HackMD
Security tracking
Summary
Schedule of tracking security issues of Flatcar
This table describes a rough schedule of who should be in charge of regularly tracking security issues for Flatcar, especially tracking issues from upstream projects like Gentoo Linux.
| Week of | Primary | Secondary |
|---|---|---|
| 2025-03-10 | Dongsu | Mathieu |
| 2025-03-17 | Mathieu | Sayan |
| 2025-03-24 | Sayan | Dongsu |
| 2025-03-31 | Dongsu | Mathieu |
| 2025-04-07 | Mathieu | Sayan |
| 2025-04-14 | Sayan | Dongsu |
what to do
Primary person should do so:
- Every day look into upstream security trackers like below:
- Gentoo security vulnerabilities. It might be useful to use
gorss+ RSS feed for this. - oss-security mailing list
- Golang announce mailing list
- Rust security announcements
- (optional) issue trackers of other distros like RedHat vulnerabilities
- Gentoo security vulnerabilities. It might be useful to use
- Whenever we discover any new CVE, we add it to the CVE spreadsheets (still private), and click the link (above left) to generate new issues. Then we should be able to see a new issue created in Flatcar GitHub issues with labels
securityandadvisory. - If an issue of updating the specific package affected by the new CVE is already open in Flatcar GitHub issues, then unfortunately we need to manually edit the existing issue to add the new CVE.
Security tracking meeting notes
2023-12-04 (Mon)
News
- High: intel-microcode CVE-2023-23583 https://github.com/flatcar/Flatcar/issues/1254
- update to >= 20231114
- weekly updates https://github.com/flatcar/scripts/pull/1460
- Unknown: gnutls CVE-2023-5981 https://github.com/flatcar/Flatcar/issues/1277
- update to >= 3.8.2
- ebuild exists, not stable yet
- Unknown: go CVE-2023-39326 https://groups.google.com/g/golang-announce/c/TABUsV4-FiU
- update to >= 1.20.12
- to be public on 2023-12-05
On-going issues
- High: vim https://github.com/flatcar/Flatcar/issues/1214
- update to >= 9.0.2068
- Medium: nvidia-drivers CVE-2023-31022 https://github.com/flatcar/Flatcar/issues/1228
- update to >= 535.129.03
- Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
- update to >= 13.2.1_p20231014
- Medium: openssl CVE-2023-{3817,5363} https://github.com/flatcar/Flatcar/issues/1141
- update to >= 3.0.12
- needs manual updates
- Medium: nasm CVE-2019-8343 https://github.com/flatcar/Flatcar/issues/1100
- update to >= 2.16.01-r1
- Done: open-vm-tools CVE-2023-3405[89] https://github.com/flatcar/Flatcar/issues/1229
- did update to >= 12.3.5
2023-11-06 (Mon)
News
- High: vim https://github.com/flatcar/Flatcar/issues/1214
- update to >= 9.0.2068
- Medium: nvidia-drivers CVE-2023-31022 https://github.com/flatcar/Flatcar/issues/1228
- update to >= 535.129.03
- Unknown: open-vm-tools CVE-2023-3405[89] https://github.com/flatcar/Flatcar/issues/1229
- update to >= 12.3.5
- PR https://github.com/flatcar/scripts/pull/1318
- Unknown: Go CVE-2023-4528[34]
- update to >= 1.20.11
- https://groups.google.com/g/golang-announce/c/ZLYrkKN4Bd4
On-going issues
- Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
- update to >= 13.2.1_p20231014
- Medium: openssl CVE-2023-{3817,5363} https://github.com/flatcar/Flatcar/issues/1141
- update to >= 3.0.12
- needs manual updates
- Done: glibc CVE-2023-4911 https://github.com/flatcar/Flatcar/issues/1198
- did update to 2.37-r7
- Done: Go CVE-2023-39323 https://github.com/flatcar/Flatcar/issues/1200
- did update to >= 1.20.9
- Done: grub CVE-2023-469[23] https://github.com/flatcar/Flatcar/issues/1199
- did update to 2.06-r9
- Done: libtirpc 1.3.4 https://github.com/flatcar/Flatcar/issues/1204
- did update to 1.3.4
- Done: samba CVE-2023-4091 https://github.com/flatcar/Flatcar/issues/1213
- did update to 4.18.8
2023-10-09 (Mon)
News
- High: glibc CVE-2023-4911 https://github.com/flatcar/Flatcar/issues/1198
- update to >= 2.37-r7
- Unknown: grub CVE-2023-469[23] https://github.com/flatcar/Flatcar/issues/1199
- update to >= 2.06-r9
- Unknown: Go CVE-2023-39323 https://github.com/flatcar/Flatcar/issues/1200
- update to >= 1.20.9
- PR https://github.com/flatcar/scripts/pull/1230
- Unknown: libtirpc 1.3.4 https://github.com/flatcar/Flatcar/issues/1204
- update to >= 1.3.4
On-going issues
- Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
- TBD
- Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
- update to >= 3.0.10
- needs manual updates
- Done: curl CVE-2023-38039 https://github.com/flatcar/Flatcar/issues/1178
- update to >= 8.3.0
- Done: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
- did update to 5.4.6
- Done: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
- did update to 1.20.2
- Done: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
- did update to 4.0.4
