# Flatcar Container Linux Release - March 7th

## Flatcar-linux-3165.0.0-Alpha

- AMD64-usr
  - Platforms succeeded: All except Equinix Metal
  - Platforms failed: Equinix Metal
    - `cl.internet`: a known flaky test
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None

VERDICT: _GO_

## Flatcar-linux-3139.1.0-Beta

- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All except AWS
  - Platforms failed: AWS
    - `coreos.update.badusr`: a known flaky test http://jenkins.infra.kinvolk.io:8080/job/os/job/kola/job/aws/1211/
  - Platforms not tested: None

VERDICT: _GO_

## Flatcar-linux-3033.2.3-Stable

- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All except AWS
  - Platforms failed: AWS
    - `coreos.update.badusr`: a known flaky test http://jenkins.infra.kinvolk.io:8080/job/os/job/kola/job/aws/1212/
  - Platforms not tested: None

VERDICT: _GO_

## Flatcar-linux-2605.26.1-LTS

- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None

VERDICT: _GO_

## Communication

---

#### Guidelines

- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).

---

### Announcement Message

Subject: Announcing new Alpha release 3165.0.0, Beta release 3139.1.0, Stable release 3033.2.3, LTS-2605 release 2605.26.1

Hello,

We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, and LTS-2605 channels.

New **Alpha** Release **3165.0.0**

_Changes since **Alpha 3139.0.0**_

#### Security fixes

- Linux ([CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492), [CVE-2022-0516](https://nvd.nist.gov/vuln/detail/CVE-2022-0516), [CVE-2022-0435](https://nvd.nist.gov/vuln/detail/CVE-2022-0435), [CVE-2022-0487](https://nvd.nist.gov/vuln/detail/CVE-2022-0487), [CVE-2022-25375](https://nvd.nist.gov/vuln/detail/CVE-2022-25375), [CVE-2022-25258](https://nvd.nist.gov/vuln/detail/CVE-2022-25258), [CVE-2022-0847](https://nvd.nist.gov/vuln/detail/CVE-2022-0847))
- Go ([CVE-2022-23806](https://nvd.nist.gov/vuln/detail/CVE-2022-23806), [CVE-2022-23772](https://nvd.nist.gov/vuln/detail/CVE-2022-23772), [CVE-2022-23773](https://nvd.nist.gov/vuln/detail/CVE-2022-23773))
- systemd ([CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997))
- cifs-utils ([CVE-2021-20208](https://nvd.nist.gov/vuln/detail/CVE-2021-20208))
- expat ([CVE-2022-25235](https://nvd.nist.gov/vuln/detail/CVE-2022-25235), [CVE-2022-25236](https://nvd.nist.gov/vuln/detail/CVE-2022-25236), [CVE-2022-25313](https://nvd.nist.gov/vuln/detail/CVE-2022-25313), [CVE-2022-25314](https://nvd.nist.gov/vuln/detail/CVE-2022-25314), [CVE-2022-25315](https://nvd.nist.gov/vuln/detail/CVE-2022-25315))
- duktape ([CVE-2021-46322](https://nvd.nist.gov/vuln/detail/CVE-2021-46322))
- libarchive ([CVE-2021-31566](https://nvd.nist.gov/vuln/detail/CVE-2021-31566), [CVE-2021-36976](https://nvd.nist.gov/vuln/detail/CVE-2021-36976))
- libxml2 ([CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308))
- shadow ([CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235))
- vim ([CVE-2021-3984](https://nvd.nist.gov/vuln/detail/CVE-2021-3984), [CVE-2021-4019](https://nvd.nist.gov/vuln/detail/CVE-2021-4019), [CVE-2021-4069](https://nvd.nist.gov/vuln/detail/CVE-2021-4069), [CVE-2021-4136](https://nvd.nist.gov/vuln/detail/CVE-2021-4136), [CVE-2021-4173](https://nvd.nist.gov/vuln/detail/CVE-2021-4173), [CVE-2021-4166](https://nvd.nist.gov/vuln/detail/CVE-2021-4166), [CVE-2021-4187](https://nvd.nist.gov/vuln/detail/CVE-2021-4187), [CVE-2021-4192](https://nvd.nist.gov/vuln/detail/CVE-2021-4192), [CVE-2021-4193](https://nvd.nist.gov/vuln/detail/CVE-2021-4193), [CVE-2022-0128](https://nvd.nist.gov/vuln/detail/CVE-2022-0128), [CVE-2022-0156](https://nvd.nist.gov/vuln/detail/CVE-2022-0156), [CVE-2022-0158](https://nvd.nist.gov/vuln/detail/CVE-2022-0158), [CVE-2022-0213](https://nvd.nist.gov/vuln/detail/CVE-2022-0213), [CVE-2022-0261](https://nvd.nist.gov/vuln/detail/CVE-2022-0261), [CVE-2022-0318](https://nvd.nist.gov/vuln/detail/CVE-2022-0318), [CVE-2022-0319](https://nvd.nist.gov/vuln/detail/CVE-2022-0319), [CVE-2022-0351](https://nvd.nist.gov/vuln/detail/CVE-2022-0351), [CVE-2022-0359](https://nvd.nist.gov/vuln/detail/CVE-2022-0359), [CVE-2022-0361](https://nvd.nist.gov/vuln/detail/CVE-2022-0361), [CVE-2022-0368](https://nvd.nist.gov/vuln/detail/CVE-2022-0368), [CVE-2022-0392](https://nvd.nist.gov/vuln/detail/CVE-2022-0392), [CVE-2022-0393](https://nvd.nist.gov/vuln/detail/CVE-2022-0393), [CVE-2022-0407](https://nvd.nist.gov/vuln/detail/CVE-2022-0407), [CVE-2022-0408](https://nvd.nist.gov/vuln/detail/CVE-2022-0408), [CVE-2022-0413](https://nvd.nist.gov/vuln/detail/CVE-2022-0413), [CVE-2022-0417](https://nvd.nist.gov/vuln/detail/CVE-2022-0417), [CVE-2022-0443](https://nvd.nist.gov/vuln/detail/CVE-2022-0443))
- SDK: squashfs-tools ([CVE-2021-40153](https://nvd.nist.gov/vuln/detail/CVE-2021-40153), [CVE-2021-41072](https://nvd.nist.gov/vuln/detail/CVE-2021-41072))

#### Bug fixes

- Disabled the systemd-networkd settings `ManageForeignRoutes` and `ManageForeignRoutingPolicyRules` by default to ensure that CNIs like Cilium don't get their routes or routing policy rules discarded on network reconfiguration events ([Flatcar#620](https://github.com/flatcar-linux/Flatcar/issues/620)).
- AWS: specify correct console (ttyS0) on kernel command line for ARM64 instances ([coreos-overlay#1628](https://github.com/flatcar-linux/coreos-overlay/pull/1628))
- Prevented hitting races when creating filesystems in Ignition; these races caused boot failures like `fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory` when creating a btrfs root filesystem ([ignition#35](https://github.com/flatcar-linux/ignition/pull/35))
- Reverted the Linux kernel change to forbid xfrm id 0 for IPSec state because it broke Cilium ([Flatcar#626](https://github.com/flatcar-linux/Flatcar/issues/626), [coreos-overlay#1682](https://github.com/flatcar-linux/coreos-overlay/pull/1682))
- Added `auditd.service` but left it disabled by default; a custom configuration can be created by removing `/etc/audit/auditd.conf` and replacing it with your own file ([coreos-overlay#1636](https://github.com/flatcar-linux/coreos-overlay/pull/1636))

#### Changes

- The systemd-networkd `ManageForeignRoutes` and `ManageForeignRoutingPolicyRules` settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under `/etc/systemd/networkd.conf.d/` because drop-in files take precedence over `/etc/systemd/networkd.conf` ([init#61](https://github.com/flatcar-linux/init/pull/61))
- Bring in dependencies for NFS4 with Kerberos both in kernel and userspace. Tested against NFS4.1 server. ([coreos-overlay#1664](https://github.com/flatcar-linux/coreos-overlay/pull/1664))
- Added support for switching back to CGroupsV1 without requiring a reboot. Create `/etc/flatcar-cgroupv1` through ignition. ([coreos-overlay#1666](https://github.com/flatcar-linux/coreos-overlay/pull/1666))
- Azure VHD disks are now created using subformat=fixed, which makes them suitable for immediate upload to Azure using any tool.
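
One way to check which file actually decides these two settings on a node, as an added example (not Flatcar's or systemd's own code): it follows the networkd.conf(5) rule that drop-ins are read after the main file in file-name order, so an `/etc` drop-in only wins if its name sorts after the vendor drop-in or matches it. The function names, the `ROOT` test prefix and the drop-in names `50-vendor.conf`, `10-local.conf` and `90-local.conf` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: resolve which file decides a networkd.conf [Network] setting.
# Parse order per networkd.conf(5): /etc/systemd/networkd.conf first, then all
# conf.d drop-ins from /usr/lib, /run and /etc sorted by file name; the last
# assignment wins. ROOT is a prefix for testing ("" means the live system).

# List the config files in the order networkd reads them.
networkd_conf_files() (
    root=${1:-}
    if [ -f "$root/etc/systemd/networkd.conf" ]; then
        printf '%s\n' "$root/etc/systemd/networkd.conf"
    fi
    # Walk directories from lowest to highest priority so a same-named file
    # in /etc replaces the vendor copy, then order the survivors by name.
    for d in usr/lib run etc; do
        for f in "$root/$d/systemd/networkd.conf.d"/*.conf; do
            if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
        done
    done |
        awk -F '\t' '{ p[$1] = $2 } END { for (n in p) print n "\t" p[n] }' |
        LC_ALL=C sort | cut -f2
)

# Print "VALUE<TAB>SOURCE" for KEY, or nothing when no file sets it.
networkd_effective() (
    key=$1
    root=${2:-}
    networkd_conf_files "$root" | while IFS= read -r f; do
        awk -v key="$key" -v src="${f#"$root"}" '
            /^[ \t]*[#;]/ { next }                                  # comments
            /^[ \t]*\[/   { in_net = ($0 ~ /^[ \t]*\[Network\]/); next }
            in_net {
                eq = index($0, "="); if (!eq) next
                k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (k == key) print v "\t" src
            }' "$f"
    done | tail -n 1
)

# Succeed only if networkd will leave routes and rules installed by a CNI alone.
networkd_keeps_foreign_state() (
    root=${1:-}
    for key in ManageForeignRoutes ManageForeignRoutingPolicyRules; do
        val=$(networkd_effective "$key" "$root" | cut -f1 | tr 'A-Z' 'a-z')
        case $val in
            0|no|n|false|f|off) ;;
            *) printf '%s: effective value "%s" (unset means yes)\n' "$key" "$val" >&2
               exit 1 ;;
        esac
    done
)

# Constructed sample tree; the drop-in file names are hypothetical.
make_sample_root() (
    r=$(mktemp -d)
    mkdir -p "$r/etc/systemd/networkd.conf.d" "$r/usr/lib/systemd/networkd.conf.d"
    printf '[Network]\nManageForeignRoutes=no\nManageForeignRoutingPolicyRules=no\n' \
        > "$r/usr/lib/systemd/networkd.conf.d/50-vendor.conf"
    # Editing the main file has no effect: the vendor drop-in is read later.
    printf '[Network]\nManageForeignRoutes=yes\n' > "$r/etc/systemd/networkd.conf"
    printf '%s\n' "$r"
)

# Demo on the constructed tree: the main file loses, a later-sorting drop-in wins.
demo_root=$(make_sample_root)
networkd_effective ManageForeignRoutes "$demo_root"
printf '[Network]\nManageForeignRoutes=yes\n' \
    > "$demo_root/etc/systemd/networkd.conf.d/90-local.conf"
networkd_effective ManageForeignRoutes "$demo_root"
rm -rf "$demo_root"
```

On a live node, call `networkd_effective ManageForeignRoutes` with no prefix to see the value and the file that set it.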

#### Updates

- Linux ([5.15.25](https://lwn.net/Articles/885895)) (from 5.15.19)
- Linux Firmware ([20220209](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220209))
- Go ([1.17.7](https://go.googlesource.com/go/+/refs/tags/go1.17.7))
- systemd ([250.3](https://github.com/systemd/systemd-stable/releases/tag/v250.3))
- bpftool ([5.15.8](https://lwn.net/Articles/878631/))
- bridge-utils ([1.7.1](https://git.kernel.org/pub/scm/network/bridge/bridge-utils.git/log/?h=v1.7.1))
- cifs-utils ([6.13](https://lkml.kernel.org/linux-cifs/CAKywueSqRGSFmeDHQacyu831BNUeGFxGg3vgBmozzhkGBCjyXQ@mail.gmail.com/T/))
- containerd ([1.6.0](https://github.com/containerd/containerd/releases/tag/v1.6.0))
- duktape ([2.7.0](https://github.com/svaarala/duktape/releases/tag/v2.7.0))
- expat ([2.4.6](https://github.com/libexpat/libexpat/blob/R_2_4_6/expat/Changes))
- kexec-tools ([2.0.22](https://www.spinics.net/lists/kexec/msg26864.html))
- libarchive ([3.5.3](https://github.com/libarchive/libarchive/releases/tag/v3.5.3))
- libmspack ([0.10.1_alpha](https://github.com/kyz/libmspack/blob/v0.10.1alpha/libmspack/ChangeLog))
- libxml2 ([2.9.13](http://www.xmlsoft.org/news.html))
- nfs-utils ([2.5.4](https://lore.kernel.org/linux-fsdevel/c8795653-7728-18a4-93dc-58943ad0fe09@redhat.com/))
- shadow ([4.11.1](https://github.com/shadow-maint/shadow/releases/tag/v4.11.1))
- vim ([8.2.4328](https://github.com/vim/vim/releases/tag/v8.2.4328))
- Azure: WALinuxAgent ([2.6.0.2](https://github.com/Azure/WALinuxAgent/releases/tag/v2.6.0.2))
- SDK: gcc-config ([2.5](https://gitweb.gentoo.org/proj/gcc-config.git/tag/?h=v2.5))
- SDK: iasl ([20200717](https://www.acpica.org/node/183))
- SDK: man-pages ([5.12-r2](https://man7.org/linux/man-pages/changelog.html#release_5.12))
- SDK: netperf ([2.7.0](https://github.com/HewlettPackard/netperf/blob/netperf-2.7.0/Release_Notes))
- SDK: squashfs-tools
  ([4.5_p20210914](https://lore.kernel.org/lkml/CAB3woddJss+ziGp-RjJ-yiax6pc_HLMdxk3Qk5nJdRgjpEYWBg@mail.gmail.com/))

New **Beta** Release **3139.1.0**

_Changes since **Alpha 3139.0.0**_

#### Security fixes

- Linux ([CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492), [CVE-2022-0516](https://nvd.nist.gov/vuln/detail/CVE-2022-0516), [CVE-2022-0435](https://nvd.nist.gov/vuln/detail/CVE-2022-0435), [CVE-2022-0487](https://nvd.nist.gov/vuln/detail/CVE-2022-0487), [CVE-2022-25375](https://nvd.nist.gov/vuln/detail/CVE-2022-25375), [CVE-2022-25258](https://nvd.nist.gov/vuln/detail/CVE-2022-25258), [CVE-2022-0847](https://nvd.nist.gov/vuln/detail/CVE-2022-0847))
- Go ([CVE-2022-23806](https://nvd.nist.gov/vuln/detail/CVE-2022-23806), [CVE-2022-23772](https://nvd.nist.gov/vuln/detail/CVE-2022-23772), [CVE-2022-23773](https://nvd.nist.gov/vuln/detail/CVE-2022-23773))
- expat ([CVE-2022-25235](https://nvd.nist.gov/vuln/detail/CVE-2022-25235), [CVE-2022-25236](https://nvd.nist.gov/vuln/detail/CVE-2022-25236), [CVE-2022-25313](https://nvd.nist.gov/vuln/detail/CVE-2022-25313), [CVE-2022-25314](https://nvd.nist.gov/vuln/detail/CVE-2022-25314), [CVE-2022-25315](https://nvd.nist.gov/vuln/detail/CVE-2022-25315))

#### Bug fixes

- Disabled the systemd-networkd settings `ManageForeignRoutes` and `ManageForeignRoutingPolicyRules` by default to ensure that CNIs like Cilium don't get their routes or routing policy rules discarded on network reconfiguration events ([Flatcar#620](https://github.com/flatcar-linux/Flatcar/issues/620)).
- Prevented hitting races when creating filesystems in Ignition; these races caused boot failures like `fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory` when creating a btrfs root filesystem ([ignition#35](https://github.com/flatcar-linux/ignition/pull/35))
- Reverted the Linux kernel change to forbid xfrm id 0 for IPSec state because it broke Cilium ([Flatcar#626](https://github.com/flatcar-linux/Flatcar/issues/626), [coreos-overlay#1682](https://github.com/flatcar-linux/coreos-overlay/pull/1682))

#### Changes

- Added support for switching back to CGroupsV1 without requiring a reboot. Create `/etc/flatcar-cgroupv1` through ignition. ([coreos-overlay#1666](https://github.com/flatcar-linux/coreos-overlay/pull/1666))

#### Updates

- Linux ([5.15.25](https://lwn.net/Articles/885896)) (from 5.15.19)
- ca-certificates ([3.75](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_75.html))
- Go ([1.17.7](https://go.googlesource.com/go/+/refs/tags/go1.17.7))
- expat ([2.4.6](https://github.com/libexpat/libexpat/blob/R_2_4_6/expat/Changes))

_Changes since **Beta 3066.1.2**_

#### Security fixes

- GCC ([CVE-2020-13844](https://nvd.nist.gov/vuln/detail/CVE-2020-13844))
- Go ([CVE-2021-44716](https://nvd.nist.gov/vuln/detail/CVE-2021-44716), [CVE-2021-44717](https://nvd.nist.gov/vuln/detail/CVE-2021-44717), [CVE-2022-23806](https://nvd.nist.gov/vuln/detail/CVE-2022-23806), [CVE-2022-23772](https://nvd.nist.gov/vuln/detail/CVE-2022-23772), [CVE-2022-23773](https://nvd.nist.gov/vuln/detail/CVE-2022-23773))
- containerd ([CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816))
- expat ([CVE-2022-25235](https://nvd.nist.gov/vuln/detail/CVE-2022-25235), [CVE-2022-25236](https://nvd.nist.gov/vuln/detail/CVE-2022-25236), [CVE-2022-25313](https://nvd.nist.gov/vuln/detail/CVE-2022-25313), [CVE-2022-25314](https://nvd.nist.gov/vuln/detail/CVE-2022-25314), [CVE-2022-25315](https://nvd.nist.gov/vuln/detail/CVE-2022-25315))
- ignition
  ([CVE-2020-14040](https://nvd.nist.gov/vuln/detail/CVE-2020-14040), [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561))
- krb5 ([CVE-2021-37750](https://nvd.nist.gov/vuln/detail/CVE-2021-37750))
- libarchive ([libarchive-1565](https://github.com/libarchive/libarchive/issues/1565), [libarchive-1566](https://github.com/libarchive/libarchive/issues/1566))
- openssh ([CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617))
- openssl ([CVE-2021-4044](https://nvd.nist.gov/vuln/detail/CVE-2021-4044))
- torcx ([CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561), [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565))
- vim ([CVE-2021-3872](https://nvd.nist.gov/vuln/detail/CVE-2021-3872), [CVE-2021-3875](https://nvd.nist.gov/vuln/detail/CVE-2021-3875), [CVE-2021-3903](https://nvd.nist.gov/vuln/detail/CVE-2021-3903), [CVE-2021-3927](https://nvd.nist.gov/vuln/detail/CVE-2021-3927), [CVE-2021-3928](https://nvd.nist.gov/vuln/detail/CVE-2021-3928), [CVE-2021-3968](https://nvd.nist.gov/vuln/detail/CVE-2021-3968), [CVE-2021-3973](https://nvd.nist.gov/vuln/detail/CVE-2021-3973), [CVE-2021-3974](https://nvd.nist.gov/vuln/detail/CVE-2021-3974))
- SDK: edk2-ovmf ([CVE-2019-14584](https://nvd.nist.gov/vuln/detail/CVE-2019-14584), [CVE-2021-28210](https://nvd.nist.gov/vuln/detail/CVE-2021-28210), [CVE-2021-28211](https://nvd.nist.gov/vuln/detail/CVE-2021-28211), [CVE-2021-28213](https://nvd.nist.gov/vuln/detail/CVE-2021-28213))
- SDK: libxslt ([CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560))
- SDK: mantle ([CVE-2021-3121](https://nvd.nist.gov/vuln/detail/CVE-2021-3121), [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561), [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565))
- SDK: Rust ([CVE-2022-21658](https://nvd.nist.gov/vuln/detail/CVE-2022-21658))
- SDK: QEMU ([CVE-2020-35504](https://nvd.nist.gov/vuln/detail/CVE-2020-35504),
  [CVE-2020-35505](https://nvd.nist.gov/vuln/detail/CVE-2020-35505), [CVE-2020-35506](https://nvd.nist.gov/vuln/detail/CVE-2020-35506), [CVE-2020-35517](https://nvd.nist.gov/vuln/detail/CVE-2020-35517), [CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203), [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255), [CVE-2021-20257](https://nvd.nist.gov/vuln/detail/CVE-2021-20257), [CVE-2021-20263](https://nvd.nist.gov/vuln/detail/CVE-2021-20263), [CVE-2021-3409](https://nvd.nist.gov/vuln/detail/CVE-2021-3409), [CVE-2021-3416](https://nvd.nist.gov/vuln/detail/CVE-2021-3416), [CVE-2021-3527](https://nvd.nist.gov/vuln/detail/CVE-2021-3527), [CVE-2021-3544](https://nvd.nist.gov/vuln/detail/CVE-2021-3544), [CVE-2021-3545](https://nvd.nist.gov/vuln/detail/CVE-2021-3545), [CVE-2021-3546](https://nvd.nist.gov/vuln/detail/CVE-2021-3546), [CVE-2021-3582](https://nvd.nist.gov/vuln/detail/CVE-2021-3582), [CVE-2021-3607](https://nvd.nist.gov/vuln/detail/CVE-2021-3607), [CVE-2021-3608](https://nvd.nist.gov/vuln/detail/CVE-2021-3608), [CVE-2021-3682](https://nvd.nist.gov/vuln/detail/CVE-2021-3682))

#### Bug fixes

- Excluded the Kubenet cbr0 interface from networkd's DHCP config and set it to Unmanaged to prevent interference and ensure that it is not part of the network online check ([init#55](https://github.com/flatcar-linux/init/pull/55))
- Fixed the dracut emergency Ignition log printing that had a scripting error causing the cat command to fail ([bootengine#33](https://github.com/flatcar-linux/bootengine/pull/33))
- network: Accept ICMPv6 Router Advertisements to fix IPv6 address assignment in the default DHCP setting ([init#51](https://github.com/flatcar-linux/init/pull/51), [coreos-cloudinit#12](https://github.com/flatcar-linux/coreos-cloudinit/pull/12), [bootengine#30](https://github.com/flatcar-linux/bootengine/pull/30))
- flatcar-update: Stopped checking for the `USER` environment variable which may not be set in all environments, causing the script to
  fail unless a workaround was used like prepending an additional `sudo` invocation ([init#58](https://github.com/flatcar-linux/init/pull/58))
- Disabled the systemd-networkd settings `ManageForeignRoutes` and `ManageForeignRoutingPolicyRules` by default to ensure that CNIs like Cilium don't get their routes or routing policy rules discarded on network reconfiguration events ([Flatcar#620](https://github.com/flatcar-linux/Flatcar/issues/620)).
- Prevented hitting races when creating filesystems in Ignition; these races caused boot failures like `fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory` when creating a btrfs root filesystem ([ignition#35](https://github.com/flatcar-linux/ignition/pull/35))
- Reverted the Linux kernel change to forbid xfrm id 0 for IPSec state because it broke Cilium ([Flatcar#626](https://github.com/flatcar-linux/Flatcar/issues/626), [coreos-overlay#1682](https://github.com/flatcar-linux/coreos-overlay/pull/1682))

#### Changes

- Update-engine now creates the `/run/reboot-required` flag file for [kured](https://github.com/weaveworks/kured) ([update_engine#15](https://github.com/flatcar-linux/update_engine/pull/15))
- Excluded special network interface devices like bridge, tunnel, vxlan, and veth devices from the default DHCP configuration to prevent networkd interference ([init#56](https://github.com/flatcar-linux/init/pull/56))
- Added CONFIG_NF_CT_NETLINK_HELPER (for libnetfilter_cthelper), CONFIG_NET_VRF (for virtual routing and forwarding) and CONFIG_KEY_DH_OPERATIONS (for keyutils) to the kernel config ([coreos-overlay#1524](https://github.com/flatcar-linux/coreos-overlay/pull/1524))
- Enabled the FIPS support for the Linux kernel, which users can now choose through a kernel parameter in `grub.cfg` (check it taking effect with `cat /proc/sys/crypto/fips_enabled`) ([coreos-overlay#1602](https://github.com/flatcar-linux/coreos-overlay/pull/1602))
- Added support for switching back to CGroupsV1 without requiring
  a reboot. Create `/etc/flatcar-cgroupv1` through ignition. ([coreos-overlay#1666](https://github.com/flatcar-linux/coreos-overlay/pull/1666))
- Removed the pre-shipped `/etc/flatcar/update.conf` file, leaving it totally to the user to define the contents as it was unnecessarily overwriting the `/usr/share/flatcar/update.conf` ([flatcar-linux/scripts#212](https://github.com/flatcar-linux/scripts/pull/212))

#### Updates

- Linux ([5.15.25](https://lwn.net/Articles/885895)) (from 5.10.96)
- GCC ([9.4.0](https://lists.gnu.org/archive/html/info-gnu/2021-06/msg00000.html))
- Go ([1.17.7](https://go.googlesource.com/go/+/refs/tags/go1.17.7))
- ca-certificates ([3.75](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_75.html))
- systemd ([249.7](https://github.com/systemd/systemd-stable/blob/v249.7/NEWS))
- acl ([2.3.1](https://git.savannah.nongnu.org/cgit/acl.git/log/?h=v2.3.1))
- attr ([2.5.1](https://git.savannah.nongnu.org/cgit/attr.git/log/?h=v2.5.1))
- audit ([3.0.6](https://listman.redhat.com/archives/linux-audit/2021-October/msg00000.html))
- boost ([1.76.0](https://www.boost.org/users/history/version_1_76_0.html))
- btrfs-progs ([5.15.1](https://btrfs.wiki.kernel.org/index.php/Changelog#btrfs-progs_v5.15_.28Nov_2021.29))
- coreutils ([8.32](https://lists.gnu.org/archive/html/coreutils-announce/2020-03/msg00000.html))
- diffutils ([3.8](https://lists.gnu.org/archive/html/info-gnu/2021-08/msg00000.html))
- ethtool ([5.10](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/tree/NEWS?h=v5.10))
- expat ([2.4.6](https://github.com/libexpat/libexpat/blob/R_2_4_6/expat/Changes))
- findutils ([4.8.0](https://savannah.gnu.org/forum/forum.php?forum_id=9914))
- glib ([2.68.4](https://gitlab.gnome.org/GNOME/glib/-/releases/2.68.4))
- i2c-tools ([4.2](https://git.kernel.org/pub/scm/utils/i2c-tools/i2c-tools.git/log/?h=v4.2))
- iproute2 ([5.15](https://lwn.net/ml/linux-kernel/20211101164705.6f4f2e41%40hermes.local/))
- ipset
  ([7.11](https://ipset.netfilter.org/changelog.html))
- ipvsadm ([1.27](http://archive.linuxvirtualserver.org/html/lvs-devel/2013-09/msg00011.html))
- iputils ([20210722](https://github.com/iputils/iputils/releases/tag/20210722))
- kmod ([29](https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/?id=b6ecfc916a17eab8f93be5b09f4e4f845aabd3d1))
- libarchive ([3.5.2](https://github.com/libarchive/libarchive/releases/tag/v3.5.2))
- libcap-ng ([0.8.2](https://github.com/stevegrubb/libcap-ng/releases/tag/v0.8.2))
- libseccomp ([2.5.1](https://github.com/seccomp/libseccomp/releases/tag/v2.5.1))
- lshw ([02.19.2b_p20210121](https://www.ezix.org/project/wiki/HardwareLiSter#Changes))
- lsof ([4.94.0](https://github.com/lsof-org/lsof/releases/tag/4.94.0))
- openssh ([8.8](http://www.openssh.com/txt/release-8.8))
- openssl ([3.0.1](https://www.openssl.org/news/changelog.html#openssl-30))
- parted ([3.4](https://savannah.gnu.org/forum/forum.php?forum_id=9924) (includes [3.3](https://savannah.gnu.org/forum/forum.php?forum_id=9569)))
- pciutils ([3.7.0](https://github.com/pciutils/pciutils/commit/864aecdea9c7db626856d8d452f6c784316a878c))
- polkit ([0.120](https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.120/NEWS))
- runc ([1.1.0](https://github.com/opencontainers/runc/releases/tag/v1.1.0))
- sbsigntools ([0.9.4](https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/tag/?h=v0.9.4))
- sed ([4.8](https://savannah.gnu.org/forum/forum.php?forum_id=9647))
- usbutils ([014](https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usbutils.git/commit/?id=57fb18e59cce31a50a1ca62d1e192512c905ba00))
- vim ([8.2.3582](https://github.com/vim/vim/releases/tag/v8.2.3582))
- Azure: Python for OEM images ([3.9.8](https://www.python.org/downloads/release/python-398/))
- SDK: Linux headers ([5.15](https://lwn.net/Articles/876611/))
- SDK: edk2-ovmf ([202105](https://github.com/tianocore/edk2/releases/tag/edk2-stable202105))
- SDK: file
  ([5.40](https://mailman.astron.com/pipermail/file/2021-March/000478.html))
- SDK: ipxe ([1.21.1](https://github.com/ipxe/ipxe/releases/tag/v1.21.1))
- SDK: mantle ([0.18.0](https://github.com/flatcar-linux/mantle/releases/tag/v0.18.0))
- SDK: perf ([5.15](https://kernelnewbies.org/LinuxChanges#Linux_5.15.Tracing.2C_perf_and_BPF))
- SDK: Python ([3.9.8](https://www.python.org/downloads/release/python-398/))
- SDK: Rust ([1.58.1](https://github.com/rust-lang/rust/releases/tag/1.58.1))
- SDK: QEMU ([6.1.0](https://wiki.qemu.org/ChangeLog/6.1))
- SDK: seabios ([1.14.0](https://seabios.org/Releases#SeaBIOS_1.14.0))
- SDK: sgabios ([0.1_pre10](https://git.qemu.org/?p=sgabios.git;a=tree;h=a85446adb0e0))

New **Stable** Release **3033.2.3**

_Changes since **Stable 3033.2.2**_

#### Security fixes

- Linux ([CVE-2022-24448](https://nvd.nist.gov/vuln/detail/CVE-2022-24448), [CVE-2022-0617](https://nvd.nist.gov/vuln/detail/CVE-2022-0617), [CVE-2022-24959](https://nvd.nist.gov/vuln/detail/CVE-2022-24959), [CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492), [CVE-2022-0516](https://nvd.nist.gov/vuln/detail/CVE-2022-0516), [CVE-2022-0435](https://nvd.nist.gov/vuln/detail/CVE-2022-0435), [CVE-2022-0487](https://nvd.nist.gov/vuln/detail/CVE-2022-0487), [CVE-2022-25375](https://nvd.nist.gov/vuln/detail/CVE-2022-25375), [CVE-2022-25258](https://nvd.nist.gov/vuln/detail/CVE-2022-25258), [CVE-2022-0847](https://nvd.nist.gov/vuln/detail/CVE-2022-0847))
- Go ([CVE-2022-23806](https://nvd.nist.gov/vuln/detail/CVE-2022-23806), [CVE-2022-23772](https://nvd.nist.gov/vuln/detail/CVE-2022-23772), [CVE-2022-23773](https://nvd.nist.gov/vuln/detail/CVE-2022-23773))
- ignition ([CVE-2020-14040](https://nvd.nist.gov/vuln/detail/CVE-2020-14040))
- expat ([CVE-2022-25235](https://nvd.nist.gov/vuln/detail/CVE-2022-25235), [CVE-2022-25236](https://nvd.nist.gov/vuln/detail/CVE-2022-25236), [CVE-2022-25313](https://nvd.nist.gov/vuln/detail/CVE-2022-25313),
  [CVE-2022-25314](https://nvd.nist.gov/vuln/detail/CVE-2022-25314), [CVE-2022-25315](https://nvd.nist.gov/vuln/detail/CVE-2022-25315))

#### Bug fixes

- Disabled the systemd-networkd settings `ManageForeignRoutes` and `ManageForeignRoutingPolicyRules` by default to ensure that CNIs like Cilium don't get their routes or routing policy rules discarded on network reconfiguration events ([Flatcar#620](https://github.com/flatcar-linux/Flatcar/issues/620)).
- Prevented hitting races when creating filesystems in Ignition; these races caused boot failures like `fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory` when creating a btrfs root filesystem ([ignition#35](https://github.com/flatcar-linux/ignition/pull/35))
- Reverted the Linux kernel change to forbid xfrm id 0 for IPSec state because it broke Cilium ([Flatcar#626](https://github.com/flatcar-linux/Flatcar/issues/626), [coreos-overlay#1682](https://github.com/flatcar-linux/coreos-overlay/pull/1682))

#### Updates

- Linux ([5.10.102](https://lwn.net/Articles/885896)) (from 5.10.96)
- Go ([1.17.7](https://go.googlesource.com/go/+/refs/tags/go1.17.7) (includes [1.17.6](https://go.googlesource.com/go/+/refs/tags/go1.17.6)))
- expat ([2.4.6](https://github.com/libexpat/libexpat/blob/R_2_4_6/expat/Changes))
- ca-certificates ([3.75](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_75.html))

New **LTS-2605** Release **2605.26.1**

_Changes since **LTS 2605.25.1**_

#### Security fixes

- Linux ([CVE-2021-43976](https://nvd.nist.gov/vuln/detail/CVE-2021-43976), [CVE-2022-0330](https://nvd.nist.gov/vuln/detail/CVE-2022-0330), [CVE-2022-22942](https://nvd.nist.gov/vuln/detail/CVE-2022-22942), [CVE-2022-24448](https://nvd.nist.gov/vuln/detail/CVE-2022-24448), [CVE-2022-0617](https://nvd.nist.gov/vuln/detail/CVE-2022-0617), [CVE-2022-24959](https://nvd.nist.gov/vuln/detail/CVE-2022-24959))

#### Updates

- Linux ([5.4.176](https://lwn.net/Articles/883443)) (from 5.4.173)

Best,
The Flatcar
Container Linux Maintainers

---

### Security

#### Alpha

* Go
  * [CVE-2022-23806](https://nvd.nist.gov/vuln/detail/CVE-2022-23806) CVSSv3 score: 9.1(Critical)
    Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
  * [CVE-2022-23772](https://nvd.nist.gov/vuln/detail/CVE-2022-23772) CVSSv3 score: 7.5(High)
    Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
  * [CVE-2022-23773](https://nvd.nist.gov/vuln/detail/CVE-2022-23773) CVSSv3 score: 7.5(High)
    cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
* Linux
  * [CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492) CVSSv3 score: 7.0(High)
    A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
  * [CVE-2022-0516](https://nvd.nist.gov/vuln/detail/CVE-2022-0516) CVSSv3 score: 7.8(High)
    A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel. This flaw allows a local attacker with a normal user privilege to obtain unauthorized memory write access.
  * [CVE-2022-0435](https://nvd.nist.gov/vuln/detail/CVE-2022-0435) CVSSv3 score: 7.1(High)
    A stack overflow flaw was found in the Linux kernel’s TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed.
    This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.
  * [CVE-2022-0487](https://nvd.nist.gov/vuln/detail/CVE-2022-0487) CVSSv3 score: 5.5(Medium)
    A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to 5.14 rc1.
  * [CVE-2022-25375](https://nvd.nist.gov/vuln/detail/CVE-2022-25375) CVSSv3 score: 5.5(Medium)
    An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.
  * [CVE-2022-25258](https://nvd.nist.gov/vuln/detail/CVE-2022-25258) CVSSv3 score: 4.6(Medium)
    An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
  * [CVE-2022-0847](https://nvd.nist.gov/vuln/detail/CVE-2022-0847) CVSSv3 score: n/a
    A vulnerability in the Linux kernel since version 5.8 allows anybody to write arbitrary data to arbitrary files, even if the file is O_RDONLY, immutable or on a MS_RDONLY filesystem. It can be used to inject code into arbitrary processes.
* cifs-utils
  * [CVE-2021-20208](https://nvd.nist.gov/vuln/detail/CVE-2021-20208) CVSSv3 score: 6.1(Medium)
    A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.
* duktape
  * [CVE-2021-46322](https://nvd.nist.gov/vuln/detail/CVE-2021-46322) CVSSv3 score: 5.5(Medium)
    Duktape v2.99.99 was discovered to contain a SEGV vulnerability via the component duk_push_tval in duktape/duk_api_stack.c.
* expat
  * [CVE-2022-25235](https://nvd.nist.gov/vuln/detail/CVE-2022-25235) CVSSv3 score: 9.8(Critical)
    xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
  * [CVE-2022-25236](https://nvd.nist.gov/vuln/detail/CVE-2022-25236) CVSSv3 score: 9.8(Critical)
    xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
  * [CVE-2022-25313](https://nvd.nist.gov/vuln/detail/CVE-2022-25313) CVSSv3 score: 6.5(Medium)
    In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
  * [CVE-2022-25314](https://nvd.nist.gov/vuln/detail/CVE-2022-25314) CVSSv3 score: 7.5(High)
    In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
  * [CVE-2022-25315](https://nvd.nist.gov/vuln/detail/CVE-2022-25315) CVSSv3 score: 9.8(Critical)
    In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
* libarchive
  * [CVE-2021-31566](https://nvd.nist.gov/vuln/detail/CVE-2021-31566) CVSSv3 score: 4.4(Medium)
    An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.
  * [CVE-2021-36976](https://nvd.nist.gov/vuln/detail/CVE-2021-36976) CVSSv3 score: 6.5(Medium)
    libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).
* libxml2
  * [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308) CVSSv3 score: 8.1(High)
    valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
* shadow
  * [CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235) CVSSv3 score: 4.7(Medium)
    shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees
* squashfs-tools
  * [CVE-2021-40153](https://nvd.nist.gov/vuln/detail/CVE-2021-40153) CVSSv3 score: 8.1(High)
    squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.
  * [CVE-2021-41072](https://nvd.nist.gov/vuln/detail/CVE-2021-41072) CVSSv3 score: 8.1(High)
    squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.
* systemd
  * [CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997) CVSSv3 score: 5.5(Medium)
    A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.
* vim
  * [CVE-2021-3984](https://nvd.nist.gov/vuln/detail/CVE-2021-3984) CVSSv3 score: 7.8(High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-4019](https://nvd.nist.gov/vuln/detail/CVE-2021-4019) CVSSv3 score: 7.8(High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-4069](https://nvd.nist.gov/vuln/detail/CVE-2021-4069) CVSSv3 score: 7.8(High)
    vim is vulnerable to Use After Free
  * [CVE-2021-4136](https://nvd.nist.gov/vuln/detail/CVE-2021-4136) CVSSv3 score: 7.8(High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-4173](https://nvd.nist.gov/vuln/detail/CVE-2021-4173) CVSSv3 score: 7.8(High)
    vim is vulnerable to Use After Free
  * [CVE-2021-4166](https://nvd.nist.gov/vuln/detail/CVE-2021-4166) CVSSv3 score: 7.1(High)
    vim is vulnerable to Out-of-bounds Read
  * [CVE-2021-4187](https://nvd.nist.gov/vuln/detail/CVE-2021-4187) CVSSv3 score: 7.8(High)
    vim is vulnerable to Use After Free
  * [CVE-2021-4192](https://nvd.nist.gov/vuln/detail/CVE-2021-4192) CVSSv3 score: 7.8(High)
    vim is vulnerable to Use After Free
  * [CVE-2021-4193](https://nvd.nist.gov/vuln/detail/CVE-2021-4193) CVSSv3 score: 5.5(Medium)
    vim is vulnerable to Out-of-bounds Read
  * [CVE-2022-0128](https://nvd.nist.gov/vuln/detail/CVE-2022-0128) CVSSv3 score: 7.8(High)
    vim is vulnerable to Out-of-bounds Read
  * [CVE-2022-0156](https://nvd.nist.gov/vuln/detail/CVE-2022-0156) CVSSv3 score: 5.5(Medium)
    vim is vulnerable to Use After Free
  * [CVE-2022-0158](https://nvd.nist.gov/vuln/detail/CVE-2022-0158) CVSSv3 score: 3.3(Low)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2022-0213](https://nvd.nist.gov/vuln/detail/CVE-2022-0213) CVSSv3 score: 6.6(Medium)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2022-0261](https://nvd.nist.gov/vuln/detail/CVE-2022-0261) CVSSv3 score: 7.8(High)
    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0318](https://nvd.nist.gov/vuln/detail/CVE-2022-0318) CVSSv3 score: 9.8(Critical)
    Heap-based Buffer Overflow in vim/vim prior to 8.2.
  * [CVE-2022-0319](https://nvd.nist.gov/vuln/detail/CVE-2022-0319) CVSSv3 score: 5.5(Medium)
    Out-of-bounds Read in vim/vim prior to 8.2.
  * [CVE-2022-0351](https://nvd.nist.gov/vuln/detail/CVE-2022-0351) CVSSv3 score: 7.8(High)
    Access of Memory Location Before Start of Buffer in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0359](https://nvd.nist.gov/vuln/detail/CVE-2022-0359) CVSSv3 score: 7.8(High)
    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0361](https://nvd.nist.gov/vuln/detail/CVE-2022-0361) CVSSv3 score: 7.8(High)
    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0368](https://nvd.nist.gov/vuln/detail/CVE-2022-0368) CVSSv3 score: 7.8(High)
    Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0392](https://nvd.nist.gov/vuln/detail/CVE-2022-0392) CVSSv3 score: 7.8(High)
    Heap-based Buffer Overflow in GitHub repository vim prior to 8.2.
  * [CVE-2022-0393](https://nvd.nist.gov/vuln/detail/CVE-2022-0393) CVSSv3 score: 7.1(High)
    Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0407](https://nvd.nist.gov/vuln/detail/CVE-2022-0407) CVSSv3 score: 7.8(High)
    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0408](https://nvd.nist.gov/vuln/detail/CVE-2022-0408) CVSSv3 score: 7.8(High)
    Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0413](https://nvd.nist.gov/vuln/detail/CVE-2022-0413) CVSSv3 score: 7.8(High)
    Use After Free in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0417](https://nvd.nist.gov/vuln/detail/CVE-2022-0417) CVSSv3 score: 7.8(High)
    Heap-based Buffer Overflow GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-0443](https://nvd.nist.gov/vuln/detail/CVE-2022-0443) CVSSv3 score: 7.8(High)
    Use After Free in GitHub repository vim/vim prior to 8.2.

#### Beta

* Linux
  * [CVE-2022-24448](https://nvd.nist.gov/vuln/detail/CVE-2022-24448) CVSSv3 score: 3.3(Low)
    An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.
  * [CVE-2022-0617](https://nvd.nist.gov/vuln/detail/CVE-2022-0617) CVSSv3 score: 5.5(Medium)
    A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2.
  * [CVE-2022-24959](https://nvd.nist.gov/vuln/detail/CVE-2022-24959) CVSSv3 score: 5.5(Medium)
    An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.
  * [CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492) CVSSv3 score: n/a
    A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
  * [CVE-2022-0516](https://nvd.nist.gov/vuln/detail/CVE-2022-0516) CVSSv3 score: n/a
  * [CVE-2022-0435](https://nvd.nist.gov/vuln/detail/CVE-2022-0435) CVSSv3 score: n/a
  * [CVE-2022-0487](https://nvd.nist.gov/vuln/detail/CVE-2022-0487) CVSSv3 score: 5.5(Medium)
    A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel.
    In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to 5.14 rc1.
  * [CVE-2022-25375](https://nvd.nist.gov/vuln/detail/CVE-2022-25375) CVSSv3 score: 5.5(Medium)
    An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.
  * [CVE-2022-25258](https://nvd.nist.gov/vuln/detail/CVE-2022-25258) CVSSv3 score: 4.6(Medium)
    An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
  * [CVE-2022-0847](https://nvd.nist.gov/vuln/detail/CVE-2022-0847) CVSSv3 score: n/a
    A vulnerability in the Linux kernel since version 5.8 allows anybody to write arbitrary data to arbitrary files, even if the file is O_RDONLY, immutable or on a MS_RDONLY filesystem. It can be used to inject code into arbitrary processes.
* GCC
  * [CVE-2020-13844](https://nvd.nist.gov/vuln/detail/CVE-2020-13844) CVSSv3 score: n/a
    Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."
* Go
  * [CVE-2021-44716](https://nvd.nist.gov/vuln/detail/CVE-2021-44716) CVSSv3 score: 7.5(High)
    net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
  * [CVE-2021-44717](https://nvd.nist.gov/vuln/detail/CVE-2021-44717) CVSSv3 score: 4.8(Medium)
    Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
  * [CVE-2022-23806](https://nvd.nist.gov/vuln/detail/CVE-2022-23806) CVSSv3 score: 9.1(Critical)
    Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
  * [CVE-2022-23772](https://nvd.nist.gov/vuln/detail/CVE-2022-23772) CVSSv3 score: 7.5(High)
    Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
  * [CVE-2022-23773](https://nvd.nist.gov/vuln/detail/CVE-2022-23773) CVSSv3 score: 7.5(High)
    cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
* SDK: QEMU
  * [CVE-2020-35504](https://nvd.nist.gov/vuln/detail/CVE-2020-35504) CVSSv3 score: 6(Medium)
    A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  * [CVE-2020-35505](https://nvd.nist.gov/vuln/detail/CVE-2020-35505) CVSSv3 score: 4.4(Medium)
    A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
    The highest threat from this vulnerability is to system availability.
  * [CVE-2020-35506](https://nvd.nist.gov/vuln/detail/CVE-2020-35506) CVSSv3 score: 6.7(Medium)
    A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
  * [CVE-2020-35517](https://nvd.nist.gov/vuln/detail/CVE-2020-35517) CVSSv3 score: 8.2(High)
    A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.
  * [CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203) CVSSv3 score: 3.2(Low)
    An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
  * [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255) CVSSv3 score: 5.5(Medium)
    A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  * [CVE-2021-20257](https://nvd.nist.gov/vuln/detail/CVE-2021-20257) CVSSv3 score: n/a
  * [CVE-2021-20263](https://nvd.nist.gov/vuln/detail/CVE-2021-20263) CVSSv3 score: 3.3(Low)
    A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
  * [CVE-2021-3409](https://nvd.nist.gov/vuln/detail/CVE-2021-3409) CVSSv3 score: 5.7(Medium)
    The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.
  * [CVE-2021-3416](https://nvd.nist.gov/vuln/detail/CVE-2021-3416) CVSSv3 score: 6(Medium)
    A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.
  * [CVE-2021-3527](https://nvd.nist.gov/vuln/detail/CVE-2021-3527) CVSSv3 score: 5.5(Medium)
    A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation.
    Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
  * [CVE-2021-3544](https://nvd.nist.gov/vuln/detail/CVE-2021-3544) CVSSv3 score: 6.5(Medium)
    Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.
  * [CVE-2021-3545](https://nvd.nist.gov/vuln/detail/CVE-2021-3545) CVSSv3 score: 6.5(Medium)
    An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.
  * [CVE-2021-3546](https://nvd.nist.gov/vuln/detail/CVE-2021-3546) CVSSv3 score: 8.2(High)
    An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.
  * [CVE-2021-3582](https://nvd.nist.gov/vuln/detail/CVE-2021-3582) CVSSv3 score: n/a
  * [CVE-2021-3607](https://nvd.nist.gov/vuln/detail/CVE-2021-3607) CVSSv3 score: n/a
    An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation.
    This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  * [CVE-2021-3608](https://nvd.nist.gov/vuln/detail/CVE-2021-3608) CVSSv3 score: n/a
    A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.
  * [CVE-2021-3682](https://nvd.nist.gov/vuln/detail/CVE-2021-3682) CVSSv3 score: 8.5(High)
    A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
* SDK: Rust
  * [CVE-2022-21658](https://nvd.nist.gov/vuln/detail/CVE-2022-21658) CVSSv3 score: 6.3(Medium)
    Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch.
    Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
* SDK: edk2-ovmf
  * [CVE-2019-14584](https://nvd.nist.gov/vuln/detail/CVE-2019-14584) CVSSv3 score: 7.8(High)
    Null pointer dereference in Tianocore EDK2 may allow an authenticated user to potentially enable escalation of privilege via local access.
  * [CVE-2021-28210](https://nvd.nist.gov/vuln/detail/CVE-2021-28210) CVSSv3 score: 7.8(High)
    An unlimited recursion in DxeCore in EDK II.
  * [CVE-2021-28211](https://nvd.nist.gov/vuln/detail/CVE-2021-28211) CVSSv3 score: 6.7(Medium)
    A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.
  * [CVE-2021-28213](https://nvd.nist.gov/vuln/detail/CVE-2021-28213) CVSSv3 score: 7.5(High)
    Example EDK2 encrypted private key in the IpSecDxe.efi present potential security risks.
* SDK: libxslt
  * [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) CVSSv3 score: 8.8(High)
    Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
* SDK: mantle
  * [CVE-2021-3121](https://nvd.nist.gov/vuln/detail/CVE-2021-3121) CVSSv3 score: 8.6(High)
    An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
  * [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561) CVSSv3 score: n/a
    Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
  * [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565) CVSSv3 score: n/a
    Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers.
* containerd
  * [CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816) CVSSv3 score: 9.1(Critical)
    containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
* expat
  * [CVE-2022-25235](https://nvd.nist.gov/vuln/detail/CVE-2022-25235) CVSSv3 score: 9.8(Critical)
    xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
  * [CVE-2022-25236](https://nvd.nist.gov/vuln/detail/CVE-2022-25236) CVSSv3 score: 9.8(Critical)
    xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
  * [CVE-2022-25313](https://nvd.nist.gov/vuln/detail/CVE-2022-25313) CVSSv3 score: 6.5(Medium)
    In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
  * [CVE-2022-25314](https://nvd.nist.gov/vuln/detail/CVE-2022-25314) CVSSv3 score: 7.5(High)
    In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
  * [CVE-2022-25315](https://nvd.nist.gov/vuln/detail/CVE-2022-25315) CVSSv3 score: 9.8(Critical)
    In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
* ignition
  * [CVE-2020-14040](https://nvd.nist.gov/vuln/detail/CVE-2020-14040) CVSSv3 score: 7.5(High)
    The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
  * [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561) CVSSv3 score: n/a
    Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
* krb5
  * [CVE-2021-37750](https://nvd.nist.gov/vuln/detail/CVE-2021-37750) CVSSv3 score: 6.5(Medium)
    The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
* openssh
  * [CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617) CVSSv3 score: 7(High)
    sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.
* openssl
  * [CVE-2021-4044](https://nvd.nist.gov/vuln/detail/CVE-2021-4044) CVSSv3 score: 7.5(High)
    Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains.
    By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).
* torcx
  * [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561) CVSSv3 score: n/a
    Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
  * [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565) CVSSv3 score: n/a
    Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers.
* vim
  * [CVE-2021-3872](https://nvd.nist.gov/vuln/detail/CVE-2021-3872) CVSSv3 score: 7.8(High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-3875](https://nvd.nist.gov/vuln/detail/CVE-2021-3875) CVSSv3 score: 5.5(Medium)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-3903](https://nvd.nist.gov/vuln/detail/CVE-2021-3903) CVSSv3 score: 7.8(High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-3927](https://nvd.nist.gov/vuln/detail/CVE-2021-3927) CVSSv3 score: 7.8(High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-3928](https://nvd.nist.gov/vuln/detail/CVE-2021-3928) CVSSv3 score: 7.8(High)
    vim is vulnerable to Use of Uninitialized Variable
  * [CVE-2021-3968](https://nvd.nist.gov/vuln/detail/CVE-2021-3968) CVSSv3 score: 8(High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-3973](https://nvd.nist.gov/vuln/detail/CVE-2021-3973) CVSSv3 score: 7.8(High)
    vim is vulnerable to Heap-based Buffer Overflow
  * [CVE-2021-3974](https://nvd.nist.gov/vuln/detail/CVE-2021-3974) CVSSv3 score: 7.8(High)
    vim is vulnerable to Use After Free

#### Stable

* Linux
  * [CVE-2022-24448](https://nvd.nist.gov/vuln/detail/CVE-2022-24448) CVSSv3 score: 3.3(Low)
    An issue was discovered in
    fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.
  * [CVE-2022-0617](https://nvd.nist.gov/vuln/detail/CVE-2022-0617) CVSSv3 score: 5.5(Medium)
    A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2.
  * [CVE-2022-24959](https://nvd.nist.gov/vuln/detail/CVE-2022-24959) CVSSv3 score: 5.5(Medium)
    An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.
  * [CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492) CVSSv3 score: n/a
    A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
  * [CVE-2022-0516](https://nvd.nist.gov/vuln/detail/CVE-2022-0516) CVSSv3 score: n/a
  * [CVE-2022-0435](https://nvd.nist.gov/vuln/detail/CVE-2022-0435) CVSSv3 score: n/a
  * [CVE-2022-0487](https://nvd.nist.gov/vuln/detail/CVE-2022-0487) CVSSv3 score: 5.5(Medium)
    A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to 5.14 rc1.
  * [CVE-2022-25375](https://nvd.nist.gov/vuln/detail/CVE-2022-25375) CVSSv3 score: 5.5(Medium)
    An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10.
    The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.
  * [CVE-2022-25258](https://nvd.nist.gov/vuln/detail/CVE-2022-25258) CVSSv3 score: 4.6(Medium)
    An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
  * [CVE-2022-0847](https://nvd.nist.gov/vuln/detail/CVE-2022-0847) CVSSv3 score: n/a
    A vulnerability in the Linux kernel since version 5.8 allows anybody to write arbitrary data to arbitrary files, even if the file is O_RDONLY, immutable or on a MS_RDONLY filesystem. It can be used to inject code into arbitrary processes.
* expat
  * [CVE-2022-25235](https://nvd.nist.gov/vuln/detail/CVE-2022-25235) CVSSv3 score: 9.8(Critical)
    xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
  * [CVE-2022-25236](https://nvd.nist.gov/vuln/detail/CVE-2022-25236) CVSSv3 score: 9.8(Critical)
    xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
  * [CVE-2022-25313](https://nvd.nist.gov/vuln/detail/CVE-2022-25313) CVSSv3 score: 6.5(Medium)
    In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
  * [CVE-2022-25314](https://nvd.nist.gov/vuln/detail/CVE-2022-25314) CVSSv3 score: 7.5(High)
    In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
  * [CVE-2022-25315](https://nvd.nist.gov/vuln/detail/CVE-2022-25315) CVSSv3 score: 9.8(Critical)
    In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
* go
    * [CVE-2022-23806](https://nvd.nist.gov/vuln/detail/CVE-2022-23806) CVSSv3 score: 9.1(Critical)
      Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
    * [CVE-2022-23772](https://nvd.nist.gov/vuln/detail/CVE-2022-23772) CVSSv3 score: 7.5(High)
      Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
    * [CVE-2022-23773](https://nvd.nist.gov/vuln/detail/CVE-2022-23773) CVSSv3 score: 7.5(High)
      cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
* ignition
    * [CVE-2020-14040](https://nvd.nist.gov/vuln/detail/CVE-2020-14040) CVSSv3 score: 7.5(High)
      The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

#### LTS

* Linux
    * [CVE-2021-43976](https://nvd.nist.gov/vuln/detail/CVE-2021-43976) CVSSv3 score: 4.6(Medium)
      In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
    * [CVE-2022-0330](https://nvd.nist.gov/vuln/detail/CVE-2022-0330) CVSSv3 score: n/a
    * [CVE-2022-22942](https://nvd.nist.gov/vuln/detail/CVE-2022-22942) CVSSv3 score: n/a
    * [CVE-2022-24448](https://nvd.nist.gov/vuln/detail/CVE-2022-24448) CVSSv3 score: 3.3(Low)
      An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.
    * [CVE-2022-0617](https://nvd.nist.gov/vuln/detail/CVE-2022-0617) CVSSv3 score: 5.5(Medium)
      A NULL pointer dereference flaw was found in the Linux kernel UDF file system functionality in the way a user triggers the udf_file_write_iter function for a malicious UDF image. A local user could use this flaw to crash the system. Affects Linux kernel versions from 4.2-rc1 until 5.17-rc2.
    * [CVE-2022-24959](https://nvd.nist.gov/vuln/detail/CVE-2022-24959) CVSSv3 score: 5.5(Medium)
      An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.

---

### Twitter

_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._

New Flatcar releases now available for all channels!

📦 Many package updates: [highlight], [highlight] ...

🔒 CVE fixes & security patches: [highlight fix], [highlight fix] ...

📜 Release notes at the usual spot: https://www.flatcar.org/releases/