owned this note
owned this note
Published
Linked with GitHub
# Flatcar Container Linux Release - 2022-06-01
## alpha-3255.0.0
- AMD64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_
## beta-3227.1.0
- AMD64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_
## stable-3139.2.2
- AMD64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_
## lts-3033.3.1
- AMD64-usr
- Platforms succeeded: All
- Platforms failed: cl.locksmith.cluster is flaky on EM
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
- Make sure the the LTS (channel) is referred to as `LTS-2022`, and not `LTS-3033`
---
### Announcement Message
Subject: Announcing new Alpha 3255.0.0, Beta 3227.1.0, Stable 3139.2.2, LTS-2022 3033.3.1 releases.
Hello,
We are pleased to announce new Flatcar Container Linux releases for the Alpha, Beta, Stable and LTS-2022 channels.
# New **Alpha** Release **3255.0.0**
_Changes since **Alpha 3227.0.0**_
## Security fixes:
- Linux ([CVE-2022-1734](https://nvd.nist.gov/vuln/detail/CVE-2022-1734), [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893), [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012), [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729))
- Go ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526))
- curl ([CVE-2022-22576](https://nvd.nist.gov/vuln/detail/CVE-2022-22576), [CVE-2022-27774](https://nvd.nist.gov/vuln/detail/CVE-2022-27774), [CVE-2022-27775](https://nvd.nist.gov/vuln/detail/CVE-2022-27775), [CVE-2022-27776](https://nvd.nist.gov/vuln/detail/CVE-2022-27776), [CVE-2022-27778](https://nvd.nist.gov/vuln/detail/CVE-2022-27778), [CVE-2022-27779](https://nvd.nist.gov/vuln/detail/CVE-2022-27779), [CVE-2022-27780](https://nvd.nist.gov/vuln/detail/CVE-2022-27780), [CVE-2022-27781](https://nvd.nist.gov/vuln/detail/CVE-2022-27781), [CVE-2022-27782](https://nvd.nist.gov/vuln/detail/CVE-2022-27782), [CVE-2022-30115](https://nvd.nist.gov/vuln/detail/CVE-2022-30115))
- Docker ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526))
- git ([CVE-2022-24765](https://nvd.nist.gov/vuln/detail/CVE-2022-24765))
- ncurses ([CVE-2022-29458](https://nvd.nist.gov/vuln/detail/CVE-2022-29458))
- openssl ([CVE-2022-1292](https://nvd.nist.gov/vuln/detail/CVE-2022-1292), [CVE-2022-1343](https://nvd.nist.gov/vuln/detail/CVE-2022-1343), [CVE-2022-1434](https://nvd.nist.gov/vuln/detail/CVE-2022-1434), [CVE-2022-1473](https://nvd.nist.gov/vuln/detail/CVE-2022-1473))
- nvidia-drivers ([CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181), [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183), [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184), [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185))
- rsync ([CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032))
- runc ([CVE-2022-29162](https://nvd.nist.gov/vuln/detail/CVE-2022-29162))
- Torcx ([CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191))
- SDK: qemu ([CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203), [CVE-2021-3713](https://nvd.nist.gov/vuln/detail/CVE-2021-3713), [CVE-2021-3930](https://nvd.nist.gov/vuln/detail/CVE-2021-3930), [CVE-2021-3947](https://nvd.nist.gov/vuln/detail/CVE-2021-3947), [CVE-2021-4145](https://nvd.nist.gov/vuln/detail/CVE-2021-4145), [CVE-2022-26353](https://nvd.nist.gov/vuln/detail/CVE-2022-26353), [CVE-2022-26354](https://nvd.nist.gov/vuln/detail/CVE-2022-26354))
## Bug fixes:
- Ensured `/etc/flatcar/update.conf` exists because it happens to be used as flag file for Ansible ([init#71](https://github.com/flatcar-linux/init/pull/71))