- Done: samba CVE-{2021-44142,2022-1615} https://github.com/flatcar/Flatcar/issues/1184
- did update to 4.18.4
2023-09-25 (Mon)
News
- High: curl CVE-2023-38039 https://github.com/flatcar/Flatcar/issues/1178
- update to >= 8.3.0
- High: samba CVE-{2021-44142,2022-1615} https://github.com/flatcar/Flatcar/issues/1184
- update to >= 4.17.5
- needs manual updates
- Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
- TBD
- Done: glibc CVE-2023-{4527,4806} https://github.com/flatcar/Flatcar/issues/1179
- did update to 2.37-r5
On-going issues
- High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
- update to >= 5.4.6
- in weekly updates
- Medium: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
- update to >= 1.20.2 or >= 1.21.1
- needs manual updates
- Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
- update to >= 3.0.10,
- needs manual updates
- Medium: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
- update to >= 4.0.4
- its ebuild is still unstable
- Done: Go CVE-2023-3931[89], CVE-2023-3932[0-2] https://github.com/flatcar/Flatcar/issues/1174
- did update to 1.20.8
- included in Alpha 3732.0.0
- Done: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
- did update to 525.125.06
- included in Alpha 3732.0.0
2023-09-11 (Mon)
News
- Unknown: Go CVE-2023-3931[89], CVE-2023-3932[0-2] https://github.com/flatcar/Flatcar/issues/1174
- update to >= 1.20.8
- PR https://github.com/flatcar/scripts/pull/1129
- Done: open-vm-tools CVE-2023-20900 https://github.com/flatcar/Flatcar/issues/1164
- did update to 12.3.0
- PR https://github.com/flatcar/scripts/pull/1101
On-going issues
- High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
- update to >= 525.125.06
- PR https://github.com/flatcar/scripts/pull/1121
- High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
- update to >= 5.4.6
- Gentoo ebuild is available, still unstable
- Medium: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
- update to >= 1.20.2 or >= 1.21.1
- Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
- update to >= 3.0.10
- Medium: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
- ebuild is there, still unstable
- Done: Downfall (intel-microcode and Kernel) CVE-2022-{40982,41804}, CVE-2023-23908 https://github.com/flatcar/Flatcar/issues/1155
- did update to intel-microcode >= 20230808_p20230804
- did update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
- Done: AMD Inception CVE-2023-20569 https://github.com/flatcar/Flatcar/issues/1156
- did update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
- Done: python CVE-2023-{40217,41105} https://bugs.gentoo.org/912976
- did update to 3.11.5
2023-08-28 (Mon)
News
- Medium: Downfall (intel-microcode and Kernel) CVE-2022-{40982,41804}, CVE-2023-23908 https://github.com/flatcar/Flatcar/issues/1155
- did update to intel-microcode >= 20230808_p20230804
- update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
- High: AMD Inception CVE-2023-20569 https://github.com/flatcar/Flatcar/issues/1156
- update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
- Medium: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
- update to >= 1.20.2 or >= 1.21.1
- Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
- update to >= 3.0.10
- Medium: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
- Unknown: python CVE-2023-{40217,41105} https://bugs.gentoo.org/912976
- update to >= 3.11.5
- Done: Rust CVE-2023-38497 https://github.com/flatcar/Flatcar/issues/1150
- did update to 1.71.1
On-going issues
- High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
- update to >= 525.125.06
- High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
- update to >= 5.4.6
- Gentoo ebuild is available, still unstable
- Done: curl CVE-2023-32001 https://github.com/flatcar/Flatcar/issues/1123
- did update to 8.2.1
- Done: grub many CVEs https://github.com/flatcar/Flatcar/issues/1099
- did update to 2.06
- Done: Go CVE-2023-29409 https://github.com/flatcar/Flatcar/issues/1149
- update to >= 1.20.7 & 1.19.12
- Done: libarchive https://github.com/flatcar/Flatcar/issues/1138
- did update to 3.7.1
- Done: libxml2 20230428 https://github.com/flatcar/Flatcar/issues/1118
- did update to 2.11.4
- Done: linux-firmware & Kernel CVE-2023-20593 https://github.com/flatcar/Flatcar/issues/1134
- did update to linux-firmware = 20230625_p20230724
- did update to Kernel 6.1.41, 5.15.122, 5.10.187
- Done: openssl CVE-2023-{2975,3446} https://github.com/flatcar/Flatcar/issues/1122
- did update to 3.0.9-r2
- Done: shadow CVE-2023-29383, etc. https://github.com/flatcar/Flatcar/issues/1085
- did update to 4.13-r4
- Done: vim CVE-2023-26{09,10} https://github.com/flatcar/Flatcar/issues/1086
- did update to 9.0.1677
2023-07-31 (Mon)
