permission
    Disabled Forbidden Owners Signed-in users Everyone
    Enable
    Permission
    • Forbidden
    • Owners
    • Signed-in users
    Emoji Reply
    Enable
    Import from Dropbox Google Drive Gist Clipboard
       owned this note    owned this note      
    Published Linked with GitHub
    Subscribed
    • Any changes
      Be notified of any changes
    • Mention me
      Be notified of mention me
    • Unsubscribe
    Subscribe
    # Flatcar Container Linux Release - 2022-06-01 ## alpha-3255.0.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## beta-3227.1.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## stable-3139.2.2 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## lts-3033.3.1 - AMD64-usr - Platforms succeeded: All - Platforms failed: cl.locksmith.cluster is flaky on EM - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Communication --- #### Guidelines / Things to Remember - Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/ - [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post). - Make sure the the LTS (channel) is referred to as `LTS-2022`, and not `LTS-3033` --- ### Announcement Message Subject: Announcing new Alpha 3255.0.0, Beta 3227.1.0, Stable 3139.2.2, LTS-2022 3033.3.1 releases. Hello, We are pleased to announce new Flatcar Container Linux releases for the Alpha, Beta, Stable and LTS-2022 channels. # New **Alpha** Release **3255.0.0** _Changes since **Alpha 3227.0.0**_ ## Security fixes: - Linux ([CVE-2022-1734](https://nvd.nist.gov/vuln/detail/CVE-2022-1734), [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893), [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012), [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729)) - Go ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526)) - curl ([CVE-2022-22576](https://nvd.nist.gov/vuln/detail/CVE-2022-22576), [CVE-2022-27774](https://nvd.nist.gov/vuln/detail/CVE-2022-27774), [CVE-2022-27775](https://nvd.nist.gov/vuln/detail/CVE-2022-27775), [CVE-2022-27776](https://nvd.nist.gov/vuln/detail/CVE-2022-27776), [CVE-2022-27778](https://nvd.nist.gov/vuln/detail/CVE-2022-27778), [CVE-2022-27779](https://nvd.nist.gov/vuln/detail/CVE-2022-27779), [CVE-2022-27780](https://nvd.nist.gov/vuln/detail/CVE-2022-27780), [CVE-2022-27781](https://nvd.nist.gov/vuln/detail/CVE-2022-27781), [CVE-2022-27782](https://nvd.nist.gov/vuln/detail/CVE-2022-27782), [CVE-2022-30115](https://nvd.nist.gov/vuln/detail/CVE-2022-30115)) - Docker ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526)) - git ([CVE-2022-24765](https://nvd.nist.gov/vuln/detail/CVE-2022-24765)) - ncurses ([CVE-2022-29458](https://nvd.nist.gov/vuln/detail/CVE-2022-29458)) - openssl ([CVE-2022-1292](https://nvd.nist.gov/vuln/detail/CVE-2022-1292), [CVE-2022-1343](https://nvd.nist.gov/vuln/detail/CVE-2022-1343), [CVE-2022-1434](https://nvd.nist.gov/vuln/detail/CVE-2022-1434), [CVE-2022-1473](https://nvd.nist.gov/vuln/detail/CVE-2022-1473)) - nvidia-drivers ([CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181), [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183), [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184), [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185)) - rsync ([CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032)) - runc ([CVE-2022-29162](https://nvd.nist.gov/vuln/detail/CVE-2022-29162)) - Torcx ([CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191)) - SDK: qemu ([CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203), [CVE-2021-3713](https://nvd.nist.gov/vuln/detail/CVE-2021-3713), [CVE-2021-3930](https://nvd.nist.gov/vuln/detail/CVE-2021-3930), [CVE-2021-3947](https://nvd.nist.gov/vuln/detail/CVE-2021-3947), [CVE-2021-4145](https://nvd.nist.gov/vuln/detail/CVE-2021-4145), [CVE-2022-26353](https://nvd.nist.gov/vuln/detail/CVE-2022-26353), [CVE-2022-26354](https://nvd.nist.gov/vuln/detail/CVE-2022-26354)) ## Bug fixes: - Ensured `/etc/flatcar/update.conf` exists because it happens to be used as flag file for Ansible ([init#71](https://github.com/flatcar-linux/init/pull/71)) - Fixed Ignition's OEM ID to be `metal` to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID `pxe` was used ([bootengine#45](https://github.com/flatcar-linux/bootengine/pull/45)) - Added `networkd` translation to `files` section when converting from Ignition 2.x to Ignition 3.x ([coreos-overlay#1910](https://github.com/flatcar-linux/coreos-overlay/pull/1910), [flatcar#741](https://github.com/flatcar-linux/Flatcar/issues/741)) - GCP: Fixed shutdown script execution ([coreos-overlay#1912](https://github.com/flatcar-linux/coreos-overlay/pull/1912), [flatcar#743](https://github.com/flatcar-linux/Flatcar/issues/743)) ## Changes: - VMware: Added VMware networking configuration in the initramfs via guestinfo settings ([bootengine#44](https://github.com/flatcar-linux/bootengine/pull/44), [flatcar#717](https://github.com/flatcar-linux/Flatcar/issues/717)) ## Updates: - Linux ([5.15.43](https://lwn.net/Articles/896231/) (includes [5.15.42](https://lwn.net/Articles/896226), [5.15.41](https://lwn.net/Articles/895645), [5.15.40](https://lwn.net/Articles/895318), [5.15.39](https://lwn.net/Articles/895070), [5.15.38](https://lwn.net/Articles/894357))) - Linux Firmware ([20220509](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220509)) - Go ([1.18.2](https://go.googlesource.com/go/+/refs/tags/go1.18.2)) - Docker ([20.10.16](https://docs.docker.com/engine/release-notes/#201016) (includes [20.10.15](https://docs.docker.com/engine/release-notes/#201015))) - containerd ([1.6.4](https://github.com/containerd/containerd/releases/tag/v1.6.4)) - curl ([7.83.1](https://curl.se/mail/lib-2022-05/0010.html)) - dbus ([1.12.22](https://gitlab.freedesktop.org/dbus/dbus/-/blob/177ab044bc87cbc4ded75d21b900795a6fefef76/NEWS)) - e2fsprogs ([1.46.5](http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.5)) - git ([2.35.3](https://github.com/git/git/blob/v2.35.3/Documentation/RelNotes/2.35.3.txt)) - ldb ([2.4.1](https://gitlab.com/samba-team/samba/-/commit/a795e0c84597aa045d011e663dbad3cdabf0f1e6)) - ncurses ([6.3_p20220423](https://lists.gnu.org/archive/html/info-gnu/2021-11/msg00001.html)) - nvidia-drivers ([510.73.05](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-510-73-05/index.html)) - openssl ([3.0.3](https://www.openssl.org/news/changelog.html#openssl-30)) - rsync ([3.2.4](https://download.samba.org/pub/rsync/NEWS.html#3.2.4)) - runc ([1.1.2](https://github.com/opencontainers/runc/releases/tag/v1.1.2)) - samba ([4.15.4](https://www.samba.org/samba/history/samba-4.15.4.html)) - sqlite ([3.38.1](https://www.sqlite.org/releaselog/3_38_1.html)) - talloc ([2.3.3](https://gitlab.com/samba-team/samba/-/commit/bc1ee7ca0640f0136e5af7dcc4ca8ed0a5893053)) - tevent ([0.11.0](https://gitlab.com/samba-team/samba/-/commit/de4e8a1af9564f6056f9af90867c2f013449051c)) - gdbm ([1.22](https://lists.gnu.org/archive/html/info-gnu/2021-10/msg00006.html)) - new: acpid ([2.0.33](https://sourceforge.net/p/acpid2/code/ci/2.0.33/tree/Changelog)) - OEM: python ([3.9.12](https://www.python.org/downloads/release/python-3912/)) - OEM: python-distro ([1.7.0](https://github.com/python-distro/distro/releases/tag/v1.7.0)) - SDK: python ([3.9.12](https://www.python.org/downloads/release/python-3912/)) - SDK: qemu ([7.0.0](https://wiki.qemu.org/ChangeLog/7.0)) - SDK: Rust ([1.61.0](https://github.com/rust-lang/rust/releases/tag/1.61.0)) - VMware: open-vm-tools ([12.0.5](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.0.5)) # New **Beta** Release **3227.1.0** _Changes since **Beta 3185.1.1**_ ## Security fixes: - Linux ([CVE-2022-1734](https://nvd.nist.gov/vuln/detail/CVE-2022-1734), [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893), [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012), [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729)) - Go ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526)) - containerd ([CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769)) - gnutls ([CVE-2021-4209](https://nvd.nist.gov/vuln/detail/CVE-2021-4209), [GNUTLS-SA-2022-01-17](https://gitlab.com/gnutls/gnutls/-/issues/1277)) - gzip,xz-utils ([CVE-2022-1271](https://nvd.nist.gov/vuln/detail/CVE-2022-1271)) - libarchive ([CVE-2022-26280](https://nvd.nist.gov/vuln/detail/CVE-2022-26280)) - nvidia-drivers ([CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181), [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183), [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184), [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185)) - util-linux ([CVE-2021-3995](https://nvd.nist.gov/vuln/detail/CVE-2021-3995), [CVE-2021-3996](https://nvd.nist.gov/vuln/detail/CVE-2021-3996), [CVE-2022-0563](https://nvd.nist.gov/vuln/detail/CVE-2022-0563)) - zlib ([CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032)) ## Bug fixes: - Ensured `/etc/flatcar/update.conf` exists because it happens to be used as flag file for Ansible ([init#71](https://github.com/flatcar-linux/init/pull/71)) - Fixed Ignition's OEM ID to be `metal` to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID `pxe` was used ([bootengine#45](https://github.com/flatcar-linux/bootengine/pull/45)) - Added `networkd` translation to `files` section