# Flatcar Container Linux Release - April 6th, 2022 ## Flatcar-linux-3200.0.0-Alpha - AMD64-usr - Platforms succeeded: All except Equinix Metal and GCP Pro - Platforms failed: - Equinix Metal - `cl.ignition.kargs`: a known issue - GCP Pro - `kubeadm.v1.22.7.cilium.base` etc.: a known failure due to max 63 chars limitation of a node name - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Flatcar-linux-3185.1.0-Beta - AMD64-usr - Platforms succeeded: All except Equinix Metal and GCP Pro - Platforms failed: - Equinix Metal - `cl.ignition.kargs`: a known issue - GCP Pro - `kubeadm.v1.22.7.cilium.base` etc.: a known failure due to max 63 chars limitation of a node name - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Flatcar-linux-3139.2.0-Stable - AMD64-usr - Platforms succeeded: All except GCP Pro - Platforms failed: GCP Pro - `kubeadm.v1.22.7.cilium.base` etc.: a known failure due to max 63 chars limitation of a node name - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Flatcar-linux-2605.27.1-LTS - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Communication --- #### Guidelines / Things to Remember - Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/ - [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post). 
- Make sure the the LTS is referred to as `LTS-2021`, and not `LTS-2605` --- ### Announcement Message Subject: Announcing new Alpha release 3200.0.0, Beta release 3185.1.0, Stable release 3139.2.0, LTS 2021 release 2605.27.1 Hello, We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, and LTS-2021 channel. **Please note, Linux Kernel 5.15 now lands in Stable, and systemd v250 in Beta.** New **Alpha** Release **3200.0.0** _Changes since **Alpha 3185.0.0**_ #### Security fixes: - Linux ([CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015), [CVE-2022-1016](https://nvd.nist.gov/vuln/detail/CVE-2022-1016)) - containerd ([CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769)) - util-linux ([CVE-2021-3995](https://nvd.nist.gov/vuln/detail/CVE-2021-3995), [CVE-2021-3996](https://nvd.nist.gov/vuln/detail/CVE-2021-3996), [CVE-2022-0563](https://nvd.nist.gov/vuln/detail/CVE-2022-0563)) - gnutls ([CVE-2021-4209](https://nvd.nist.gov/vuln/detail/CVE-2021-4209), [GNUTLS-SA-2022-01-17](https://gitlab.com/gnutls/gnutls/-/issues/1277)) - zlib ([CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032)) #### Bug fixes: - Made Ignition write the SSH keys into a file under `authorized_keys.d/ignition` again and added a call to `update-ssh-keys` after Ignition ran to create the merged `authorized_keys` file, which fixes the problem that keys added by Ignition get lost when `update-ssh-keys` runs ([init#66](https://github.com/flatcar-linux/init/pull/66)) #### Changes: - Enabled FIPS mode for cryptsetup ([flatcar-linux/coreos-overlay#1747](https://github.com/flatcar-linux/coreos-overlay/pull/1747)) - Added `cryptsetup` to the initramfs for the Ignition `luks` directive ([flatcar-linux/coreos-overlay#1760](https://github.com/flatcar-linux/coreos-overlay/pull/1760)) #### Updates: - Linux ([5.15.32](https://lwn.net/Articles/889438)) (from 5.15.30) - Docker ([20.10.14](https://docs.docker.com/engine/release-notes/#201014)) 
- bind-tools ([9.16.27](https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_27/CHANGES)) - ca-certificates ([3.77](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_77.html)) - conntrack-tools ([1.4.6](https://lists.netfilter.org/pipermail/netfilter-announce/2020/000240.html)) - containerd ([1.6.2](https://github.com/containerd/containerd/releases/tag/v1.6.2)) - e2fsprogs ([1.46.4](http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.4)) - elfutils ([0.186](https://sourceware.org/git/?p=elfutils.git;a=blob;f=NEWS;h=490932ae4ef9b5a3af01d2c8c616f14d57586046;hb=983e86fd89e8bf02f2d27ba5dce5bf078af4ceda)) - gnutls ([3.7.3](https://gitlab.com/gnutls/gnutls/-/merge_requests/1517)) - gzip ([1.11](https://lists.gnu.org/archive/html/info-gnu/2021-09/msg00002.html)) - jansson ([2.14](https://github.com/akheron/jansson/blob/v2.14/CHANGES)) - libbsd ([0.11.3](https://gitlab.freedesktop.org/libbsd/libbsd/-/commits/0.11.3/)) - libnetfilter_queue ([1.0.5](https://git.netfilter.org/libnetfilter_queue/log/?h=libnetfilter_queue-1.0.5)) - libpcap ([1.10.1](https://git.tcpdump.org/libpcap/blob/c7642e2cc0c5bd65754685b160d25dc23c76c6bd:/CHANGES)) - libtasn1 ([4.17.0](https://gitlab.com/gnutls/libtasn1/-/blob/v4.17.0/NEWS)) - liburing ([2.1](https://github.com/axboe/liburing/commits/liburing-2.1)) - mdadm ([4.2](https://lore.kernel.org/all/28fdbc45-96ca-7cdb-3ced-a5f65d978048@trained-monkey.org/T/)) - multipath-tools ([0.8.7](https://github.com/opensvc/multipath-tools/commits/0.8.7)) - nghttp2 ([1.45.1](https://github.com/nghttp2/nghttp2/releases/tag/v1.45.1)) - oniguruma ([6.9.7.1](https://github.com/kkos/oniguruma/releases/tag/v6.9.7.1)) - open-isns ([0.101](https://github.com/open-iscsi/open-isns/blob/v0.101/ChangeLog)) - pcre2 ([10.39](https://github.com/PhilipHazel/pcre2/blob/pcre2-10.39/NEWS)) - runc ([1.1.1](https://github.com/opencontainers/runc/releases/tag/v1.1.1)) - tcpdump 
([4.99.1](https://git.tcpdump.org/tcpdump/blob/5f552b5e6e9fe05f7ad9681d51d0303233daba6a:/CHANGES)) - unzip ([6.0_p26](https://metadata.ftp-master.debian.org/changelogs//main/u/unzip/unzip_6.0-26_changelog)) - util-linux ([2.37.4](https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/v2.37.4-ChangeLog)) - zlib ([1.2.12](https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/ChangeLog#L4)) New **Beta** Release **3185.1.0** _Changes since **Beta 3139.1.1**_ #### Security fixes: - Linux ([CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015), [CVE-2022-1016](https://nvd.nist.gov/vuln/detail/CVE-2022-1016)) - cifs-utils ([CVE-2021-20208](https://nvd.nist.gov/vuln/detail/CVE-2021-20208)) - containerd ([CVE-2022-23648](https://nvd.nist.gov/vuln/detail/CVE-2022-23648)) - cryptsetup ([CVE-2021-4122](https://nvd.nist.gov/vuln/detail/CVE-2021-4122)) - duktape ([CVE-2021-46322](https://nvd.nist.gov/vuln/detail/CVE-2021-46322)) - intel-microcode ([CVE-2021-0127](https://nvd.nist.gov/vuln/detail/CVE-2021-0127), [CVE-2021-0146](https://nvd.nist.gov/vuln/detail/CVE-2021-0146)) - libarchive ([CVE-2021-31566](https://nvd.nist.gov/vuln/detail/CVE-2021-31566), [CVE-2021-36976](https://nvd.nist.gov/vuln/detail/CVE-2021-36976)) - libxml2 ([CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308)) - nvidia-drivers ([CVE-2022-21814](https://nvd.nist.gov/vuln/detail/CVE-2022-21814), [CVE-2022-21813](https://nvd.nist.gov/vuln/detail/CVE-2022-21813)) - shadow ([CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235)) - systemd ([CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997)) - vim ([CVE-2021-3984](https://nvd.nist.gov/vuln/detail/CVE-2021-3984), [CVE-2021-4019](https://nvd.nist.gov/vuln/detail/CVE-2021-4019), [CVE-2021-4069](https://nvd.nist.gov/vuln/detail/CVE-2021-4069), [CVE-2021-4136](https://nvd.nist.gov/vuln/detail/CVE-2021-4136), [CVE-2021-4173](https://nvd.nist.gov/vuln/detail/CVE-2021-4173),[ 
CVE-2021-4166](https://nvd.nist.gov/vuln/detail/CVE-2021-4166), [CVE-2021-4187](https://nvd.nist.gov/vuln/detail/CVE-2021-4187), [CVE-2021-4192](https://nvd.nist.gov/vuln/detail/CVE-2021-4192), [CVE-2021-4193](https://nvd.nist.gov/vuln/detail/CVE-2021-4193), [CVE-2022-0128](https://nvd.nist.gov/vuln/detail/CVE-2022-0128), [CVE-2022-0156](https://nvd.nist.gov/vuln/detail/CVE-2022-0156), [CVE-2022-0158](https://nvd.nist.gov/vuln/detail/CVE-2022-0158), [CVE-2022-0213](https://nvd.nist.gov/vuln/detail/CVE-2022-0213), [CVE-2022-0261](https://nvd.nist.gov/vuln/detail/CVE-2022-0261), [CVE-2022-0318](https://nvd.nist.gov/vuln/detail/CVE-2022-0318), [CVE-2022-0319](https://nvd.nist.gov/vuln/detail/CVE-2022-0319), [CVE-2022-0351](https://nvd.nist.gov/vuln/detail/CVE-2022-0351), [CVE-2022-0359](https://nvd.nist.gov/vuln/detail/CVE-2022-0359), [CVE-2022-0361](https://nvd.nist.gov/vuln/detail/CVE-2022-0361), [CVE-2022-0368](https://nvd.nist.gov/vuln/detail/CVE-2022-0368), [CVE-2022-0392](https://nvd.nist.gov/vuln/detail/CVE-2022-0392), [CVE-2022-0393](https://nvd.nist.gov/vuln/detail/CVE-2022-0393), [CVE-2022-0407](https://nvd.nist.gov/vuln/detail/CVE-2022-0407), [CVE-2022-0408](https://nvd.nist.gov/vuln/detail/CVE-2022-0408), [CVE-2022-0413](https://nvd.nist.gov/vuln/detail/CVE-2022-0413), [CVE-2022-0417](https://nvd.nist.gov/vuln/detail/CVE-2022-0417), [CVE-2022-0443](https://nvd.nist.gov/vuln/detail/CVE-2022-0443)) - SDK: squashfs-tools ([CVE-2021-40153](https://nvd.nist.gov/vuln/detail/CVE-2021-40153), [CVE-2021-41072](https://nvd.nist.gov/vuln/detail/CVE-2021-41072)) #### Bug fixes: - AWS: specify correct console (ttyS0) on kernel command line for ARM64 instances ([coreos-overlay#1628](https://github.com/flatcar-linux/coreos-overlay/pull/1628)) - Made Ignition write the SSH keys into a file under `authorized_keys.d/ignition` again and added a call to `update-ssh-keys` after Ignition ran to create the merged `authorized_keys` file, which fixes the problem that keys added by 
Ignition get lost when `update-ssh-keys` runs ([init#66](https://github.com/flatcar-linux/init/pull/66)) #### Changes: - Added `auditd.service` but left it disabled by default, a custom configuration can be created by removing `/etc/audit/auditd.conf` and replacing it with an own file ([coreos-overlay#1636](https://github.com/flatcar-linux/coreos-overlay/pull/1636)) - The systemd-networkd `ManageForeignRoutes` and `ManageForeignRoutingPolicyRules` settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under `/etc/systemd/networkd.conf.d/` because drop-in files take precedence over `/etc/systemd/networkd.conf` ([init#61](https://github.com/flatcar-linux/init/pull/61)) - Bring in dependencies for NFS4 with Kerberos both in kernel and userspace. Tested against NFS4.1 server. ([coreos-overlay#1664](https://github.com/flatcar-linux/coreos-overlay/pull/1664)) - Merge the Flatcar Pro features into the regular Flatcar images ([coreos-overlay#1679](https://github.com/flatcar-linux/coreos-overlay/pull/1679)) - Besides Ignition v1 and v2 configurations, Ignition configurations with specification v3 (up to 3.3.0) are now supported, see the [docs section for details](https://www.flatcar.org/docs/latest/provisioning/ignition/specification/#ignition-v3) - Made SELinux enabled by default in default containerd configuration file. ([coreos-overlay#1699](https://github.com/flatcar-linux/coreos-overlay/pull/1699)) - Removed rngd.service because it is not essential anymore for the kernel to boot fast in VM environments ([coreos-overlay#1700](https://github.com/flatcar-linux/coreos-overlay/pull/1700)) - Enabled `systemd-sysext.service` to activate systemd-sysext images on boot, to disable you will need to mask it. 
Also added a helper service `ensure-sysext.service` which reloads the systemd units to reevaluate the `sockets`, `timers`, and `multi-user` targets when `systemd-sysext.service` is (re)started, making it possible to enable units that are part of a sysext image ([coreos-overlay#65](https://github.com/flatcar-linux/init/pull/65)) - For amd64 `/usr/lib` used to be a symlink to `/usr/lib64` but now they became two separate folders as common in other distributions (and was the case for arm64 already). Compatibility symlinks exist in case `/usr/lib64` was used to access, e.g., the `modules` folder or the `systemd` folder ([coreos-overlay#1713](https://github.com/flatcar-linux/coreos-overlay/pull/1713), [scripts#255](https://github.com/flatcar-linux/scripts/pull/255)) - Enabled FIPS mode for cryptsetup ([coreos-overlay#1747](https://github.com/flatcar-linux/coreos-overlay/pull/1747)) - Added `cryptsetup` to the initramfs for the Ignition `luks` directive ([flatcar-linux/coreos-overlay#1760](https://github.com/flatcar-linux/coreos-overlay/pull/1760)) - Enabled FIPS mode for cryptsetup ([portage-stable#312](https://github.com/flatcar-linux/portage-stable/pull/312)) - Defined a systemd-sysext level that sysext images can match for instead of the OS version when they don't have a strong coupling, meaning the only metadata required is `SYSEXT_LEVEL=1.0` and `ID=flatcar` ([Flatcar#643](https://github.com/flatcar-linux/Flatcar/issues/643)) - Azure: Azure VHD disks are now created using subformat=fixed, which makes them suitable for immediate upload to Azure using any tool. - DigitalOcean: In addition to the `bz2` image, a `gz` compressed image is published. This helps against hitting the compression timeout that sometimes lets the image import fail. - OpenStack: In addition to the `bz2` image, a `gz` compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image. - SDK: The image compression format is now configurable. 
Supported formats are: `bz2`, `gz`, `zip`, `none`, `zst`. Selecting the image format can now be done by passing the `--image_compression_formats` option. This flag gets a comma separated list of formats. #### Updates: - Linux ([5.15.32](https://lwn.net/Articles/889438)) (from 5.15.30) - Linux Firmware ([20220310](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220310)) - Docker ([20.10.13](https://docs.docker.com/engine/release-notes/#201013)) - bpftool ([5.15.8](https://lwn.net/Articles/878631/)) - bridge-utils ([1.7.1](https://git.kernel.org/pub/scm/network/bridge/bridge-utils.git/log/?h=v1.7.1)) - ca-certificates ([3.77](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_77.html)) - cifs-utils ([6.13](https://lkml.kernel.org/linux-cifs/CAKywueSqRGSFmeDHQacyu831BNUeGFxGg3vgBmozzhkGBCjyXQ@mail.gmail.com/T/)) - containerd ([1.6.1](https://github.com/containerd/containerd/releases/tag/v1.6.1)) - cryptsetup ([2.4.3](https://lore.kernel.org/all/572c18a7bf60cb1b0f67c3a03c531d7e7ed31832.camel@scientia.net/T/)) - dosfstools ([4.2](https://github.com/dosfstools/dosfstools/releases/tag/v4.2)) - duktape ([2.7.0](https://github.com/svaarala/duktape/releases/tag/v2.7.0)) - gcc ([10.3.0](https://gcc.gnu.org/gcc-10/changes.html)) - grep ([3.7](https://savannah.gnu.org/forum/forum.php?forum_id=10037)) - ignition ([2.13.0](https://github.com/coreos/ignition/releases/tag/v2.13.0)) - intel-microcode ([20220207_p20220207](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207)) - iperf ([3.10.1](https://github.com/esnet/iperf/blob/master/RELNOTES.md#iperf-3101-2021-06-03)) - kexec-tools ([2.0.22](https://www.spinics.net/lists/kexec/msg26864.html)) - less ([590](https://www.greenwoodsoftware.com/less/news.590.html)) - libarchive ([3.5.3](https://github.com/libarchive/libarchive/releases/tag/v3.5.3)) - libmspack 
([0.10.1_alpha](https://github.com/kyz/libmspack/blob/v0.10.1alpha/libmspack/ChangeLog)) - libxml2 ([2.9.13](http://www.xmlsoft.org/news.html)) - lsscsi ([0.32](https://sg.danny.cz/scsi/lsscsi.ChangeLog)) - nfs-utils ([2.5.4](https://lore.kernel.org/linux-fsdevel/c8795653-7728-18a4-93dc-58943ad0fe09@redhat.com/)) - nvidia-drivers ([510.47.03](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-510-47-03/index.html)) - nvme-cli ([1.16](https://github.com/linux-nvme/nvme-cli/commits/deee9cae1ac94760deebd71f8e5449061338666c)) - pam ([1.5.1_p20210622](https://github.com/linux-pam/linux-pam/commit/fe1307512fb8892b5ceb3d884c793af8dbd4c16a)) - pambase (20220214) - pinentry ([1.2.0](https://dev.gnupg.org/T5566)) - quota ([4.06](https://sourceforge.net/p/linuxquota/code/ci/0acd4cc6275122fd9864cb7b5d349e65a2622920/)) - rpcbind ([1.2.6](https://git.linux-nfs.org/?p=steved/rpcbind.git;a=shortlog;h=refs/tags/rpcbind-1_2_6)) - shadow ([4.11.1](https://github.com/shadow-maint/shadow/releases/tag/v4.11.1)) - socat ([1.7.4.3](https://repo.or.cz/socat.git/blob/refs/tags/tag-1.7.4.3:/CHANGES)) - systemd ([250.3](https://github.com/systemd/systemd-stable/releases/tag/v250.3)) - thin-provisioning-tools ([0.9.0](https://github.com/jthornber/thin-provisioning-tools/blob/d6d93c3157631b242a13a81d30f75453e576c55a/CHANGES#L1-L9)) - timezone-data ([2021a](https://mm.icann.org/pipermail/tz-announce/2021-January/000065.html)) - vim ([8.2.4328](https://github.com/vim/vim/releases/tag/v8.2.4328)) - whois ([5.5.11](https://github.com/rfc1036/whois/commit/5f5ba8312c04a759dad05723c035549273d07461)) - xfsprogs ([5.14.2](https://marc.info/?l=linux-xfs&m=163883318025390&w=2)) - Azure: WALinuxAgent ([2.6.0.2](https://github.com/Azure/WALinuxAgent/releases/tag/v2.6.0.2)) - VMWare: open-vm-tools ([12.0.0](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.0.0)) - SDK: gcc-config ([2.5](https://gitweb.gentoo.org/proj/gcc-config.git/tag/?h=v2.5)) - SDK: iasl 
([20200717](https://www.acpica.org/node/183)) - SDK: man-db ([2.9.4](https://gitlab.com/cjwatson/man-db/-/tags/2.9.4)) - SDK: man-pages ([5.12-r2](https://man7.org/linux/man-pages/changelog.html#release_5.12)) - SDK: netperf ([2.7.0](https://github.com/HewlettPackard/netperf/blob/netperf-2.7.0/Release_Notes)) - SDK: Rust ([1.59.0](https://github.com/rust-lang/rust/releases/tag/1.59.0)) - SDK: squashfs-tools ([4.5_p20210914](https://lore.kernel.org/lkml/CAB3woddJss+ziGp-RjJ-yiax6pc_HLMdxk3Qk5nJdRgjpEYWBg@mail.gmail.com/)) _Changes since **Alpha 3185.0.0**_ #### Security fixes: - Linux ([CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015), [CVE-2022-1016](https://nvd.nist.gov/vuln/detail/CVE-2022-1016)) #### Bug fixes: - Made Ignition write the SSH keys into a file under `authorized_keys.d/ignition` again and added a call to `update-ssh-keys` after Ignition ran to create the merged `authorized_keys` file, which fixes the problem that keys added by Ignition get lost when `update-ssh-keys` runs ([init#66](https://github.com/flatcar-linux/init/pull/66)) #### Changes: - Enabled FIPS mode for cryptsetup ([flatcar-linux/coreos-overlay#1747](https://github.com/flatcar-linux/coreos-overlay/pull/1747)) - Added `cryptsetup` to the initramfs for the Ignition `luks` directive ([flatcar-linux/coreos-overlay#1760](https://github.com/flatcar-linux/coreos-overlay/pull/1760)) - Enabled FIPS mode for cryptsetup ([portage-stable#312](https://github.com/flatcar-linux/portage-stable/pull/312)) #### Updates: - Linux ([5.15.32](https://lwn.net/Articles/889438)) (from 5.15.30) - ca-certificates ([3.77](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_77.html)) New **Stable** Release **3139.2.0** _Changes since **Stable 3033.2.4**_ #### Security fixes: - Linux ([CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015), [CVE-2022-1016](https://nvd.nist.gov/vuln/detail/CVE-2022-1016)) - Go ([CVE-2021-44716](https://nvd.nist.gov/vuln/detail/CVE-2021-44716), 
[CVE-2021-44717](https://nvd.nist.gov/vuln/detail/CVE-2021-44717)) - containerd ([CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816), [CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769)) - gcc ([CVE-2020-13844](https://nvd.nist.gov/vuln/detail/CVE-2020-13844)) - Ignition ([CVE-2020-14040](https://nvd.nist.gov/vuln/detail/CVE-2020-14040), [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561)) - krb5 ([CVE-2021-37750](https://nvd.nist.gov/vuln/detail/CVE-2021-37750)) - libarchive ([libarchive-1565](https://github.com/libarchive/libarchive/issues/1565), [libarchive-1566](https://github.com/libarchive/libarchive/issues/1566)) - OpenSSH ([CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617)) - openssl ([CVE-2021-4044](https://nvd.nist.gov/vuln/detail/CVE-2021-4044)) - torcx ([CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561), [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565)) - vim ([CVE-2021-3872](https://nvd.nist.gov/vuln/detail/CVE-2021-3872), [CVE-2021-3875](https://nvd.nist.gov/vuln/detail/CVE-2021-3875), [CVE-2021-3903](https://nvd.nist.gov/vuln/detail/CVE-2021-3903), [CVE-2021-3927](https://nvd.nist.gov/vuln/detail/CVE-2021-3927), [CVE-2021-3928](https://nvd.nist.gov/vuln/detail/CVE-2021-3928), [CVE-2021-3968](https://nvd.nist.gov/vuln/detail/CVE-2021-3968), [CVE-2021-3973](https://nvd.nist.gov/vuln/detail/CVE-2021-3973), [CVE-2021-3974](https://nvd.nist.gov/vuln/detail/CVE-2021-3974)) - SDK: edk2-ovmf ([CVE-2019-14584](https://nvd.nist.gov/vuln/detail/CVE-2019-14584), [CVE-2021-28210](https://nvd.nist.gov/vuln/detail/CVE-2021-28210), [CVE-2021-28211](https://nvd.nist.gov/vuln/detail/CVE-2021-28211), [CVE-2021-28213](https://nvd.nist.gov/vuln/detail/CVE-2021-28213)) - SDK: libxslt ([CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560)) - SDK: mantle ([CVE-2021-3121](https://nvd.nist.gov/vuln/detail/CVE-2021-3121), 
[CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561), [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565)) - SDK: QEMU ([CVE-2020-35504](https://nvd.nist.gov/vuln/detail/CVE-2020-35504), [CVE-2020-35505](https://nvd.nist.gov/vuln/detail/CVE-2020-35505), [CVE-2020-35506](https://nvd.nist.gov/vuln/detail/CVE-2020-35506), [CVE-2020-35517](https://nvd.nist.gov/vuln/detail/CVE-2020-35517), [CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203), [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255), [CVE-2021-20257](https://nvd.nist.gov/vuln/detail/CVE-2021-20257), [CVE-2021-20263](https://nvd.nist.gov/vuln/detail/CVE-2021-20263), [CVE-2021-3409](https://nvd.nist.gov/vuln/detail/CVE-2021-3409), [CVE-2021-3416](https://nvd.nist.gov/vuln/detail/CVE-2021-3416), [CVE-2021-3527](https://nvd.nist.gov/vuln/detail/CVE-2021-3527), [CVE-2021-3544](https://nvd.nist.gov/vuln/detail/CVE-2021-3544), [CVE-2021-3545](https://nvd.nist.gov/vuln/detail/CVE-2021-3545), [CVE-2021-3546](https://nvd.nist.gov/vuln/detail/CVE-2021-3546), [CVE-2021-3582](https://nvd.nist.gov/vuln/detail/CVE-2021-3582), [CVE-2021-3607](https://nvd.nist.gov/vuln/detail/CVE-2021-3607), [CVE-2021-3608](https://nvd.nist.gov/vuln/detail/CVE-2021-3608), [CVE-2021-3682](https://nvd.nist.gov/vuln/detail/CVE-2021-3682)) - SDK: Rust ([CVE-2022-21658](https://nvd.nist.gov/vuln/detail/CVE-2022-21658)) #### Bug fixes: - Excluded the Kubenet cbr0 interface from networkd's DHCP config and set it to Unmanaged to prevent interference and ensure that it is not part of the network online check ([init#55](https://github.com/flatcar-linux/init/pull/55)) - Fixed the dracut emergency Ignition log printing that had a scripting error causing the cat command to fail ([bootengine#33](https://github.com/flatcar-linux/bootengine/pull/33)) - network: Accept ICMPv6 Router Advertisements to fix IPv6 address assignment in the default DHCP setting 
([init#51](https://github.com/flatcar-linux/init/pull/51), [coreos-cloudinit#12](https://github.com/flatcar-linux/coreos-cloudinit/pull/12), [bootengine#30](https://github.com/flatcar-linux/bootengine/pull/30)) - flatcar-update: Stopped checking for the `USER` environment variable which may not be set in all environments, causing the script to fail unless a workaround was used like prepending an additional `sudo` invocation ([init#58](https://github.com/flatcar-linux/init/pull/58)) - Reverted the Linux kernel commit which broke networking on AWS instances which use Intel 82559 NIC (c4/m4) ([Flatcar#665](https://github.com/flatcar-linux/Flatcar/issues/665), [coreos-overlay#1723](https://github.com/flatcar-linux/coreos-overlay/pull/1723)) - Re-added the `brd drbd nbd rbd xen-blkfront zram libarc4 lru_cache zsmalloc` kernel modules to the initramfs since they were missing compared to the Flatcar 3033.2.x releases where the 5.10 kernel is used ([bootengine#40](https://github.com/flatcar-linux/bootengine/pull/40)) #### Changes: - Added a new flatcar-update tool to the image to ease manual updates, rollbacks, channel/release jumping, and airgapped updates ([init#53](https://github.com/flatcar-linux/init/pull/53)) - Update-engine now creates the `/run/reboot-required` flag file for [kured](https://github.com/weaveworks/kured) ([update_engine#15](https://github.com/flatcar-linux/update_engine/pull/15)) - Excluded special network interface devices like bridge, tunnel, vxlan, and veth devices from the default DHCP configuration to prevent networkd interference ([init#56](https://github.com/flatcar-linux/init/pull/56)) - Added CONFIG_NF_CT_NETLINK_HELPER (for libnetfilter_cthelper), CONFIG_NET_VRF (for virtual routing and forwarding) and CONFIG_KEY_DH_OPERATIONS (for keyutils) to the kernel config ([coreos-overlay#1524](https://github.com/flatcar-linux/coreos-overlay/pull/1524)) - Enabled the FIPS support for the Linux kernel, which users can now choose through a kernel 
parameter in `grub.cfg` (check it taking effect with `cat /proc/sys/crypto/fips_enabled`) ([coreos-overlay#1602](https://github.com/flatcar-linux/coreos-overlay/pull/1602)) - Enabled FIPS mode for cryptsetup ([portage-stable#312](https://github.com/flatcar-linux/portage-stable/pull/312)) - Rework the way we set up the default python intepreter in SDK - it is now without specifying a version. This should work fine as long as we keep having one version of python in SDK. - Add a way to remove packages that are hard-blockers for update. A hard-blocker means that the package needs to be removed (for example with `emerge -C`) before an update can happen. - Removed the pre-shipped `/etc/flatcar/update.conf` file, leaving it totally to the user to define the contents as it was unnecessarily overwriting the `/use/share/flatcar/update.conf` ([scripts#212](https://github.com/flatcar-linux/scripts/pull/212)) #### Updates: - Linux ([5.15.32](https://lwn.net/Articles/889438)) (from 5.15.30) - Linux headers ([5.15](https://lwn.net/Articles/876611/)) - GCC [9.4.0](https://lists.gnu.org/archive/html/info-gnu/2021-06/msg00000.html) - acl ([2.3.1](https://git.savannah.nongnu.org/cgit/acl.git/log/?h=v2.3.1)) - attr ([2.5.1](https://git.savannah.nongnu.org/cgit/attr.git/log/?h=v2.5.1)) - audit ([3.0.6](https://listman.redhat.com/archives/linux-audit/2021-October/msg00000.html)) - boost ([1.76.0](https://www.boost.org/users/history/version_1_76_0.html)) - btrfs-progs ([5.15.1](https://btrfs.wiki.kernel.org/index.php/Changelog#btrfs-progs_v5.15_.28Nov_2021.29)) - ca-certificates ([3.77](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_77.html)) - containerd ([1.5.11](https://github.com/containerd/containerd/releases/tag/v1.5.11)) - coreutils ([8.32](https://lists.gnu.org/archive/html/coreutils-announce/2020-03/msg00000.html)) - diffutils ([3.8](https://lists.gnu.org/archive/html/info-gnu/2021-08/msg00000.html)) - ethtool 
([5.10](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/tree/NEWS?h=v5.10)) - findutils ([4.8.0](https://savannah.gnu.org/forum/forum.php?forum_id=9914)) - glib ([2.68.4](https://gitlab.gnome.org/GNOME/glib/-/releases/2.68.4)) - i2c-tools ([4.2](https://git.kernel.org/pub/scm/utils/i2c-tools/i2c-tools.git/log/?h=v4.2)) - iproute2 ([5.15](https://lwn.net/ml/linux-kernel/20211101164705.6f4f2e41%40hermes.local/)) - ipset ([7.11](https://ipset.netfilter.org/changelog.html)) - iputils ([20210722](https://github.com/iputils/iputils/releases/tag/20210722)) - ipvsadm ([1.27](http://archive.linuxvirtualserver.org/html/lvs-devel/2013-09/msg00011.html)) - kmod ([29](https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/?id=b6ecfc916a17eab8f93be5b09f4e4f845aabd3d1)) - libarchive [3.5.2](https://github.com/libarchive/libarchive/releases/tag/v3.5.2) - libcap-ng ([0.8.2](https://github.com/stevegrubb/libcap-ng/releases/tag/v0.8.2)) - libseccomp ([2.5.1](https://github.com/seccomp/libseccomp/releases/tag/v2.5.1)) - lshw ([02.19.2b_p20210121](https://www.ezix.org/project/wiki/HardwareLiSter#Changes)) - lsof ([4.94.0](https://github.com/lsof-org/lsof/releases/tag/4.94.0)) - openssh ([8.8](http://www.openssh.com/txt/release-8.8)) - openssl ([3.0.2](https://www.openssl.org/news/changelog.html#openssl-30)) - parted ([3.4](https://savannah.gnu.org/forum/forum.php?forum_id=9924) (includes [3.3](https://savannah.gnu.org/forum/forum.php?forum_id=9569))) - pciutils ([3.7.0](https://github.com/pciutils/pciutils/commit/864aecdea9c7db626856d8d452f6c784316a878c)) - polkit ([0.120](https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.120/NEWS)) - runc ([1.1.0](https://github.com/opencontainers/runc/releases/tag/v1.1.0)) - sbsigntools ([0.9.4](https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/tag/?h=v0.9.4)) - sed ([4.8](https://savannah.gnu.org/forum/forum.php?forum_id=9647)) - usbutils 
([014](https://github.com/gregkh/usbutils/commit/57fb18e59cce31a50a1ca62d1e192512c905ba00)) - vim [8.2.3582](https://github.com/vim/vim/releases/tag/v8.2.3582) - Azure: Python for OEM images ([3.9.8](https://www.python.org/downloads/release/python-398/)) - Azure: WALinuxAgent ([2.6.0.2](https://github.com/Azure/WALinuxAgent/releases/tag/v2.6.0.2)) - SDK: edk2-ovmf [202105](https://github.com/tianocore/edk2/releases/tag/edk2-stable202105) - SDK: file ([5.40](https://mailman.astron.com/pipermail/file/2021-March/000478.html)) - SDK: ipxe [1.21.1](https://github.com/ipxe/ipxe/releases/tag/v1.21.1) - SDK: mantle ([0.18.0](https://github.com/flatcar-linux/mantle/releases/tag/v0.18.0)) - SDK: perf ([5.15](https://kernelnewbies.org/LinuxChanges#Linux_5.15.Tracing.2C_perf_and_BPF)) - SDK: Python ([3.9.8](https://www.python.org/downloads/release/python-398/)) - SDK: qemu ([6.1.0](https://wiki.qemu.org/ChangeLog/6.1) - SDK: Rust ([1.58.1](https://github.com/rust-lang/rust/releases/tag/1.58.1)) - SDK: seabios [1.14.0](https://seabios.org/Releases#SeaBIOS_1.14.0) - SDK: sgabios [0.1_pre10](https://git.qemu.org/?p=sgabios.git;a=tree;h=a85446adb0e0) _Changes since **Beta 3139.1.1**_ #### Security fixes: - Linux ([CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015), [CVE-2022-1016](https://nvd.nist.gov/vuln/detail/CVE-2022-1016)) - containerd ([CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769)) #### Changes: - Enabled FIPS mode for cryptsetup ([portage-stable#312](https://github.com/flatcar-linux/portage-stable/pull/312)) #### Updates: - Linux ([5.15.32](https://lwn.net/Articles/889438)) (from 5.15.30) - ca-certificates ([3.77](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_77.html)) - containerd ([1.5.11](https://github.com/containerd/containerd/releases/tag/v1.5.11)) - Azure: WALinuxAgent ([2.6.0.2](https://github.com/Azure/WALinuxAgent/releases/tag/v2.6.0.2)) New **LTS-2021** Release **2605.27.1** _Changes since **LTS 2605.26.1**_ 
#### Security fixes: - Linux ([CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492), [CVE-2022-0001](https://nvd.nist.gov/vuln/detail/CVE-2022-0001), [CVE-2022-0002](https://nvd.nist.gov/vuln/detail/CVE-2022-0002), [CVE-2022-1011](https://nvd.nist.gov/vuln/detail/CVE-2022-1011), [CVE-2022-1016](https://nvd.nist.gov/vuln/detail/CVE-2022-1016), [CVE-2022-23036](https://nvd.nist.gov/vuln/detail/CVE-2022-23036), [CVE-2022-23037](https://nvd.nist.gov/vuln/detail/CVE-2022-23037), [CVE-2022-23038](https://nvd.nist.gov/vuln/detail/CVE-2022-23038), [CVE-2022-23039](https://nvd.nist.gov/vuln/detail/CVE-2022-23039), [CVE-2022-23040](https://nvd.nist.gov/vuln/detail/CVE-2022-23040), [CVE-2022-23041](https://nvd.nist.gov/vuln/detail/CVE-2022-23041), [CVE-2022-23042](https://nvd.nist.gov/vuln/detail/CVE-2022-23042), [CVE-2022-23960](https://nvd.nist.gov/vuln/detail/CVE-2022-23960), [CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636), [CVE-2022-27666](https://nvd.nist.gov/vuln/detail/CVE-2022-27666), [CVE-2022-28356](https://nvd.nist.gov/vuln/detail/CVE-2022-28356)) #### Updates: - Linux ([5.4.188](https://lwn.net/Articles/889440)) (from 5.4.181) - ca-certificates ([3.77](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_77.html)) Best, The Flatcar Container Linux Maintainers --- ### Security **Subject**: Security issues fixed with the latest Alpha-3200.0.0, Beta-3185.1.0, Stable-3139.2.0, LTS-2021 2605.27.1 release(s) **Security fix**: With the Alpha-3200.0.0, Beta-3185.1.0, Stable-3139.2.0, LTS-2021 2605.27.1 release(s) we ship a fix for the CVEs listed below. #### Alpha * Linux * [CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015) CVSSv3 score: n/a It pertains to an out of bounds access in nf_tables expression evaluation due to validation of user register indices. It leads to local privilege escalation, for example by overwriting a stack return address OOB with a crafted nft_expr_payload. 
  * [CVE-2022-1016](https://nvd.nist.gov/vuln/detail/CVE-2022-1016)
    CVSSv3 score: n/a
    It pertains to uninitialized stack data in the nft_do_chain routine. CVE-2022-1016 is exploitable starting from commit 96518518cc41 (original merge of nf_tables), v3.13-rc1, and has been fixed in commit 4c905f6740a3 ("netfilter: nf_tables: initialize registers in nft_do_chain()").
* containerd
  * [CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769)
    CVSSv3 score: n/a
    Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment.
    As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.
* gnutls
  * [CVE-2021-4209](https://nvd.nist.gov/vuln/detail/CVE-2021-4209)
    CVSSv3 score: n/a
    When gnutls is used with guile disabled, a null pointer may be passed to memcpy as argument 2, causing a null pointer dereference.
  * [GNUTLS-SA-2022-01-17](https://gitlab.com/gnutls/gnutls/-/issues/1277)
    CVSSv3 score: n/a
    When a single trust list object is shared among multiple threads, calls to gnutls_x509_trust_list_verify_crt2() were able to corrupt the temporary memory where an internal copy of an issuer certificate is stored. The code path is only taken when a PKCS#11 based trust store is enabled and the issuer certificate is already stored as trusted.
* util-linux
  * [CVE-2021-3995](https://nvd.nist.gov/vuln/detail/CVE-2021-3995)
    CVSSv3 score: n/a
    A flaw in parsing the /proc/self/mountinfo file allows an unprivileged user to unmount other users' filesystems that are either world-writable themselves or mounted in a world-writable directory.
  * [CVE-2021-3996](https://nvd.nist.gov/vuln/detail/CVE-2021-3996)
    CVSSv3 score: n/a
    An improper UID check in libmount allows an unprivileged user to unmount FUSE filesystems of users with a similar UID.
  * [CVE-2022-0563](https://nvd.nist.gov/vuln/detail/CVE-2022-0563)
    CVSSv3 score: 5.5 (Medium)
    A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.
* zlib
  * [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032)
    CVSSv3 score: 7.5 (High)
    zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

#### Beta

* Linux
  * [CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015)
    CVSSv3 score: n/a
    It pertains to an out-of-bounds access in nf_tables expression evaluation due to insufficient validation of user register indices. It leads to local privilege escalation, for example by overwriting a stack return address OOB with a crafted nft_expr_payload.
  * [CVE-2022-1016](https://nvd.nist.gov/vuln/detail/CVE-2022-1016)
    CVSSv3 score: n/a
    It pertains to uninitialized stack data in the nft_do_chain routine. CVE-2022-1016 is exploitable starting from commit 96518518cc41 (original merge of nf_tables), v3.13-rc1, and has been fixed in commit 4c905f6740a3 ("netfilter: nf_tables: initialize registers in nft_do_chain()").
* SDK: squashfs-tools
  * [CVE-2021-40153](https://nvd.nist.gov/vuln/detail/CVE-2021-40153)
    CVSSv3 score: 8.1 (High)
    squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.
  * [CVE-2021-41072](https://nvd.nist.gov/vuln/detail/CVE-2021-41072)
    CVSSv3 score: 8.1 (High)
    squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.
* cifs-utils
  * [CVE-2021-20208](https://nvd.nist.gov/vuln/detail/CVE-2021-20208)
    CVSSv3 score: 6.1 (Medium)
    A flaw was found in cifs-utils in versions before 6.13. A user mounting a krb5 CIFS file system from within a container can use the Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.
* containerd
  * [CVE-2022-23648](https://nvd.nist.gov/vuln/detail/CVE-2022-23648)
    CVSSv3 score: n/a
    containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd's CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd's CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
* cryptsetup
  * [CVE-2021-4122](https://nvd.nist.gov/vuln/detail/CVE-2021-4122)
    CVSSv3 score: n/a
    An attacker can modify on-disk metadata to simulate decryption in progress with a crashed (unfinished) reencryption step and persistently decrypt part of the LUKS device.
* duktape
  * [CVE-2021-46322](https://nvd.nist.gov/vuln/detail/CVE-2021-46322)
    CVSSv3 score: 5.5 (Medium)
    Duktape v2.99.99 was discovered to contain a SEGV vulnerability via the component duk_push_tval in duktape/duk_api_stack.c.
* intel-microcode
  * [CVE-2021-0127](https://nvd.nist.gov/vuln/detail/CVE-2021-0127)
    CVSSv3 score: 5.5 (Medium)
    Insufficient control flow management in some Intel(R) Processors may allow an authenticated user to potentially enable a denial of service via local access.
  * [CVE-2021-0146](https://nvd.nist.gov/vuln/detail/CVE-2021-0146)
    CVSSv3 score: 6.8 (Medium)
    Hardware allows activation of test or debug logic at runtime for some Intel(R) processors, which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
* libarchive
  * [CVE-2021-31566](https://nvd.nist.gov/vuln/detail/CVE-2021-31566)
    CVSSv3 score: n/a
    Some modes, times, ACLs and file flags, especially on directories, are set at archive_write_close() time. An archive can contain multiple entries with the same path. If a directory entry is marked for post-processing and a symlink entry with the same path "replaces" the directory with the symlink, the "fixup" postprocessing may alter the link target instead of the file itself.
  * [CVE-2021-36976](https://nvd.nist.gov/vuln/detail/CVE-2021-36976)
    CVSSv3 score: 6.5 (Medium)
    libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).
* libxml2
  * [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308)
    CVSSv3 score: 7.5 (High)
    valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
* nvidia-drivers
  * [CVE-2022-21814](https://nvd.nist.gov/vuln/detail/CVE-2022-21814)
    CVSSv3 score: n/a
    NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.
  * [CVE-2022-21813](https://nvd.nist.gov/vuln/detail/CVE-2022-21813)
    CVSSv3 score: n/a
    NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.
* shadow
  * [CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235)
    CVSSv3 score: 4.7 (Medium)
    shadow has a TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees.
* systemd
  * [CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997)
    CVSSv3 score: n/a
    Uncontrolled recursion in systemd's systemd-tmpfiles. It will be fixed in 250.2 and a backport has been done for 249.8.
* vim
  * [CVE-2021-3984](https://nvd.nist.gov/vuln/detail/CVE-2021-3984)
    CVSSv3 score: 7.8 (High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-4019](https://nvd.nist.gov/vuln/detail/CVE-2021-4019)
    CVSSv3 score: 7.8 (High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-4069](https://nvd.nist.gov/vuln/detail/CVE-2021-4069)
    CVSSv3 score: 7.8 (High)
    vim is vulnerable to Use After Free
  * [CVE-2021-4136](https://nvd.nist.gov/vuln/detail/CVE-2021-4136)
    CVSSv3 score: 7.8 (High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-4173](https://nvd.nist.gov/vuln/detail/CVE-2021-4173)
    CVSSv3 score: 7.8 (High)
    vim is vulnerable to Use After Free
  * [CVE-2021-4166](https://nvd.nist.gov/vuln/detail/CVE-2021-4166)
    CVSSv3 score: 7.1 (High)
    vim is vulnerable to Out-of-bounds Read
  * [CVE-2021-4187](https://nvd.nist.gov/vuln/detail/CVE-2021-4187)
    CVSSv3 score: 7.8 (High)
    vim is vulnerable to Use After Free
  * [CVE-2021-4192](https://nvd.nist.gov/vuln/detail/CVE-2021-4192)
    CVSSv3 score: 7.8 (High)
    vim is vulnerable to Use After Free
  * [CVE-2021-4193](https://nvd.nist.gov/vuln/detail/CVE-2021-4193)
    CVSSv3 score: 5.5 (Medium)
    vim is vulnerable to Out-of-bounds Read
  * [CVE-2022-0128](https://nvd.nist.gov/vuln/detail/CVE-2022-0128)
    CVSSv3 score: 7.8 (High)
    vim is vulnerable to Out-of-bounds Read
  * [CVE-2022-0156](https://nvd.nist.gov/vuln/detail/CVE-2022-0156)
    CVSSv3 score: 5.5 (Medium)
    vim is vulnerable to Use After Free
  * [CVE-2022-0158](https://nvd.nist.gov/vuln/detail/CVE-2022-0158)
    CVSSv3 score: 3.3 (Low)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2022-0213](https://nvd.nist.gov/vuln/detail/CVE-2022-0213)
    CVSSv3 score: 6.6 (Medium)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2022-0261](https://nvd.nist.gov/vuln/detail/CVE-2022-0261)
    CVSSv3 score: 7.8 (High)
    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0318](https://nvd.nist.gov/vuln/detail/CVE-2022-0318)
    CVSSv3 score: 9.8 (Critical)
    Heap-based Buffer Overflow in vim/vim prior to 8.2.
  * [CVE-2022-0319](https://nvd.nist.gov/vuln/detail/CVE-2022-0319)
    CVSSv3 score: 5.5 (Medium)
    Out-of-bounds Read in vim/vim prior to 8.2.
  * [CVE-2022-0351](https://nvd.nist.gov/vuln/detail/CVE-2022-0351)
    CVSSv3 score: 7.8 (High)
    Access of Memory Location Before Start of Buffer in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0359](https://nvd.nist.gov/vuln/detail/CVE-2022-0359)
    CVSSv3 score: 7.8 (High)
    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0361](https://nvd.nist.gov/vuln/detail/CVE-2022-0361)
    CVSSv3 score: 7.8 (High)
    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0368](https://nvd.nist.gov/vuln/detail/CVE-2022-0368)
    CVSSv3 score: 7.8 (High)
    Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0392](https://nvd.nist.gov/vuln/detail/CVE-2022-0392)
    CVSSv3 score: 7.8 (High)
    Heap-based Buffer Overflow in GitHub repository vim prior to 8.2.
  * [CVE-2022-0393](https://nvd.nist.gov/vuln/detail/CVE-2022-0393)
    CVSSv3 score: 7.1 (High)
    Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0407](https://nvd.nist.gov/vuln/detail/CVE-2022-0407)
    CVSSv3 score: 7.8 (High)
    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0408](https://nvd.nist.gov/vuln/detail/CVE-2022-0408)
    CVSSv3 score: 7.8 (High)
    Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0413](https://nvd.nist.gov/vuln/detail/CVE-2022-0413)
    CVSSv3 score: 7.8 (High)
    Use After Free in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0417](https://nvd.nist.gov/vuln/detail/CVE-2022-0417)
    CVSSv3 score: 7.8 (High)
    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0443](https://nvd.nist.gov/vuln/detail/CVE-2022-0443)
    CVSSv3 score: 7.8 (High)
    Use After Free in GitHub repository vim/vim prior to 8.2.

#### Stable

* Linux
  * [CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015)
    CVSSv3 score: n/a
    It pertains to an out-of-bounds access in nf_tables expression evaluation due to insufficient validation of user register indices. It leads to local privilege escalation, for example by overwriting a stack return address OOB with a crafted nft_expr_payload.
  * [CVE-2022-1016](https://nvd.nist.gov/vuln/detail/CVE-2022-1016)
    CVSSv3 score: n/a
    It pertains to uninitialized stack data in the nft_do_chain routine. CVE-2022-1016 is exploitable starting from commit 96518518cc41 (original merge of nf_tables), v3.13-rc1, and has been fixed in commit 4c905f6740a3 ("netfilter: nf_tables: initialize registers in nft_do_chain()").
* Go
  * [CVE-2021-44716](https://nvd.nist.gov/vuln/detail/CVE-2021-44716)
    CVSSv3 score: 7.5 (High)
    net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
  * [CVE-2021-44717](https://nvd.nist.gov/vuln/detail/CVE-2021-44717)
    CVSSv3 score: 4.8 (Medium)
    Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
* Ignition
  * [CVE-2020-14040](https://nvd.nist.gov/vuln/detail/CVE-2020-14040)
    CVSSv3 score: 7.5 (High)
    The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
  * [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561)
    CVSSv3 score: n/a
    Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
* OpenSSH
  * [CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617)
    CVSSv3 score: 7 (High)
    sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.
* QEMU
  * [CVE-2020-35504](https://nvd.nist.gov/vuln/detail/CVE-2020-35504)
    CVSSv3 score: 6 (Medium)
    A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  * [CVE-2020-35505](https://nvd.nist.gov/vuln/detail/CVE-2020-35505)
    CVSSv3 score: 4.4 (Medium)
    A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0.
    This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  * [CVE-2020-35506](https://nvd.nist.gov/vuln/detail/CVE-2020-35506)
    CVSSv3 score: 6.7 (Medium)
    A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
  * [CVE-2020-35517](https://nvd.nist.gov/vuln/detail/CVE-2020-35517)
    CVSSv3 score: 8.2 (High)
    A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it for read/write access to host devices.
  * [CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203)
    CVSSv3 score: 3.2 (Low)
    An integer overflow issue was found in the vmxnet3 NIC emulator of QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host, resulting in a DoS scenario.
  * [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255)
    CVSSv3 score: 5.5 (Medium)
    A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  * [CVE-2021-20257](https://nvd.nist.gov/vuln/detail/CVE-2021-20257)
    CVSSv3 score: 6.5 (Medium)
    An infinite loop flaw was found in the e1000 NIC emulator of QEMU. This issue occurs while processing transmit (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  * [CVE-2021-20263](https://nvd.nist.gov/vuln/detail/CVE-2021-20263)
    CVSSv3 score: 3.3 (Low)
    A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
  * [CVE-2021-3409](https://nvd.nist.gov/vuln/detail/CVE-2021-3409)
    CVSSv3 score: 5.7 (Medium)
    The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.
  * [CVE-2021-3416](https://nvd.nist.gov/vuln/detail/CVE-2021-3416)
    CVSSv3 score: 6 (Medium)
    A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host, resulting in a DoS scenario.
  * [CVE-2021-3527](https://nvd.nist.gov/vuln/detail/CVE-2021-3527)
    CVSSv3 score: 5.5 (Medium)
    A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
  * [CVE-2021-3544](https://nvd.nist.gov/vuln/detail/CVE-2021-3544)
    CVSSv3 score: 6.5 (Medium)
    Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.
  * [CVE-2021-3545](https://nvd.nist.gov/vuln/detail/CVE-2021-3545)
    CVSSv3 score: 6.5 (Medium)
    An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.
  * [CVE-2021-3546](https://nvd.nist.gov/vuln/detail/CVE-2021-3546)
    CVSSv3 score: 8.2 (High)
    An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.
  * [CVE-2021-3582](https://nvd.nist.gov/vuln/detail/CVE-2021-3582)
    CVSSv3 score: 6.5 (Medium)
    A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.
  * [CVE-2021-3607](https://nvd.nist.gov/vuln/detail/CVE-2021-3607)
    CVSSv3 score: 6 (Medium)
    An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  * [CVE-2021-3608](https://nvd.nist.gov/vuln/detail/CVE-2021-3608)
    CVSSv3 score: 6 (Medium)
    A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.
  * [CVE-2021-3682](https://nvd.nist.gov/vuln/detail/CVE-2021-3682)
    CVSSv3 score: 8.5 (High)
    A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
* SDK: edk2-ovmf
  * [CVE-2019-14584](https://nvd.nist.gov/vuln/detail/CVE-2019-14584)
    CVSSv3 score: 7.8 (High)
    Null pointer dereference in Tianocore EDK2 may allow an authenticated user to potentially enable escalation of privilege via local access.
  * [CVE-2021-28210](https://nvd.nist.gov/vuln/detail/CVE-2021-28210)
    CVSSv3 score: 7.8 (High)
    An unlimited recursion in DxeCore in EDK II.
  * [CVE-2021-28211](https://nvd.nist.gov/vuln/detail/CVE-2021-28211)
    CVSSv3 score: 6.7 (Medium)
    A heap overflow in the LzmaUefiDecompressGetInfo function in EDK II.
  * [CVE-2021-28213](https://nvd.nist.gov/vuln/detail/CVE-2021-28213)
    CVSSv3 score: 7.5 (High)
    An example EDK2 encrypted private key present in IpSecDxe.efi poses potential security risks.
* SDK: libxslt
  * [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560)
    CVSSv3 score: 8.8 (High)
    Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
* SDK: mantle
  * [CVE-2021-3121](https://nvd.nist.gov/vuln/detail/CVE-2021-3121)
    CVSSv3 score: 8.6 (High)
    An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
  * [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561)
    CVSSv3 score: n/a
    Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
  * [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565)
    CVSSv3 score: n/a
    Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers.
* SDK: rust
  * [CVE-2022-21658](https://nvd.nist.gov/vuln/detail/CVE-2022-21658)
    CVSSv3 score: 6.3 (Medium)
    Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
* containerd
  * [CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816)
    CVSSv3 score: 9.1 (Critical)
    containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete).
    This is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are relabeled indiscriminately to match the container process label, which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
  * [CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769)
    CVSSv3 score: n/a
    Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset.
    This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.
* gcc
  * [CVE-2020-13844](https://nvd.nist.gov/vuln/detail/CVE-2020-13844)
    CVSSv3 score: 5.5 (Medium)
    Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."
* krb5
  * [CVE-2021-37750](https://nvd.nist.gov/vuln/detail/CVE-2021-37750)
    CVSSv3 score: 6.5 (Medium)
    The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
* openssl
  * [CVE-2021-4044](https://nvd.nist.gov/vuln/detail/CVE-2021-4044)
    CVSSv3 score: 7.5 (High)
    Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.
This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). * torcx * [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561) CVSSv3 score: n/a Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack. * [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565) CVSSv3 score: n/a Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers. 
* vim
  * [CVE-2021-3872](https://nvd.nist.gov/vuln/detail/CVE-2021-3872) CVSSv3 score: 7.8(High). vim is vulnerable to Heap-based Buffer Overflow.
  * [CVE-2021-3875](https://nvd.nist.gov/vuln/detail/CVE-2021-3875) CVSSv3 score: 5.5(Medium). vim is vulnerable to Heap-based Buffer Overflow.
  * [CVE-2021-3903](https://nvd.nist.gov/vuln/detail/CVE-2021-3903) CVSSv3 score: 7.8(High). vim is vulnerable to Heap-based Buffer Overflow.
  * [CVE-2021-3927](https://nvd.nist.gov/vuln/detail/CVE-2021-3927) CVSSv3 score: 7.8(High). vim is vulnerable to Heap-based Buffer Overflow.
  * [CVE-2021-3928](https://nvd.nist.gov/vuln/detail/CVE-2021-3928) CVSSv3 score: 7.8(High). vim is vulnerable to Use of Uninitialized Variable.
  * [CVE-2021-3968](https://nvd.nist.gov/vuln/detail/CVE-2021-3968) CVSSv3 score: 8.0(High). vim is vulnerable to Heap-based Buffer Overflow.
  * [CVE-2021-3973](https://nvd.nist.gov/vuln/detail/CVE-2021-3973) CVSSv3 score: 7.8(High). vim is vulnerable to Heap-based Buffer Overflow.
  * [CVE-2021-3974](https://nvd.nist.gov/vuln/detail/CVE-2021-3974) CVSSv3 score: 7.8(High). vim is vulnerable to Use After Free.

#### LTS

* Linux
  * [CVE-2022-0001](https://nvd.nist.gov/vuln/detail/CVE-2022-0001) CVSSv3 score: 6.5(Medium). Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
  * [CVE-2022-0002](https://nvd.nist.gov/vuln/detail/CVE-2022-0002) CVSSv3 score: 6.5(Medium). Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
  * [CVE-2022-1011](https://nvd.nist.gov/vuln/detail/CVE-2022-1011) CVSSv3 score: 7.8(High). A use-after-free flaw was found in the Linux kernel FUSE filesystem in the way a user triggers write().
    A local user could use this flaw to gain unauthorized access to some data from the FUSE filesystem and, as a result, potentially escalate privileges as well.
  * [CVE-2022-1016](https://nvd.nist.gov/vuln/detail/CVE-2022-1016) CVSSv3 score: n/a. It pertains to uninitialized stack data in the nft_do_chain routine. CVE-2022-1016 is exploitable starting from commit 96518518cc41 (original merge of nf_tables), v3.13-rc1, and has been fixed in commit 4c905f6740a3 ("netfilter: nf_tables: initialize registers in nft_do_chain()").
  * [CVE-2022-23036](https://nvd.nist.gov/vuln/detail/CVE-2022-23036), [CVE-2022-23037](https://nvd.nist.gov/vuln/detail/CVE-2022-23037), [CVE-2022-23038](https://nvd.nist.gov/vuln/detail/CVE-2022-23038), [CVE-2022-23039](https://nvd.nist.gov/vuln/detail/CVE-2022-23039), [CVE-2022-23040](https://nvd.nist.gov/vuln/detail/CVE-2022-23040), [CVE-2022-23041](https://nvd.nist.gov/vuln/detail/CVE-2022-23041), [CVE-2022-23042](https://nvd.nist.gov/vuln/detail/CVE-2022-23042) CVSSv3 score: 7.0(High) each. Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]

    Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer.

    * blkfront: CVE-2022-23036
    * netfront: CVE-2022-23037
    * scsifront: CVE-2022-23038
    * gntalloc: CVE-2022-23039
    * xenbus: CVE-2022-23040

    blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. (CVE-2022-23041)

    netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. (CVE-2022-23042)
  * [CVE-2022-23960](https://nvd.nist.gov/vuln/detail/CVE-2022-23960) CVSSv3 score: 5.6(Medium). Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.
  * [CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636) CVSSv3 score: 7.8(High). net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.16.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.
  * [CVE-2022-27666](https://nvd.nist.gov/vuln/detail/CVE-2022-27666) CVSSv3 score: 7.8(High). A heap buffer overflow flaw was found in the IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with normal user privileges to overwrite kernel heap objects and may cause a local privilege escalation threat.
  * [CVE-2022-28356](https://nvd.nist.gov/vuln/detail/CVE-2022-28356) CVSSv3 score: n/a. In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.
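The CVE-2022-24769 entry above describes the condition (a non-empty inheritable capability set, `CapInh`, in every container process) and the `capsh(1)` workaround, but not how to tell whether a running container shows it. The POSIX shell script below is an added example, not code from Flatcar, Moby, or the advisory: it parses the `CapInh` line of `/proc/<pid>/status`, decodes the mask into capability names with shell arithmetic, and reports the affected state. The two status snippets are constructed samples; `0xa80425fb` is Docker's default capability bounding set, which is what the inheritable set equalled on an unfixed engine. The `capsh --inh=` invocation in the comment and the `/usr/local/bin/app` path are assumptions for illustration; check `capsh(1)` on the target image before adopting it.

```shell
#!/bin/sh
# Added example: detect the CVE-2022-24769 state (non-empty CapInh inside a
# container) from /proc/<pid>/status, decode it, and show the capsh(1) workaround.
# Not Flatcar or Moby code. Sample status text below is constructed, not captured.

# Linux capability names indexed by bit number: 0 = cap_chown ... 40 = cap_checkpoint_restore.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# Read /proc/<pid>/status text on stdin; print the CapInh mask as lower-case hex
# without leading zeros, or "0" when the inheritable set is empty.
cap_inh_from_status() {
    awk '/^CapInh:/ { v = tolower($2); sub(/^0+/, "", v); if (v == "") v = "0"; print v; exit }'
}

# True (exit 0) when the mask has at least one bit set.
cap_inh_is_nonempty() {
    [ "$1" != "0" ]
}

# Decode a hex capability mask into a comma-separated list of cap_* names by
# walking the bits (shell arithmetic is 64-bit in dash and bash, so bit 40 is fine).
decode_caps() {
    mask=$(( 0x$1 ))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="$out${out:+,}cap_$name"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# Audit the calling process: exit 0 if CapInh is empty (fixed engine, or the
# workaround applied), 1 with the decoded set if the affected state is present.
audit_self() {
    m=$(cap_inh_from_status < /proc/self/status)
    if cap_inh_is_nonempty "$m"; then
        echo "CapInh is non-empty ($m): $(decode_caps "$m")" >&2
        return 1
    fi
    echo "CapInh is empty: OK"
}

# Constructed samples. The first mirrors an unfixed engine (CapInh equal to the
# default bounding set 0xa80425fb); the second is the fixed state.
SAMPLE_AFFECTED='CapInh:	00000000a80425fb
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000'

SAMPLE_FIXED='CapInh:	0000000000000000
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000'

# Workaround entrypoint along the lines the advisory suggests (assumed capsh(1)
# flags from libcap; /usr/local/bin/app stands in for the real primary process):
#   exec capsh --inh= -- -c 'exec /usr/local/bin/app'
# Clearing the inheritable set before the exec means inheritable file capabilities
# on binaries in the image no longer reach the permitted set of unprivileged users.

# `sh check-capinh.sh --self` inside a container audits that container's own process.
case "${1:-}" in
    --self) audit_self; exit $? ;;
esac

# Stand-alone run: evaluate the two constructed samples.
for s in "$SAMPLE_AFFECTED" "$SAMPLE_FIXED"; do
    m=$(printf '%s\n' "$s" | cap_inh_from_status)
    if cap_inh_is_nonempty "$m"; then
        echo "sample CapInh=$m -> affected: $(decode_caps "$m")"
    else
        echo "sample CapInh=$m -> clean"
    fi
done
```

Run it with `--self` from a shell inside the container (via `docker exec`, or as a one-off command in the image) rather than on the host: the host's own processes normally have an empty inheritable set and tell you nothing about the engine. After upgrading to 20.10.14 the check only turns clean for containers that were recreated, which is why the advisory says to stop, delete and recreate them.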
---

### Twitter

_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._

New Flatcar releases now available for all channels!
📦 Highlights! 5.15 kernel lands in Stable, systemd v250 now in Beta.
🔒 CVE fixes & security patches: openssh, openssl, vim, gcc and many more
📜 Release notes at the usual spot: https://www.flatcar.org/releases/