# Flatcar Container Linux Release - March 21st, 2023
## Alpha 3549.0.0
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as "Flatcar Container Linux User", not with your personal user (this can be selected when drafting the post).
- Make sure the LTS is referred to as `LTS-2021`, and not `LTS-2605`
---
### Announcement Message
Subject: Announcing new releases Alpha 3549.0.0
Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha channel.
#### New Alpha Release 3549.0.0
_Changes since **Alpha 3535.0.0**_
#### Security fixes:
- Go ([CVE-2023-24532](https://nvd.nist.gov/vuln/detail/CVE-2023-24532))
- GnuTLS ([CVE-2023-0361](https://nvd.nist.gov/vuln/detail/CVE-2023-0361))
- curl ([CVE-2023-23914](https://nvd.nist.gov/vuln/detail/CVE-2023-23914), [CVE-2023-23915](https://nvd.nist.gov/vuln/detail/CVE-2023-23915), [CVE-2023-23916](https://nvd.nist.gov/vuln/detail/CVE-2023-23916))
- git ([CVE-2023-22490](https://nvd.nist.gov/vuln/detail/CVE-2023-22490), [CVE-2023-23946](https://nvd.nist.gov/vuln/detail/CVE-2023-23946))
- pkgconf ([CVE-2023-24056](https://nvd.nist.gov/vuln/detail/CVE-2023-24056))
- python ([CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329))
- vim ([CVE-2023-0288](https://nvd.nist.gov/vuln/detail/CVE-2023-0288), [CVE-2023-0433](https://nvd.nist.gov/vuln/detail/CVE-2023-0433))
#### Bug fixes:
- Restored the support to specify OEM partition files in Ignition when `/usr/share/oem` is given as initrd mount point ([bootengine#58](https://github.com/flatcar/bootengine/pull/58))
#### Changes:
- Added `pigz` to the image, a parallel gzip implementation, which is useful to speed up the (de)compression for large container image imports/exports ([coreos-overlay#2504](https://github.com/flatcar/coreos-overlay/pull/2504))
- Added new image signing pub key to `flatcar-install`, needed for download verification of releases built from July 2023 onwards, if you have copies of `flatcar-install` or the image signing pub key, you need to update them as well ([init#92](https://github.com/flatcar/init/pull/92))
- Enabled elfutils support in systemd-coredump. A backtrace will now appear in the journal for any program that dumps core ([coreos-overlay#2489](https://github.com/flatcar/coreos-overlay/pull/2489))
- Specifying the OEM filesystem in Ignition to write files to `/usr/share/oem` is not needed anymore ([bootengine#58](https://github.com/flatcar/bootengine/pull/58))
#### Updates:
- Go ([1.19.7](https://go.dev/doc/devel/release#go1.19.7))
- Linux ([5.15.103](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v5.15.103) (includes [5.15.102](https://lwn.net/Articles/925991), [5.15.101](https://lwn.net/Articles/925939), [5.15.100](https://lwn.net/Articles/925913), [5.15.99](https://lwn.net/Articles/925844)))
- Linux Firmware ([20230310](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20230310))
- Rust ([1.68.0](https://github.com/rust-lang/rust/releases/tag/1.68.0))
- ca-certificates ([3.89](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_89.html))
- open-vm-tools ([12.2.0](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.2.0))
- GLib ([2.74.5](https://gitlab.gnome.org/GNOME/glib/-/tags/2.74.5))
- GnuTLS ([3.8.0](https://gitlab.com/gnutls/gnutls/-/blob/3.8.0/NEWS))
- SDK: portage ([3.0.44](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.44))
- SDK: python ([3.10.10](https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-10-final))
- bind tools ([9.16.37](https://bind9.readthedocs.io/en/v9_16_37/notes.html#notes-for-bind-9-16-37))
- curl ([7.88.1](https://curl.se/changes.html#7_88_1) (includes [7.88.0](https://curl.se/changes.html#7_88_0)))
- diffutils ([3.9](https://savannah.gnu.org/forum/forum.php?forum_id=10282))
- gcc ([12.2.1](https://gcc.gnu.org/gcc-12/changes.html))
- git ([2.39.2](https://github.com/git/git/blob/v2.39.2/Documentation/RelNotes/2.39.2.txt))
- libpcap ([1.10.3](https://git.tcpdump.org/libpcap/blob/refs/tags/libpcap-1.10.3:/CHANGES) (includes [1.10.2](https://git.tcpdump.org/libpcap/blob/refs/tags/libpcap-1.10.2:/CHANGES)))
- qemu guest agent ([7.1.0](https://wiki.qemu.org/ChangeLog/7.1#Guest_agent))
- socat ([1.7.4.4](https://repo.or.cz/socat.git/blob/refs/tags/tag-1.7.4.4:/CHANGES))
- traceroute (2.1.1)
- vim ([9.0.1363](https://github.com/vim/vim/releases/tag/v9.0.1363))
---
### Security
With the Alpha 3549.0.0 release we ship fixes for the CVEs listed below.
#### Alpha 3549.0.0
* GnuTLS
  * [CVE-2023-0361](https://nvd.nist.gov/vuln/detail/CVE-2023-0361) CVSSv3 score: 7.5 (High)

    A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
* Go
  * [CVE-2023-24532](https://nvd.nist.gov/vuln/detail/CVE-2023-24532) CVSSv3 score: 5.3 (Medium)

    The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.
* curl
  * [CVE-2023-23914](https://nvd.nist.gov/vuln/detail/CVE-2023-23914) CVSSv3 score: 9.1 (Critical)

    A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.
  * [CVE-2023-23915](https://nvd.nist.gov/vuln/detail/CVE-2023-23915) CVSSv3 score: 6.5 (Medium)

    A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
  * [CVE-2023-23916](https://nvd.nist.gov/vuln/detail/CVE-2023-23916) CVSSv3 score: 7.5 (High)

    An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
* git
  * [CVE-2023-22490](https://nvd.nist.gov/vuln/detail/CVE-2023-22490) CVSSv3 score: n/a

    Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.
  * [CVE-2023-23946](https://nvd.nist.gov/vuln/detail/CVE-2023-23946) CVSSv3 score: 7.5 (High)

    Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
* pkgconf
  * [CVE-2023-24056](https://nvd.nist.gov/vuln/detail/CVE-2023-24056) CVSSv3 score: 5.5 (Medium)

    In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes.
* python
  * [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329) CVSSv3 score: 7.5 (High)

    An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
* vim
  * [CVE-2023-0288](https://nvd.nist.gov/vuln/detail/CVE-2023-0288) CVSSv3 score: 7.8 (High)

    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.
  * [CVE-2023-0433](https://nvd.nist.gov/vuln/detail/CVE-2023-0433) CVSSv3 score: 7.8 (High)

    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.
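The two git workarounds above (inspect `.gitmodules` URLs before `git submodule update`, and inspect a patch for a symlink followed by a file written beneath it before `git apply`) are manual review steps. The script below is an added example that automates that pre-flight review; it is not Flatcar or git project code. It parses `.gitmodules` and unified-diff text itself rather than calling git, treats only `https` URLs with a host as acceptable submodule sources (a policy assumed for the example), and uses constructed sample inputs labelled as such.

```python
"""Pre-flight checks for untrusted repositories and patches (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample .gitmodules: one ordinary https submodule and two entries
# a reviewer should stop at (a relative local path and a helper-style scheme).
SAMPLE_GITMODULES = """\
[submodule "vendor/good"]
\tpath = vendor/good
\turl = https://github.com/example-org/good.git
[submodule "vendor/local"]
\tpath = vendor/local
\turl = ../../../../tmp/elsewhere
[submodule "vendor/ext"]
\tpath = vendor/ext
\turl = ext::placeholder-helper
"""

# Constructed sample patch: first hunk creates a symlink (mode 120000),
# second hunk creates a regular file under that symlink's path.
SAMPLE_PATCH = """\
diff --git a/extern b/extern
new file mode 120000
index 0000000..0000000
--- /dev/null
+++ b/extern
@@ -0,0 +1 @@
+../outside
\\ No newline at end of file
diff --git a/extern/note.txt b/extern/note.txt
new file mode 100644
index 0000000..0000000
--- /dev/null
+++ b/extern/note.txt
@@ -0,0 +1 @@
+placeholder
"""

_SECTION = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
_KEYVAL = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')
_DIFF_HEADER = re.compile(r'^diff --git a/(\S+) b/(\S+)$')


def parse_gitmodules(text):
    """Return {submodule name: {key: value}} from .gitmodules text."""
    modules, current = {}, None
    for line in text.splitlines():
        sec = _SECTION.match(line)
        if sec:
            current = modules.setdefault(sec.group(1), {})
            continue
        kv = _KEYVAL.match(line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return modules


def suspicious_submodules(text, allowed_schemes=("https",)):
    """Names of submodules whose url is not an allowed remote scheme with a host.

    Relative paths, bare local paths, file:// and helper schemes such as
    ext:: all fail this check; those are the "suspicious module URLs" the
    workaround asks a reviewer to look for before `git submodule update`.
    """
    bad = []
    for name, cfg in parse_gitmodules(text).items():
        parts = urlsplit(cfg.get("url", ""))
        if parts.scheme.lower() not in allowed_schemes or not parts.netloc:
            bad.append(name)
    return bad


def patch_writes_through_new_symlink(patch_text):
    """Paths that a patch creates beneath a symlink the same patch created earlier.

    This is the shape `git apply --stat` review is meant to catch: a 120000
    (symlink) entry followed by a file whose path starts with that link.
    """
    new_symlinks, hits, current = set(), [], None
    for line in patch_text.splitlines():
        hdr = _DIFF_HEADER.match(line)
        if hdr:
            current = hdr.group(2)
            if any(current.startswith(link + "/") for link in new_symlinks):
                hits.append(current)
            continue
        if line == "new file mode 120000" and current:
            new_symlinks.add(current)
    return hits


if __name__ == "__main__":
    print("suspicious submodules:", suspicious_submodules(SAMPLE_GITMODULES))
    print("writes through new symlink:", patch_writes_through_new_symlink(SAMPLE_PATCH))
```

Run it on a real checkout by reading `.gitmodules` and the patch file into the two functions; a non-empty result is a reason to stop and look before running `git submodule update` or `git apply`. The symlink check only flags files that appear after the link in the same patch, which is the ordering the advisory describes; it is a review aid, not a substitute for upgrading git.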
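The python entry above describes a blocklist bypass: a URL with leading blank characters parsed by `urllib.parse` yielded no scheme and no host, so a host-based blocklist never saw the real destination. The following added example (not Flatcar or CPython code) shows a host blocklist check that normalizes the URL before parsing and fails closed, so its verdict does not depend on whether the interpreter carries the upstream fix. The blocklist and URLs are constructed for the example.

```python
"""Hardened host blocklist check for URLs (added example)."""
from urllib.parse import urlsplit

# Constructed sample blocklist of hosts this application refuses to fetch from.
BLOCKED_HOSTS = {"blocked.example", "169.254.169.254"}

# Space plus the C0 control characters (0x00-0x1f): the class of leading
# characters that an unfixed urllib.parse does not skip before the scheme.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def naive_is_blocked(url):
    """Parse as-is. On an unfixed interpreter a leading blank makes hostname None."""
    return urlsplit(url).hostname in BLOCKED_HOSTS


def normalize_url(url):
    """Strip leading/trailing space and control characters before parsing."""
    return url.strip(_LEADING_JUNK)


def hardened_is_blocked(url):
    """Normalize first, then refuse anything that still lacks a usable host.

    Returns True when the fetch must not proceed: either the host is on the
    blocklist or the URL is not a plain http(s) URL with a host (fail closed).
    """
    parts = urlsplit(normalize_url(url))
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return True
    return parts.hostname.lower() in BLOCKED_HOSTS


if __name__ == "__main__":
    for candidate in (" https://blocked.example/", "https://ok.example/"):
        print(repr(candidate), "blocked:", hardened_is_blocked(candidate))
```

The naive variant is kept only for contrast; its result for a URL with a leading blank differs between patched and unpatched interpreters, which is exactly why the check should not rely on parser behaviour alone.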
Best,
The Flatcar Container Linux Maintainers
---
### Communication
#### Go/No-Go message for Matrix/Slack
Go/No-Go Meeting for Alpha 3549.0.0
Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/
Tracking issue: https://github.com/flatcar/Flatcar/issues/977
The Go/No-Go document is in our HackMD @flatcar namespace
Link: https://hackmd.io/@flatcar/SJ4VBJzg3
Please give your Go/No-Go vote with the Go, No-Go, or Wait reaction emoji.
Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat.
@MAINTAINER @MAINTAINER @MAINTAINER
#### Mastodon
_The toot (from [@flatcar](https://hachyderm.io/@flatcar)) and tweet (from @flatcar) go out after the changelog update has been published; they include a link to the web changelog._
_Toot:_
New Flatcar Alpha release now available!
- Added pigz package (faster gzip)
- Many package updates: Linux, gcc, GnuTLS and more
- CVE fixes & security patches: git, curl, GnuTLS and more
- Rotated signing key
- Improved coredumps
- Release notes at the usual spot: https://www.flatcar.org/releases/
#linux #cloudnative #containers #updates #pigz
_Tweet:_
New Flatcar Alpha release now available!
- Added pigz package (faster gzip)
- Many package updates: Linux, gcc, GnuTLS and more
- CVE fixes & security patches: git, curl, GnuTLS and more
- Rotated signing key
- Improved coredumps
- Release notes: https://www.flatcar.org/releases/
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome Flatcar releases of this month:
- Alpha 3549.0.0 (new major)
These releases include:
- Package updates: Linux, gcc, GnuTLS and more
- CVE fixes & security patches: git, curl, GnuTLS and more
- Release notes at the usual spot: https://www.flatcar.org/releases/