- Fixed Ignition's OEM ID to be `metal` to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID `pxe` was used ([bootengine#45](https://github.com/flatcar-linux/bootengine/pull/45))
- Added `networkd` translation to `files` section when converting from Ignition 2.x to Ignition 3.x ([coreos-overlay#1910](https://github.com/flatcar-linux/coreos-overlay/pull/1910), [flatcar#741](https://github.com/flatcar-linux/Flatcar/issues/741))
- GCP: Fixed shutdown script execution ([coreos-overlay#1912](https://github.com/flatcar-linux/coreos-overlay/pull/1912), [flatcar#743](https://github.com/flatcar-linux/Flatcar/issues/743))
## Changes:
- VMware: Added VMware networking configuration in the initramfs via guestinfo settings ([bootengine#44](https://github.com/flatcar-linux/bootengine/pull/44), [flatcar#717](https://github.com/flatcar-linux/Flatcar/issues/717))
## Updates:
- Linux ([5.15.43](https://lwn.net/Articles/896231/) (includes [5.15.42](https://lwn.net/Articles/896226), [5.15.41](https://lwn.net/Articles/895645), [5.15.40](https://lwn.net/Articles/895318), [5.15.39](https://lwn.net/Articles/895070), [5.15.38](https://lwn.net/Articles/894357)))
- Linux Firmware ([20220509](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220509))
- Go ([1.18.2](https://go.googlesource.com/go/+/refs/tags/go1.18.2))
- Docker ([20.10.16](https://docs.docker.com/engine/release-notes/#201016) (includes [20.10.15](https://docs.docker.com/engine/release-notes/#201015)))
- containerd ([1.6.4](https://github.com/containerd/containerd/releases/tag/v1.6.4))
- curl ([7.83.1](https://curl.se/mail/lib-2022-05/0010.html))
- dbus ([1.12.22](https://gitlab.freedesktop.org/dbus/dbus/-/blob/177ab044bc87cbc4ded75d21b900795a6fefef76/NEWS))
- e2fsprogs ([1.46.5](http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.5))
- git ([2.35.3](https://github.com/git/git/blob/v2.35.3/Documentation/RelNotes/2.35.3.txt))
- ldb ([2.4.1](https://gitlab.com/samba-team/samba/-/commit/a795e0c84597aa045d011e663dbad3cdabf0f1e6))
- ncurses ([6.3_p20220423](https://lists.gnu.org/archive/html/info-gnu/2021-11/msg00001.html))
- nvidia-drivers ([510.73.05](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-510-73-05/index.html))
- openssl ([3.0.3](https://www.openssl.org/news/changelog.html#openssl-30))
- rsync ([3.2.4](https://download.samba.org/pub/rsync/NEWS.html#3.2.4))
- runc ([1.1.2](https://github.com/opencontainers/runc/releases/tag/v1.1.2))
- samba ([4.15.4](https://www.samba.org/samba/history/samba-4.15.4.html))
- sqlite ([3.38.1](https://www.sqlite.org/releaselog/3_38_1.html))
- talloc ([2.3.3](https://gitlab.com/samba-team/samba/-/commit/bc1ee7ca0640f0136e5af7dcc4ca8ed0a5893053))
- tevent ([0.11.0](https://gitlab.com/samba-team/samba/-/commit/de4e8a1af9564f6056f9af90867c2f013449051c))
- gdbm ([1.22](https://lists.gnu.org/archive/html/info-gnu/2021-10/msg00006.html))
- new: acpid ([2.0.33](https://sourceforge.net/p/acpid2/code/ci/2.0.33/tree/Changelog))
- OEM: python ([3.9.12](https://www.python.org/downloads/release/python-3912/))
- OEM: python-distro ([1.7.0](https://github.com/python-distro/distro/releases/tag/v1.7.0))
- SDK: python ([3.9.12](https://www.python.org/downloads/release/python-3912/))
- SDK: qemu ([7.0.0](https://wiki.qemu.org/ChangeLog/7.0))
- SDK: Rust ([1.61.0](https://github.com/rust-lang/rust/releases/tag/1.61.0))
- VMware: open-vm-tools ([12.0.5](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.0.5))
# New **Beta** Release **3227.1.0**
_Changes since **Beta 3185.1.1**_
## Security fixes:
- Linux ([CVE-2022-1734](https://nvd.nist.gov/vuln/detail/CVE-2022-1734), [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893), [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012), [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729))
