# Security tracking

# Summary

* [Schedule of tracking security issues of Flatcar](#Schedule-of-tracking-security-issues-of-Flatcar)
* [What to do?](#what-to-do)
* [Security tracking meeting notes](#Security-tracking-meeting-notes)
  * [2023-12-04 (Mon)](#2023-12-04-(Mon))
  * [2023-11-06 (Mon)](#2023-11-06-(Mon))
  * [2023-10-09 (Mon)](#2023-10-09-(Mon))
  * [2023-09-25 (Mon)](#2023-09-25-(Mon))
  * [2023-09-11 (Mon)](#2023-09-11-(Mon))
  * [2023-08-28 (Mon)](#2023-08-28-(Mon))
  * [2023-07-31 (Mon)](#2023-07-31-(Mon))
  * [2023-07-17 (Mon)](#2023-07-17-(Mon))
  * [2023-06-19 (Mon)](#2023-06-19-(Mon))

# Schedule of tracking security issues of Flatcar

This table describes a rough schedule of who should be in charge of regularly tracking security issues for Flatcar, especially tracking issues from upstream projects like Gentoo Linux.

| Week of | Primary | Secondary |
| ---------- | -------- | --------- |
| ~~2024-04-01~~ | ~~Dongsu~~ | ~~Mathieu~~ |
| ~~2024-04-08~~ | ~~Mathieu~~ | ~~Kai~~ |
| ~~2024-04-15~~ | ~~Kai~~ | ~~Sayan~~ |
| 2024-04-22 | Sayan | Dongsu |
| 2024-04-29 | Dongsu | Mathieu |
| 2024-05-06 | Mathieu | Kai |
| 2024-05-13 | Kai | Sayan |
| 2024-05-20 | Sayan | Dongsu |
| 2024-05-27 | Dongsu | Mathieu |
| 2024-06-03 | Mathieu | ? |
| 2024-06-10 | ? | Sayan |
| 2024-06-17 | Sayan | Dongsu |

## What to do

The primary person should:

* Every day, look into upstream security trackers such as:
  * [Gentoo security vulnerabilities](https://bugs.gentoo.org/buglist.cgi?bug_status=__open__&component=Vulnerabilities&list_id=6015515&product=Gentoo%20Security). It might be useful to use `gorss` + RSS feed for this.
  * [oss-security mailing list](https://oss-security.openwall.org/wiki/mailing-lists/oss-security)
  * [Golang announce mailing list](https://groups.google.com/g/golang-announce)
  * [Rust security announcements](https://groups.google.com/g/rustlang-security-announcements)
  * (optional) issue trackers of other distros like [RedHat vulnerabilities](https://bugzilla.redhat.com/buglist.cgi?component=vulnerability&product=Security%20Response&resolution=---)
* Whenever we discover any new CVE, we add it to the [CVE spreadsheets](https://docs.google.com/spreadsheets/d/1gAn7JyASTCydfC2ZllUx4qpS2hMTd5TWVykq6AVAf-c/edit#gid=0) (still private), and click the link (above left) to generate new issues. Then we should be able to see a new issue created in [Flatcar GitHub issues](https://github.com/flatcar/Flatcar/issues?q=is%3Aissue+is%3Aopen+label%3Aadvisory) with labels `security` and `advisory`.
* If an issue for updating the specific package affected by the new CVE is already open in [Flatcar GitHub issues](https://github.com/Flatcar/Flatcar/issues), then unfortunately we need to manually edit the existing issue to add the new CVE.
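The daily triage loop described above (read the upstream feed, pull out the CVE ids per package, then either open a new issue or extend the issue already open for that package) as an added Python example; this is not part of the Flatcar wiki or its tooling. The RSS text, the `EXAMPLE*` bug links and the open-issue snapshot are constructed; the two Flatcar issue numbers are reused from the meeting notes on this page.

```python
"""Triage helper for the security-tracking rotation.

Parses Gentoo-bugzilla-style RSS titles ("<category>/<pkg>: <summary> (CVE-...)"),
extracts package and CVE ids, and decides per package whether a new Flatcar
issue is needed, an existing open issue must be extended with new ids, or
nothing is to be done. All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Gentoo security bug titles start with "<category>/<package>:".
PKG_RE = re.compile(r"^\s*([a-z0-9-]+/[A-Za-z0-9_.+-]+)\s*:", re.IGNORECASE)

# Constructed RSS feed in the shape a bugs.gentoo.org buglist emits.
# Bug links are placeholders, not real bug ids.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <item><title>net-misc/curl: heap overflow (CVE-2023-38039)</title>
        <link>https://bugs.gentoo.org/show_bug.cgi?id=EXAMPLE1</link></item>
  <item><title>net-fs/samba: multiple vulnerabilities (CVE-2021-44142, CVE-2022-1615)</title>
        <link>https://bugs.gentoo.org/show_bug.cgi?id=EXAMPLE2</link></item>
  <item><title>sys-devel/gcc: stack protector bypass (CVE-2023-4039)</title>
        <link>https://bugs.gentoo.org/show_bug.cgi?id=EXAMPLE3</link></item>
  <item><title>[TRACKER] security bugs without a CVE</title>
        <link>https://bugs.gentoo.org/show_bug.cgi?id=EXAMPLE4</link></item>
</channel></rss>
"""

# Constructed snapshot of issues already open in flatcar/Flatcar:
# issue number, package, and the CVE ids the issue already lists.
OPEN_ISSUES = [
    {"number": 1180, "package": "sys-devel/gcc", "cves": {"CVE-2023-4039"}},
    {"number": 1184, "package": "net-fs/samba", "cves": {"CVE-2021-44142"}},
]


def parse_feed(xml_text):
    """Return [(package, {cve ids}, link)] for feed items that name a CVE."""
    entries = []
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = item.findtext("title", "")
        cves = set(CVE_RE.findall(title))
        pkg = PKG_RE.match(title)
        if not cves or not pkg:
            continue  # tracker/meta bugs carry no CVE or no package prefix
        entries.append((pkg.group(1), cves, item.findtext("link", "")))
    return entries


def triage(entries, open_issues):
    """Map each package to the action the primary person should take."""
    by_pkg = {issue["package"]: issue for issue in open_issues}
    actions = {}
    for pkg, cves, link in entries:
        existing = by_pkg.get(pkg)
        if existing is None:
            # No issue yet: add to the CVE sheet and generate a new issue.
            actions[pkg] = {"action": "open", "cves": sorted(cves), "link": link}
            continue
        missing = sorted(cves - existing["cves"])
        if missing:
            # Issue exists: the new ids must be added to it by hand.
            actions[pkg] = {"action": "append", "issue": existing["number"],
                            "cves": missing, "link": link}
        else:
            actions[pkg] = {"action": "noop", "issue": existing["number"]}
    return actions


if __name__ == "__main__":
    for pkg, act in triage(parse_feed(SAMPLE_FEED), OPEN_ISSUES).items():
        print(pkg, act)
```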
# Security tracking meeting notes

## 2023-12-04 (Mon)

### News

* High: intel-microcode CVE-2023-23583 https://github.com/flatcar/Flatcar/issues/1254
  * update to >= 20231114
  * weekly updates https://github.com/flatcar/scripts/pull/1460
* Unknown: gnutls CVE-2023-5981 https://github.com/flatcar/Flatcar/issues/1277
  * update to >= 3.8.2
  * ebuild exists, not stable yet
* Unknown: go CVE-2023-39326 https://groups.google.com/g/golang-announce/c/TABUsV4-FiU
  * update to >= 1.20.12
  * to be public on 2023-12-05

### On-going issues

* High: vim https://github.com/flatcar/Flatcar/issues/1214
  * update to >= 9.0.2068
* Medium: nvidia-drivers CVE-2023-31022 https://github.com/flatcar/Flatcar/issues/1228
  * update to >= 535.129.03
* Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
  * update to >= 13.2.1_p20231014
* Medium: openssl CVE-2023-{3817,5363} https://github.com/flatcar/Flatcar/issues/1141
  * update to >= 3.0.12
  * needs manual updates
* Medium: nasm CVE-2019-8343 https://github.com/flatcar/Flatcar/issues/1100
  * update to >= 2.16.01-r1
* Done: open-vm-tools CVE-2023-3405[89] https://github.com/flatcar/Flatcar/issues/1229
  * did update to >= 12.3.5

## 2023-11-06 (Mon)

### News

* High: vim https://github.com/flatcar/Flatcar/issues/1214
  * update to >= 9.0.2068
* Medium: nvidia-drivers CVE-2023-31022 https://github.com/flatcar/Flatcar/issues/1228
  * update to >= 535.129.03
* Unknown: open-vm-tools CVE-2023-3405[89] https://github.com/flatcar/Flatcar/issues/1229
  * update to >= 12.3.5
  * PR https://github.com/flatcar/scripts/pull/1318
* Unknown: Go CVE-2023-4528[34]
  * update to >= 1.20.11
  * https://groups.google.com/g/golang-announce/c/ZLYrkKN4Bd4

### On-going issues

* Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
  * update to >= 13.2.1_p20231014
* Medium: openssl CVE-2023-{3817,5363} https://github.com/flatcar/Flatcar/issues/1141
  * update to >= 3.0.12
  * needs manual updates
* Done: glibc CVE-2023-4911 https://github.com/flatcar/Flatcar/issues/1198
  * did update to 2.37-r7
* Done: Go CVE-2023-39323 https://github.com/flatcar/Flatcar/issues/1200
  * did update to >= 1.20.9
* Done: grub CVE-2023-469[23] https://github.com/flatcar/Flatcar/issues/1199
  * did update to 2.06-r9
* Done: libtirpc 1.3.4 https://github.com/flatcar/Flatcar/issues/1204
  * did update to 1.3.4
* Done: samba CVE-2023-4091 https://github.com/flatcar/Flatcar/issues/1213
  * did update to 4.18.8

## 2023-10-09 (Mon)

### News

* High: glibc CVE-2023-4911 https://github.com/flatcar/Flatcar/issues/1198
  * update to >= 2.37-r7
* Unknown: grub CVE-2023-469[23] https://github.com/flatcar/Flatcar/issues/1199
  * update to >= 2.06-r9
* Unknown: Go CVE-2023-39323 https://github.com/flatcar/Flatcar/issues/1200
  * update to >= 1.20.9
  * PR https://github.com/flatcar/scripts/pull/1230
* Unknown: libtirpc 1.3.4 https://github.com/flatcar/Flatcar/issues/1204
  * update to >= 1.3.4

### On-going issues

* Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
  * TBD
* Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
  * update to >= 3.0.10
  * needs manual updates
* Done: curl CVE-2023-38039 https://github.com/flatcar/Flatcar/issues/1178
  * update to >= 8.3.0
* Done: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
  * did update to 5.4.6
* Done: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
  * did update to 1.20.2
* Done: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
  * did update to 4.0.4
* Done: samba CVE-{2021-44142,2022-1615} https://github.com/flatcar/Flatcar/issues/1184
  * did update to 4.18.4

## 2023-09-25 (Mon)

### News

* High: curl CVE-2023-38039 https://github.com/flatcar/Flatcar/issues/1178
  * update to >= 8.3.0
* High: samba CVE-{2021-44142,2022-1615} https://github.com/flatcar/Flatcar/issues/1184
  * update to >= 4.17.5
  * needs manual updates
* Medium: gcc CVE-2023-4039 https://github.com/flatcar/Flatcar/issues/1180
  * TBD
* Done: glibc CVE-2023-{4527,4806} https://github.com/flatcar/Flatcar/issues/1179
  * did update to 2.37-r5

### On-going issues

* High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
  * update to >= 5.4.6
  * in [weekly updates](https://github.com/flatcar/scripts/pull/1177)
* Medium: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
  * update to >= 1.20.2 or >= 1.21.1
  * needs manual updates
* Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
  * update to >= 3.0.10
  * needs manual updates
* Medium: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
  * update to >= 4.0.4
  * its ebuild is still unstable
* Done: Go CVE-2023-3931[89], CVE-2023-3932[0-2] https://github.com/flatcar/Flatcar/issues/1174
  * did update to 1.20.8
  * included in Alpha 3732.0.0
* Done: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
  * did update to 525.125.06
  * included in Alpha 3732.0.0

## 2023-09-11 (Mon)

### News

* Unknown: Go CVE-2023-3931[89], CVE-2023-3932[0-2] https://github.com/flatcar/Flatcar/issues/1174
  * update to >= 1.20.8
  * PR https://github.com/flatcar/scripts/pull/1129
* Done: open-vm-tools CVE-2023-20900 https://github.com/flatcar/Flatcar/issues/1164
  * did update to 12.3.0
  * PR https://github.com/flatcar/scripts/pull/1101

### On-going issues

* High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
  * update to >= 525.125.06
  * PR https://github.com/flatcar/scripts/pull/1121
* High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
  * update to >= 5.4.6
  * Gentoo ebuild is available, still unstable
* Medium: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
  * update to >= 1.20.2 or >= 1.21.1
* Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
  * update to >= 3.0.10
* Medium: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
  * ebuild is there, still unstable
* Done: Downfall (intel-microcode and Kernel) CVE-2022-{40982,41804}, CVE-2023-23908 https://github.com/flatcar/Flatcar/issues/1155
  * did update to intel-microcode >= 20230808_p20230804
  * did update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
* Done: AMD Inception CVE-2023-20569 https://github.com/flatcar/Flatcar/issues/1156
  * did update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
* Done: python CVE-2023-{40217,41105} https://bugs.gentoo.org/912976
  * did update to 3.11.5

## 2023-08-28 (Mon)

### News

* Medium: Downfall (intel-microcode and Kernel) CVE-2022-{40982,41804}, CVE-2023-23908 https://github.com/flatcar/Flatcar/issues/1155
  * did update to intel-microcode >= 20230808_p20230804
  * update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
* High: AMD Inception CVE-2023-20569 https://github.com/flatcar/Flatcar/issues/1156
  * update to Kernel >= 5.10.189, >= 5.15.125, >= 6.1.44
* Medium: mit-krb5 CVE-2023-36054 https://github.com/flatcar/Flatcar/issues/1159
  * update to >= 1.20.2 or >= 1.21.1
* Medium: openssl CVE-2023-3817 https://github.com/flatcar/Flatcar/issues/1141
  * update to >= 3.0.10
* Medium: procps CVE-2023-4016 https://github.com/flatcar/Flatcar/issues/1160
* Unknown: python CVE-2023-{40217,41105} https://bugs.gentoo.org/912976
  * update to >= 3.11.5
* Done: Rust CVE-2023-38497 https://github.com/flatcar/Flatcar/issues/1150
  * did update to 1.71.1

### On-going issues

* High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
  * update to >= 525.125.06
* High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
  * update to >= 5.4.6
  * Gentoo ebuild is available, still unstable
* Done: curl CVE-2023-32001 https://github.com/flatcar/Flatcar/issues/1123
  * did update to 8.2.1
* Done: grub many CVEs https://github.com/flatcar/Flatcar/issues/1099
  * did update to 2.06
* Done: Go CVE-2023-29409 https://github.com/flatcar/Flatcar/issues/1149
  * update to >= 1.20.7 & 1.19.12
* Done: libarchive https://github.com/flatcar/Flatcar/issues/1138
  * did update to 3.7.1
* Done: libxml2 20230428 https://github.com/flatcar/Flatcar/issues/1118
  * did update to 2.11.4
* Done: linux-firmware & Kernel CVE-2023-20593 https://github.com/flatcar/Flatcar/issues/1134
  * did update to linux-firmware = 20230625_p20230724
  * did update to Kernel 6.1.41, 5.15.122, 5.10.187
* Done: openssl CVE-2023-{2975,3446} https://github.com/flatcar/Flatcar/issues/1122
  * did update to 3.0.9-r2
* Done: shadow CVE-2023-29383, etc. https://github.com/flatcar/Flatcar/issues/1085
  * did update to 4.13-r4
* Done: vim CVE-2023-26{09,10} https://github.com/flatcar/Flatcar/issues/1086
  * did update to 9.0.1677

## 2023-07-31 (Mon)

### News

* Medium: linux-firmware & Kernel CVE-2023-20593 https://github.com/flatcar/Flatcar/issues/1134
  * update to linux-firmware >= 20230625_p20230724 - needs manual update
  * update to Kernel 6.1.41, 5.15.122, 5.10.187
* Medium: curl CVE-2023-32001 https://github.com/flatcar/Flatcar/issues/1123
  * update to >= 8.2.0
* Medium: openssl CVE-2023-{2975,3446} https://github.com/flatcar/Flatcar/issues/1122
  * update to >= 3.0.9-r2
* Unknown: Go CVE-2023-29409 https://groups.google.com/g/golang-announce/c/7b0c3Z5Ko8g
  * update to >= 1.20.7 & 1.19.12
* Unknown: Go golang.org/x/net/html CVE-2023-3978 https://groups.google.com/g/golang-announce/c/qB2Cuod1A14
* Unknown: libarchive https://github.com/flatcar/Flatcar/issues/1138
  * update to >= 3.7.1
* Done: openssh CVE-2023-38408 https://github.com/flatcar/Flatcar/issues/1133
  * update to >= 9.3_p2

### On-going issues

* High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
  * update to >= 525.125.06
* High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
  * update to >= 5.4.6
  * Gentoo ebuild is available, still unstable
* High: vim CVE-2023-26{09,10} https://github.com/flatcar/Flatcar/issues/1086
  * update to >= 9.0.1532, Gentoo ebuild for 9.0.1627 unstable available
* Low: shadow CVE-2023-29383, etc. https://github.com/flatcar/Flatcar/issues/1085
  * update to >= 4.13-r4
* Unknown: libxml2 20230428 https://github.com/flatcar/Flatcar/issues/1118
  * update to >= 2.11.4
  * weekly PR https://github.com/flatcar/scripts/pull/1025
* Done: Go CVE-2023-29406 https://github.com/flatcar/Flatcar/issues/1117
  * did update to 1.20.6, 1.19.11 https://github.com/flatcar/scripts/pull/988
* Done: openldap CVE-2023-2953 https://github.com/flatcar/Flatcar/issues/1120
  * did update to 2.5.14

## 2023-07-17 (Mon)

### News

* High: nvidia-drivers CVE-2023-2551[56] https://github.com/flatcar/Flatcar/issues/1097
  * update to >= 525.125.06
* High: lua CVE-2022-33099 https://github.com/flatcar/Flatcar/issues/1119
  * update to >= 5.4.6
  * Gentoo ebuild is available, still unstable
* High: openldap CVE-2023-2953 https://github.com/flatcar/Flatcar/issues/1120
  * update to >= 2.6.4-r1
* Unknown: Go CVE-2023-29406 https://github.com/flatcar/Flatcar/issues/1117
  * PR to update to 1.20.6, 1.19.11 https://github.com/flatcar/scripts/pull/988
* Unknown: libxml2 20230428 https://github.com/flatcar/Flatcar/issues/1118
  * update to >= 2.11.4
  * weekly PR https://github.com/flatcar/scripts/pull/987
* Done: protobuf CVE-2022-1941 https://github.com/flatcar/Flatcar/issues/1112
  * did update to 21.9

### On-going issues

* High: vim https://github.com/flatcar/Flatcar/issues/1086
  * did update to 9.0.1503, fixed CVE-2023-2426
  * other CVEs: update to >= 9.0.1532, Gentoo ebuild for 9.0.1627 unstable available
* Medium: binutils https://github.com/flatcar/Flatcar/issues/1053
  * did update to 2.40, fixed CVE-2022-{38533,4285}, CVE-2023-{1579,2222}
  * CVE-2023-1972 is still open, TBD
* Medium: ipxe CVE-2022-4087 https://github.com/flatcar/Flatcar/issues/1083
  * update to 1.21.1_p20230601
* Medium: libarchive https://github.com/flatcar/Flatcar/issues/1054
  * update to > 3.6.2, but no release available yet
* Low: shadow CVE-2023-29383, etc. https://github.com/flatcar/Flatcar/issues/1085
  * update to >= 4.13-r4
* Done: libmicrohttpd CVE-2023-27371 https://github.com/flatcar/Flatcar/issues/1084
  * did update to 0.9.76
* Done: ncurses CVE-2023-29491 https://github.com/flatcar/Flatcar/issues/1045
  * did update to 6.4_20230527
* Done: openssl https://github.com/flatcar/Flatcar/issues/1050
  * did update to 3.0.9

## 2023-06-19 (Mon)

### News

* Medium: ipxe CVE-2022-4087 https://github.com/flatcar/Flatcar/issues/1083
  * update to 1.21.1_p20230601
* Done: open-vm-tools CVE-2023-20867 https://github.com/flatcar/Flatcar/issues/1080
  * did update to 12.2.5

### On-going issues

* High: openssl https://github.com/flatcar/Flatcar/issues/1050
  * update to >= 3.0.9
  * Gentoo ebuild available, unstable
* High: vim https://github.com/flatcar/Flatcar/issues/1086
  * update to >= 9.0.1532
  * no Gentoo ebuild
* High/hold: binutils https://github.com/flatcar/Flatcar/issues/1053
  * update to > 2.40, wait until Gentoo ebuild of 2.40 becomes stable
* High/blocked: ncurses CVE-2023-29491 https://github.com/flatcar/Flatcar/issues/1045
  * update to >= 6.4_20230418, masked (not 20230408)
* Medium: libarchive https://github.com/flatcar/Flatcar/issues/1054
  * update to > 3.6.2, but no release available yet
* Medium: libmicrohttpd CVE-2023-27371 https://github.com/flatcar/Flatcar/issues/1084
  * update to >= 0.9.76
* Low: shadow CVE-2023-29383 https://github.com/flatcar/Flatcar/issues/1085
  * update to >= 4.13-r3
* Done: Go 1.20.5 & 1.19.10 https://github.com/flatcar/Flatcar/issues/1069
  * did update, to be released in Alpha 3634.0.0
* Done: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/flatcar/Flatcar/issues/1038
  * did update to >= 1.9.13p2

## 2023-06-05 (Mon)

### News

* High: openssl https://github.com/flatcar/Flatcar/issues/1050
  * update to >= 3.0.9
  * Gentoo ebuild available, unstable
* Medium: libarchive https://github.com/flatcar/Flatcar/issues/1054
  * update to > 3.6.2, but no release available yet
* ?: Go 1.20.5 & 1.19.10 https://groups.google.com/g/golang-announce/c/1AItFMBjrfw
  * to be released on 2023-06-06

### On-going issues

* High: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/flatcar/Flatcar/issues/1038
  * update to >= 1.9.13p2
  * PR https://github.com/flatcar/scripts/pull/872
* High: vim https://github.com/flatcar/security-nondisclosed/issues/333
  * update to >= 9.0.1532
  * no Gentoo ebuild
* High/hold: binutils https://github.com/flatcar/Flatcar/issues/1053
  * update to > 2.40, wait until Gentoo ebuild of 2.40 becomes stable
* High/blocked: ncurses CVE-2023-29491 https://github.com/flatcar/Flatcar/issues/1045
  * update to >= 6.4_20230418, masked (not 20230408)
* Medium: libmicrohttpd CVE-2023-27371 https://github.com/flatcar/security-nondisclosed/issues/329
  * update to >= 0.9.76
* Low: shadow CVE-2023-29383 https://github.com/flatcar/security-nondisclosed/issues/325
  * update to >= 4.13-r3
* Done: git https://github.com/kinvolk/security/issues/324
  * did update to >= 2.39.3

## 2023-05-15 (Mon)

### News

* High: vim https://github.com/kinvolk/security/issues/333
  * update to >= 9.0.1532
  * no Gentoo ebuild

### On-going issues

* High: git https://github.com/kinvolk/security/issues/324
  * update to >= 2.39.3
  * weekly [PR](https://github.com/flatcar/scripts/pull/821)
* High: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/kinvolk/security/issues/314
  * update to >= 1.9.13p2
* High/hold: binutils https://github.com/kinvolk/security/issues/254
  * update to > 2.40, wait until Gentoo ebuild becomes stable
* High/blocked: ncurses CVE-2023-29491 https://github.com/kinvolk/security/issues/323
  * update to >= 6.4_20230418, masked (not 20230408)
* Medium: libmicrohttpd CVE-2023-27371 https://github.com/kinvolk/security/issues/329
  * update to >= 0.9.76
* Medium/blocked: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
  * unclear if/when upstream could fix it in 20.10.x
* Low: shadow CVE-2023-29383 https://github.com/kinvolk/security/issues/325
  * update to >= 4.13-r3
* Done: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
  * did update to 5.2_p15-r2
* Done: c-ares CVE-2022-4904 https://github.com/kinvolk/security/issues/300
  * did update to 1.19
* Done: curl https://github.com/kinvolk/security/issues/319
  * did update to 8.0.1
* Done: Go 1.19.9 https://github.com/kinvolk/security/issues/331
  * did update to 1.19.9
* Done: libxml2 https://github.com/kinvolk/security/issues/322
  * did update to 2.10.4
* Done: openssh CVE-2023-28531 https://github.com/kinvolk/security/issues/326
  * did update to 9.3 in Alpha
* Done: openssl https://github.com/kinvolk/security/issues/318
  * did update to 3.0.8-r4

## 2023-05-02 (Tue)

### News

* Critical: openssh CVE-2023-28531 https://github.com/kinvolk/security/issues/326
  * update to >= 9.3 in Alpha
* High(?): git https://github.com/kinvolk/security/issues/324
  * update to >= 2.39.3
* Medium: libmicrohttpd CVE-2023-27371 https://github.com/kinvolk/security/issues/329
  * update to >= 0.9.76
* Low: shadow CVE-2023-29383 https://github.com/kinvolk/security/issues/325
  * update to >= 4.13-r3
* High/SDK: dnsmasq CVE-2023-28450 https://github.com/kinvolk/security/issues/327
  * update to >= 2.90
* Medium/SDK: qemu CVE-2023-{0330,1544} https://github.com/kinvolk/security/issues/328
  * not clear, maybe >= 8.0.0
* Unknown/SDK: perl CVE-2023-31486 https://github.com/kinvolk/security/issues/330
  * update to >= 5.36.1-r1
* Unknown: Go 1.19.9 https://groups.google.com/g/golang-announce/c/vFRFE07dbB8
  * to be public 2023-05-02

### On-going issues

* High: ncurses CVE-2023-29491 https://github.com/kinvolk/security/issues/323
  * update to 6.4_20230401 (not 20230408)
* High: openssl https://github.com/kinvolk/security/issues/318
  * update to >= 3.0.8-r4
* High: sudo CVE-2023-27320, CVE-2023-2848[67] https://github.com/kinvolk/security/issues/314
  * update to >= 1.9.13p2
* High: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
  * update to >= 5.2_p15-r2, not stable yet
* High: c-ares CVE-2022-4904 https://github.com/kinvolk/security/issues/300
  * update to >= 1.19
* High/hold: binutils https://github.com/kinvolk/security/issues/254
  * update to > 2.40, still unclear about fixes
* Medium: curl https://github.com/kinvolk/security/issues/319
  * update to >= 8.0.1
* Medium: libxml2 https://github.com/kinvolk/security/issues/322
  * update to >= 2.10.4
  * weekly [PR](https://github.com/flatcar/scripts/pull/737)
* Medium/blocked: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
  * unclear if/when upstream could fix it in 20.10.x
* Done: nvidia-drivers https://github.com/kinvolk/security/issues/253
  * did update to 525.85.12
* Done: vim https://github.com/kinvolk/security/issues/307
  * did update to 9.0.1225
* Done: zstd https://github.com/kinvolk/security/issues/332
  * did update to 1.5.4

## 2023-04-17 (Mon)

### News

* Medium: libxml2 https://github.com/kinvolk/security/issues/322
  * update to >= 2.10.4
* Unknown: ncurses CVE-2023-29491 https://github.com/kinvolk/security/issues/323
  * update to 6.4_20230401 (not 20230408)
* Done: docker CVE-2023-2884[0-2] https://github.com/kinvolk/security/issues/320
  * update to >= 20.10.24
* Done: go CVE-2023-2453[4678] https://github.com/kinvolk/security/issues/321
  * update to >= 1.19.8

### On-going issues

* High: binutils https://github.com/kinvolk/security/issues/254
  * update to > 2.40 (?)
* High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
  * 525.85.12 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2480)
* High: openssl CVE-2023-0464 https://github.com/kinvolk/security/issues/318
  * update to >= 3.0.9
* High: vim https://github.com/kinvolk/security/issues/307
  * update to >= 9.0.1225
* High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
  * No upstream fix
* Medium: curl https://github.com/kinvolk/security/issues/319
  * update to >= 8.0.1
* Medium/blocked: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
  * unclear if/when upstream could fix it in 20.10.x
* Unknown: sudo CVE-2023-27320 https://github.com/kinvolk/security/issues/314
  * update to >= 1.9.13p2
* Done: runc CVE-2023-27561 https://github.com/kinvolk/security/issues/316
  * regression of CVE-2019-19921
  * updated to 1.1.5
* Done: tar CVE-2022-48303 https://github.com/kinvolk/security/issues/312

## 2023-03-06 (Mon)

### News

* Unknown: runc CVE-2023-27561 https://github.com/kinvolk/security/issues/316
  * regression of CVE-2019-19921
  * upstream fix is available https://github.com/opencontainers/runc/pull/3756
* High: tar CVE-2022-48303 https://github.com/kinvolk/security/issues/312
  * Fix is in upstream, but no release yet
* Low: sudo CVE-2023-27320 https://github.com/kinvolk/security/issues/314
  * update to >= 1.9.13p2
* Low/SDK: pkgconf CVE-2023-24056 https://github.com/kinvolk/security/issues/313
  * update to >= 1.8.1
  * weekly [PR](https://github.com/flatcar/portage-stable/pull/423)
* Low/SDK: python CVE-2023-24329 https://github.com/kinvolk/security/issues/315
  * update to >= 3.10.10_p2
  * weekly [PR](https://github.com/flatcar/portage-stable/pull/423)

### On-going issues

* Critical(?): curl CVE-2023-2391[4-6] https://github.com/kinvolk/security/issues/304
  * update to 7.88.0
  * weekly [PR](https://github.com/flatcar/portage-stable/pull/423)
  * unclear if that is so critical
* High: gnutls CVE-2023-0361 https://github.com/kinvolk/security/issues/308
  * update to 3.7.9
  * weekly [PR](https://github.com/flatcar/portage-stable/pull/423)
* High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
  * 525.85.12 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2480)
* High: vim https://github.com/kinvolk/security/issues/307
  * update to >= 9.0.1225
* High: git CVE-2023-22490, CVE-2023-23946 https://github.com/kinvolk/security/issues/305
  * update to 2.39.2, 2.38.4
  * weekly [PR](https://github.com/flatcar/portage-stable/pull/423)
* High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
  * No upstream fix
* Medium: binutils https://github.com/kinvolk/security/issues/254
  * update to 2.40
* Medium: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
  * unclear if/when upstream could fix it in 20.10.x
* Done: dnsmasq CVE-2022-0934 https://github.com/kinvolk/security/issues/204
  * did update to 2.89, [PR](https://github.com/flatcar/portage-stable/pull/421)
* Done: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
  * did update to >= 1.46.6, [PR](https://github.com/flatcar/portage-stable/pull/420)
* Done: Go CVE-2022-4172[3-5] https://github.com/kinvolk/security/issues/310
  * did update to 1.19.6
* Done: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * did update golang.org/x/text to 0.3.8
* Done: intel-microcode https://github.com/kinvolk/security/issues/309
  * did update to 20230214, [PR](https://github.com/flatcar/coreos-overlay/pull/2474)
* Done: less CVE-2022-46663 https://github.com/kinvolk/security/issues/301
  * did update to 608-r2, [PR](https://github.com/flatcar/portage-stable/pull/418)

## 2023-02-20 (Mon)

### News

* High: Go CVE-2022-4172[3-5] https://github.com/kinvolk/security/issues/310
  * update to 1.19.6
* High: intel-microcode https://github.com/kinvolk/security/issues/309
  * update to 20230214
* High: less CVE-2022-46663 https://github.com/kinvolk/security/issues/301
  * update to 608-r2 https://github.com/flatcar/portage-stable/pull/418
* Medium: curl CVE-2023-2391[4-6] https://github.com/kinvolk/security/issues/304
  * update to 7.88.0
* Medium: git CVE-2023-22490, CVE-2023-23946 https://github.com/kinvolk/security/issues/305
  * update to 2.39.2, 2.38.4
* Medium: gnutls CVE-2023-0361 https://github.com/kinvolk/security/issues/308
  * update to 3.7.9

### On-going issues

* High: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209
  * update to >= 1.46.6
* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * update golang.org/x/text to 0.3.8, done only in mantle
* High: vim https://github.com/kinvolk/security/issues/307
  * update to >= 9.0.1225
* High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
  * No upstream fix
* High/blocked: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
  * 515.86.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* Medium: binutils https://github.com/kinvolk/security/issues/254
  * update to 2.40
* Medium: docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
* Low: c-ares 1.19 stack overflow https://github.com/kinvolk/security/issues/300
* Done: Kernel (netfilter) CVE-2023-0179 https://github.com/kinvolk/security/issues/297
* Done: containerd CVE-2023-251[57]3 https://github.com/kinvolk/security/issues/311
  * Did update to 1.6.18
* Done: curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
  * Did update to 7.87.0
* Done: openssh 9.2 double free https://github.com/kinvolk/security/issues/303
  * Did update to 9.2
* Done: openssl 3.0.8 https://github.com/kinvolk/security/issues/299
  * Did update to 3.0.8
* Done: sudo CVE-2023-22809 https://github.com/kinvolk/security/issues/298
  * Did update to >= 1.9.12p2

## 2023-02-06 (Mon)

### News

* c-ares 1.19 stack overflow https://github.com/kinvolk/security/issues/300
* docker CVE-2022-37708 https://github.com/kinvolk/security/issues/302
* openssh 9.2 double free https://github.com/kinvolk/security/issues/303
  * Gentoo has an ebuild

### On-going issues

* High: Kernel (netfilter) CVE-2023-0179 https://github.com/kinvolk/security/issues/297
  * Update to 5.15.88, 5.10.163
  * Fixed in LTS, Beta, Alpha. Not in Stable.
* High: curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
  * Update to 7.87.0
  * PR https://github.com/flatcar/portage-stable/pull/412
* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * update golang.org/x/text to 0.3.8, done only in mantle
* High: sudo CVE-2023-22809 https://github.com/kinvolk/security/issues/298
  * update to >= 1.9.12p2
  * PR https://github.com/flatcar/coreos-overlay/pull/2426
* High: vim https://github.com/kinvolk/security/issues/283
  * update to >= 9.0.1189
* High/blocked: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
  * No upstream fix
* High/blocked: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
  * 515.86.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* Medium: binutils https://github.com/kinvolk/security/issues/254
  * update to 2.40
* Low: pax-utils https://github.com/kinvolk/security/issues/296
  * No upstream fix
  * Flatcar might not be affected

## 2023-01-23 (Mon)

### News

* Kernel (netfilter) https://github.com/kinvolk/security/issues/297
  * Fix is not in mainline
* pax-utils https://github.com/kinvolk/security/issues/296
  * No upstream fix
  * Flatcar might not be affected
* sudo CVE-2023-22809 https://github.com/kinvolk/security/issues/298
  * update to >= 1.9.12p2

### On-going issues

* Critical: bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
  * No upstream fix
* Kernel(nfs4) CVE-2022-4379 https://github.com/kinvolk/security/issues/285
  * Fix is in mainline and 6.1, but not in other Stable releases
* High: curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
  * Update to 7.87.0
  * amd64 in PR https://github.com/flatcar/portage-stable/pull/409
* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * upgrade golang.org/x/text to 0.3.8, done only in mantle
* High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
  * 515.86.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* High: vim https://github.com/kinvolk/security/issues/283
  * Did update to >= 9.0.1000
  * To-do: update to >= 9.0.1145
* Medium: binutils https://github.com/kinvolk/security/issues/254
  * Did update to 2.39
  * To-do: update to 2.40
* Done: Kernel(procfs) CVE-2022-4378 https://github.com/kinvolk/security/issues/284
  * Did update to 5.15.82+, 5.10.158+
* Done: git CVE-2022-{23521,41903} https://github.com/kinvolk/security/issues/295
  * Did update to 2.37.5 & 2.38.3
* Done: glib many issues https://github.com/kinvolk/security/issues/291
  * Did update to 2.74.4, PR https://github.com/flatcar/portage-stable/pull/401
* Done: rust (cargo) https://github.com/kinvolk/security/issues/293
  * Did update to 1.66.1

## 2023-01-09 (Mon)

### News

* Kernel(nfs4) CVE-2022-4379 https://github.com/kinvolk/security/issues/285
  * Fix is in mainline, but not in Stable releases
* Kernel(kpti) CVE-2022-4543 https://github.com/kinvolk/security/issues/290
  * No update from upstream
* curl CVE-2022-4355[12] https://github.com/kinvolk/security/issues/288
  * Update to 7.87.0
  * PR https://github.com/flatcar/portage-stable/pull/403
* glib many issues https://github.com/kinvolk/security/issues/291
  * update to >= 2.74.3-r3
  * PR https://github.com/flatcar/portage-stable/pull/401
* bash CVE-2022-3715 https://github.com/kinvolk/security/issues/294
  * No upstream fix
* Done: libksba CVE-2022-47629 https://github.com/kinvolk/security/issues/292
  * did update to 1.6.3, PR https://github.com/flatcar/portage-stable/pull/402

### On-going issues

* Critical: vim https://github.com/kinvolk/security/issues/283
  * update to >= 9.0.1000 and later >= 9.0.1145
* Kernel(procfs) CVE-2022-4378 https://github.com/kinvolk/security/issues/284
  * update to >= 5.15.82, 5.10.158
* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * upgrade golang.org/x/text to 0.3.8, done only in mantle
* High: nvidia-drivers many CVEs https://github.com/kinvolk/security/issues/253
  * Sayan, 515.86.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* Done: Go CVE-2022-41717 https://github.com/kinvolk/security/issues/281
  * did update to >= 1.19.4
* Done: systemd CVE-2022-3821: https://github.com/kinvolk/security/issues/277
  * Kzesimir, PR https://github.com/flatcar/coreos-overlay/pull/2363
* Done: systemd-coredump CVE-2022-4415: https://github.com/kinvolk/security/issues/287
* Done: systemd-coredump deadlock CVE-2022-45873 https://github.com/kinvolk/security/issues/282
  * Kzesimir, PR https://github.com/flatcar/coreos-overlay/pull/2363

## 2022-12-12 (Mon)

### News

* Kernel(procfs) CVE-2022-4378 https://github.com/kinvolk/security/issues/284
  * update to >= 5.15.82, 5.10.158
* Go CVE-2022-41717 https://github.com/kinvolk/security/issues/281
  * update to >= 1.19.4
* nvidia-drivers CVE-2022-`346[78]*`,-`422[56]*` https://github.com/kinvolk/security/issues/253
  * update to >= 515.86.01
* systemd-coredump deadlock CVE-2022-45873 https://github.com/kinvolk/security/issues/282
  * fix is in v252, not to be backported to v250
* vim CVE-2022-{3491,3520,3591,4141} https://github.com/kinvolk/security/issues/283
  * update to >= 9.0.1000
* Done: libarchive CVE-2022-36227 https://github.com/kinvolk/security/issues/280
  * did update to 3.6.1-r1
* Done: containerd CVE-2022-23471 https://github.com/kinvolk/security/issues/286
  * did update to 1.6.12

### On-going issues

* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * upgrade golang.org/x/text to 0.3.8
* High: grub multiple vulns https://github.com/kinvolk/security/issues/67
  * Sayan, WIP [PR](https://github.com/flatcar-linux/coreos-overlay/pull/2098)
* High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
  * Sayan, 515.65.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* Medium: systemd CVE-2022-3821: https://github.com/kinvolk/security/issues/277
  * need to update to >= 250.8, but not trivial
* Done: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118
  * Did update to 2.13
* Done: libksba CVE-2022-3515: https://github.com/kinvolk/security/issues/279
  * Did update to 1.6.2, [PR](https://github.com/flatcar/portage-stable/pull/389)
* Done: python https://github.com/kinvolk/security/issues/257
  * python-oem to be done
* Done: sudo CVE-2022-43995 https://github.com/kinvolk/security/issues/276
  * Did update to 1.9.12p1, [PR](https://github.com/flatcar/coreos-overlay/pull/2309)

## 2022-11-21 (Mon)

### News

* libksba CVE-2022-3515: https://github.com/kinvolk/security/issues/279
  * 1.6.2, WIP [PR](https://github.com/flatcar/portage-stable/pull/389)
* systemd CVE-2022-3821: https://github.com/kinvolk/security/issues/277
  * need to update to >= 250.8, but not trivial
* Done: vim CVE-2022-3705: https://github.com/kinvolk/security/issues/278
  * did update to 9.0.0828

### On-going issues

* High: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118
  * Gentoo updated to 2.13
  * Weekly updates are not picking it up
* High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269
  * upgrade golang.org/x/text to 0.3.8
* High: grub multiple vulns https://github.com/kinvolk/security/issues/67
  * Sayan, WIP [PR](https://github.com/flatcar-linux/coreos-overlay/pull/2098)
* High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253
  * Sayan, 515.65.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160)
* High: sudo CVE-2022-43995 https://github.com/kinvolk/security/issues/276
  * Sayan, 1.9.12p1 WIP
* Done: Kernel io_uring CVE-2022-2602: https://github.com/kinvolk/security/issues/268
  * All released, except for Stable, whose release with >= 5.15.75 is pending
* Done: curl CVE-2022-{32221,35260,42915,42916} https://github.com/kinvolk/security/issues/273
  * did update to 7.86.0, PR https://github.com/flatcar/portage-stable/pull/380
* Done: expat CVE-2022-43680 https://github.com/kinvolk/security/issues/275
  * did update to 2.5.0, PR https://github.com/flatcar/portage-stable/pull/380
* Done: openssh 9.1_p1: https://github.com/kinvolk/security/issues/271
  * merged PR https://github.com/flatcar/coreos-overlay/pull/2268

## 2022-11-07 (Mon)

### News

* High: curl CVE-2022-{32221,35260,42915,42916} https://github.com/kinvolk/security/issues/273
  * update to 7.86.0, PR https://github.com/flatcar/portage-stable/pull/380
* High: expat CVE-2022-43680 https://github.com/kinvolk/security/issues/275
  * update to 2.5.0, PR https://github.com/flatcar/portage-stable/pull/380
* High: sudo CVE-2022-43995 https://github.com/kinvolk/security/issues/276
  * update to [1.9.12p1](https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p1)
* WONTFIX/High: go [CVE-2022-41716](https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM)
  * Flatcar not affected, only Windows

### On-going issues

* High: Kernel io_uring CVE-2022-2602:
https://github.com/kinvolk/security/issues/268 * fix is in >= 5.15.75, >= 5.10.150 * High: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118 * Gentoo updated to 2.13 * Weekly updates are not picking up * High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269 * upgrade golang.org/x/text to 0.3.8 * High: grub multiple vulns https://github.com/kinvolk/security/issues/67 * Sayan, WIP [PR](https://github.com/flatcar-linux/coreos-overlay/pull/2098) * High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253 * Sayan: 515.65.01 WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2160) * openssh 9.1_p1: https://github.com/kinvolk/security/issues/271 * Krzesimir, WIP [PR](https://github.com/flatcar/coreos-overlay/pull/2268) * High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209 * no upstream release, only [1.46rc1](https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/tag/?h=v1.46.6-rc1) * Done: git CVE-2022-392{53,60}: https://github.com/kinvolk/security/issues/270 * did upgrade to 2.37.4 * Done: multipath-tools CVE-2022-4197[34] https://github.com/kinvolk/security/issues/266 * did upgrade to 0.9.3 * Done: openssl CVE-2022-3358: https://github.com/kinvolk/security/issues/267 * fixed in 3.0.6+, will be included in the next Stable, Beta, Alpha. * Done: openssl CVE-2022-3602, CVE-2022-3786: https://github.com/kinvolk/security/issues/274 * fixed in 3.0.7, will be included in the next Stable, Beta, Alpha. ## 2022-10-24 (Mon) ### News * High: git CVE-2022-392{53,60}: https://github.com/kinvolk/security/issues/270 * upgrade to >= 2.37.4 * High: go/text CVE-2022-32149: https://github.com/kinvolk/security/issues/269 * upgrade golang.org/x/text to 0.3.8 * High/blocked: openssl CVE-2022-3358: https://github.com/kinvolk/security/issues/267 * fixed in 3.0.6, but hold due to regressions in the version. 
* openssh 9.1_p1: https://github.com/kinvolk/security/issues/271 * release fixes memory safety problems * Kernel io_uring CVE-2022-2602: https://github.com/kinvolk/security/issues/268 * fix is only in mainline, but not in LTS kernels 5.15 & 5.10 * Done: libxml2: https://github.com/kinvolk/security/issues/272 * did upgrade to 2.10.3 ### On-going issues * High: grub multiple vulns https://github.com/kinvolk/security/issues/67 * Sayan, WIP PR https://github.com/flatcar-linux/coreos-overlay/pull/2098 * High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253 * Sayan: 515.65.01 WIP PR https://github.com/flatcar/coreos-overlay/pull/2160 * High/blocked: cpio CVE-2021-38185: https://github.com/kinvolk/security/issues/118 * Gentoo stared updating to 2.13, but unkeyworded * High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209 * no upstream release * Done: Kernel io-uring CVE-2022-3176 * Fixed in 5.10.141, also in Flatcar releases * Done: bind-tools: https://github.com/kinvolk/security/issues/263 * did upgrade to 9.16.33 * Done: curl CVE-2022-35252: https://github.com/kinvolk/security/issues/250 * did upgrade to 7.85.0 * Done: dbus: https://github.com/kinvolk/security/issues/264 * did upgrade to 1.14.4 * Done: go: https://github.com/kinvolk/security/issues/262 * did upgrade to 1.18.7 * Done: vim: https://github.com/kinvolk/security/issues/265 * did upgrade to 9.0.0655 ## 2022-10-10 (Mon) ### News * vim: https://github.com/kinvolk/security/issues/265 * upgrade to >= 9.0.0655 * dbus: https://github.com/kinvolk/security/issues/264 * upgrade to >= 1.14.4 * go: https://github.com/kinvolk/security/issues/262 * upgrade to >=1.18.7 * Kernel io-uring CVE-2022-3176 * Published. 
Fixed in >= 5.10.141 ### On-going issues * Critical: vim - multiple CVEs https://github.com/kinvolk/security/issues/265 * Krzesimir, WIP PR: https://github.com/flatcar/portage-stable/pull/369, https://github.com/flatcar/coreos-overlay/pull/2210 * Done: https://github.com/flatcar/coreos-overlay/pull/2140, https://github.com/kinvolk/security/issues/249 * High: grub multiple vulns https://github.com/kinvolk/security/issues/67 * Sayan, WIP PR https://github.com/flatcar-linux/coreos-overlay/pull/2098 * High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253 * Sayan: 515.65.01 WIP PR https://github.com/flatcar/coreos-overlay/pull/2160 * High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209 * no upstream release * Medium: binutils CVE-2022-38533 https://github.com/kinvolk/security/issues/254 * no Gentoo update yet * bind-tools: https://github.com/kinvolk/security/issues/263 * Krzesimir, WIP PR: https://github.com/flatcar/portage-stable/pull/370 * go: https://github.com/kinvolk/security/issues/262 * WIP PR: https://github.com/flatcar/coreos-overlay/pull/2208 * Kernel issues: * Done: nat IRC CVE-2022-2663: https://github.com/kinvolk/security/issues/241 * Fixed in Kernel v5.15.68, v5.10.143, v5.4.213 * Done: slab-out-of-bound read in bpf CVE-2022-2905 https://seclists.org/oss-sec/2022/q3/146 * Fixed in Kernel 5.15.64, 5.10.140, for next Flatcar releases ## 2022-09-26 (Mon) ### News * Critical: expat CVE-2022-40674 https://github.com/kinvolk/security/issues/261 * Dongsu: update to 2.4.9 * rust CVE-2022-3611[34] https://github.com/kinvolk/security/issues/259 * update to >= 1.63.0-r1 * bind CVE-2022-2795 etc. 
https://seclists.org/oss-sec/2022/q3/217 * Flatcar is not affected * Kernel io-uring CVE-2022-3176 * about to be published ### On-going issues * Critical: vim - multiple CVEs https://github.com/kinvolk/security/issues/249 * no Gentoo update yet * Krzesimir updating to 9.0.0453 https://github.com/flatcar/coreos-overlay/pull/2140 * Kernel issues: * nat IRC CVE-2022-2663: https://github.com/kinvolk/security/issues/241 * Fixed in Kernel v5.15.68, v5.10.143, v5.4.213 * Done: slab-out-of-bound read in bpf CVE-2022-2905 https://seclists.org/oss-sec/2022/q3/146 * Fixed in Kernel 5.15.64, 5.10.140, for next Flatcar releases * High: grub multiple vulns https://github.com/kinvolk/security/issues/67 * Sayan, WIP PR https://github.com/flatcar-linux/coreos-overlay/pull/2098 * High: nvidia-drivers CVE-2022-3160[78], CVE-2022-31615 https://github.com/kinvolk/security/issues/253 * Sayan: 515.65.01 WIP PR https://github.com/flatcar/coreos-overlay/pull/2160 * High/blocked: e2fsprogs CVE-2022-1304 https://github.com/kinvolk/security/issues/209 * no upstream release * Medium: binutils CVE-2022-38533 https://github.com/kinvolk/security/issues/254 * no Gentoo update yet * Done: docker CVE-2022-36109 https://github.com/kinvolk/security/issues/256 * Done: go CVE-2022-27664, CVE-2022-32190 https://github.com/kinvolk/security/issues/255 * Done: intel-microcode CVE-2022-21233 https://github.com/kinvolk/security/issues/248 * Done: libtasn1 4.19.0 https://github.com/kinvolk/security/issues/251 * Done: libxml2 CVE-2016-3709 https://github.com/kinvolk/security/issues/245 * Done: rsync CVE-2022-29154: https://github.com/kinvolk/security/issues/238 * Done: zlib CVE-2022-37434 https://github.com/kinvolk/security/issues/246
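The kernel items in these notes record a separate first-fixed patch level per LTS branch (for example "Fixed in Kernel v5.15.68, v5.10.143, v5.4.213"), and the triage question on a node is whether its running kernel carries the fix for *its own* branch, since a plain numeric comparison would wrongly call 5.10.160 older than 5.15.68. The following is an added example, not code from the Flatcar tracking notes or from any Flatcar tool; the `FIXED_IN` table is transcribed from the kernel entries above (CVE-2022-4378, CVE-2022-2602, CVE-2022-2663, CVE-2022-2905, CVE-2022-3176), and the version strings fed to it are constructed, not real node data:

```python
"""Branch-aware check of a running kernel against the per-LTS fix versions
recorded in the tracking notes.

Added example, not part of the Flatcar tracking notes or of any Flatcar tool.
FIXED_IN is transcribed from the notes; the sample `uname -r` strings at the
bottom are constructed.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# CVE -> {(major, minor): first patch level of that LTS branch that carries the fix}
FIXED_IN: Dict[str, Dict[Tuple[int, int], int]] = {
    "CVE-2022-4378": {(5, 15): 82, (5, 10): 158},
    "CVE-2022-2602": {(5, 15): 75, (5, 10): 150},
    "CVE-2022-2663": {(5, 15): 68, (5, 10): 143, (5, 4): 213},
    "CVE-2022-2905": {(5, 15): 64, (5, 10): 140},
    "CVE-2022-3176": {(5, 10): 141},  # the notes only record the 5.10 fix
}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> Version:
    """Parse `uname -r` output such as '5.15.82-flatcar' or 'v5.10.158'.

    Distro suffixes after the patch level are ignored; a missing patch level
    (e.g. '5.15') is treated as 0.
    """
    m = _VER_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def fix_status(cve: str, release: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one CVE on one kernel.

    The comparison is done within the kernel's own (major, minor) branch.
    A branch the notes do not list yields 'unknown' rather than a guess:
    a 6.1 kernel almost certainly has a fix that was merged into mainline
    before 6.1, but the notes do not say so, and the point of this check is
    to report only what the tracking record supports.
    """
    major, minor, patch = parse_kernel_version(release)
    first_fixed = FIXED_IN[cve].get((major, minor))
    if first_fixed is None:
        return "unknown"
    return "fixed" if patch >= first_fixed else "vulnerable"


def triage(release: str) -> Dict[str, str]:
    """Status of every tracked kernel CVE for one `uname -r` string."""
    return {cve: fix_status(cve, release) for cve in FIXED_IN}


if __name__ == "__main__":
    # Constructed sample nodes, not real Flatcar release data.
    for node in ("5.15.82-flatcar", "5.10.150-flatcar", "5.4.213", "6.1.4-flatcar"):
        print(node, triage(node))
```

Running it shows the branch semantics directly: `5.10.150-flatcar` is `fixed` for CVE-2022-2602 but still `vulnerable` for CVE-2022-4378 (fixed in 5.10.158), and a 5.15 kernel reports `unknown` for CVE-2022-3176 because the notes only record a 5.10 fix level for it.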