when converting from Ignition 2.x to Ignition 3.x ([coreos-overlay#1910](https://github.com/flatcar-linux/coreos-overlay/pull/1910), [flatcar#741](https://github.com/flatcar-linux/Flatcar/issues/741)) - GCP: Fixed shutdown script execution ([coreos-overlay#1912](https://github.com/flatcar-linux/coreos-overlay/pull/1912), [flatcar#743](https://github.com/flatcar-linux/Flatcar/issues/743)) ## Changes: - Enabled `CONFIG_INTEL_RAPL` on AMD64 Kernel config to compile `intel_rapl_common` module in order to allow power monitoring on modern Intel processors ([flatcar#coreos-overlay#1801](https://github.com/flatcar-linux/coreos-overlay/pull/1801)) ## Updates: - Linux ([5.15.43](https://lwn.net/Articles/896231/) (includes [5.15.42](https://lwn.net/Articles/896226), [5.15.41](https://lwn.net/Articles/895645), [5.15.40](https://lwn.net/Articles/895318), [5.15.39](https://lwn.net/Articles/895070), [5.15.38](https://lwn.net/Articles/894357))) - Linux Firmware ([20220411](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220411)) - Go ([1.17.10](https://go.googlesource.com/go/+/refs/tags/go1.17.10)) - afterburn ([5.2.0](https://github.com/coreos/afterburn/releases/tag/v5.2.0)) - bind-tools ([9.16.27](https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_27/CHANGES)) - conntrack-tools ([1.4.6](https://lists.netfilter.org/pipermail/netfilter-announce/2020/000240.html)) - containerd ([1.6.3](https://github.com/containerd/containerd/releases/tag/v1.6.3) (includes [1.6.2](https://github.com/containerd/containerd/releases/tag/v1.6.2))) - Docker ([20.10.14](https://docs.docker.com/engine/release-notes/#201014)) - e2fsprogs ([1.46.4](http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.4)) - elfutils ([0.186](https://sourceware.org/git/?p=elfutils.git;a=blob;f=NEWS;h=490932ae4ef9b5a3af01d2c8c616f14d57586046;hb=983e86fd89e8bf02f2d27ba5dce5bf078af4ceda)) - gnutls ([3.7.3](https://gitlab.com/gnutls/gnutls/-/merge_requests/1517)) - gzip ([1.12](https://savannah.gnu.org/forum/forum.php?forum_id=10157) (includes [1.11](https://lists.gnu.org/archive/html/info-gnu/2021-09/msg00002.html))) - jansson ([2.14](https://github.com/akheron/jansson/blob/v2.14/CHANGES)) - libarchive [3.6.1](https://github.com/libarchive/libarchive/releases/tag/v3.6.1) - libbsd ([0.11.3](https://gitlab.freedesktop.org/libbsd/libbsd/-/commits/0.11.3/)) - libnetfilter_queue ([1.0.5](https://git.netfilter.org/libnetfilter_queue/log/?h=libnetfilter_queue-1.0.5)) - libpcap ([1.10.1](https://git.tcpdump.org/libpcap/blob/c7642e2cc0c5bd65754685b160d25dc23c76c6bd:/CHANGES)) - libtasn1 ([4.17.0](https://gitlab.com/gnutls/libtasn1/-/blob/v4.17.0/NEWS)) - liburing ([2.1](https://github.com/axboe/liburing/commits/liburing-2.1)) - mdadm ([4.2](https://lore.kernel.org/all/28fdbc45-96ca-7cdb-3ced-a5f65d978048@trained-monkey.org/T/)) - multipath-tools ([0.8.7](https://github.com/opensvc/multipath-tools/commits/0.8.7)) - nghttp2 ([1.45.1](https://github.com/nghttp2/nghttp2/releases/tag/v1.45.1)) - nvidia-drivers ([510.73.05](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-510-73-05/index.html)) - oniguruma ([6.9.7.1](https://github.com/kkos/oniguruma/releases/tag/v6.9.7.1)) - open-isns ([0.101](https://github.com/open-iscsi/open-isns/blob/v0.101/ChangeLog)) - pcre2 ([10.39](https://github.com/PhilipHazel/pcre2/blob/pcre2-10.39/NEWS)) - runc ([1.1.1](https://github.com/opencontainers/runc/releases/tag/v1.1.1)) - tcpdump ([4.99.1](https://git.tcpdump.org/tcpdump/blob/5f552b5e6e9fe05f7ad9681d51d0303233daba6a:/CHANGES)) - unzip ([6.0_p26](https://metadata.ftp-master.debian.org/changelogs//main/u/unzip/unzip_6.0-26_changelog)) - util-linux ([2.37.4](https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/v2.37.4-ChangeLog)) - zlib ([1.2.12](https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/ChangeLog#L4)) - SDK: Rust ([1.60.0](https://github.com/rust-lang/rust/releases/tag/1.60.0)) _Changes since **Alpha 3227.0.0**_ ## Security fixes: - Linux ([CVE-2022-1734](https://nvd.nist.gov/vuln/detail/CVE-2022-1734), [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893), [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012), [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729)) - Go ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526)) - nvidia-drivers ([CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181), [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183), [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184), [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185)) ## Bug fixes: - Ensured `/etc/flatcar/update.conf` exists because it happens to be used as