- Go ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526))
- containerd ([CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769))
- gnutls ([CVE-2021-4209](https://nvd.nist.gov/vuln/detail/CVE-2021-4209), [GNUTLS-SA-2022-01-17](https://gitlab.com/gnutls/gnutls/-/issues/1277))
- gzip,xz-utils ([CVE-2022-1271](https://nvd.nist.gov/vuln/detail/CVE-2022-1271))
- libarchive ([CVE-2022-26280](https://nvd.nist.gov/vuln/detail/CVE-2022-26280))
- nvidia-drivers ([CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181), [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183), [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184), [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185))
- util-linux ([CVE-2021-3995](https://nvd.nist.gov/vuln/detail/CVE-2021-3995), [CVE-2021-3996](https://nvd.nist.gov/vuln/detail/CVE-2021-3996), [CVE-2022-0563](https://nvd.nist.gov/vuln/detail/CVE-2022-0563))
- zlib ([CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032))
## Bug fixes:
- Ensured `/etc/flatcar/update.conf` exists because it happens to be used as flag file for Ansible ([init#71](https://github.com/flatcar-linux/init/pull/71))
- Fixed Ignition's OEM ID to be `metal` to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID `pxe` was used ([bootengine#45](https://github.com/flatcar-linux/bootengine/pull/45))
- Added `networkd` translation to `files` section when converting from Ignition 2.x to Ignition 3.x ([coreos-overlay#1910](https://github.com/flatcar-linux/coreos-overlay/pull/1910), [flatcar#741](https://github.com/flatcar-linux/Flatcar/issues/741))
- GCP: Fixed shutdown script execution ([coreos-overlay#1912](https://github.com/flatcar-linux/coreos-overlay/pull/1912), [flatcar#743](https://github.com/flatcar-linux/Flatcar/issues/743))
## Changes:
- Enabled `CONFIG_INTEL_RAPL` on AMD64 Kernel config to compile `intel_rapl_common` module in order to allow power monitoring on modern Intel processors ([flatcar#coreos-overlay#1801](https://github.com/flatcar-linux/coreos-overlay/pull/1801))
## Updates:
- Linux ([5.15.43](https://lwn.net/Articles/896231/) (includes [5.15.42](https://lwn.net/Articles/896226), [5.15.41](https://lwn.net/Articles/895645), [5.15.40](https://lwn.net/Articles/895318), [5.15.39](https://lwn.net/Articles/895070), [5.15.38](https://lwn.net/Articles/894357)))
- Linux Firmware ([20220411](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220411))
- Go ([1.17.10](https://go.googlesource.com/go/+/refs/tags/go1.17.10))
- afterburn ([5.2.0](https://github.com/coreos/afterburn/releases/tag/v5.2.0))
- bind-tools ([9.16.27](https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_27/CHANGES))
- conntrack-tools ([1.4.6](https://lists.netfilter.org/pipermail/netfilter-announce/2020/000240.html))
- containerd ([1.6.3](https://github.com/containerd/containerd/releases/tag/v1.6.3) (includes [1.6.2](https://github.com/containerd/containerd/releases/tag/v1.6.2)))
- Docker ([20.10.14](https://docs.docker.com/engine/release-notes/#201014))
- e2fsprogs ([1.46.4](http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.4))
- elfutils ([0.186](https://sourceware.org/git/?p=elfutils.git;a=blob;f=NEWS;h=490932ae4ef9b5a3af01d2c8c616f14d57586046;hb=983e86fd89e8bf02f2d27ba5dce5bf078af4ceda))
- gnutls ([3.7.3](https://gitlab.com/gnutls/gnutls/-/merge_requests/1517))
- gzip ([1.12](https://savannah.gnu.org/forum/forum.php?forum_id=10157) (includes [1.11](https://lists.gnu.org/archive/html/info-gnu/2021-09/msg00002.html)))