News
- Medium: linux-firmware & Kernel CVE-2023-20593 https://github.com/flatcar/Flatcar/issues/1134
- update to linux-firmware >= 20230625_p20230724 - needs manual update
- update to Kernel 6.1.41, 5.15.122, 5.10.187
- Medium: curl CVE-2023-32001 https://github.com/flatcar/Flatcar/issues/1123
- update to >= 8.2.0
- Medium: openssl CVE-2023-{2975,3446} https://github.com/flatcar/Flatcar/issues/1122
- update to >= 3.0.9-r2
- Unknown: Go CVE-2023-29409 https://groups.google.com/g/golang-announce/c/7b0c3Z5Ko8g
- update to >= 1.20.7 & 1.19.12
- Unknown: Go golang.org/x/net/html CVE-2023-3978 https://groups.google.com/g/golang-announce/c/qB2Cuod1A14
- Unknown: libarchive https://github.com/flatcar/Flatcar/issues/1138
- update to >= 3.7.1
- Done: openssh CVE-2023-38408 https://github.com/flatcar/Flatcar/issues/1133
- update to >= 9.3_p2
On-going issues
- High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
- update to >= 525.125.06
- High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
- update to >= 5.4.6
- Gentoo ebuild is available, still unstable
- High: vim CVE-2023-26{09,10} https://github.com/flatcar/Flatcar/issues/1086
- update to >= 9.0.1532, Gentoo ebuild for 9.0.1627 unstable available
- Low: shadow CVE-2023-29383, etc. https://github.com/flatcar/Flatcar/issues/1085
- update to >= 4.13-r4
- Unknown: libxml2 20230428 https://github.com/flatcar/Flatcar/issues/1118
- update to >= 2.11.4
- weekly PR https://github.com/flatcar/scripts/pull/1025
- Done: Go CVE-2023-29406 https://github.com/flatcar/Flatcar/issues/1117
- did update to 1.20.6, 1.19.11 https://github.com/flatcar/scripts/pull/988
- Done: openldap CVE-2023-2953 https://github.com/flatcar/Flatcar/issues/1120
- did update to 2.5.14
2023-07-17 (Mon)
News
- High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
- update to >= 525.125.06
- High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
- update to >= 5.4.6
- Gentoo ebuild is available, still unstable
- High: openldap CVE-2023-2953 https://github.com/flatcar/Flatcar/issues/1120
- update to >= 2.6.4-r1
- Unknown: Go CVE-2023-29406 https://github.com/flatcar/Flatcar/issues/1117
- PR to update to 1.20.6, 1.19.11 https://github.com/flatcar/scripts/pull/988
- Unknown: libxml2 20230428 https://github.com/flatcar/Flatcar/issues/1118
- update to >= 2.11.4
- weekly PR https://github.com/flatcar/scripts/pull/987
- Done: protobuf CVE-2022-1941 https://github.com/flatcar/Flatcar/issues/1112
- did update to 21.9
On-going issues
- High: vim https://github.com/flatcar/Flatcar/issues/1086
- did update to 9.0.1503, fixed CVE-2023-2426
- other CVEs: update to >= 9.0.1532, Gentoo ebuild for 9.0.1627 unstable available
- Medium: binutils https://github.com/flatcar/Flatcar/issues/1053
- did update to 2.40, fixed CVE-2022-{38533, 4285}, CVE-2023-{1579,2222}.
- CVE-2023-1972 is still open, TBD
- Medium: ipxe CVE-2022-4087 https://github.com/flatcar/Flatcar/issues/1083
- update to 1.21.1_p20230601
- Medium: libarchive https://github.com/flatcar/Flatcar/issues/1054
- update to > 3.6.2, but no release available yet
- Low: shadow CVE-2023-29383, etc. https://github.com/flatcar/Flatcar/issues/1085
- update to >= 4.13-r4
- Done: libmicrohttpd CVE-2023-27371 https://github.com/flatcar/Flatcar/issues/1084
- did update to 0.9.76
- Done: ncurses CVE-2023-29491 https://github.com/flatcar/Flatcar/issues/1045
- did update to 6.4_20230527
- Done: openssl https://github.com/flatcar/Flatcar/issues/1050
- did update to 3.0.9
2023-06-19 (Mon)
News
- Medium: ipxe CVE-2022-4087 https://github.com/flatcar/Flatcar/issues/1083
- update to 1.21.1_p20230601
- Done: open-vm-tools CVE-2023-20867 https://github.com/flatcar/Flatcar/issues/1080
- did update to 12.2.5
On-going issues
- High: openssl https://github.com/flatcar/Flatcar/issues/1050
- update to >= 3.0.9
- Gentoo ebuild available, unstable
- High: vim https://github.com/flatcar/Flatcar/issues/1086
- update to >= 9.0.1532
- no Gentoo ebuild
- High/hold: binutils https://github.com/flatcar/Flatcar/issues/1053
- update to > 2.40, wait until Gentoo ebuild of 2.40 becomes stable
- High/blocked: ncurses CVE-2023-29491 https://github.com/flatcar/Flatcar/issues/1045
- update to >= 6.4_20230418, masked (not 20230408)
- Medium: libarchive https://github.com/flatcar/Flatcar/issues/1054
- update to > 3.6.2, but no release available yet
- Medium: libmicrohttpd CVE-2023-27371 https://github.com/flatcar/Flatcar/issues/1084
- update to >= 0.9.76
- Low: shadow CVE-2023-29383 https://github.com/flatcar/Flatcar/issues/1085
- update to >= 4.13-r3
- Done: Go 1.20.5 & 1.19.10 https://github.com/flatcar/Flatcar/issues/1069
- did update, to be released in Alpha 3634.0.0
