# Flatcar Container Linux Release - June 19th, 2023 ## Alpha 3637.0.0 - AMD64-usr - Platforms succeeded: all - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: all - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Beta 3602.1.1 - AMD64-usr - Platforms succeeded: all - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: all - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Stable 3510.2.3 - AMD64-usr - Platforms succeeded: all - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: all - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## LTS 3033.3.14 - AMD64-usr - Platforms succeeded: all - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: all - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Communication --- #### Guidelines / Things to Remember - Release notes are used in a PR and will appear on https://www.flatcar.org/releases/ - [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post). - Make sure the the LTS is referred to as `LTS-2021`, and not `LTS-2605` --- ### Announcement Message Subject: Announcing new releases Alpha 3637.0.0, Beta 3602.1.1, Stable 3510.2.3, LTS 3033.3.14 Hello, We are pleased to announce a new Flatcar Container Linux release for Alpha, Beta, Stable, and LTS channel. ### New Alpha Release 3637.0.0 _Changes since **Alpha 3619.0.0**_ #### Security fixes: - Go ([CVE-2023-29402](https://nvd.nist.gov/vuln/detail/CVE-2023-29402), [CVE-2023-29403](https://nvd.nist.gov/vuln/detail/CVE-2023-29403), [CVE-2023-29404](https://nvd.nist.gov/vuln/detail/CVE-2023-29404), [CVE-2023-29405](https://nvd.nist.gov/vuln/detail/CVE-2023-29405)) - c-ares ([CVE-2023-31124](https://nvd.nist.gov/vuln/detail/CVE-2023-31124), [CVE-2023-31130](https://nvd.nist.gov/vuln/detail/CVE-2023-31130), [CVE-2023-31147](https://nvd.nist.gov/vuln/detail/CVE-2023-31147), [CVE-2023-32067](https://nvd.nist.gov/vuln/detail/CVE-2023-32067)) - sudo ([CVE-2023-27320](https://nvd.nist.gov/vuln/detail/CVE-2023-27320), [CVE-2023-28486](https://nvd.nist.gov/vuln/detail/CVE-2023-28486), [CVE-2023-28487](https://nvd.nist.gov/vuln/detail/CVE-2023-28487)) - VMware: open-vm-tools ([CVE-2023-20867](https://nvd.nist.gov/vuln/detail/CVE-2023-20867)) #### Bug fixes: - Resolved the conflicting FD usage of libselinux and systemd which caused, e.g., a systemd crash on certain watchdog interaction during shutdown (patch in systemd 252.11) #### Changes: - Added TLS Kernel module ([scripts#865](https://github.com/flatcar/scripts/pull/865)) - Added support for multipart MIME userdata in coreos-cloudinit. Ignition now detects multipart userdata and delegates execution to coreos-cloudinit. ([scripts#873](https://github.com/flatcar/scripts/pull/873)) - Enabled the virtio GPU driver ([scripts#830](https://github.com/flatcar/scripts/pull/830)) - Migrate to Type=notify in containerd.service. Changed the unit to Type=notify, utilizing the existing containerd support for sd_notify call after socket setup. ([scripts#866](https://github.com/flatcar/scripts/pull/866)) - Migrated the NVIDIA installer from the Azure/AWS OEM partition to `/usr` to make it available on all platforms ([scripts#932](https://github.com/flatcar/scripts/pull/932/), [Flatcar#1077](https://github.com/flatcar/Flatcar/issues/1077)) - Azure and QEMU OEM images now use systemd-sysext images for layering additional platform-specific software on top of `/usr`. For Azure images this also means that the image has a normal Python installation available through the sysext image. The OEM software is still not updated but this will be added soon. - Moved a mountpoint of the OEM partition from `/usr/share/oem` to `/oem`. `/usr/share/oem` became a symlink to `/oem` for backward compatibility. Despite the move, the initrd images providing files through `/usr/share/oem` should keep using `/usr/share/oem`. The move