- jansson ([2.14](https://github.com/akheron/jansson/blob/v2.14/CHANGES))
- libarchive [3.6.1](https://github.com/libarchive/libarchive/releases/tag/v3.6.1)
- libbsd ([0.11.3](https://gitlab.freedesktop.org/libbsd/libbsd/-/commits/0.11.3/))
- libnetfilter_queue ([1.0.5](https://git.netfilter.org/libnetfilter_queue/log/?h=libnetfilter_queue-1.0.5))
- libpcap ([1.10.1](https://git.tcpdump.org/libpcap/blob/c7642e2cc0c5bd65754685b160d25dc23c76c6bd:/CHANGES))
- libtasn1 ([4.17.0](https://gitlab.com/gnutls/libtasn1/-/blob/v4.17.0/NEWS))
- liburing ([2.1](https://github.com/axboe/liburing/commits/liburing-2.1))
- mdadm ([4.2](https://lore.kernel.org/all/28fdbc45-96ca-7cdb-3ced-a5f65d978048@trained-monkey.org/T/))
- multipath-tools ([0.8.7](https://github.com/opensvc/multipath-tools/commits/0.8.7))
- nghttp2 ([1.45.1](https://github.com/nghttp2/nghttp2/releases/tag/v1.45.1))
- nvidia-drivers ([510.73.05](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-510-73-05/index.html))
- oniguruma ([6.9.7.1](https://github.com/kkos/oniguruma/releases/tag/v6.9.7.1))
- open-isns ([0.101](https://github.com/open-iscsi/open-isns/blob/v0.101/ChangeLog))
- pcre2 ([10.39](https://github.com/PhilipHazel/pcre2/blob/pcre2-10.39/NEWS))
- runc ([1.1.1](https://github.com/opencontainers/runc/releases/tag/v1.1.1))
- tcpdump ([4.99.1](https://git.tcpdump.org/tcpdump/blob/5f552b5e6e9fe05f7ad9681d51d0303233daba6a:/CHANGES))
- unzip ([6.0_p26](https://metadata.ftp-master.debian.org/changelogs//main/u/unzip/unzip_6.0-26_changelog))
- util-linux ([2.37.4](https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/v2.37.4-ChangeLog))
- zlib ([1.2.12](https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/ChangeLog#L4))
- SDK: Rust ([1.60.0](https://github.com/rust-lang/rust/releases/tag/1.60.0))
_Changes since **Alpha 3227.0.0**_
## Security fixes:
- Linux ([CVE-2022-1734](https://nvd.nist.gov/vuln/detail/CVE-2022-1734), [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893), [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012), [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729))
- Go ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526))
- nvidia-drivers ([CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181), [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183), [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184), [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185))
## Bug fixes:
- Ensured `/etc/flatcar/update.conf` exists because it happens to be used as flag file for Ansible ([init#71](https://github.com/flatcar-linux/init/pull/71))
- Fixed Ignition's OEM ID to be `metal` to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID `pxe` was used ([bootengine#45](https://github.com/flatcar-linux/bootengine/pull/45))
- Added `networkd` translation to `files` section when converting from Ignition 2.x to Ignition 3.x ([coreos-overlay#1910](https://github.com/flatcar-linux/coreos-overlay/pull/1910), [flatcar#741](https://github.com/flatcar-linux/Flatcar/issues/741))
- GCP: Fixed shutdown script execution ([coreos-overlay#1912](https://github.com/flatcar-linux/coreos-overlay/pull/1912), [flatcar#743](https://github.com/flatcar-linux/Flatcar/issues/743))
## Updates:
- Linux ([5.15.43](https://lwn.net/Articles/896231/) (includes [5.15.42](https://lwn.net/Articles/896226), [5.15.41](https://lwn.net/Articles/895645), [5.15.40](https://lwn.net/Articles/895318), [5.15.39](https://lwn.net/Articles/895070), [5.15.38](https://lwn.net/Articles/894357)))
- Go ([1.17.10](https://go.googlesource.com/go/+/refs/tags/go1.17.10))
- nvidia-drivers ([510.73.05](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-510-73-05/index.html))