- Done: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/flatcar/Flatcar/issues/1038
- did update to >= 1.9.13p2
2023-06-05 (Mon)
News
- High: openssl https://github.com/flatcar/Flatcar/issues/1050
- update to >= 3.0.9
- Gentoo ebuild available, unstable
- Medium: libarchive https://github.com/flatcar/Flatcar/issues/1054
- update to > 3.6.2, but no release available yet
- ?: Go 1.20.5 & 1.19.10 https://groups.google.com/g/golang-announce/c/1AItFMBjrfw
- to be released on 2023-06-06
On-going issues
- High: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/flatcar/Flatcar/issues/1038
- update to >= 1.9.13p2
- PR https://github.com/flatcar/scripts/pull/872
- High: vim https://github.com/flatcar/security-nondisclosed/issues/333
- update to >= 9.0.1532
- no Gentoo ebuild
- High/hold: binutils https://github.com/flatcar/Flatcar/issues/1053
- update to > 2.40, wait until Gentoo ebuild of 2.40 becomes stable
- High/blocked: ncurses CVE-2023-29491 https://github.com/flatcar/Flatcar/issues/1045
- update to >= 6.4_20230418, masked (not 20230408)
- Medium: libmicrohttpd CVE-2023-27371 https://github.com/flatcar/security-nondisclosed/issues/329
- update to >= 0.9.76
- Low: shadow CVE-2023-29383 https://github.com/flatcar/security-nondisclosed/issues/325
- update to >= 4.13-r3
- Done: git https://github.com/kinvolk/security/issues/324
- did update to >= 2.39.3
2023-05-15 (Mon)
News
- High: vim https://github.com/kinvolk/security/issues/333
- update to >= 9.0.1532
- no Gentoo ebuild
On-going issues
- High: git https://github.com/kinvolk/security/issues/324
- update to >= 2.39.3
- weekly PR
- High: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/kinvolk/security/issues/314
- update to >= 1.9.13p2
- High/hold: binutils https://github.com/kinvolk/security/issues/254
- update to > 2.40, wait until Gentoo ebuild becomes stable
- High/blocked: ncurses CVE-2023-29491 https://github.com/kinvolk/security/issues/323
- update to >= 6.4_20230418, masked (not 20230408)
- Medium: libmicrohttpd CVE-2023-27371 https://github.com/kinvolk/security/issues/329
- update to >= 0.9.76
- Medium/blocked: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
- unclear if/when upstream could fix it in 20.10.x.
- Low: shadow CVE-2023-29383 https://github.com/kinvolk/security/issues/325
- update to >= 4.13-r3
- Done: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
- did update to 5.2_p15-r2
- Done: c-ares CVE-2022-4904 https://github.com/kinvolk/security/issues/300
- did update to 1.19
- Done: curl https://github.com/kinvolk/security/issues/319
- did update to 8.0.1
- Done: Go 1.19.9 https://github.com/kinvolk/security/issues/331
- did update to 1.19.9
- Done: libxml2 https://github.com/kinvolk/security/issues/322
- did update to 2.10.4
- Done: openssh CVE-2023-28531 https://github.com/kinvolk/security/issues/326
- did update to 9.3 in Alpha
- Done: openssl https://github.com/kinvolk/security/issues/318
- did update to 3.0.8-r4
2023-05-02 (Tue)
News
- Critical: openssh CVE-2023-28531 https://github.com/kinvolk/security/issues/326
- update to >= 9.3 in Alpha
- High(?): git https://github.com/kinvolk/security/issues/324
- update to >= 2.39.3
- Medium: libmicrohttpd CVE-2023-27371 https://github.com/kinvolk/security/issues/329
- update to >= 0.9.76
- Low: shadow CVE-2023-29383 https://github.com/kinvolk/security/issues/325
- update to >= 4.13-r3
- High/SDK: dnsmasq CVE-2023-28450 https://github.com/kinvolk/security/issues/327
- update to >= 2.90
- Medium/SDK: qemu CVE-2023-{0330,1544} https://github.com/kinvolk/security/issues/328
- not clear, maybe >= 8.0.0
- Unknwon/SDK: perl CVE-2023-31486 https://github.com/kinvolk/security/issues/330
- update to >= 5.36.1-r1
- Unknown: Go 1.19.9 https://groups.google.com/g/golang-announce/c/vFRFE07dbB8
- to be public 2023-05-02
On-going issues
- High: ncurses CVE-2023-29491 https://github.com/kinvolk/security/issues/323
- update to 6.4_20230401 (not 20230408)
- High: openssl https://github.com/kinvolk/security/issues/318
- update to >= 3.0.8-r4
- High: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/kinvolk/security/issues/314
- update to >= 1.9.13p2
- High: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
- update to >= 5.2_p15-r2, not stable yet
- High: c-ares CVE-2022-4904 https://github.com/kinvolk/security/issues/300
- update to >= 1.19
- High/hold: binutils https://github.com/kinvolk/security/issues/254
- update to > 2.40, still unclear about fixes
- Medium: curl https://github.com/kinvolk/security/issues/319
- update to >= 8.0.1
- Medium: libxml2 https://github.com/kinvolk/security/issues/322
- update to >= 2.10.4
- weekly PR
- Medium/blocked: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
- unclear if/when upstream could fix it in 20.10.x.