was done to enable activating the OEM sysext images that are placed in the OEM partition. #### Updates: - Linux ([6.1.34](https://lwn.net/Articles/934623) (includes [6.1.33](https://lwn.net/Articles/934319), [6.1.32](https://lwn.net/Articles/933908), [6.1.31](https://lwn.net/Articles/933281))) - Go ([1.20.5](https://go.dev/doc/devel/release#go1.20.5)) - c-ares ([1.19.1](https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1)) - ca-certificates ([3.90](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_90.html)) - coreutils ([9.1](https://git.savannah.gnu.org/cgit/coreutils.git/tree/NEWS?h=v9.1)) - debianutils ([5.7](https://metadata.ftp-master.debian.org/changelogs//main/d/debianutils/debianutils_5.7-0.4_changelog)) - ethtool ([6.2](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/tree/NEWS?h=v6.2)) - grep ([3.8](http://savannah.gnu.org/forum/forum.php?forum_id=10227)) - hwdata ([0.367](https://github.com/vcrhonek/hwdata/releases/tag/v0.367)) - iproute ([6.2](https://lwn.net/Articles/923952/)) - kbd ([2.5.1](https://github.com/legionus/kbd/releases/tag/v2.5.1)) - kexec-tools ([2.0.24](https://github.com/horms/kexec-tools/releases/tag/v2.0.24)) - kmod ([30](https://lwn.net/Articles/899526/)) - less ([632](http://www.greenwoodsoftware.com/less/news.632.html)) - nvme-cli ([2.3](https://github.com/linux-nvme/nvme-cli/releases/tag/v2.3)) - pciutils ([3.9.0](https://github.com/pciutils/pciutils/releases/tag/v3.9.0)) - sed ([4.9](https://lists.gnu.org/archive/html/info-gnu/2022-11/msg00001.html)) - smartmontools ([7.3](https://github.com/smartmontools/smartmontools/releases/tag/RELEASE_7_3)) - strace ([6.2](https://github.com/strace/strace/releases/tag/v6.2)) - sudo ([1.9.13p3](https://www.sudo.ws/releases/stable/#1.9.13p3)) - systemd ([252.11](https://github.com/systemd/systemd-stable/releases/tag/v252.11) (from 252.5)) - usbutils ([015](https://github.com/gregkh/usbutils/blob/79b796f945ea7d5c2b0e2a74f9b8819cb7948680/NEWS)) - util-linux ([2.38.1](https://github.com/util-linux/util-linux/releases/tag/v2.38.1)) - SDK: Rust ([1.70.0](https://github.com/rust-lang/rust/releases/tag/1.70.0)) - SDK: man-db ([2.11.2](https://gitlab.com/man-db/man-db/-/tags/2.11.2)) - SDK: man-pages ([6.03](https://lore.kernel.org/lkml/d56662b2-538c-7252-9052-8afbf325f843@gmail.com/T/)) - VMware: open-vm-tools ([12.2.5](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.2.5)) ### New Beta Release 3602.1.1 _Changes since **Beta 3602.1.0**_ #### Bug fixes: - Resolved the conflicting FD usage of libselinux and systemd which caused, e.g., a systemd crash on certain watchdog interaction during shutdown (patch in systemd 252.11) #### Updates: - Linux ([5.15.117](https://lwn.net/Articles/934622) (includes [5.15.116](https://lwn.net/Articles/934320), [5.15.115](https://lwn.net/Articles/933909), [5.15.114](https://lwn.net/Articles/933280))) - ca-certificates ([3.90](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_90.html)) - systemd ([252.11](https://github.com/systemd/systemd-stable/releases/tag/v252.11) (from 252.5)) ### New Stable Release 3510.2.3 _Changes since **Stable 3510.2.2**_ #### Security fixes: - Linux ([CVE-2022-48425](https://nvd.nist.gov/vuln/detail/CVE-2022-48425)) #### Updates: - Linux ([5.15.113](https://lwn.net/Articles/932883) (includes [5.15.112](https://lwn.net/Articles/932134))) - ca-certificates ([3.90](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_90.html)) ## New LTS Release 3033.3.14 _Changes since **LTS 3033.3.13**_ #### Security fixes: - Linux ([CVE-2022-4269](https://nvd.nist.gov/vuln/detail/CVE-2022-4269)) #### Updates: - Linux ([5.10.184](https://lwn.net/Articles/934624) (includes [5.10.183](https://lwn.net/Articles/934321), [5.10.182](https://lwn.net/Articles/933910), [5.10.181](https://lwn.net/Articles/933279))) - ca-certificates ([3.90](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_90.html)) #### Detailed Security Report **Security fix**: With the Alpha 3637.0.0, Beta 3602.1.1, Stable 3510.2.3, LTS 3033.3.14 release we ship fixes for the CVEs listed below. #### Alpha 3637.0.0 * Go * [CVE-2023-29402](https://nvd.nist.gov/vuln/detail/CVE-2023-29402) CVSSv3 score: 9.8(Critical) The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). * [CVE-2023-29403](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) CVSSv3 score: 7.8(High) On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. * [CVE-2023-29404](https://nvd.nist.gov/vuln/detail/CVE-2023-29404) CVSSv3 score: 9.8(Critical) The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers. * [CVE-2023-29405](https://nvd.nist.gov/vuln/detail/CVE-2023-29405) CVSSv3 score: 9.8(Critical) The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler. * VMware: open-vm-tools * [CVE-2023-20867](https://nvd.nist.gov/vuln/detail/CVE-2023-20867) CVSSv3 score: n/a A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. * c-ares * [CVE-2023-31124](https://nvd.nist.gov/vuln/detail/CVE-2023-31124) CVSSv3 score: n/a c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. * [CVE-2023-31130](https://nvd.nist.gov/vuln/detail/CVE-2023-31130) CVSSv3 score: 6.4(Medium) c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. * [CVE-2023-31147](https://nvd.nist.gov/vuln/detail/CVE-2023-31147) CVSSv3 score: 6.5(Medium) c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1. * [CVE-2023-32067](https://nvd.nist.gov/vuln/detail/CVE-2023-32067) CVSSv3 score: n/a c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. * sudo * [CVE-2023-27320](https://nvd.nist.gov/vuln/detail/CVE-2023-27320) CVSSv3 score: 7.2(High) Sudo before 1.9.13p2 has a double free in the per-command chroot feature. * [CVE-2023-28486](https://nvd.nist.gov/vuln/detail/CVE-2023-28486) CVSSv3 score: 5.3(Medium) Sudo before 1.9.13 does not escape control characters in log messages. * [CVE-2023-28487](https://nvd.nist.gov/vuln/detail/CVE-2023-28487) CVSSv3 score: 5.3(Medium) Sudo before 1.9.13 does not escape control characters in sudoreplay output. #### Stable 3510.2.3 * Linux * [CVE-2022-48425](https://nvd.nist.gov/vuln/detail/CVE-2022-48425) CVSSv3 score: 7.8(High) In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs. #### LTS 3033.3.14 * Linux * [CVE-2022-4269](https://nvd.nist.gov/vuln/detail/CVE-2022-4269) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition. Best, The Flatcar Container Linux Maintainers --- ### Communication #### Go/No-Go message for Matrix/Slack Go/No-Go Meeting for Alpha 3637.0.0, Beta 3602.1.1, Stable 3510.2.3, LTS 3033.3.14 Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/ Tracking issue: https://github.com/flatcar/Flatcar/issues/1075 The Go/No-Go document is in our HackMD @flatcar namespace Link: https://hackmd.io/8JL2aHykTjyn-J4k_JN8gQ?both Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait. Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat. @MAINTAINER @MAINTAINER @MAINTAINER #### Mastodon _The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._ New Flatcar releases for all channels 📦 Many package updates: Linux, nvme-cli, strace and others 🔒 CVE fixes & security patches: Go, c-ares, sudo and others 📜 Release notes at the usual spot: https://www.flatcar.org/releases/ #### Kubernetes Slack _This goes in the #flatcar channel_ Please welcome Flatcar releases of this month: - Alpha 3637.0.0 (new major) - Beta 3602.1.1 (maintenance release) - Stable 3510.2.3 (maintenance release) - LTS-2022 3033.3.14 (maintenance release) These releases include: 📦 Many package updates: Linux, nvme-cli, strace and others 🔒 CVE fixes & security patches: Go, c-ares, sudo and others 📜 Release notes at the usual spot: https://www.flatcar.org/releases/