# New **Stable** Release **3139.2.2**
_Changes since **Stable 3139.2.1**_
## Security fixes:
- Linux ([CVE-2022-1734](https://nvd.nist.gov/vuln/detail/CVE-2022-1734), [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893), [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012), [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729))
- Go ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526))
## Bug fixes:
- Ensured `/etc/flatcar/update.conf` exists because it happens to be used as flag file for Ansible ([init#71](https://github.com/flatcar-linux/init/pull/71))
- GCP: Fixed shutdown script execution ([coreos-overlay#1912](https://github.com/flatcar-linux/coreos-overlay/pull/1912), [flatcar#743](https://github.com/flatcar-linux/Flatcar/issues/743))
## Updates:
- Linux ([5.15.43](https://lwn.net/Articles/896231/) (includes [5.15.42](https://lwn.net/Articles/896226), [5.15.41](https://lwn.net/Articles/895645), [5.15.40](https://lwn.net/Articles/895318), [5.15.39](https://lwn.net/Articles/895070), [5.15.38](https://lwn.net/Articles/894357)))
- Go ([1.17.10](https://go.googlesource.com/go/+/refs/tags/go1.17.10))
# New **LTS-2022** Release **3033.3.1**
_Changes since **LTS-2022 3033.3.0**_
## Security fixes:
- Linux ([CVE-2022-28390](https://nvd.nist.gov/vuln/detail/CVE-2022-28390), [CVE-2022-0168](https://nvd.nist.gov/vuln/detail/CVE-2022-0168), [CVE-2022-1158](https://nvd.nist.gov/vuln/detail/CVE-2022-1158), [CVE-2022-1353](https://nvd.nist.gov/vuln/detail/CVE-2022-1353), [CVE-2022-30594](https://nvd.nist.gov/vuln/detail/CVE-2022-30594), [CVE-2022-1198](https://nvd.nist.gov/vuln/detail/CVE-2022-1198), [CVE-2022-28389](https://nvd.nist.gov/vuln/detail/CVE-2022-28389), [CVE-2022-28388](https://nvd.nist.gov/vuln/detail/CVE-2022-28388), [CVE-2022-1516](https://nvd.nist.gov/vuln/detail/CVE-2022-1516), [CVE-2022-29582](https://nvd.nist.gov/vuln/detail/CVE-2022-29582), [CVE-2021-4197](https://nvd.nist.gov/vuln/detail/CVE-2021-4197), [CVE-2022-1204](https://nvd.nist.gov/vuln/detail/CVE-2022-1204), [CVE-2022-1205](https://nvd.nist.gov/vuln/detail/CVE-2022-1205), [CVE-2022-29581](https://nvd.nist.gov/vuln/detail/CVE-2022-29581), [CVE-2022-1836](https://nvd.nist.gov/vuln/detail/CVE-2022-1836), [CVE-2022-1734](https://nvd.nist.gov/vuln/detail/CVE-2022-1734), [CVE-2022-0494](https://nvd.nist.gov/vuln/detail/CVE-2022-0494), [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893), [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729), [CVE-2022-0854](https://nvd.nist.gov/vuln/detail/CVE-2022-0854))
## Bug fixes:
- Ensured `/etc/flatcar/update.conf` exists because it happens to be used as flag file for Ansible ([init#71](https://github.com/flatcar-linux/init/pull/71))
## Updates:
- Linux ([5.10.118](https://lwn.net/Articles/896225/) (includes [5.10.117](https://lwn.net/Articles/895646), [5.10.116](https://lwn.net/Articles/895319), [5.10.115](https://lwn.net/Articles/895071), [5.10.114](https://lwn.net/Articles/894358), [5.10.113](https://lwn.net/Articles/892813), [5.10.112](https://lwn.net/Articles/891997), [5.10.111](https://lwn.net/Articles/891252), [5.10.110](https://lwn.net/Articles/890723)))
- ca-certificates ([3.78](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_78.html))
Best,
The Flatcar Container Linux Maintainers
---
### Security
**Subject**: Security issues fixed with the latest Alpha 3255.0.0, Beta 3227.1.0, Stable 3139.2.2, LTS-2022 3033.3.1 releases
**Security fix**: With the Alpha 3255.0.0, Beta 3227.1.0, Stable 3139.2.2, LTS-2022 3033.3.1 releases we ship a fix for the CVEs listed below.