- Done: nvidia-drivers https://github.com/kinvolk/security/issues/253
- did update to 525.85.12
- Done: vim https://github.com/kinvolk/security/issues/307
- did update to 9.0.1225
- Done: zstd https://github.com/kinvolk/security/issues/332
- did update to 1.5.4
2023-04-17 (Mon)
News
- Medium: libxml2 https://github.com/kinvolk/security/issues/322
- update to >= 2.10.4
- Unknown: ncurses CVE-2023-29491 https://github.com/kinvolk/security/issues/323
- update to 6.4_20230401 (not 20230408)
- Done: docker CVE-2023-2884[0-2] https://github.com/kinvolk/security/issues/320
- update to >= 20.10.24
- Done: go CVE-2023-2453[4678] https://github.com/kinvolk/security/issues/321
- update to >= 1.19.8
On-going issues
- High: binutils https://github.com/kinvolk/security/issues/254
- update to > 2.40 (?)
- High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
- 525.85.12 WIP PR
- High: openssl CVE-2023-0464 https://github.com/kinvolk/security/issues/318
- update to >= 3.0.9
- High: vim https://github.com/kinvolk/security/issues/307
- update to >= 9.0.1225
- High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
- No upstream fix
- Medium: curl https://github.com/kinvolk/security/issues/319
- update to >= 8.0.1
- Medium/blocked: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
- unclear if/when upstream could fix it in 20.10.x.
- Unknown: sudo CVE-2023-27320 https://github.com/kinvolk/security/issues/314
- update to >= 1.9.13p2
- Done: runc CVE-2023-27561 https://github.com/kinvolk/security/issues/316
- regression of CVE-2019-19921
- updated to 1.1.5
- Done: tar CVE-2022-48303 https://github.com/kinvolk/security/issues/312
2023-03-06 (Mon)
News
- Unknown: runc CVE-2023-27561 https://github.com/kinvolk/security/issues/316
- regression of CVE-2019-19921
- upstream fix is available https://github.com/opencontainers/runc/pull/3756
- High: tar CVE-2022-48303 https://github.com/kinvolk/security/issues/312
- Fix is in upstream, but no release yet
- Low: sudo CVE-2023-27320 https://github.com/kinvolk/security/issues/314
- update to >= 1.9.13p2
- Low/SDK: pkgconf CVE-2023-24056 https://github.com/kinvolk/security/issues/313
- update to >= 1.8.1
- weekly PR
- Low/SDK: python CVE-2023-24329 https://github.com/kinvolk/security/issues/315
- update to >= 3.10.10_p2
- weekly PR
On-going issues
- Critical(?): curl CVE-2023-2391[4-6] https://github.com/kinvolk/security/issues/304
- update to 7.88.0
- weekly PR
- unclear if that is so critical
- High: gnutls CVE-2023-0361 https://github.com/kinvolk/security/issues/308
- update to 3.7.9
- weekly PR
- High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
- 525.85.12 WIP PR
- High: vim https://github.com/kinvolk/security/issues/307
- update to >= 9.0.1225
- High: git CVE-2023-22490, CVE-2023-23946 https://github.com/kinvolk/security/issues/305
- update to 2.39.2, 2.38.4
- weekly PR
- High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
- No upstream fix
- Medium: binutils https://github.com/kinvolk/security/issues/254
- update to 2.40
- Medium: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
- unclear if/when upstream could fix it in 20.10.x.
- Done: dnsmasq CVE-2022-0934 https://github.com/kinvolk/security/issues/204
- did update to 2.89, PR
- Done: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
- did update to >= 1.46.6, PR
- Done: Go CVE-2022-4172[3-5] https://github.com/kinvolk/security/issues/310
- did update to 1.19.6
- Done: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
- did update golang.org/x/text to 0.3.8
- Done: intel-microcode https://github.com/kinvolk/security/issues/309
- did update to 20230214, PR
- Done: less CVE-2022-46663 https://github.com/kinvolk/security/issues/301
- did update to 608-r2, PR
2023-02-20 (Mon)
News
- High: Go CVE-2022-4172[3-5] https://github.com/kinvolk/security/issues/310
- update to 1.19.6
- High: intel-microcode https://github.com/kinvolk/security/issues/309
- update to 20230214
- High: less CVE-2022-46663 https://github.com/kinvolk/security/issues/301
- update to 608-r2 https://github.com/flatcar/portage-stable/pull/418
- Medium: curl CVE-2023-2391[4-6] https://github.com/kinvolk/security/issues/304
- update to 7.88.0
- Medium: git CVE-2023-22490, CVE-2023-23946 https://github.com/kinvolk/security/issues/305
- update to 2.39.2, 2.38.4
- Medium: gnutls CVE-2023-0361 https://github.com/kinvolk/security/issues/308
- update to 3.7.9
On-going issues
- High: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
- update to >= 1.46.6
- High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
- update golang.org/x/text to 0.3.8, done only in mantle.
