# Flatcar Container Linux Release - February 16th, 2023 ## Beta 3493.1.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: __GO__ ## Stable 3374.2.4 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: __GO__ ## Communication --- #### Guidelines / Things to Remember - Release notes are used in a PR and will appear on https://www.flatcar.org/releases/ - [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post). --- ### Announcement Message Subject: Announcing new releases Beta 3493.1.0, Stable 3374.2.4 Hello, We are pleased to announce a new Flatcar Container Linux release for the Beta and Stable channels. #### New Beta 3493.1.0 Release _Changes since **Beta 3446.1.1**_ #### Security fixes: - Linux ([CVE-2022-4129](https://nvd.nist.gov/vuln/detail/CVE-2022-4129), [CVE-2022-4382](https://nvd.nist.gov/vuln/detail/CVE-2022-4382), [CVE-2022-4842](https://nvd.nist.gov/vuln/detail/CVE-2022-4842), [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559)) - Go ([CVE-2022-41717](https://nvd.nist.gov/vuln/detail/CVE-2022-41717)) - containerd ([CVE-2022-23471](https://nvd.nist.gov/vuln/detail/CVE-2022-23471)) - git ([CVE-2022-23521](https://nvd.nist.gov/vuln/detail/CVE-2022-23521), [CVE-2022-41903](https://nvd.nist.gov/vuln/detail/CVE-2022-41903)) - glib ([fixes to normal form handling in GVariant](https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835)) - libarchive ([CVE-2022-36227](https://nvd.nist.gov/vuln/detail/CVE-2022-36227)) - systemd ([CVE-2022-3821](https://nvd.nist.gov/vuln/detail/CVE-2022-3821), [CVE-2022-4415](https://nvd.nist.gov/vuln/detail/CVE-2022-4415)) - vim ([CVE-2022-3491](https://nvd.nist.gov/vuln/detail/CVE-2022-3491), [CVE-2022-3520](https://nvd.nist.gov/vuln/detail/CVE-2022-3520), [CVE-2022-3591](https://nvd.nist.gov/vuln/detail/CVE-2022-3591), [CVE-2022-4141](https://nvd.nist.gov/vuln/detail/CVE-2022-4141), [CVE-2022-4292](https://nvd.nist.gov/vuln/detail/CVE-2022-4292), [CVE-2022-4293](https://nvd.nist.gov/vuln/detail/CVE-2022-4293)) - SDK: Python ([CVE-2015-20107](https://nvd.nist.gov/vuln/detail/CVE-2015-20107), [CVE-2020-10735](https://nvd.nist.gov/vuln/detail/CVE-2020-10735), [CVE-2021-3654](https://nvd.nist.gov/vuln/detail/CVE-2021-3654), [CVE-2022-37454](https://nvd.nist.gov/vuln/detail/CVE-2022-37454), [CVE-2022-42919](https://nvd.nist.gov/vuln/detail/CVE-2022-42919), [CVE-2022-45061](https://nvd.nist.gov/vuln/detail/CVE-2022-45061)) - SDK: qemu ([CVE-2020-14394](https://nvd.nist.gov/vuln/detail/CVE-2020-14394), [CVE-2022-0216](https://nvd.nist.gov/vuln/detail/CVE-2022-0216), [CVE-2022-3872](https://nvd.nist.gov/vuln/detail/CVE-2022-3872)) - SDK: rust ([CVE-2022-46176](https://nvd.nist.gov/vuln/detail/CVE-2022-46176)) #### Updates: - Linux ([5.15.92](https://lwn.net/Articles/922340) (includes [5.15.91](https://lwn.net/Articles/921851), [5.15.90](https://lwn.net/Articles/921029))) - Linux Firmware ([20230117](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20230117)) - Docker ([20.10.22](https://docs.docker.com/engine/release-notes/20.10/#201022)) - adcli ([0.9.2](https://gitlab.freedesktop.org/realmd/adcli/-/commits/8e88e3590a19006362ea8b8dfdc18bb88b3cb3b5/)) - binutils ([2.39](https://sourceware.org/pipermail/binutils/2022-August/122246.html)) - containerd ([1.6.15](https://github.com/containerd/containerd/releases/tag/v1.6.15) (includes [1.6.14](https://github.com/containerd/containerd/releases/tag/v1.6.14), [1.6.13](https://github.com/containerd/containerd/releases/tag/v1.6.13), [1.6.12](https://github.com/containerd/containerd/releases/tag/v1.6.12))) - cri-tools ([1.24.2](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.24.2)) - elfutils ([0.188](https://sourceware.org/pipermail/elfutils-devel/2022q4/005561.html) (includes [0.187](https://sourceware.org/pipermail/elfutils-devel/2022q2/004978.html)) - file ([5.43](https://mailman.astron.com/pipermail/file/2022-September/000857.html)) - gawk ([5.2.1](https://lists.gnu.org/archive/html/help-gawk/2022-11/msg00008.html) (includes [5.2.0](https://lists.gnu.org/archive/html/help-gawk/2022-09/msg00000.html))) - git ([2.38.3](https://github.com/git/git/blob/v2.38.3/Documentation/RelNotes/2.38.3.txt)) - glib ([2.74.4](https://gitlab.gnome.org/GNOME/glib/-/tags/2.74.4)) - GNU C Library ([2.36](https://sourceware.org/pipermail/libc-alpha/2022-August/141193.html)) - Go ([1.19.5](https://go.dev/doc/devel/release#go1.19.5)) - I2C tools ([4.3](https://git.kernel.org/pub/scm/utils/i2c-tools/i2c-tools.git/tree/CHANGES?id=d8bc1f1ff4b00a6bd988aa114100ae9b787f50d8)) - Intel Microcode Package ([20221108](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20221108)) - libcap-ng ([0.8.3](https://people.redhat.com/sgrubb/libcap-ng/ChangeLog)) - libseccomp ([2.5.4](https://github.com/seccomp/libseccomp/releases/tag/v2.5.4) (includes [2.5.2](https://github.com/seccomp/libseccomp/releases/tag/v2.5.2), [2.5.3](https://github.com/seccomp/libseccomp/releases/tag/v2.5.3))) - MIT Kerberos V ([1.20.1](https://web.mit.edu/kerberos/krb5-1.20/krb5-1.20.1.html)) - nettle ([3.8.1](https://git.lysator.liu.se/nettle/nettle/-/blob/990abad16ceacd070747dcc76ed16a39c129321e/ChangeLog)) - rsync ([3.2.7](https://download.samba.org/pub/rsync/NEWS#3.2.7)) - shadow ([4.13](https://github.com/shadow-maint/shadow/releases/tag/4.13)) - sqlite ([3.40.1](https://www.sqlite.org/releaselog/3_40_1.html) (includes [3.40.0](https://www.sqlite.org/releaselog/3_40_0.html))) - systemd ([251.10](https://github.com/systemd/systemd-stable/commits/v251.10) (includes [251](https://github.com/systemd/systemd/releases/tag/v251))) - vim ([9.0.1000](https://github.com/vim/vim/releases/tag/v9.0.1000)) - XZ utils ([5.2.10](https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=d92fa88a835180af5d6ff22ad0e240d6468f81af;hb=f7c2cc55618b9af3318f0c908cf8db0df1e28e7c)) - OEM: python-oem ([3.9.16](https://www.python.org/downloads/release/python-3916/)) - SDK: libpng ([1.6.39](http://www.libpng.org/pub/png/src/libpng-1.6.39-README.txt) (includes [1.6.38](http://www.libpng.org/pub/png/src/libpng-1.6.38-README.txt))) - SDK: perl ([5.36.0](https://perldoc.perl.org/5.36.0/perldelta)) - SDK: portage ([3.0.41](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.41)) - SDK: qemu ([7.1.0](https://wiki.qemu.org/ChangeLog/7.1)) - SDK: Rust ([1.66.1](https://github.com/rust-lang/rust/releases/tag/1.66.1)) _Changes since **Alpha 3493.0.0**_ #### Security fixes: - Linux ([CVE-2022-4129](https://nvd.nist.gov/vuln/detail/CVE-2022-4129), [CVE-2022-4382](https://nvd.nist.gov/vuln/detail/CVE-2022-4382), [CVE-2022-4842](https://nvd.nist.gov/vuln/detail/CVE-2022-4842), [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559)) #### Bug fixes: #### Changes: #### Updates: - Linux ([5.15.92](https://lwn.net/Articles/922340) (includes [5.15.91](https://lwn.net/Articles/921851), [5.15.90](https://lwn.net/Articles/921029))) - cri-tools ([1.24.2](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.24.2)) #### New Stable 3374.2.4 Release _Changes since **Stable 3374.2.3**_ #### Security fixes: - Linux ([CVE-2022-36280](https://nvd.nist.gov/vuln/detail/CVE-2022-36280), [CVE-2022-41218](https://nvd.nist.gov/vuln/detail/CVE-2022-41218), [CVE-2022-47929](https://nvd.nist.gov/vuln/detail/CVE-2022-47929), [CVE-2023-0045](https://nvd.nist.gov/vuln/detail/CVE-2023-0045), [CVE-2023-0179](https://nvd.nist.gov/vuln/detail/CVE-2023-0179), [CVE-2023-0210](https://nvd.nist.gov/vuln/detail/CVE-2023-0210), [CVE-2023-0266](https://nvd.nist.gov/vuln/detail/CVE-2023-0266), [CVE-2023-0394](https://nvd.nist.gov/vuln/detail/CVE-2023-0394), [CVE-2023-23454](https://nvd.nist.gov/vuln/detail/CVE-2023-23454), [CVE-2023-23455](https://nvd.nist.gov/vuln/detail/CVE-2023-23455)) #### Updates: - Linux ([5.15.89](https://lwn.net/Articles/920321) (includes [5.15.88](https://lwn.net/Articles/920012), [5.15.87](https://lwn.net/Articles/919793))) - ca-certificates ([3.88.1](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_88_1.html)) - cri-tools ([1.24.2](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.24.2)) Best, The Flatcar Container Linux Maintainers --- ### Security **Subject**: Security issues fixed with the latest Beta 3493.1.0, Stable 3374.2.4 releases **Security fix**: With the Beta 3493.1.0, Stable 3374.2.4 releases we ship fixes for the CVEs listed below. #### Beta 3493.1.0 * Go * [CVE-2022-41717](https://nvd.nist.gov/vuln/detail/CVE-2022-41717) CVSSv3 score: 5.3(Medium) An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. * Linux * [CVE-2022-4129](https://nvd.nist.gov/vuln/detail/CVE-2022-4129) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. * [CVE-2022-4382](https://nvd.nist.gov/vuln/detail/CVE-2022-4382) CVSSv3 score: 6.4(Medium) A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side. * [CVE-2022-4842](https://nvd.nist.gov/vuln/detail/CVE-2022-4842) CVSSv3 score: 5.5(Medium) A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system. * [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559) CVSSv3 score: 7.8(High) In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. * Python * [CVE-2015-20107](https://nvd.nist.gov/vuln/detail/CVE-2015-20107) CVSSv3 score: 7.6(High) In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9 * [CVE-2020-10735](https://nvd.nist.gov/vuln/detail/CVE-2020-10735) CVSSv3 score: 7.5(High) A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability. * [CVE-2021-3654](https://nvd.nist.gov/vuln/detail/CVE-2021-3654) CVSSv3 score: 6.1(Medium) A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL. * [CVE-2022-37454](https://nvd.nist.gov/vuln/detail/CVE-2022-37454) CVSSv3 score: 9.8(Critical) The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. * [CVE-2022-42919](https://nvd.nist.gov/vuln/detail/CVE-2022-42919) CVSSv3 score: 7.8(High) Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9. * [CVE-2022-45061](https://nvd.nist.gov/vuln/detail/CVE-2022-45061) CVSSv3 score: 7.5(High) An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. * SDK: qemu * [CVE-2020-14394](https://nvd.nist.gov/vuln/detail/CVE-2020-14394) CVSSv3 score: 3.2(Low) An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service. * [CVE-2022-0216](https://nvd.nist.gov/vuln/detail/CVE-2022-0216) CVSSv3 score: 4.4(Medium) A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service. * [CVE-2022-3872](https://nvd.nist.gov/vuln/detail/CVE-2022-3872) CVSSv3 score: 8.6(High) An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. * SDK: rust * [CVE-2022-46176](https://nvd.nist.gov/vuln/detail/CVE-2022-46176) CVSSv3 score: 5.9(Medium) Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible. * containerd * [CVE-2022-23471](https://nvd.nist.gov/vuln/detail/CVE-2022-23471) CVSSv3 score: 6.5(Medium) containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. * git * [CVE-2022-23521](https://nvd.nist.gov/vuln/detail/CVE-2022-23521) CVSSv3 score: n/a Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue. * [CVE-2022-41903](https://nvd.nist.gov/vuln/detail/CVE-2022-41903) CVSSv3 score: n/a Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`. * libarchive * [CVE-2022-36227](https://nvd.nist.gov/vuln/detail/CVE-2022-36227) CVSSv3 score: 9.8(Critical) In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution." * systemd * [CVE-2022-3821](https://nvd.nist.gov/vuln/detail/CVE-2022-3821) CVSSv3 