#### Alpha
* Linux
* [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012) CVSSv3 score: n/a
* [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729) CVSSv3 score: n/a
* [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893) CVSSv3 score: 7.8(High)
The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.
* curl
* [CVE-2022-22576](https://nvd.nist.gov/vuln/detail/CVE-2022-22576) CVSSv3 score: n/a
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
* [CVE-2022-27774](https://nvd.nist.gov/vuln/detail/CVE-2022-27774) CVSSv3 score: n/a
curl follows HTTP(S) redirects when asked to. curl also supports authentication. When a user and password are provided for a URL with a given hostname, curl makes an effort to not pass on those credentials to other hosts in redirects unless given permission with a special option. This "same host check" has been flawed all since it was introduced. It does not work on cross protocol redirects and it does not consider different port numbers to be separate hosts. This leads to curl leaking credentials to other servers when it follows redirects from auth protected HTTP(S) URLs to other protocols and port numbers. It could also leak the TLS SRP credentials this way. By default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked to allow redirects to all protocols curl supports.
* [CVE-2022-27775](https://nvd.nist.gov/vuln/detail/CVE-2022-27775) CVSSv3 score: n/a
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take the IPv6 address zone id into account which could lead to libcurl reusing the wrong connection when one transfer uses a zone id and a subsequent transfer uses another (or no) zone id.
* [CVE-2022-27776](https://nvd.nist.gov/vuln/detail/CVE-2022-27776) CVSSv3 score: n/a
curl might leak authentication or cookie header data on HTTP redirects to the same host but another port number. When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host which name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme. Contrary to expectation and intention. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom Authorization: or Cookie: headers, as those headers often contain privacy sensitive information or data. curl and libcurl have options that allow users to opt out from this check, but that is not set by default.
* [CVE-2022-27778](https://nvd.nist.gov/vuln/detail/CVE-2022-27778) CVSSv3 score: n/a
curl might remove the wrong file when --no-clobber is used together with --remove-on-error. The --remove-on-error option tells curl to remove the output file when it returns an error, and not leave a partial file behind. The --no-clobber option prevents curl from overwriting a file if it already exists, and instead appends a number to the name to create a new unused file name. If curl adds a number to not "clobber" the output and an error occurs during transfer, the remove on error logic would remove the original file name without the added number.
* [CVE-2022-27779](https://nvd.nist.gov/vuln/detail/CVE-2022-27779) CVSSv3 score: n/a
libcurl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot. curl can be told to receive and send cookies when communicating using HTTP(S). curl's "cookie engine" can be built with or without Public Suffix List awareness. If PSL support not provided, a more rudimentary check exists to at least prevent cookies from being set on TLDs. This check was broken if the host name in the URL uses a trailing dot. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.
* [CVE-2022-27780](https://nvd.nist.gov/vuln/detail/CVE-2022-27780) CVSSv3 score: n/a
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a different URL using the wrong host name when it is later retrieved. For example, a URL like http://example.com%2F10.0.0.1/, would be allowed by the parser and get transposed into http://example.com/10.0.0.1/. This flaw can be used to circumvent filters, checks and more.
* [CVE-2022-27781](https://nvd.nist.gov/vuln/detail/CVE-2022-27781) CVSSv3 score: n/a
libcurl provides the CURLOPT_CERTINFO option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.
* [CVE-2022-27782](https://nvd.nist.gov/vuln/detail/CVE-2022-27782) CVSSv3 score: n/a
libcurl provides the CURLOPT_CERTINFO option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.