- High: vim https://github.com/kinvolk/security/issues/307
- update to >= 9.0.1225
- High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
- No upstream fix
- High/blocked: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
- 515.86.01 WIP PR
- Medium: binutils https://github.com/kinvolk/security/issues/254
- update to 2.40
- Medium: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
- Low: c-ares 1.19 stack overflow https://github.com/kinvolk/security/issues/300
- Done: Kernel (netfilter) CVE-2023-0179 https://github.com/kinvolk/security/issues/297
- Done: containerd CVE-2023-251[57]3 https://github.com/kinvolk/security/issues/311
- Did update to 1.6.18
- Done: curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
- Did update to 7.87.0
- Done: openssh 9.2 double free https://github.com/kinvolk/security/issues/303
- Did update to 9.2
- Done: openssl 3.0.8 https://github.com/kinvolk/security/issues/299
- Did update to 3.0.8
- Done: sudo CVE-2023-22809 https://github.com/kinvolk/security/issues/298
- Did update to >= 1.9.12p2
2023-02-06 (Mon)
News
- c-ares 1.19 stack overflow https://github.com/kinvolk/security/issues/300
- docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
- openssh 9.2 double free https://github.com/kinvolk/security/issues/303
- Gentoo has an ebuild
On-going issues
- High: Kernel (netfilter) CVE-2023-0179 https://github.com/kinvolk/security/issues/297
- Update to 5.15.88, 5.10.163.
- Fixed in LTS, Beta, Alpha. Not in Stable.
- High: curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
- Update to 7.87.0
- PR https://github.com/flatcar/portage-stable/pull/412
- High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
- update golang.org/x/text to 0.3.8, done only in mantle.
- High: sudo CVE-2023-22809 https://github.com/kinvolk/security/issues/298
- update to >= 1.9.12p2
- PR https://github.com/flatcar/coreos-overlay/pull/2426
- High: vim https://github.com/kinvolk/security/issues/283
- update to >= 9.0.1189
- High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
- No upstream fix
- High/blocked: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
- 515.86.01 WIP PR
- Medium: binutils https://github.com/kinvolk/security/issues/254
- update to 2.40
- Low: pax-utils https://github.com/kinvolk/security/issues/296
- No upstream fix
- Flatcar might not be affected
2023-01-23 (Mon)
News
- Kernel (netfilter) https://github.com/kinvolk/security/issues/297
- Fix is not in mainline
- pax-utils https://github.com/kinvolk/security/issues/296
- No upstream fix
- Flatcar might not be affected
- sudo CVE-2023-22809 https://github.com/kinvolk/security/issues/298
- update to >= 1.9.12p2
On-going issues
- Critical: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
- No upstream fix
- Kernel(nfs4) CVE-2022-4379 https://github.com/kinvolk/security/issues/285
- Fix is in mainline and 6.1, but not in other Stable releases
- High: curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
- Update to 7.87.0
- amd64 in PR https://github.com/flatcar/portage-stable/pull/409
- High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
- upgrade golang.org/x/text to 0.3.8, done only in mantle.
- High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
- 515.86.01 WIP PR
- High: vim https://github.com/kinvolk/security/issues/283
- Did update to >= 9.0.1000
- To-do update to >= 9.0.1145
- Medium: binutils https://github.com/kinvolk/security/issues/254
- Did update to 2.39
- To-do update to 2.40
- Done: Kernel(procfs) CVE-2022-4378 https://github.com/kinvolk/security/issues/284
- Did update to 5.15.82+, 5.10.158+
- Done: git CVE-2022-{23521,41903} https://github.com/kinvolk/security/issues/295
- Did update to 2.37.5 & 2.38.3
- Done: glib many issues https://github.com/kinvolk/security/issues/291
- Did update to 2.74.4, PR https://github.com/flatcar/portage-stable/pull/401
- Done: rust (cargo) https://github.com/kinvolk/security/issues/293
- Did update to 1.66.1
2023-01-09 (Mon)
News
- Kernel(nfs4) CVE-2022-4379 https://github.com/kinvolk/security/issues/285
- Fix is in mainline, but not in Stable releases
- Kernel(kpti) CVE-2022-4543 https://github.com/kinvolk/security/issues/290
- No update from upstream
- curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
- Update to 7.87.0
- PR https://github.com/flatcar/portage-stable/pull/403
- glib many issues https://github.com/kinvolk/security/issues/291
- update to >= 2.74.3-r3
- PR https://github.com/flatcar/portage-stable/pull/401
- bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
- No upstream fix
- Done: libksba CVE-2022-47629 https://github.com/kinvolk/security/issues/292
- did update to 1.6.3, PR https://github.com/flatcar/portage-stable/pull/402
On-going issues
- Critical: vim https://github.com/kinvolk/security/issues/283
- update to >= 9.0.1000 and later >= 9.0.1145
- Kernel(procfs) CVE-2022-4378 https://github.com/kinvolk/security/issues/284
- update to >= 5.15.82, 5.10.158
- High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
- upgrade golang.org/x/text to 0.3.8, done only in mantle.
- High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
- Sayan, 515.86.01 WIP PR
- Done: Go CVE-2022-41717 https://github.com/kinvolk/security/issues/281
- did update to >= 1.19.4
- Done: systemd CVE-2022-3821: https://github.com/kinvolk/security/issues/277
- Kzesimir, PR https://github.com/flatcar/coreos-overlay/pull/2363
- Done: systemd-coredump CVE-2022-4415: https://github.com/kinvolk/security/issues/287
- Done: systemd-coredump deadlock CVE-2022-45873 https://github.com/kinvolk/security/issues/282
- Kzesimir, PR https://github.com/flatcar/coreos-overlay/pull/2363
2022-12-12 (Mon)
News
- Kernel(procfs) CVE-2022-4378 https://github.com/kinvolk/security/issues/284
- update to >= 5.15.82, 5.10.158
- Go CVE-2022-41717 https://github.com/kinvolk/security/issues/281
- update to >= 1.19.4
- nvidia-drivers CVE-2022-
346[78]*,-422[56]*https://github.com/kinvolk/security/issues/253- update to >= 515.86.01.
