# Security tracking
# Summary
* [Schedule of tracking security issues of Flatcar](#Schedule-of-tracking-security-issues-of-Flatcar)
* [What to do?](#what-to-do)
* [Security tracking meeting notes](#Security-tracking-meeting-notes)
    * [2023-12-04 (Mon)](#2023-12-04-(Mon))
    * [2023-11-06 (Mon)](#2023-11-06-(Mon))
    * [2023-10-09 (Mon)](#2023-10-09-(Mon))
    * [2023-09-25 (Mon)](#2023-09-25-(Mon))
    * [2023-09-11 (Mon)](#2023-09-11-(Mon))
    * [2023-08-28 (Mon)](#2023-08-28-(Mon))
    * [2023-07-31 (Mon)](#2023-07-31-(Mon))
    * [2023-07-17 (Mon)](#2023-07-17-(Mon))
    * [2023-06-19 (Mon)](#2023-06-19-(Mon))
# Schedule of tracking security issues of Flatcar
This table describes a rough schedule of who should be in charge of regularly tracking security issues for Flatcar, especially tracking issues from upstream projects like Gentoo Linux.
| Week of | Primary | Secondary |
| ---------- | -------- | --------- |
| ~~2024-04-01~~ | ~~Dongsu~~ | ~~Mathieu~~ |
| ~~2024-04-08~~ | ~~Mathieu~~ | ~~Kai~~ |
| ~~2024-04-15~~ | ~~Kai~~ | ~~Sayan~~ |
| 2024-04-22 | Sayan | Dongsu |
| 2024-04-29 | Dongsu | Mathieu |
| 2024-05-06 | Mathieu | Kai |
| 2024-05-13 | Kai | Sayan |
| 2024-05-20 | Sayan | Dongsu |
| 2024-05-27 | Dongsu | Mathieu |
| 2024-06-03 | Mathieu | ? |
| 2024-06-10 | ? | Sayan |
| 2024-06-17 | Sayan | Dongsu |
## What to do
The primary person should do the following:
* Every day, look into upstream security trackers such as:
    * [Gentoo security vulnerabilities](https://bugs.gentoo.org/buglist.cgi?bug_status=__open__&component=Vulnerabilities&list_id=6015515&product=Gentoo%20Security). It might be useful to use `gorss` with the tracker's RSS feed for this.
    * [oss-security mailing list](https://oss-security.openwall.org/wiki/mailing-lists/oss-security)
    * [Golang announce mailing list](https://groups.google.com/g/golang-announce)
    * [Rust security announcements](https://groups.google.com/g/rustlang-security-announcements)
    * (optional) issue trackers of other distros, such as [Red Hat vulnerabilities](https://bugzilla.redhat.com/buglist.cgi?component=vulnerability&product=Security%20Response&resolution=---)
* Whenever we discover a new CVE, add it to the [CVE spreadsheet](https://docs.google.com/spreadsheets/d/1gAn7JyASTCydfC2ZllUx4qpS2hMTd5TWVykq6AVAf-c/edit#gid=0) (still private), and click the link (above left) to generate new issues. A new issue should then appear in [Flatcar GitHub issues](https://github.com/flatcar/Flatcar/issues?q=is%3Aissue+is%3Aopen+label%3Aadvisory) with the labels `security` and `advisory`.
* If an issue for updating the package affected by the new CVE is already open in [Flatcar GitHub issues](https://github.com/Flatcar/Flatcar/issues), then unfortunately we need to manually edit the existing issue to add the new CVE.
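Added here as an illustration of the daily tracker check, not part of these notes or of any Flatcar tooling: a Python helper that reads a Bugzilla Atom feed of the Gentoo Vulnerabilities component, pulls the package atom, fixed version and CVE ids out of each bug title, and flags which entries concern packages Flatcar ships and which CVEs are not yet in the tracking sheet. The feed sample, the watchlist and the already-tracked CVE set are constructed; the `<cat/pkg-version: summary` title convention and the `ctype=atom` feed parameter are assumptions.

```python
"""Triage helper for the daily Gentoo tracker check (added example, not Flatcar
tooling): parse a Bugzilla Atom feed and report what needs a Flatcar issue."""
import re
import xml.etree.ElementTree as ET

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}

# Assumed title convention for Gentoo security bugs: "<cat/pkg-version: summary"
# (leading "<" and version optional; versions may carry suffixes such as "-r1").
TITLE_RE = re.compile(
    r"^<?(?P<atom>[a-z0-9-]+/[A-Za-z0-9_+-]+?)(?:-(?P<ver>\d[^\s:]*))?:\s*(?P<summary>.*)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample of a Bugzilla Atom feed (buglist.cgi with ctype=atom is
# assumed); bug ids are placeholders, CVE ids are ones discussed in these notes.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <title>&lt;net-misc/curl-8.3.0: HTTP header overflow (CVE-2023-38039)</title>
    <link href="https://bugs.gentoo.org/show_bug.cgi?id=PLACEHOLDER-1"/>
  </entry>
  <entry>
    <title>&lt;dev-lang/go-1.20.12: multiple vulnerabilities (CVE-2023-39326, CVE-2023-45283)</title>
    <link href="https://bugs.gentoo.org/show_bug.cgi?id=PLACEHOLDER-2"/>
  </entry>
  <entry>
    <title>&lt;app-emulation/qemu-8.0.0: multiple vulnerabilities (CVE-2023-0330, CVE-2023-1544)</title>
    <link href="https://bugs.gentoo.org/show_bug.cgi?id=PLACEHOLDER-3"/>
  </entry>
  <entry>
    <title>net-fs/samba: denial of service, no CVE assigned yet</title>
    <link href="https://bugs.gentoo.org/show_bug.cgi?id=PLACEHOLDER-4"/>
  </entry>
</feed>
"""

# Constructed: packages shipped in the Flatcar image, and CVEs that already
# have a Flatcar issue (in practice taken from the CVE spreadsheet).
WATCHLIST = {"net-misc/curl", "dev-lang/go", "net-fs/samba", "sys-libs/glibc"}
TRACKED = {"CVE-2023-38039", "CVE-2023-45283"}


def parse_title(title):
    """Return (package atom, fixed version or None, summary), or None when the
    title does not follow the assumed convention (e.g. a tracker bug)."""
    m = TITLE_RE.match(title.strip())
    if not m:
        return None
    return m.group("atom"), m.group("ver"), m.group("summary")


def classify(atom, cves, watchlist, tracked):
    """Decide what the primary on duty has to do with one feed entry."""
    if atom not in watchlist:
        return "not-shipped"   # nothing to file for the image; maybe SDK-only
    if not cves:
        return "needs-cve"     # keep watching until an id is assigned
    if all(c in tracked for c in cves):
        return "tracked"       # already covered by a Flatcar issue
    return "new"               # at least one CVE still needs an issue


def triage(feed_xml, watchlist=WATCHLIST, tracked=TRACKED):
    """Parse the feed and return one finding per parseable entry, in feed order."""
    findings = []
    for entry in ET.fromstring(feed_xml).findall("atom:entry", ATOM_NS):
        title = entry.findtext("atom:title", default="", namespaces=ATOM_NS)
        link = entry.find("atom:link", ATOM_NS)
        parsed = parse_title(title)
        if parsed is None:
            continue
        atom, version, summary = parsed
        cves = sorted(set(CVE_RE.findall(title)))
        findings.append({
            "atom": atom,
            "fixed_version": version,
            "cves": cves,
            "untracked": [c for c in cves if c not in tracked],
            "status": classify(atom, cves, watchlist, tracked),
            "summary": summary,
            "url": link.get("href") if link is not None else None,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FEED):
        fix = f"update to >= {f['fixed_version']}" if f["fixed_version"] else "no fix version yet"
        print(f"{f['status']:<12} {f['atom']:<24} {fix:<24} {', '.join(f['untracked']) or '-'}")
```

Swap `SAMPLE_FEED` for the fetched feed and `TRACKED` for the CVE column of the spreadsheet to run it against real data.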
# Security tracking meeting notes
## 2023-12-04 (Mon)
### News
* High: intel-microcode CVE-2023-23583 https://github.com/flatcar/Flatcar/issues/1254
    * update to >= 20231114
    * weekly updates https://github.com/flatcar/scripts/pull/1460
* Unknown: gnutls CVE-2023-5981 https://github.com/flatcar/Flatcar/issues/1277
    * update to >= 3.8.2
    * ebuild exists, not stable yet
* Unknown: Go CVE-2023-39326 https://groups.google.com/g/golang-announce/c/TABUsV4-FiU
    * update to >= 1.20.12
    * to be public on 2023-12-05
### On-going issues
* High: vim https://github.com/flatcar/Flatcar/issues/1214
    * update to >= 9.0.2068
* Medium: nvidia-drivers CVE-2023-31022 https://github.com/flatcar/Flatcar/issues/1228
    * update to >= 535.129.03
* Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
    * update to >= 13.2.1_p20231014
* Medium: openssl CVE-2023-{3817,5363} https://github.com/flatcar/Flatcar/issues/1141
    * update to >= 3.0.12
    * needs manual updates
* Medium: nasm CVE-2019-8343 https://github.com/flatcar/Flatcar/issues/1100
    * update to >= 2.16.01-r1
* Done: open-vm-tools CVE-2023-3405[89] https://github.com/flatcar/Flatcar/issues/1229
    * did update to >= 12.3.5
## 2023-11-06 (Mon)
### News
* High: vim https://github.com/flatcar/Flatcar/issues/1214
    * update to >= 9.0.2068
* Medium: nvidia-drivers CVE-2023-31022 https://github.com/flatcar/Flatcar/issues/1228
    * update to >= 535.129.03
* Unknown: open-vm-tools CVE-2023-3405[89] https://github.com/flatcar/Flatcar/issues/1229
    * update to >= 12.3.5
    * PR https://github.com/flatcar/scripts/pull/1318
* Unknown: Go CVE-2023-4528[34]
    * update to >= 1.20.11
    * https://groups.google.com/g/golang-announce/c/ZLYrkKN4Bd4
### On-going issues
* Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
    * update to >= 13.2.1_p20231014
* Medium: openssl CVE-2023-{3817,5363} https://github.com/flatcar/Flatcar/issues/1141
    * update to >= 3.0.12
    * needs manual updates
* Done: glibc CVE-2023-4911 https://github.com/flatcar/Flatcar/issues/1198
    * did update to 2.37-r7
* Done: Go CVE-2023-39323 https://github.com/flatcar/Flatcar/issues/1200
    * did update to >= 1.20.9
* Done: grub CVE-2023-469[23] https://github.com/flatcar/Flatcar/issues/1199
    * did update to 2.06-r9
* Done: libtirpc 1.3.4 https://github.com/flatcar/Flatcar/issues/1204
    * did update to 1.3.4
* Done: samba CVE-2023-4091 https://github.com/flatcar/Flatcar/issues/1213
    * did update to 4.18.8
## 2023-10-09 (Mon)
### News
* High: glibc CVE-2023-4911 https://github.com/flatcar/Flatcar/issues/1198
    * update to >= 2.37-r7
* Unknown: grub CVE-2023-469[23] https://github.com/flatcar/Flatcar/issues/1199
    * update to >= 2.06-r9
* Unknown: Go CVE-2023-39323 https://github.com/flatcar/Flatcar/issues/1200
    * update to >= 1.20.9
    * PR https://github.com/flatcar/scripts/pull/1230
* Unknown: libtirpc 1.3.4 https://github.com/flatcar/Flatcar/issues/1204
    * update to >= 1.3.4
### On-going issues
* Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
    * TBD
* Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
    * update to >= 3.0.10
    * needs manual updates
* Done: curl CVE-2023-38039 https://github.com/flatcar/Flatcar/issues/1178
    * update to >= 8.3.0
* Done: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
    * did update to 5.4.6
* Done: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
    * did update to 1.20.2
* Done: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
    * did update to 4.0.4
* Done: samba CVE-{2021-44142,2022-1615} https://github.com/flatcar/Flatcar/issues/1184
    * did update to 4.18.4
## 2023-09-25 (Mon)
### News
* High: curl CVE-2023-38039 https://github.com/flatcar/Flatcar/issues/1178
    * update to >= 8.3.0
* High: samba CVE-{2021-44142,2022-1615} https://github.com/flatcar/Flatcar/issues/1184
    * update to >= 4.17.5
    * needs manual updates
* Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
    * TBD
* Done: glibc CVE-2023-{4527,4806} https://github.com/flatcar/Flatcar/issues/1179
    * did update to 2.37-r5
### On-going issues
* High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
    * update to >= 5.4.6
    * in [weekly updates](https://github.com/flatcar/scripts/pull/1177)
* Medium: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
    * update to >= 1.20.2 or >= 1.21.1
    * needs manual updates
* Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
    * update to >= 3.0.10
    * needs manual updates
* Medium: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
    * update to >= 4.0.4
    * its ebuild is still unstable
* Done: Go CVE-2023-3931[89], CVE-2023-3932[0-2] https://github.com/flatcar/Flatcar/issues/1174
    * did update to 1.20.8
    * included in Alpha 3732.0.0
* Done: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
    * did update to 525.125.06
    * included in Alpha 3732.0.0
## 2023-09-11 (Mon)
### News
* Unknown: Go CVE-2023-3931[89], CVE-2023-3932[0-2] https://github.com/flatcar/Flatcar/issues/1174
    * update to >= 1.20.8
    * PR https://github.com/flatcar/scripts/pull/1129
* Done: open-vm-tools CVE-2023-20900 https://github.com/flatcar/Flatcar/issues/1164
    * did update to 12.3.0
    * PR https://github.com/flatcar/scripts/pull/1101
### On-going issues
* High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
    * update to >= 525.125.06
    * PR https://github.com/flatcar/scripts/pull/1121
* High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
    * update to >= 5.4.6
    * Gentoo ebuild is available, still unstable
* Medium: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
    * update to >= 1.20.2 or >= 1.21.1
* Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
    * update to >= 3.0.10
* Medium: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
    * ebuild is there, still unstable
* Done: Downfall (intel-microcode and Kernel) CVE-2022-{40982,41804}, CVE-2023-23908 https://github.com/flatcar/Flatcar/issues/1155
    * did update to intel-microcode >= 20230808_p20230804
    * did update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
* Done: AMD Inception CVE-2023-20569 https://github.com/flatcar/Flatcar/issues/1156
    * did update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
* Done: python CVE-2023-{40217,41105} https://bugs.gentoo.org/912976
    * did update to 3.11.5
## 2023-08-28 (Mon)
### News
* Medium: Downfall (intel-microcode and Kernel) CVE-2022-{40982,41804}, CVE-2023-23908 https://github.com/flatcar/Flatcar/issues/1155
    * did update to intel-microcode >= 20230808_p20230804
    * update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
* High: AMD Inception CVE-2023-20569 https://github.com/flatcar/Flatcar/issues/1156
    * update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
* Medium: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
    * update to >= 1.20.2 or >= 1.21.1
* Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
    * update to >= 3.0.10
* Medium: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
* Unknown: python CVE-2023-{40217,41105} https://bugs.gentoo.org/912976
    * update to >= 3.11.5
* Done: Rust CVE-2023-38497 https://github.com/flatcar/Flatcar/issues/1150
    * did update to 1.71.1
### On-going issues
* High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
    * update to >= 525.125.06
* High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
    * update to >= 5.4.6
    * Gentoo ebuild is available, still unstable
* Done: curl CVE-2023-32001 https://github.com/flatcar/Flatcar/issues/1123
    * did update to 8.2.1
* Done: grub many CVEs https://github.com/flatcar/Flatcar/issues/1099
    * did update to 2.06
* Done: Go CVE-2023-29409 https://github.com/flatcar/Flatcar/issues/1149
    * update to >= 1.20.7 & 1.19.12
* Done: libarchive https://github.com/flatcar/Flatcar/issues/1138
    * did update to 3.7.1
* Done: libxml2 20230428 https://github.com/flatcar/Flatcar/issues/1118
    * did update to 2.11.4
* Done: linux-firmware & Kernel CVE-2023-20593 https://github.com/flatcar/Flatcar/issues/1134
    * did update to linux-firmware = 20230625_p20230724
    * did update to Kernel 6.1.41, 5.15.122, 5.10.187
* Done: openssl CVE-2023-{2975,3446} https://github.com/flatcar/Flatcar/issues/1122
    * did update to 3.0.9-r2
* Done: shadow CVE-2023-29383, etc. https://github.com/flatcar/Flatcar/issues/1085
    * did update to 4.13-r4
* Done: vim CVE-2023-26{09,10} https://github.com/flatcar/Flatcar/issues/1086
    * did update to 9.0.1677
## 2023-07-31 (Mon)
### News
* Medium: linux-firmware & Kernel CVE-2023-20593 https://github.com/flatcar/Flatcar/issues/1134
    * update to linux-firmware >= 20230625_p20230724 - needs manual update
    * update to Kernel 6.1.41, 5.15.122, 5.10.187
* Medium: curl CVE-2023-32001 https://github.com/flatcar/Flatcar/issues/1123
    * update to >= 8.2.0
* Medium: openssl CVE-2023-{2975,3446} https://github.com/flatcar/Flatcar/issues/1122
    * update to >= 3.0.9-r2
* Unknown: Go CVE-2023-29409 https://groups.google.com/g/golang-announce/c/7b0c3Z5Ko8g
    * update to >= 1.20.7 & 1.19.12
* Unknown: Go golang.org/x/net/html CVE-2023-3978 https://groups.google.com/g/golang-announce/c/qB2Cuod1A14
* Unknown: libarchive https://github.com/flatcar/Flatcar/issues/1138
    * update to >= 3.7.1
* Done: openssh CVE-2023-38408 https://github.com/flatcar/Flatcar/issues/1133
    * update to >= 9.3_p2
### On-going issues
* High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
    * update to >= 525.125.06
* High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
    * update to >= 5.4.6
    * Gentoo ebuild is available, still unstable
* High: vim CVE-2023-26{09,10} https://github.com/flatcar/Flatcar/issues/1086
    * update to >= 9.0.1532, Gentoo ebuild for 9.0.1627 unstable available
* Low: shadow CVE-2023-29383, etc. https://github.com/flatcar/Flatcar/issues/1085
    * update to >= 4.13-r4
* Unknown: libxml2 20230428 https://github.com/flatcar/Flatcar/issues/1118
    * update to >= 2.11.4
    * weekly PR https://github.com/flatcar/scripts/pull/1025
* Done: Go CVE-2023-29406 https://github.com/flatcar/Flatcar/issues/1117
    * did update to 1.20.6, 1.19.11 https://github.com/flatcar/scripts/pull/988
* Done: openldap CVE-2023-2953 https://github.com/flatcar/Flatcar/issues/1120
    * did update to 2.5.14
## 2023-07-17 (Mon)
### News
* High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
    * update to >= 525.125.06
* High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
    * update to >= 5.4.6
    * Gentoo ebuild is available, still unstable
* High: openldap CVE-2023-2953 https://github.com/flatcar/Flatcar/issues/1120
    * update to >= 2.6.4-r1
* Unknown: Go CVE-2023-29406 https://github.com/flatcar/Flatcar/issues/1117
    * PR to update to 1.20.6, 1.19.11 https://github.com/flatcar/scripts/pull/988
* Unknown: libxml2 20230428 https://github.com/flatcar/Flatcar/issues/1118
    * update to >= 2.11.4
    * weekly PR https://github.com/flatcar/scripts/pull/987
* Done: protobuf CVE-2022-1941 https://github.com/flatcar/Flatcar/issues/1112
    * did update to 21.9
### On-going issues
* High: vim https://github.com/flatcar/Flatcar/issues/1086
    * did update to 9.0.1503, fixed CVE-2023-2426
    * other CVEs: update to >= 9.0.1532, Gentoo ebuild for 9.0.1627 unstable available
* Medium: binutils https://github.com/flatcar/Flatcar/issues/1053
    * did update to 2.40, fixed CVE-2022-{38533,4285}, CVE-2023-{1579,2222}
    * CVE-2023-1972 is still open, TBD
* Medium: ipxe CVE-2022-4087 https://github.com/flatcar/Flatcar/issues/1083
    * update to 1.21.1_p20230601
* Medium: libarchive https://github.com/flatcar/Flatcar/issues/1054
    * update to > 3.6.2, but no release available yet
* Low: shadow CVE-2023-29383, etc. https://github.com/flatcar/Flatcar/issues/1085
    * update to >= 4.13-r4
* Done: libmicrohttpd CVE-2023-27371 https://github.com/flatcar/Flatcar/issues/1084
    * did update to 0.9.76
* Done: ncurses CVE-2023-29491 https://github.com/flatcar/Flatcar/issues/1045
    * did update to 6.4_20230527
* Done: openssl https://github.com/flatcar/Flatcar/issues/1050
    * did update to 3.0.9
## 2023-06-19 (Mon)
### News
* Medium: ipxe CVE-2022-4087 https://github.com/flatcar/Flatcar/issues/1083
    * update to 1.21.1_p20230601
* Done: open-vm-tools CVE-2023-20867 https://github.com/flatcar/Flatcar/issues/1080
    * did update to 12.2.5
### On-going issues
* High: openssl https://github.com/flatcar/Flatcar/issues/1050
    * update to >= 3.0.9
    * Gentoo ebuild available, unstable
* High: vim https://github.com/flatcar/Flatcar/issues/1086
    * update to >= 9.0.1532
    * no Gentoo ebuild
* High/hold: binutils https://github.com/flatcar/Flatcar/issues/1053
    * update to > 2.40, wait until Gentoo ebuild of 2.40 becomes stable
* High/blocked: ncurses CVE-2023-29491 https://github.com/flatcar/Flatcar/issues/1045
    * update to >= 6.4_20230418, masked (not 20230408)
* Medium: libarchive https://github.com/flatcar/Flatcar/issues/1054
    * update to > 3.6.2, but no release available yet
* Medium: libmicrohttpd CVE-2023-27371 https://github.com/flatcar/Flatcar/issues/1084
    * update to >= 0.9.76
* Low: shadow CVE-2023-29383 https://github.com/flatcar/Flatcar/issues/1085
    * update to >= 4.13-r3
* Done: Go 1.20.5 & 1.19.10 https://github.com/flatcar/Flatcar/issues/1069
    * did update, to be released in Alpha 3634.0.0
* Done: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/flatcar/Flatcar/issues/1038
    * did update to >= 1.9.13p2
## 2023-06-05 (Mon)
### News
* High: openssl https://github.com/flatcar/Flatcar/issues/1050
    * update to >= 3.0.9
    * Gentoo ebuild available, unstable
* Medium: libarchive https://github.com/flatcar/Flatcar/issues/1054
    * update to > 3.6.2, but no release available yet
* Unknown: Go 1.20.5 & 1.19.10 https://groups.google.com/g/golang-announce/c/1AItFMBjrfw
    * to be released on 2023-06-06
### On-going issues
* High: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/flatcar/Flatcar/issues/1038
    * update to >= 1.9.13p2
    * PR https://github.com/flatcar/scripts/pull/872
* High: vim https://github.com/flatcar/security-nondisclosed/issues/333
    * update to >= 9.0.1532
    * no Gentoo ebuild
* High/hold: binutils https://github.com/flatcar/Flatcar/issues/1053
    * update to > 2.40, wait until Gentoo ebuild of 2.40 becomes stable
* High/blocked: ncurses CVE-2023-29491 https://github.com/flatcar/Flatcar/issues/1045
    * update to >= 6.4_20230418, masked (not 20230408)
* Medium: libmicrohttpd CVE-2023-27371 https://github.com/flatcar/security-nondisclosed/issues/329
    * update to >= 0.9.76
* Low: shadow CVE-2023-29383 https://github.com/flatcar/security-nondisclosed/issues/325
    * update to >= 4.13-r3
* Done: git https://github.com/kinvolk/security/issues/324
    * did update to >= 2.39.3
## 2023-05-15 (Mon)
### News
* High: vim https://github.com/kinvolk/security/issues/333
    * update to >= 9.0.1532
    * no Gentoo ebuild
### On-going issues
* High: git https://github.com/kinvolk/security/issues/324
    * update to >= 2.39.3
    * weekly [PR](https://github.com/flatcar/scripts/pull/821)
* High: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/kinvolk/security/issues/314
    * update to >= 1.9.13p2
* High/hold: binutils https://github.com/kinvolk/security/issues/254
    * update to > 2.40, wait until Gentoo ebuild becomes stable
* High/blocked: ncurses CVE-2023-29491 https://github.com/kinvolk/security/issues/323
    * update to >= 6.4_20230418, masked (not 20230408)
* Medium: libmicrohttpd CVE-2023-27371 https://github.com/kinvolk/security/issues/329
    * update to >= 0.9.76
* Medium/blocked: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
    * unclear if/when upstream could fix it in 20.10.x
* Low: shadow CVE-2023-29383 https://github.com/kinvolk/security/issues/325
    * update to >= 4.13-r3
* Done: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
    * did update to 5.2_p15-r2
* Done: c-ares CVE-2022-4904 https://github.com/kinvolk/security/issues/300
    * did update to 1.19
* Done: curl https://github.com/kinvolk/security/issues/319
    * did update to 8.0.1
* Done: Go 1.19.9 https://github.com/kinvolk/security/issues/331
    * did update to 1.19.9
* Done: libxml2 https://github.com/kinvolk/security/issues/322
    * did update to 2.10.4
* Done: openssh CVE-2023-28531 https://github.com/kinvolk/security/issues/326
    * did update to 9.3 in Alpha
* Done: openssl https://github.com/kinvolk/security/issues/318
    * did update to 3.0.8-r4
## 2023-05-02 (Tue)
### News
* Critical: openssh CVE-2023-28531 https://github.com/kinvolk/security/issues/326
    * update to >= 9.3 in Alpha
* High(?): git https://github.com/kinvolk/security/issues/324
    * update to >= 2.39.3
* Medium: libmicrohttpd CVE-2023-27371 https://github.com/kinvolk/security/issues/329
    * update to >= 0.9.76
* Low: shadow CVE-2023-29383 https://github.com/kinvolk/security/issues/325
    * update to >= 4.13-r3
* High/SDK: dnsmasq CVE-2023-28450 https://github.com/kinvolk/security/issues/327
    * update to >= 2.90
* Medium/SDK: qemu CVE-2023-{0330,1544} https://github.com/kinvolk/security/issues/328
    * not clear, maybe >= 8.0.0
* Unknown/SDK: perl CVE-2023-31486 https://github.com/kinvolk/security/issues/330
    * update to >= 5.36.1-r1
* Unknown: Go 1.19.9 https://groups.google.com/g/golang-announce/c/vFRFE07dbB8
    * to be public 2023-05-02
### On-going issues
* High: ncurses CVE-2023-29491 https://github.com/kinvolk/security/issues/323
    * update to 6.4_20230401 (not 20230408)
* High: openssl https://github.com/kinvolk/security/issues/318
    * update to >= 3.0.8-r4
* High: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/kinvolk/security/issues/314
    * update to >= 1.9.13p2
* High: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
    * update to >= 5.2_p15-r2, not stable yet
* High: c-ares CVE-2022-4904 https://github.com/kinvolk/security/issues/300
    * update to >= 1.19
* High/hold: binutils https://github.com/kinvolk/security/issues/254
    * update to > 2.40, still unclear about fixes
* Medium: curl https://github.com/kinvolk/security/issues/319
    * update to >= 8.0.1
* Medium: libxml2 https://github.com/kinvolk/security/issues/322
    * update to >= 2.10.4
    * weekly [PR](https://github.com/flatcar/scripts/pull/737)
* Medium/blocked: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
    * unclear if/when upstream could fix it in 20.10.x
* Done: nvidia-drivers https://github.com/kinvolk/security/issues/253
    * did update to 525.85.12
* Done: vim https://github.com/kinvolk/security/issues/307
    * did update to 9.0.1225
* Done: zstd https://github.com/kinvolk/security/issues/332
    * did update to 1.5.4
## 2023-04-17 (Mon)
### News
* Medium: libxml2 https://github.com/kinvolk/security/issues/322
    * update to >= 2.10.4
* Unknown: ncurses CVE-2023-29491 https://github.com/kinvolk/security/issues/323
    * update to 6.4_20230401 (not 20230408)
* Done: docker CVE-2023-2884[0-2] https://github.com/kinvolk/security/issues/320
    * update to >= 20.10.24
* Done: Go CVE-2023-2453[4678] https://github.com/kinvolk/security/issues/321
    * update to >= 1.19.8
### On-going issues
* High: binutils https://github.com/kinvolk/security/issues/254
    * update to > 2.40 (?)
* High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
    * 525.85.12 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2480)
* High: openssl CVE-2023-0464 https://github.com/kinvolk/security/issues/318
    * update to >= 3.0.9
* High: vim https://github.com/kinvolk/security/issues/307
    * update to >= 9.0.1225
* High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
    * No upstream fix
* Medium: curl https://github.com/kinvolk/security/issues/319
    * update to >= 8.0.1
* Medium/blocked: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
    * unclear if/when upstream could fix it in 20.10.x
* Unknown: sudo CVE-2023-27320 https://github.com/kinvolk/security/issues/314
    * update to >= 1.9.13p2
* Done: runc CVE-2023-27561 https://github.com/kinvolk/security/issues/316
    * regression of CVE-2019-19921
    * updated to 1.1.5
* Done: tar CVE-2022-48303 https://github.com/kinvolk/security/issues/312
## 2023-03-06 (Mon)
### News
* Unknown: runc CVE-2023-27561 https://github.com/kinvolk/security/issues/316
    * regression of CVE-2019-19921
    * upstream fix is available https://github.com/opencontainers/runc/pull/3756
* High: tar CVE-2022-48303 https://github.com/kinvolk/security/issues/312
    * Fix is in upstream, but no release yet
* Low: sudo CVE-2023-27320 https://github.com/kinvolk/security/issues/314
    * update to >= 1.9.13p2
* Low/SDK: pkgconf CVE-2023-24056 https://github.com/kinvolk/security/issues/313
    * update to >= 1.8.1
    * weekly [PR](https://github.com/flatcar/portage-stable/pull/423)
* Low/SDK: python CVE-2023-24329 https://github.com/kinvolk/security/issues/315
    * update to >= 3.10.10_p2
    * weekly [PR](https://github.com/flatcar/portage-stable/pull/423)
### On-going issues
* Critical(?): curl CVE-2023-2391[4-6] https://github.com/kinvolk/security/issues/304
    * update to 7.88.0
    * weekly [PR](https://github.com/flatcar/portage-stable/pull/423)
    * unclear if that is so critical
* High: gnutls CVE-2023-0361 https://github.com/kinvolk/security/issues/308
    * update to 3.7.9
    * weekly [PR](https://github.com/flatcar/portage-stable/pull/423)
* High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
    * 525.85.12 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2480)
* High: vim https://github.com/kinvolk/security/issues/307
    * update to >= 9.0.1225
* High: git CVE-2023-22490, CVE-2023-23946 https://github.com/kinvolk/security/issues/305
    * update to 2.39.2, 2.38.4
    * weekly [PR](https://github.com/flatcar/portage-stable/pull/423)
* High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
    * No upstream fix
* Medium: binutils https://github.com/kinvolk/security/issues/254
    * update to 2.40
* Medium: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
    * unclear if/when upstream could fix it in 20.10.x
* Done: dnsmasq CVE-2022-0934 https://github.com/kinvolk/security/issues/204
    * did update to 2.89, [PR](https://github.com/flatcar/portage-stable/pull/421)
* Done: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
    * did update to >= 1.46.6, [PR](https://github.com/flatcar/portage-stable/pull/420)
* Done: Go CVE-2022-4172[3-5] https://github.com/kinvolk/security/issues/310
    * did update to 1.19.6
* Done: go/text CVE-2022-32149 https://github.com/kinvolk/security/issues/269
    * did update golang.org/x/text to 0.3.8
* Done: intel-microcode https://github.com/kinvolk/security/issues/309
    * did update to 20230214, [PR](https://github.com/flatcar/coreos-overlay/pull/2474)
* Done: less CVE-2022-46663 https://github.com/kinvolk/security/issues/301
    * did update to 608-r2, [PR](https://github.com/flatcar/portage-stable/pull/418)
## 2023-02-20 (Mon)
### News
* High: Go CVE-2022-4172[3-5] https://github.com/kinvolk/security/issues/310
    * update to 1.19.6
* High: intel-microcode https://github.com/kinvolk/security/issues/309
    * update to 20230214
* High: less CVE-2022-46663 https://github.com/kinvolk/security/issues/301
    * update to 608-r2 https://github.com/flatcar/portage-stable/pull/418
* Medium: curl CVE-2023-2391[4-6] https://github.com/kinvolk/security/issues/304
    * update to 7.88.0
* Medium: git CVE-2023-22490, CVE-2023-23946 https://github.com/kinvolk/security/issues/305
    * update to 2.39.2, 2.38.4
* Medium: gnutls CVE-2023-0361 https://github.com/kinvolk/security/issues/308
    * update to 3.7.9
### On-going issues
* High: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
    * update to >= 1.46.6
* High: go/text CVE-2022-32149 https://github.com/kinvolk/security/issues/269
    * update golang.org/x/text to 0.3.8, done only in mantle.
* High: vim https://github.com/kinvolk/security/issues/307
    * update to >= 9.0.1225
* High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
    * No upstream fix
* High/blocked: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
    * 515.86.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* Medium: binutils https://github.com/kinvolk/security/issues/254
    * update to 2.40
* Medium: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
* Low: c-ares 1.19 stack overflow https://github.com/kinvolk/security/issues/300
* Done: Kernel (netfilter) CVE-2023-0179 https://github.com/kinvolk/security/issues/297
* Done: containerd CVE-2023-251[57]3 https://github.com/kinvolk/security/issues/311
    * Did update to 1.6.18
* Done: curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
    * Did update to 7.87.0
* Done: openssh 9.2 double free https://github.com/kinvolk/security/issues/303
    * Did update to 9.2
* Done: openssl 3.0.8 https://github.com/kinvolk/security/issues/299
    * Did update to 3.0.8
* Done: sudo CVE-2023-22809 https://github.com/kinvolk/security/issues/298
    * Did update to >= 1.9.12p2
## 2023-02-06 (Mon)
### News
* c-ares 1.19 stack overflow https://github.com/kinvolk/security/issues/300
* docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
* openssh 9.2 double free https://github.com/kinvolk/security/issues/303
    * Gentoo has an ebuild
### On-going issues
* High: Kernel (netfilter) CVE-2023-0179 https://github.com/kinvolk/security/issues/297
    * Update to 5.15.88, 5.10.163.
    * Fixed in LTS, Beta, Alpha. Not in Stable.
* High: curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
    * Update to 7.87.0
    * PR https://github.com/flatcar/portage-stable/pull/412
* High: go/text CVE-2022-32149 https://github.com/kinvolk/security/issues/269
    * update golang.org/x/text to 0.3.8, done only in mantle.
* High: sudo CVE-2023-22809 https://github.com/kinvolk/security/issues/298
    * update to >= 1.9.12p2
    * PR https://github.com/flatcar/coreos-overlay/pull/2426
* High: vim https://github.com/kinvolk/security/issues/283
    * update to >= 9.0.1189
* High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
    * No upstream fix
* High/blocked: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
    * 515.86.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* Medium: binutils https://github.com/kinvolk/security/issues/254
    * update to 2.40
* Low: pax-utils https://github.com/kinvolk/security/issues/296
    * No upstream fix
    * Flatcar might not be affected
## 2023-01-23 (Mon)
### News
* Kernel (netfilter) https://github.com/kinvolk/security/issues/297
    * Fix is not in mainline
* pax-utils https://github.com/kinvolk/security/issues/296
    * No upstream fix
    * Flatcar might not be affected
* sudo CVE-2023-22809 https://github.com/kinvolk/security/issues/298
    * update to >= 1.9.12p2
### On-going issues
* Critical: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
    * No upstream fix
* Kernel (nfs4) CVE-2022-4379 https://github.com/kinvolk/security/issues/285
    * Fix is in mainline and 6.1, but not in other Stable releases
* High: curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
    * Update to 7.87.0
    * amd64 in PR https://github.com/flatcar/portage-stable/pull/409
* High: go/text CVE-2022-32149 https://github.com/kinvolk/security/issues/269
    * upgrade golang.org/x/text to 0.3.8, done only in mantle.
* High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
    * 515.86.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* High: vim https://github.com/kinvolk/security/issues/283
    * Did update to >= 9.0.1000
    * To-do update to >= 9.0.1145
* Medium: binutils https://github.com/kinvolk/security/issues/254
    * Did update to 2.39
    * To-do update to 2.40
* Done: Kernel (procfs) CVE-2022-4378 https://github.com/kinvolk/security/issues/284
    * Did update to 5.15.82+, 5.10.158+
* Done: git CVE-2022-{23521,41903} https://github.com/kinvolk/security/issues/295
    * Did update to 2.37.5 & 2.38.3
* Done: glib many issues https://github.com/kinvolk/security/issues/291
    * Did update to 2.74.4, PR https://github.com/flatcar/portage-stable/pull/401
* Done: rust (cargo) https://github.com/kinvolk/security/issues/293
    * Did update to 1.66.1
## 2023-01-09 (Mon)
### News
* Kernel(nfs4) CVE-2022-4379 https://github.com/kinvolk/security/issues/285
* Fix is in mainline, but not in Stable releases
* Kernel(kpti) CVE-2022-4543 https://github.com/kinvolk/security/issues/290
* No update from upstream
* curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
* Update to 7.87.0
* PR https://github.com/flatcar/portage-stable/pull/403
* glib many issues https://github.com/kinvolk/security/issues/291
* update to >= 2.74.3-r3
* PR https://github.com/flatcar/portage-stable/pull/401
* bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
* No upstream fix
* Done: libksba CVE-2022-47629 https://github.com/kinvolk/security/issues/292
* did update to 1.6.3, PR https://github.com/flatcar/portage-stable/pull/402
### On-going issues
* Critical: vim https://github.com/kinvolk/security/issues/283
  * update to >= 9.0.1000 and later >= 9.0.1145
* Kernel(procfs) CVE-2022-4378 https://github.com/kinvolk/security/issues/284
  * update to >= 5.15.82, 5.10.158
* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * upgrade golang.org/x/text to 0.3.8, done only in mantle.
* High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
  * Sayan, 515.86.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* Done: Go CVE-2022-41717 https://github.com/kinvolk/security/issues/281
  * did update to >= 1.19.4
* Done: systemd CVE-2022-3821: https://github.com/kinvolk/security/issues/277
  * Krzesimir, PR https://github.com/flatcar/coreos-overlay/pull/2363
* Done: systemd-coredump CVE-2022-4415: https://github.com/kinvolk/security/issues/287
* Done: systemd-coredump deadlock CVE-2022-45873 https://github.com/kinvolk/security/issues/282
  * Krzesimir, PR https://github.com/flatcar/coreos-overlay/pull/2363
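A way to check a release's package list against the "update to >=" thresholds tracked in these notes. This is an added example, not code from the Flatcar project or from these notes: it implements Gentoo (PMS) version ordering (numeric components, optional trailing letter, `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffixes, `-rN` revision) so that comparisons such as `9.0.1000` vs `9.0.0828` or `2.74.3-r3` vs `2.74.3-r2` come out the way Portage decides them, and then reports every tracked package still below its minimum. The manifest format (one `category/name-version` atom per line with an optional `::repository` suffix), the category names of the tracked packages, and the sample manifest are assumptions; the thresholds are the ones listed in the 2023-01-09 and 2022-12-12 notes, with sudo's upstream `1.9.12p1` written as Gentoo's `1.9.12_p1`.

```python
"""Check a package manifest against the minimum fixed versions tracked in these
notes, ordering versions the way Gentoo/Portage does (PMS section 3.3)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$"
)
# category/name-version, e.g. app-editors/vim-9.0.1000 or dev-libs/glib-2.74.3-r3
_ATOM_RE = re.compile(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$")


@dataclass
class Version:
    numbers: List[str]               # numeric components as strings: leading zeros matter
    letter: str                      # optional trailing letter ("" if none)
    suffixes: List[Tuple[int, int]]  # (rank, number) pairs, e.g. _p1 -> (1, 1)
    revision: int                    # -rN, 0 if none


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a Gentoo-style version: {text!r}")
    numbers, letter, suffixes, revision = m.groups()
    parsed = []
    for s in suffixes.split("_")[1:]:          # "_rc1_p2" -> ["rc1", "p2"]
        kind = s.rstrip("0123456789")
        parsed.append((_SUFFIX_RANK[kind], int(s[len(kind):] or 0)))
    return Version(numbers.split("."), letter or "", parsed, int(revision or 0))


def _cmp(a, b) -> int:
    return (a > b) - (a < b)


def compare_versions(a: str, b: str) -> int:
    """<0 if a is older than b, 0 if equal, >0 if newer."""
    va, vb = parse_version(a), parse_version(b)
    for i, (x, y) in enumerate(zip(va.numbers, vb.numbers)):
        if i == 0 or (x[0] != "0" and y[0] != "0"):
            c = _cmp(int(x), int(y))                   # plain integers
        else:
            c = _cmp(x.rstrip("0"), y.rstrip("0"))     # leading zero: string order
        if c:
            return c
    c = _cmp(len(va.numbers), len(vb.numbers))         # 1.2 < 1.2.0
    if c:
        return c
    c = _cmp(va.letter, vb.letter)                     # "" < "a" < "b"
    if c:
        return c
    for i in range(max(len(va.suffixes), len(vb.suffixes))):
        x = va.suffixes[i] if i < len(va.suffixes) else (0, 0)  # (0, 0): no suffix
        y = vb.suffixes[i] if i < len(vb.suffixes) else (0, 0)
        c = _cmp(x, y)
        if c:
            return c
    return _cmp(va.revision, vb.revision)


def parse_manifest(lines: List[str]) -> Dict[str, str]:
    """Map category/name -> version; assumed format 'cat/name-ver[::repository]'."""
    installed = {}
    for line in lines:
        line = line.strip().split("::", 1)[0]  # drop a trailing ::repository marker
        if not line or line.startswith("#"):
            continue
        m = _ATOM_RE.match(line)
        if not m:
            raise ValueError(f"unparseable package line: {line!r}")
        installed[m.group(1)] = m.group(2)
    return installed


def find_outdated(manifest_lines, requirements):
    """(package, installed, minimum) for each tracked package below its fixed version.
    Packages absent from the manifest (e.g. optional OEM drivers) are skipped."""
    installed = parse_manifest(manifest_lines)
    outdated = []
    for pkg, minimum in requirements:
        current = installed.get(pkg)
        if current is not None and compare_versions(current, minimum) < 0:
            outdated.append((pkg, current, minimum))
    return outdated


# Thresholds from the notes; Gentoo category/name atoms are assumed.
TRACKED_MINIMUMS = [
    ("app-editors/vim", "9.0.1000"),
    ("dev-libs/glib", "2.74.3-r3"),
    ("dev-lang/go", "1.19.4"),
    ("dev-libs/libksba", "1.6.3"),
    ("net-misc/curl", "7.87.0"),
    ("app-arch/libarchive", "3.6.1-r1"),
    ("app-admin/sudo", "1.9.12_p1"),   # upstream 1.9.12p1
]

# Constructed sample manifest (not a real Flatcar package list).
SAMPLE_MANIFEST = """\
app-admin/sudo-1.9.12_p1::coreos
app-arch/libarchive-3.6.1-r1::portage-stable
app-editors/vim-9.0.0828::portage-stable
dev-lang/go-1.19.4::coreos
dev-libs/glib-2.74.3-r2::portage-stable
dev-libs/libksba-1.6.2::portage-stable
net-misc/curl-7.87.0::portage-stable
""".splitlines()

if __name__ == "__main__":
    for pkg, have, need in find_outdated(SAMPLE_MANIFEST, TRACKED_MINIMUMS):
        print(f"{pkg}: installed {have}, need >= {need}")
```

Run against the sample manifest, it flags vim (9.0.0828 < 9.0.1000), glib (-r2 < -r3) and libksba (1.6.2 < 1.6.3) and accepts the rest; the leading-zero rule is what makes `9.0.1000` sort above `9.0.0828` even though `int("0828")` is smaller than 1000. Versions outside the Gentoo syntax (kernel "5.15.82+" shorthand, for instance) raise rather than silently comparing wrong.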
## 2022-12-12 (Mon)
### News
* Kernel(procfs) CVE-2022-4378 https://github.com/kinvolk/security/issues/284
  * update to >= 5.15.82, 5.10.158
* Go CVE-2022-41717 https://github.com/kinvolk/security/issues/281
  * update to >= 1.19.4
* nvidia-drivers CVE-2022-`346[78]*`,-`422[56]*` https://github.com/kinvolk/security/issues/253
  * update to >= 515.86.01.
* systemd-coredump deadlock CVE-2022-45873 https://github.com/kinvolk/security/issues/282
  * fix is in v252, not to be backported to v250
* vim CVE-2022-{3491,3520,3591,4141} https://github.com/kinvolk/security/issues/283
  * update to >= 9.0.1000
* Done: libarchive CVE-2022-36227 https://github.com/kinvolk/security/issues/280
  * did update to 3.6.1-r1
* Done: containerd CVE-2022-23471 https://github.com/kinvolk/security/issues/286
  * did update to 1.6.12
### On-going issues
* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * upgrade golang.org/x/text to 0.3.8
* High: grub multiple vulns https://github.com/kinvolk/security/issues/67
  * Sayan, WIP [PR](https://github.com/flatcar-linux/coreos-overlay/pull/2098)
* High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
  * Sayan, 515.65.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* Medium: systemd CVE-2022-3821: https://github.com/kinvolk/security/issues/277
  * need to update to >= 250.8, but not trivial
* Done: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118
  * Did update to 2.13
* Done: libksba CVE-2022-3515: https://github.com/kinvolk/security/issues/279
  * Did update to 1.6.2, [PR](https://github.com/flatcar/portage-stable/pull/389)
* Done: python https://github.com/kinvolk/security/issues/257
  * python-oem to be done
* Done: sudo CVE-2022-43995 https://github.com/kinvolk/security/issues/276
  * Did update to 1.9.12p1 [PR](https://github.com/flatcar/coreos-overlay/pull/2309)
## 2022-11-21 (Mon)
### News
* libksba CVE-2022-3515: https://github.com/kinvolk/security/issues/279
  * 1.6.2, WIP [PR](https://github.com/flatcar/portage-stable/pull/389)
* systemd CVE-2022-3821: https://github.com/kinvolk/security/issues/277
  * need to update to >= 250.8, but not trivial
* Done: vim CVE-2022-3705: https://github.com/kinvolk/security/issues/278
  * did update to 9.0.0828
### On-going issues
* High: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118
  * Gentoo updated to 2.13
  * Weekly package updates are not picking it up
* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * upgrade golang.org/x/text to 0.3.8
* High: grub multiple vulns https://github.com/kinvolk/security/issues/67
  * Sayan, WIP [PR](https://github.com/flatcar-linux/coreos-overlay/pull/2098)
* High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
  * Sayan, 515.65.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* High: sudo CVE-2022-43995 https://github.com/kinvolk/security/issues/276
  * Sayan, 1.9.12p1 WIP
* Done: Kernel io_uring CVE-2022-2602: https://github.com/kinvolk/security/issues/268
  * Released on all channels except Stable, whose release with >= 5.15.75 is still pending
* Done: curl CVE-2022-{32221,35260,42915,42916} https://github.com/kinvolk/security/issues/273
  * did update to 7.86.0, PR https://github.com/flatcar/portage-stable/pull/380
* Done: expat CVE-2022-43680 https://github.com/kinvolk/security/issues/275
  * did update to 2.5.0, PR https://github.com/flatcar/portage-stable/pull/380
* Done: openssh 9.1_p1: https://github.com/kinvolk/security/issues/271
  * merged PR https://github.com/flatcar/coreos-overlay/pull/2268
## 2022-11-07 (Mon)
### News
* High: curl CVE-2022-{32221,35260,42915,42916} https://github.com/kinvolk/security/issues/273
  * update to 7.86.0, PR https://github.com/flatcar/portage-stable/pull/380
* High: expat CVE-2022-43680 https://github.com/kinvolk/security/issues/275
  * update to 2.5.0, PR https://github.com/flatcar/portage-stable/pull/380
* High: sudo CVE-2022-43995 https://github.com/kinvolk/security/issues/276
  * update to [1.9.12p1](https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p1)
* WONTFIX/High: go [CVE-2022-41716](https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM)
  * Flatcar not affected, only Windows
### On-going issues
* High: Kernel io_uring CVE-2022-2602: https://github.com/kinvolk/security/issues/268
  * fix is in >= 5.15.75, >= 5.10.150
* High: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118
  * Gentoo updated to 2.13
  * Weekly package updates are not picking it up
* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * upgrade golang.org/x/text to 0.3.8
* High: grub multiple vulns https://github.com/kinvolk/security/issues/67
  * Sayan, WIP [PR](https://github.com/flatcar-linux/coreos-overlay/pull/2098)
* High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
  * Sayan: 515.65.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* openssh 9.1_p1: https://github.com/kinvolk/security/issues/271
  * Krzesimir, WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2268)
* High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
  * no upstream release, only [1.46.6-rc1](https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/tag/?h=v1.46.6-rc1)
* Done: git CVE-2022-392{53,60}: https://github.com/kinvolk/security/issues/270
  * did upgrade to 2.37.4
* Done: multipath-tools CVE-2022-4197[34] https://github.com/kinvolk/security/issues/266
  * did upgrade to 0.9.3
* Done: openssl CVE-2022-3358: https://github.com/kinvolk/security/issues/267
  * fixed in 3.0.6+, will be included in the next Stable, Beta, Alpha.
* Done: openssl CVE-2022-3602, CVE-2022-3786: https://github.com/kinvolk/security/issues/274
  * fixed in 3.0.7, will be included in the next Stable, Beta, Alpha.
## 2022-10-24 (Mon)
### News
* High: git CVE-2022-392{53,60}: https://github.com/kinvolk/security/issues/270
  * upgrade to >= 2.37.4
* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * upgrade golang.org/x/text to 0.3.8
* High/blocked: openssl CVE-2022-3358: https://github.com/kinvolk/security/issues/267
  * fixed in 3.0.6, but on hold due to regressions in that version.
* openssh 9.1_p1: https://github.com/kinvolk/security/issues/271
  * release fixes memory safety problems
* Kernel io_uring CVE-2022-2602: https://github.com/kinvolk/security/issues/268
  * fix is only in mainline, but not in LTS kernels 5.15 & 5.10
* Done: libxml2: https://github.com/kinvolk/security/issues/272
  * did upgrade to 2.10.3
### On-going issues
* High: grub multiple vulns https://github.com/kinvolk/security/issues/67
  * Sayan, WIP PR https://github.com/flatcar-linux/coreos-overlay/pull/2098
* High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
  * Sayan: 515.65.01 WIP PR https://github.com/flatcar/coreos-overlay/pull/2160
* High/blocked: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118
  * Gentoo started updating to 2.13, but it is still unkeyworded
* High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
  * no upstream release
* Done: Kernel io_uring CVE-2022-3176
  * Fixed in 5.10.141, also in Flatcar releases
* Done: bind-tools: https://github.com/kinvolk/security/issues/263
  * did upgrade to 9.16.33
* Done: curl CVE-2022-35252: https://github.com/kinvolk/security/issues/250
  * did upgrade to 7.85.0
* Done: dbus: https://github.com/kinvolk/security/issues/264
  * did upgrade to 1.14.4
* Done: go: https://github.com/kinvolk/security/issues/262
  * did upgrade to 1.18.7
* Done: vim: https://github.com/kinvolk/security/issues/265
  * did upgrade to 9.0.0655
## 2022-10-10 (Mon)
### News
* vim: https://github.com/kinvolk/security/issues/265
  * upgrade to >= 9.0.0655
* dbus: https://github.com/kinvolk/security/issues/264
  * upgrade to >= 1.14.4
* go: https://github.com/kinvolk/security/issues/262
  * upgrade to >= 1.18.7
* Kernel io_uring CVE-2022-3176
  * Published. Fixed in >= 5.10.141
### On-going issues
* Critical: vim - multiple CVEs https://github.com/kinvolk/security/issues/265
  * Krzesimir, WIP PR: https://github.com/flatcar/portage-stable/pull/369, https://github.com/flatcar/coreos-overlay/pull/2210
  * Done: earlier update https://github.com/flatcar/coreos-overlay/pull/2140, https://github.com/kinvolk/security/issues/249
* High: grub multiple vulns https://github.com/kinvolk/security/issues/67
  * Sayan, WIP PR https://github.com/flatcar-linux/coreos-overlay/pull/2098
* High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
  * Sayan: 515.65.01 WIP PR https://github.com/flatcar/coreos-overlay/pull/2160
* High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
  * no upstream release
* Medium: binutils CVE-2022-38533 https://github.com/kinvolk/security/issues/254
  * no Gentoo update yet
* bind-tools: https://github.com/kinvolk/security/issues/263
  * Krzesimir, WIP PR: https://github.com/flatcar/portage-stable/pull/370
* go: https://github.com/kinvolk/security/issues/262
  * WIP PR: https://github.com/flatcar/coreos-overlay/pull/2208
* Kernel issues:
  * Done: netfilter IRC conntrack (nf_conntrack_irc) CVE-2022-2663: https://github.com/kinvolk/security/issues/241
    * Fixed in Kernel v5.15.68, v5.10.143, v5.4.213
  * Done: slab out-of-bounds read in bpf CVE-2022-2905 https://seclists.org/oss-sec/2022/q3/146
    * Fixed in Kernel 5.15.64, 5.10.140, for next Flatcar releases
## 2022-09-26 (Mon)
### News
* Critical: expat CVE-2022-40674 https://github.com/kinvolk/security/issues/261
  * Dongsu: update to 2.4.9
* rust CVE-2022-3611[34] https://github.com/kinvolk/security/issues/259
  * update to >= 1.63.0-r1
* bind CVE-2022-2795 etc. https://seclists.org/oss-sec/2022/q3/217
  * Flatcar is not affected
* Kernel io_uring CVE-2022-3176
  * about to be published
### On-going issues
* Critical: vim - multiple CVEs https://github.com/kinvolk/security/issues/249
  * no Gentoo update yet
  * Krzesimir updating to 9.0.0453 https://github.com/flatcar/coreos-overlay/pull/2140
* Kernel issues:
  * netfilter IRC conntrack (nf_conntrack_irc) CVE-2022-2663: https://github.com/kinvolk/security/issues/241
    * Fixed in Kernel v5.15.68, v5.10.143, v5.4.213
  * Done: slab out-of-bounds read in bpf CVE-2022-2905 https://seclists.org/oss-sec/2022/q3/146
    * Fixed in Kernel 5.15.64, 5.10.140, for next Flatcar releases
* High: grub multiple vulns https://github.com/kinvolk/security/issues/67
  * Sayan, WIP PR https://github.com/flatcar-linux/coreos-overlay/pull/2098
* High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
  * Sayan: 515.65.01 WIP PR https://github.com/flatcar/coreos-overlay/pull/2160
* High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
  * no upstream release
* Medium: binutils CVE-2022-38533 https://github.com/kinvolk/security/issues/254
  * no Gentoo update yet
* Done: docker CVE-2022-36109 https://github.com/kinvolk/security/issues/256
* Done: go CVE-2022-27664, CVE-2022-32190 https://github.com/kinvolk/security/issues/255
* Done: intel-microcode CVE-2022-21233 https://github.com/kinvolk/security/issues/248
* Done: libtasn1 4.19.0 https://github.com/kinvolk/security/issues/251
* Done: libxml2 CVE-2016-3709 https://github.com/kinvolk/security/issues/245
* Done: rsync CVE-2022-29154: https://github.com/kinvolk/security/issues/238
* Done: zlib CVE-2022-37434 https://github.com/kinvolk/security/issues/246