flag file for Ansible ([init#71](https://github.com/flatcar-linux/init/pull/71)) - Fixed Ignition's OEM ID to be `metal` to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID `pxe` was used ([bootengine#45](https://github.com/flatcar-linux/bootengine/pull/45)) - Added `networkd` translation to `files` section when converting from Ignition 2.x to Ignition 3.x ([coreos-overlay#1910](https://github.com/flatcar-linux/coreos-overlay/pull/1910), [flatcar#741](https://github.com/flatcar-linux/Flatcar/issues/741)) - GCP: Fixed shutdown script execution ([coreos-overlay#1912](https://github.com/flatcar-linux/coreos-overlay/pull/1912), [flatcar#743](https://github.com/flatcar-linux/Flatcar/issues/743)) ## Updates: - Linux ([5.15.43](https://lwn.net/Articles/896231/) (includes [5.15.42](https://lwn.net/Articles/896226), [5.15.41](https://lwn.net/Articles/895645), [5.15.40](https://lwn.net/Articles/895318), [5.15.39](https://lwn.net/Articles/895070), [5.15.38](https://lwn.net/Articles/894357))) - Go ([1.17.10](https://go.googlesource.com/go/+/refs/tags/go1.17.10)) - nvidia-drivers ([510.73.05](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-510-73-05/index.html)) # New **Stable** Release **3139.2.2** _Changes since **Stable 3139.2.1**_ ## Security fixes: - Linux ([CVE-2022-1734](https://nvd.nist.gov/vuln/detail/CVE-2022-1734), [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893), [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012), [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729)) - Go ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526)) ## Bug fixes: - Ensured `/etc/flatcar/update.conf` exists because it happens to be used as flag file for Ansible ([init#71](https://github.com/flatcar-linux/init/pull/71)) - GCP: Fixed shutdown script execution ([coreos-overlay#1912](https://github.com/flatcar-linux/coreos-overlay/pull/1912), [flatcar#743](https://github.com/flatcar-linux/Flatcar/issues/743)) ## Updates: - Linux ([5.15.43](https://lwn.net/Articles/896231/) (includes [5.15.42](https://lwn.net/Articles/896226), [5.15.41](https://lwn.net/Articles/895645), [5.15.40](https://lwn.net/Articles/895318), [5.15.39](https://lwn.net/Articles/895070), [5.15.38](https://lwn.net/Articles/894357))) - Go ([1.17.10](https://go.googlesource.com/go/+/refs/tags/go1.17.10)) # New **LTS-2022** Release **3033.3.1** _Changes since **LTS-2022 3033.3.0**_ ## Security fixes: - Linux ([CVE-2022-28390](https://nvd.nist.gov/vuln/detail/CVE-2022-28390), [CVE-2022-0168](https://nvd.nist.gov/vuln/detail/CVE-2022-0168), [CVE-2022-1158](https://nvd.nist.gov/vuln/detail/CVE-2022-1158), [CVE-2022-1353](https://nvd.nist.gov/vuln/detail/CVE-2022-1353), [CVE-2022-30594](https://nvd.nist.gov/vuln/detail/CVE-2022-30594), [CVE-2022-1198](https://nvd.nist.gov/vuln/detail/CVE-2022-1198), [CVE-2022-28389](https://nvd.nist.gov/vuln/detail/CVE-2022-28389), [CVE-2022-28388](https://nvd.nist.gov/vuln/detail/CVE-2022-28388), [CVE-2022-1516](https://nvd.nist.gov/vuln/detail/CVE-2022-1516), [CVE-2022-29582](https://nvd.nist.gov/vuln/detail/CVE-2022-29582), [CVE-2021-4197](https://nvd.nist.gov/vuln/detail/CVE-2021-4197), [CVE-2022-1204](https://nvd.nist.gov/vuln/detail/CVE-2022-1204), [CVE-2022-1205](https://nvd.nist.gov/vuln/detail/CVE-2022-1205), [CVE-2022-29581](https://nvd.nist.gov/vuln/detail/CVE-2022-29581), [CVE-2022-1836](https://nvd.nist.gov/vuln/detail/CVE-2022-1836), [CVE-2022-1734](https://nvd.nist.gov/vuln/detail/CVE-2022-1734), [CVE-2022-0494](https://nvd.nist.gov/vuln/detail/CVE-2022-0494), [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893), [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729), [CVE-2022-0854](https://nvd.nist.gov/vuln/detail/CVE-2022-0854)) ## Bug fixes: - Ensured `/etc/flatcar/update.conf` exists because it happens to be used as flag file for Ansible ([init#71](https://github.com/flatcar-linux/init/pull/71)) ## Updates: - Linux ([5.10.118](https://lwn.net/Articles/896225/) (includes [5.10.117](https://lwn.net/Articles/895646), [5.10.116](https://lwn.net/Articles/895319), [5.10.115](https://lwn.net/Articles/895071), [5.10.114](https://lwn.net/Articles/894358), [5.10.113](https://lwn.net/Articles/892813), [5.10.112](https://lwn.net/Articles/891997), [5.10.111](https://lwn.net/Articles/891252), [5.10.110](https://lwn.net/Articles/890723))) - ca-certificates ([3.78](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_78.html)) Best, The Flatcar Container Linux Maintainers --- ### Security **Subject**: Security issues fixed with the latest Alpha 3255.0.0, Beta 3227.1.0, Stable 3139.2.2, LTS-2022 3033.3.1 releases **Security