- systemd-coredump deadlock CVE-2022-45873 https://github.com/kinvolk/security/issues/282
- fix is in v252, not to be backported to v250
- vim CVE-2022-{3491,3520,3591,4141} https://github.com/kinvolk/security/issues/283
- update to >= 9.0.1000
- Done: libarchive CVE-2022-36227 https://github.com/kinvolk/security/issues/280
- did update to 3.6.1-r1
- Done: containerd CVE-2022-23471 https://github.com/kinvolk/security/issues/286
- did update to 1.6.12
On-going issues
- High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
- upgrade golang.org/x/text to 0.3.8
- High: grub multiple vulns https://github.com/kinvolk/security/issues/67
- Sayan, WIP PR
- High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
- Sayan, 515.65.01 WIP PR
- Medium: systemd CVE-2022-3821: https://github.com/kinvolk/security/issues/277
- need to update to >= 250.8, but not trivial
- Done: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118
- Did update to 2.13
- Done: libksba CVE-2022-3515: https://github.com/kinvolk/security/issues/279
- Did update to 1.6.2, PR
- Done: python https://github.com/kinvolk/security/issues/257
- python-oem to be done
- Done: sudo CVE-2022-43995 https://github.com/kinvolk/security/issues/276
- Did update to 1.9.12p1 PR
2022-11-21 (Mon)
News
- libksba CVE-2022-3515: https://github.com/kinvolk/security/issues/279
- 1.6.2, WIP PR
- systemd CVE-2022-3821: https://github.com/kinvolk/security/issues/277
- need to update to >= 250.8, but not trivial
- Done: vim CVE-2022-3705: https://github.com/kinvolk/security/issues/278
- did update to 9.0.0828
On-going issues
- High: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118
- Gentoo updated to 2.13
- Weekly updates are not picking up
- High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
- upgrade golang.org/x/text to 0.3.8
- High: grub multiple vulns https://github.com/kinvolk/security/issues/67
- Sayan, WIP PR
- High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
- Sayan, 515.65.01 WIP PR
- High: sudo CVE-2022-43995 https://github.com/kinvolk/security/issues/276
- Sayan, 1.9.12p1 WIP
- Done: Kernel io_uring CVE-2022-2602: https://github.com/kinvolk/security/issues/268
- All released, except for Stable with pending release with >= 5.15.75
- Done: curl CVE-2022-{32221,35260,42915,42916} https://github.com/kinvolk/security/issues/273
- did update to 7.86.0, PR https://github.com/flatcar/portage-stable/pull/380
- Done: expat CVE-2022-43680 https://github.com/kinvolk/security/issues/275
- did update to 2.5.0, PR https://github.com/flatcar/portage-stable/pull/380
- Done: openssh 9.1_p1: https://github.com/kinvolk/security/issues/271
2022-11-07 (Mon)
News
- High: curl CVE-2022-{32221,35260,42915,42916} https://github.com/kinvolk/security/issues/273
- update to 7.86.0, PR https://github.com/flatcar/portage-stable/pull/380
- High: expat CVE-2022-43680 https://github.com/kinvolk/security/issues/275
- update to 2.5.0, PR https://github.com/flatcar/portage-stable/pull/380
- High: sudo CVE-2022-43995 https://github.com/kinvolk/security/issues/276
- update to 1.9.12p1
- WONTFIX/High: go CVE-2022-41716
- Flatcar not affected, only Windows
On-going issues
- High: Kernel io_uring CVE-2022-2602: https://github.com/kinvolk/security/issues/268
- fix is in >= 5.15.75, >= 5.10.150
- High: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118
- Gentoo updated to 2.13
- Weekly updates are not picking up
- High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
- upgrade golang.org/x/text to 0.3.8
- High: grub multiple vulns https://github.com/kinvolk/security/issues/67
- Sayan, WIP PR
- High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
- Sayan: 515.65.01 WIP PR
- openssh 9.1_p1: https://github.com/kinvolk/security/issues/271
- Krzesimir, WIP PR
- High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
- no upstream release, only 1.46rc1
- Done: git CVE-2022-392{53,60}: https://github.com/kinvolk/security/issues/270
- did upgrade to 2.37.4
- Done: multipath-tools CVE-2022-4197[34] https://github.com/kinvolk/security/issues/266
- did upgrade to 0.9.3
- Done: openssl CVE-2022-3358: https://github.com/kinvolk/security/issues/267
- fixed in 3.0.6+, will be included in the next Stable, Beta, Alpha.
- Done: openssl CVE-2022-3602, CVE-2022-3786: https://github.com/kinvolk/security/issues/274
- fixed in 3.0.7, will be included in the next Stable, Beta, Alpha.
2022-10-24 (Mon)
News
- High: git CVE-2022-392{53,60}: https://github.com/kinvolk/security/issues/270
- upgrade to >= 2.37.4
- High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
- upgrade golang.org/x/text to 0.3.8
- High/blocked: openssl CVE-2022-3358: https://github.com/kinvolk/security/issues/267
- fixed in 3.0.6, but hold due to regressions in the version.