* [CVE-2022-30115](https://nvd.nist.gov/vuln/detail/CVE-2022-30115) CVSSv3 score: n/a
curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or the other way around - by having the trailing dot in the HSTS cache and not using the trailing dot in the URL. Since trailing dots in host names are somewhat special, many sites work equally fine with or without a trailing dot present.
* docker
* [CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526) CVSSv3 score: n/a
Fix Faccessat on Linux. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
* git
* [CVE-2022-24765](https://nvd.nist.gov/vuln/detail/CVE-2022-24765) CVSSv3 score: 7.8(High)
Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`.
* go
* [CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526) CVSSv3 score: n/a
Fix Faccessat on Linux. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
* ncurses
* [CVE-2022-29458](https://nvd.nist.gov/vuln/detail/CVE-2022-29458) CVSSv3 score: 7.1(High)
ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.
* nvidia-drivers
* [CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181) CVSSv3 score: n/a
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components.
* [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183) CVSSv3 score: 7.1(High)
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure.
* [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184) CVSSv3 score: n/a
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can access administrator- privileged registers, which may lead to denial of service, information disclosure, and data tampering.
* [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185) CVSSv3 score: n/a
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the ECC layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to denial of service and data tampering.
* openssl
* [CVE-2022-1292](https://nvd.nist.gov/vuln/detail/CVE-2022-1292) CVSSv3 score: 9.8(Critical)
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
* [CVE-2022-1343](https://nvd.nist.gov/vuln/detail/CVE-2022-1343) CVSSv3 score: 5.3(Medium)
The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
* [CVE-2022-1434](https://nvd.nist.gov/vuln/detail/CVE-2022-1434) CVSSv3 score: 5.9(Medium)
The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
* [CVE-2022-1473](https://nvd.nist.gov/vuln/detail/CVE-2022-1473) CVSSv3 score: 7.5(High)
The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
* rsync
* [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) CVSSv3 score: 7.5(High)
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
* runc
* [CVE-2022-29162](https://nvd.nist.gov/vuln/detail/CVE-2022-29162) CVSSv3 score: n/a
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.
* torcx
* [CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191) CVSSv3 score: 7.5(High)
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
* SDK: qemu
* [CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203) CVSSv3 score: 3.2(Low)
An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
* [CVE-2021-3713](https://nvd.nist.gov/vuln/detail/CVE-2021-3713) CVSSv3 score: 7.4(High)
An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.
* [CVE-2021-3930](https://nvd.nist.gov/vuln/detail/CVE-2021-3930) CVSSv3 score: 6.5(Medium)
An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
* [CVE-2021-3947](https://nvd.nist.gov/vuln/detail/CVE-2021-3947) CVSSv3 score: 5.5(Medium)
A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information.
* [CVE-2021-4145](https://nvd.nist.gov/vuln/detail/CVE-2021-4145) CVSSv3 score: 6.5(Medium)
A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.
* [CVE-2022-26353](https://nvd.nist.gov/vuln/detail/CVE-2022-26353) CVSSv3 score: 7.5(High)
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.
* [CVE-2022-26354](https://nvd.nist.gov/vuln/detail/CVE-2022-26354) CVSSv3 score: 3.2(Low)
A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.
#### Beta
* Linux
* [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012) CVSSv3 score: n/a
* [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729) CVSSv3 score: n/a
* [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893) CVSSv3 score: 7.8(High)
The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.
* containerd
* [CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769) CVSSv3 score: n/a
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.
* gnutls
* [CVE-2021-4209](https://nvd.nist.gov/vuln/detail/CVE-2021-4209) CVSSv3 score: n/a
Using gnutls with guile disabled, null pointer may passed to memcpy as argument 2, causing null pointer dereference.