fix**: With the Alpha 3255.0.0, Beta 3227.1.0, Stable 3139.2.2, LTS-2022 3033.3.1 releases we ship a fix for the CVEs listed below. #### Alpha * Linux * [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012) CVSSv3 score: n/a * [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729) CVSSv3 score: n/a * [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893) CVSSv3 score: 7.8(High) The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state. * curl * [CVE-2022-22576](https://nvd.nist.gov/vuln/detail/CVE-2022-22576) CVSSv3 score: n/a An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). * [CVE-2022-27774](https://nvd.nist.gov/vuln/detail/CVE-2022-27774) CVSSv3 score: n/a curl follows HTTP(S) redirects when asked to. curl also supports authentication. When a user and password are provided for a URL with a given hostname, curl makes an effort to not pass on those credentials to other hosts in redirects unless given permission with a special option. This "same host check" has been flawed all since it was introduced. It does not work on cross protocol redirects and it does not consider different port numbers to be separate hosts. This leads to curl leaking credentials to other servers when it follows redirects from auth protected HTTP(S) URLs to other protocols and port numbers. It could also leak the TLS SRP credentials this way. By default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked to allow redirects to all protocols curl supports. * [CVE-2022-27775](https://nvd.nist.gov/vuln/detail/CVE-2022-27775) CVSSv3 score: n/a libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take the IPv6 address zone id into account which could lead to libcurl reusing the wrong connection when one transfer uses a zone id and a subsequent transfer uses another (or no) zone id. * [CVE-2022-27776](https://nvd.nist.gov/vuln/detail/CVE-2022-27776) CVSSv3 score: n/a curl might leak authentication or cookie header data on HTTP redirects to the same host but another port number. When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host which name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme. Contrary to expectation and intention. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom Authorization: or Cookie: headers, as those headers often contain privacy sensitive information or data. curl and libcurl have options that allow users to opt out from this check, but that is not set by default. * [CVE-2022-27778](https://nvd.nist.gov/vuln/detail/CVE-2022-27778) CVSSv3 score: n/a curl might remove the wrong file when --no-clobber is used together with --remove-on-error. The --remove-on-error option tells curl to remove the output file when it returns an error, and not leave a partial file behind. The --no-clobber option prevents curl from overwriting a file if it already exists, and instead appends a number to the name to create a new unused file name. If curl adds a number to not "clobber" the output and an error occurs during transfer, the remove on error logic would remove the original file name without the added number. * [CVE-2022-27779](https://nvd.nist.gov/vuln/detail/CVE-2022-27779) CVSSv3 score: n/a libcurl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot. curl can be told to receive and send cookies when communicating using HTTP(S). curl's "cookie engine" can be built with or without Public Suffix List awareness. If PSL support not provided, a more rudimentary check exists to at least prevent cookies from being set on TLDs. This check was broken if the host name in the URL uses a trailing dot. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain. * [CVE-2022-27780](https://nvd.nist.gov/vuln/detail/CVE-2022-27780) CVSSv3 score: n/a The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a different URL using the wrong host name when it is later retrieved. For example, a URL like http://example.com%2F10.0.0.1/, would be allowed by the parser and get transposed into http://example.com/10.0.0.1/. This flaw can be used to circumvent filters, checks and more. * [CVE-2022-27781](https://nvd.nist.gov/vuln/detail/CVE-2022-27781) CVSSv3 score: n/a libcurl provides the CURLOPT_CERTINFO option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information. * [CVE-2022-27782](https://nvd.nist.gov/vuln/detail/CVE-2022-27782) CVSSv3 score: n/a libcurl provides the CURLOPT_CERTINFO option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information. * [CVE-2022-30115](https://nvd.nist.gov/vuln/detail/CVE-2022-30115) CVSSv3 score: n/a curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or the other way around - by having the trailing dot in the HSTS cache and not using the trailing dot in the URL. Since trailing dots in host names are somewhat special, many sites work equally fine with or without a trailing dot present. * docker * [CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526) CVSSv3 score: n/a Fix Faccessat on Linux. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. * git * [CVE-2022-24765](https://nvd.nist.gov/vuln/detail/CVE-2022-24765) CVSSv3 score: 7.8(High) Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`. * go * [CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526) CVSSv3 score: n/a Fix Faccessat on Linux. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. * ncurses * [CVE-2022-29458](https://nvd.nist.gov/vuln/detail/CVE-2022-29458) CVSSv3 score: 7.1(High) ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library. * nvidia-drivers * [CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181) CVSSv3 score: n/a NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components. * [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183) CVSSv3 score: 7.1(High) NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure. * [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184) CVSSv3 score: n/a NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can access administrator- privileged registers, which may lead to denial of service, information disclosure, and data tampering. * [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185) CVSSv3 score: n/a NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the ECC layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to denial of service and data tampering. * openssl * [CVE-2022-1292](https://nvd.nist.gov/vuln/detail/CVE-2022-1292) CVSSv3 score: 9.8(Critical) The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). * [CVE-2022-1343](https://nvd.nist.gov/vuln/detail/CVE-2022-1343) CVSSv3 score: 5.3(Medium) The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). * [CVE-2022-1434](https://nvd.nist.gov/vuln/detail/CVE-2022-1434) CVSSv3 score: 5.9(Medium) The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). * [CVE-2022-1473](https://nvd.nist.gov/vuln/detail/CVE-2022-1473) CVSSv3 score: 7.5(High) The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). * rsync * [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) CVSSv3 score: 7.5(High) zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. * runc * [CVE-2022-29162](https://nvd.nist.gov/vuln/detail/CVE-2022-29162) CVSSv3 score: n/a runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. * torcx * [CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191) CVSSv3 score: 7.5(High) The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. * SDK: qemu * [CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203) CVSSv3 score: 3.2(Low) An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. * [CVE-2021-3713](https://nvd.nist.gov/vuln/detail/CVE-2021-3713) CVSSv3 score: 7.4(High) An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. * [CVE-2021-3930](https://nvd.nist.gov/vuln/detail/CVE-2021-3930) CVSSv3 score: 6.5(Medium) An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition. * [CVE-2021-3947](https://nvd.nist.gov/vuln/detail/CVE-2021-3947) CVSSv3 score: 5.5(Medium) A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information. * [CVE-2021-4145](https://nvd.nist.gov/vuln/detail/CVE-2021-4145) CVSSv3 score: 6.5(Medium) A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node. * [CVE-2022-26353](https://nvd.nist.gov/vuln/detail/CVE-2022-26353) CVSSv3 score: 7.5(High) A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0. * [CVE-2022-26354](https://nvd.nist.gov/vuln/detail/CVE-2022-26354) CVSSv3 score: 3.2(Low) A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0. #### Beta * Linux * [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012) CVSSv3 score: n/a * [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729) CVSSv3 score: n/a * [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893) CVSSv3 score: 7.8(High) The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state. * containerd * [CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769) CVSSv3 score: n/a Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting. * gnutls * [CVE-2021-4209](https://nvd.nist.gov/vuln/detail/CVE-2021-4209) CVSSv3 score: n/a Using gnutls with guile disabled, null pointer may passed to memcpy as argument 2, causing null pointer dereference. * [GNUTLS-SA-2022-01-17](https://gitlab.com/gnutls/gnutls/-/issues/1277) When a single trust list object is shared among multiple threads, calls to gnutls_x509_trust_list_verify_crt2() was able to corrupt temporary memory where internal copy of an issuer certificate is stored. The code path is only taken when a PKCS#11 based trust store is enabled and the issuer certificate is already stored as trusted. This affects GnuTLS 3.7.0 to 3.7.2 * go * [CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526) CVSSv3 score: n/a Fix Faccessat on Linux. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. * gzip,xz-utils * [CVE-2022-1271](https://nvd.nist.gov/vuln/detail/CVE-2022-1271) CVSSv3 score: n/a Malicious filenames can make zgrep and xzgrep to write to arbitrary files or (with a GNU sed extension) lead to arbitrary code execution. The issue with the old sed script is that with multiple newlines, the N-command will read the second line of input, then the s-commands will be skipped because it's not the end of the file yet, then a new sed cycle starts and the pattern space is printed and emptied. So only the last line or two get escaped. * libarchive * [CVE-2022-26280](https://nvd.nist.gov/vuln/detail/CVE-2022-26280) CVSSv3 score: 9.1(Critical) Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init. * nvidia-drivers * [CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181) CVSSv3 score: n/a NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components. * [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183) CVSSv3 score: 7.1(High) NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure. * [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184) CVSSv3 score: n/a NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can access administrator- privileged registers, which may lead to denial of service, information disclosure, and data tampering. * [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185) CVSSv3 score: n/a NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the ECC layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to denial of service and data tampering. * util-linux * [CVE-2021-3995](https://nvd.nist.gov/vuln/detail/CVE-2021-3995) CVSSv3 score: n/a This issue is related to parsing the /proc/self/mountinfo file allows an unprivileged user to unmount other user's filesystems that are either world-writable themselves or mounted in a world-writable directory. * [CVE-2021-3996](https://nvd.nist.gov/vuln/detail/CVE-2021-3996) CVSSv3 score: n/a Improper UID check in libmount allows an unprivileged user to unmount FUSE filesystems of users with similar UID. * [CVE-2022-0563](https://nvd.nist.gov/vuln/detail/CVE-2022-0563) CVSSv3 score: 5.5(Medium) A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. * zlib * [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) CVSSv3 score: 7.5(High) zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. #### Stable * Linux * [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012) CVSSv3 score: n/a * [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729) CVSSv3 score: n/a * [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893) CVSSv3 score: 7.8(High) The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state. * go * [CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526) CVSSv3 score: n/a Fix Faccessat on Linux. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. #### LTS-2022 * Linux * [CVE-2022-0494](https://nvd.nist.gov/vuln/detail/CVE-2022-0494) CVSSv3 score: 4.4(Medium) A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality. * [CVE-2022-0854](https://nvd.nist.gov/vuln/detail/CVE-2022-0854) CVSSv3 score: 5.5(Medium) A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space. * [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729) CVSSv3 score: n/a * [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893) CVSSv3 score: 7.8(High) The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state. Best, The Flatcar Container Linux Maintainers --- ### Communication #### Twitter _The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._ A fresh new set of Flatcar releases is available! 📦 More than 20 package updates (Linux, curl, ...) 📜 Release notes in usual spot: https://www.flatcar.org/releases/ #### Kubernetes Slack _This goes in the #flatcar channel_ First release message in this channel! Please welcome a new batch of Flatcar releases: - Alpha 3255.0.0 (new major) - Beta 3227.1.0 (promoted from Alpha) - Stable 3139.2.2 (maintenance release) - LTS-2022 3033.3.1 (maintenance release) These releases include: 📦 More than 20 package updates including security fixes (Linux, curl, ...) 🩹 Some bugfixes (GCP shutdown script, PXE booting, ...) 📜 Release notes in usual spot: https://www.flatcar.org/releases/