- openssh 9.1_p1: https://github.com/kinvolk/security/issues/271
- release fixes memory safety problems
- Kernel io_uring CVE-2022-2602: https://github.com/kinvolk/security/issues/268
- fix is only in mainline, but not in LTS kernels 5.15 & 5.10
- Done: libxml2: https://github.com/kinvolk/security/issues/272
- did upgrade to 2.10.3
On-going issues
- High: grub multiple vulns https://github.com/kinvolk/security/issues/67
- High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
- Sayan: 515.65.01 WIP PR https://github.com/flatcar/coreos-overlay/pull/2160
- High/blocked: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118
- Gentoo stared updating to 2.13, but unkeyworded
- High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
- no upstream release
- Done: Kernel io-uring CVE-2022-3176
- Fixed in 5.10.141, also in Flatcar releases
- Done: bind-tools: https://github.com/kinvolk/security/issues/263
- did upgrade to 9.16.33
- Done: curl CVE-2022-35252: https://github.com/kinvolk/security/issues/250
- did upgrade to 7.85.0
- Done: dbus: https://github.com/kinvolk/security/issues/264
- did upgrade to 1.14.4
- Done: go: https://github.com/kinvolk/security/issues/262
- did upgrade to 1.18.7
- Done: vim: https://github.com/kinvolk/security/issues/265
- did upgrade to 9.0.0655
2022-10-10 (Mon)
News
- vim: https://github.com/kinvolk/security/issues/265
- upgrade to >= 9.0.0655
- dbus: https://github.com/kinvolk/security/issues/264
- upgrade to >= 1.14.4
- go: https://github.com/kinvolk/security/issues/262
- upgrade to >=1.18.7
- Kernel io-uring CVE-2022-3176
- Published. Fixed in >= 5.10.141
On-going issues
- Critical: vim - multiple CVEs https://github.com/kinvolk/security/issues/265
- High: grub multiple vulns https://github.com/kinvolk/security/issues/67
- High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
- Sayan: 515.65.01 WIP PR https://github.com/flatcar/coreos-overlay/pull/2160
- High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
- no upstream release
- Medium: binutils CVE-2022-38533 https://github.com/kinvolk/security/issues/254
- no Gentoo update yet
- bind-tools: https://github.com/kinvolk/security/issues/263
- Krzesimir, WIP PR: https://github.com/flatcar/portage-stable/pull/370
- go: https://github.com/kinvolk/security/issues/262
- Kernel issues:
- Done: nat IRC CVE-2022-2663: https://github.com/kinvolk/security/issues/241
- Fixed in Kernel v5.15.68, v5.10.143, v5.4.213
- Done: slab-out-of-bound read in bpf CVE-2022-2905 https://seclists.org/oss-sec/2022/q3/146
- Fixed in Kernel 5.15.64, 5.10.140, for next Flatcar releases
- Done: nat IRC CVE-2022-2663: https://github.com/kinvolk/security/issues/241
2022-09-26 (Mon)
News
- Critical: expat CVE-2022-40674 https://github.com/kinvolk/security/issues/261
- Dongsu: update to 2.4.9
- rust CVE-2022-3611[34] https://github.com/kinvolk/security/issues/259
- update to >= 1.63.0-r1
- bind CVE-2022-2795 etc. https://seclists.org/oss-sec/2022/q3/217
- Flatcar is not affected
- Kernel io-uring CVE-2022-3176
- about to be published
On-going issues
- Critical: vim - multiple CVEs https://github.com/kinvolk/security/issues/249
- no Gentoo update yet
- Krzesimir updating to 9.0.0453 https://github.com/flatcar/coreos-overlay/pull/2140
- Kernel issues:
- nat IRC CVE-2022-2663: https://github.com/kinvolk/security/issues/241
- Fixed in Kernel v5.15.68, v5.10.143, v5.4.213
- Done: slab-out-of-bound read in bpf CVE-2022-2905 https://seclists.org/oss-sec/2022/q3/146
- Fixed in Kernel 5.15.64, 5.10.140, for next Flatcar releases
- nat IRC CVE-2022-2663: https://github.com/kinvolk/security/issues/241
- High: grub multiple vulns https://github.com/kinvolk/security/issues/67
- High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
- Sayan: 515.65.01 WIP PR https://github.com/flatcar/coreos-overlay/pull/2160
- High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
- no upstream release
- Medium: binutils CVE-2022-38533 https://github.com/kinvolk/security/issues/254
- no Gentoo update yet
- Done: docker CVE-2022-36109 https://github.com/kinvolk/security/issues/256
- Done: go CVE-2022-27664, CVE-2022-32190 https://github.com/kinvolk/security/issues/255
- Done: intel-microcode CVE-2022-21233 https://github.com/kinvolk/security/issues/248
- Done: libtasn1 4.19.0 https://github.com/kinvolk/security/issues/251
- Done: libxml2 CVE-2016-3709 https://github.com/kinvolk/security/issues/245
- Done: rsync CVE-2022-29154: https://github.com/kinvolk/security/issues/238
- Done: zlib CVE-2022-37434 https://github.com/kinvolk/security/issues/246