score: 5.5(Medium) An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. * [CVE-2022-4415](https://nvd.nist.gov/vuln/detail/CVE-2022-4415) CVSSv3 score: 5.5(Medium) A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting. * vim * [CVE-2022-3491](https://nvd.nist.gov/vuln/detail/CVE-2022-3491) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742. * [CVE-2022-3520](https://nvd.nist.gov/vuln/detail/CVE-2022-3520) CVSSv3 score: 9.8(Critical) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. * [CVE-2022-3591](https://nvd.nist.gov/vuln/detail/CVE-2022-3591) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0789. * [CVE-2022-4141](https://nvd.nist.gov/vuln/detail/CVE-2022-4141) CVSSv3 score: 7.8(High) Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing an attacker to CTRL-W gf in the expression used in the RHS of the substitute command. * [CVE-2022-4292](https://nvd.nist.gov/vuln/detail/CVE-2022-4292) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0882. * [CVE-2022-4293](https://nvd.nist.gov/vuln/detail/CVE-2022-4293) CVSSv3 score: 5.5(Medium) Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804. #### Stable 3374.2.4 * Linux * [CVE-2022-36280](https://nvd.nist.gov/vuln/detail/CVE-2022-36280) CVSSv3 score: 5.5(Medium) An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). * [CVE-2022-41218](https://nvd.nist.gov/vuln/detail/CVE-2022-41218) CVSSv3 score: 5.5(Medium) In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release. * [CVE-2022-47929](https://nvd.nist.gov/vuln/detail/CVE-2022-47929) CVSSv3 score: 5.5(Medium) In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands. This affects qdisc_graft in net/sched/sch_api.c. * [CVE-2023-0045](https://nvd.nist.gov/vuln/detail/CVE-2023-0045) CVSSv3 score: n/a * [CVE-2023-0179](https://nvd.nist.gov/vuln/detail/CVE-2023-0179) CVSSv3 score: n/a * [CVE-2023-0210](https://nvd.nist.gov/vuln/detail/CVE-2023-0210) CVSSv3 score: n/a * [CVE-2023-0266](https://nvd.nist.gov/vuln/detail/CVE-2023-0266) CVSSv3 score: 7.8(High) A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e * [CVE-2023-0394](https://nvd.nist.gov/vuln/detail/CVE-2023-0394) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. * [CVE-2023-23454](https://nvd.nist.gov/vuln/detail/CVE-2023-23454) CVSSv3 score: 5.5(Medium) cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). * [CVE-2023-23455](https://nvd.nist.gov/vuln/detail/CVE-2023-23455) CVSSv3 score: 5.5(Medium) atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). --- ### Communication #### Go/No-Go message for Matrix/Slack Go/No-Go Meeting for Beta 3393.1.0, Stable 3374.2.4 Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/ Tracking issue: https://github.com/flatcar/Flatcar/issues/960 The Go/No-Go document is in our HackMD @flatcar namespace Link: https://hackmd.io/@flatcar/B1OVBm3jo Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait. Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat. @MAINTAINER @MAINTAINER @MAINTAINER #### Mastodon _The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._ New #flatcar Beta and Stable releases now available! 📦 Many package updates for Beta: Linux, systemd, glibc and more 🔒 CVE fixes & security patches: Linux, Go, containerd and more 📜 Release notes at the usual spot: https://www.flatcar.org/releases/ #linux #cloudnative #containers #containerlinux #release #### Kubernetes Slack _This goes in the #flatcar channel_ Please welcome Flatcar releases of this month: - Beta 3493.1.0 (major release) - Stable 3374.2.4 (maintenance release) These releases include: 📦 Many package updates for Beta: Linux, systemd, glibc and more 🔒 CVE fixes & security patches: Linux, Go, containerd and more 📜 Release notes at the usual spot: https://www.flatcar.org/releases/