    Import from clipboard

    Paste your markdown or webpage here...

    Advanced permission required

    Your current role can only read. Ask the system administrator to acquire write and comment permission.

    This team is disabled

    Sorry, this team is disabled. You can't edit this note.

    This note is locked

    Sorry, only owner can edit this note.

    Reach the limit

    Sorry, you've reached the max length this note can be.
    Please reduce the content or divide it to more notes, thank you!

    Import from Gist

    Import from Snippet

    or

    Export to Snippet

    Are you sure?

    Do you really want to delete this note?
    All users will lose their connection.

    Create a note from template

    Create a note from template

    Oops...
    This template has been removed or transferred.
    Upgrade
    All
    • All
    • Team
    No template.

    Create a template

    Upgrade

    Delete template

    Do you really want to delete this template?
    Turn this template into a regular note and keep its content, versions, and comments.

    This page need refresh

    You have an incompatible client version.
    Refresh to update.
    New version available!
    See releases notes here
    Refresh to enjoy new features.
    Your user state has changed.
    Refresh to load new user state.

    Sign in

    Forgot password

    or

    By clicking below, you agree to our terms of service.

    Sign in via Facebook Sign in via Twitter Sign in via GitHub Sign in via Dropbox Sign in with Wallet
    Wallet ( )
    Connect another wallet

    New to HackMD? Sign up

    Help

    • English
    • 中文
    • Français
    • Deutsch
    • 日本語
    • Español
    • Català
    • Ελληνικά
    • Português
    • italiano
    • Türkçe
    • Русский
    • Nederlands
    • hrvatski jezik
    • język polski
    • Українська
    • हिन्दी
    • svenska
    • Esperanto
    • dansk

    Documents

    Help & Tutorial

    How to use Book mode

    Slide Example

    API Docs

    Edit in VSCode

    Install browser extension

    Contacts

    Feedback

    Discord

    Send us email

    Resources

    Releases

    Pricing

    Blog

    Policy

    Terms

    Privacy

    Cheatsheet

    Syntax Example Reference
    # Header Header 基本排版
    - Unordered List
    • Unordered List
    1. Ordered List
    1. Ordered List
    - [ ] Todo List
    • Todo List
    > Blockquote
    Blockquote
    **Bold font** Bold font
    *Italics font* Italics font
    ~~Strikethrough~~ Strikethrough
    19^th^ 19th
    H~2~O H2O
    ++Inserted text++ Inserted text
    ==Marked text== Marked text
    [link text](https:// "title") Link
    ![image alt](https:// "title") Image
    `Code` Code 在筆記中貼入程式碼
    ```javascript
    var i = 0;
    ```    		 
    var i = 0;
    :smile: :smile: Emoji list
    {%youtube youtube_id %} Externals
    $L^aT_eX$ LaTeX
    :::info
    This is a alert area.
    :::

    This is a alert area.
    Versions and GitHub Sync
    Get Full History Access

    • Edit version name
    • Delete

    revision author avatar     named on  

    More Less

    Note content is identical to the latest version.
    Compare
      Choose a version
      No search result
      Version not found
    Sign in to link this note to GitHub
    Learn more
    This note is not linked with GitHub
     

    Feedback

    Submission failed, please try again

    Thanks for your support.

    On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

    Please give us some advice and help us improve HackMD.

     

    Thanks for your feedback

    Remove version name

    Do you want to remove this version name and description?

    Transfer ownership

    Transfer to
      Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

        Link with GitHub

        Please authorize HackMD on GitHub
        • Please sign in to GitHub and install the HackMD app on your GitHub repo.
        • HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.
        Learn more  Sign in to GitHub

        Push the note to GitHub Push to GitHub Pull a file from GitHub

          Authorize again
         

        Choose which file to push to

        Select repo
        Refresh Authorize more repos
        Select branch
        Select file
        Select branch
        Choose version(s) to push
        • Save a new version and push
        • Choose from existing versions
        Include title and tags
        Available push count

        Pull from GitHub

         
        File from GitHub
        File from HackMD

        GitHub Link Settings

        File linked

        Linked by
        File path
        Last synced branch
        Available push count

        Danger Zone

        Unlink
        You will no longer receive notification when GitHub file changes after unlink.

        Syncing

        Push failed

        Push successfully