* [GNUTLS-SA-2022-01-17](https://gitlab.com/gnutls/gnutls/-/issues/1277)
When a single trust list object is shared among multiple threads, calls to gnutls_x509_trust_list_verify_crt2() was able to corrupt temporary memory where internal copy of an issuer certificate is stored. The code path is only taken when a PKCS#11 based trust store is enabled and the issuer certificate is already stored as trusted. This affects GnuTLS 3.7.0 to 3.7.2
* go
* [CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526) CVSSv3 score: n/a
Fix Faccessat on Linux. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
* gzip,xz-utils
* [CVE-2022-1271](https://nvd.nist.gov/vuln/detail/CVE-2022-1271) CVSSv3 score: n/a
Malicious filenames can make zgrep and xzgrep to write to arbitrary files or (with a GNU sed extension) lead to arbitrary code execution. The issue with the old sed script is that with multiple newlines, the N-command will read the second line of input, then the s-commands will be skipped because it's not the end of the file yet, then a new sed cycle starts and the pattern space is printed and emptied. So only the last line or two get escaped.
* libarchive
* [CVE-2022-26280](https://nvd.nist.gov/vuln/detail/CVE-2022-26280) CVSSv3 score: 9.1(Critical)
Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.
* nvidia-drivers
* [CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181) CVSSv3 score: n/a
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components.
* [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183) CVSSv3 score: 7.1(High)
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure.
* [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184) CVSSv3 score: n/a
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can access administrator- privileged registers, which may lead to denial of service, information disclosure, and data tampering.
* [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185) CVSSv3 score: n/a
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the ECC layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to denial of service and data tampering.
* util-linux
* [CVE-2021-3995](https://nvd.nist.gov/vuln/detail/CVE-2021-3995) CVSSv3 score: n/a
This issue is related to parsing the /proc/self/mountinfo file allows an unprivileged user to unmount other user's filesystems that are either world-writable themselves or mounted in a world-writable directory.
* [CVE-2021-3996](https://nvd.nist.gov/vuln/detail/CVE-2021-3996) CVSSv3 score: n/a
Improper UID check in libmount allows an unprivileged user to unmount FUSE filesystems of users with similar UID.
* [CVE-2022-0563](https://nvd.nist.gov/vuln/detail/CVE-2022-0563) CVSSv3 score: 5.5(Medium)
A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.
* zlib
* [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) CVSSv3 score: 7.5(High)
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
#### Stable
* Linux
* [CVE-2022-1012](https://nvd.nist.gov/vuln/detail/CVE-2022-1012) CVSSv3 score: n/a
* [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729) CVSSv3 score: n/a
* [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893) CVSSv3 score: 7.8(High)
The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.
* go
* [CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526) CVSSv3 score: n/a
Fix Faccessat on Linux. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
#### LTS-2022
* Linux
* [CVE-2022-0494](https://nvd.nist.gov/vuln/detail/CVE-2022-0494) CVSSv3 score: 4.4(Medium)
A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality.
* [CVE-2022-0854](https://nvd.nist.gov/vuln/detail/CVE-2022-0854) CVSSv3 score: 5.5(Medium)
A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.
* [CVE-2022-1729](https://nvd.nist.gov/vuln/detail/CVE-2022-1729) CVSSv3 score: n/a
* [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893) CVSSv3 score: 7.8(High)
The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.
Best,
The Flatcar Container Linux Maintainers
---
### Communication
#### Twitter
_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
A fresh new set of Flatcar releases is available!
📦 More than 20 package updates (Linux, curl, ...)
📜 Release notes in usual spot: https://www.flatcar.org/releases/
#### Kubernetes Slack
_This goes in the #flatcar channel_
First release message in this channel! Please welcome a new batch of Flatcar releases:
- Alpha 3255.0.0 (new major)
- Beta 3227.1.0 (promoted from Alpha)
- Stable 3139.2.2 (maintenance release)
- LTS-2022 3033.3.1 (maintenance release)
These releases include:
📦 More than 20 package updates including security fixes (Linux, curl, ...)
🩹 Some bugfixes (GCP shutdown script, PXE booting, ...)
📜 Release notes in usual spot: https://www.flatcar.org/releases/