# Flatcar Container Linux Release - 2022-10-24

## Flatcar-linux-3402.0.0-Alpha

- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None

VERDICT: _GO_

## Flatcar-linux-3374.1.0-Beta

- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None

VERDICT: _GO_

## Communication

---

#### Guidelines / Things to Remember

- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- The [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as "Flatcar Container Linux User", not with your personal user (this can be selected when drafting the post).
- Make sure the LTS is referred to as `LTS-2021`, and not `LTS-2605`

---

### Announcement Message

Subject: Announcing new Alpha 3402.0.0, Beta 3374.1.0 release.

Hello,

We are pleased to announce a new Flatcar Container Linux release for the Alpha 3402.0.0 and Beta 3374.1.0 channels.
# New **Alpha** Release **3402.0.0**

_Changes since **Alpha 3374.0.0**_

#### Security fixes:

- Linux ([CVE-2022-2308](https://nvd.nist.gov/vuln/detail/CVE-2022-2308), [CVE-2022-3621](https://nvd.nist.gov/vuln/detail/CVE-2022-3621), [CVE-2022-3646](https://nvd.nist.gov/vuln/detail/CVE-2022-3646), [CVE-2022-3649](https://nvd.nist.gov/vuln/detail/CVE-2022-3649), [CVE-2022-40768](https://nvd.nist.gov/vuln/detail/CVE-2022-40768), [CVE-2022-41674](https://nvd.nist.gov/vuln/detail/CVE-2022-41674), [CVE-2022-42719](https://nvd.nist.gov/vuln/detail/CVE-2022-42719), [CVE-2022-42720](https://nvd.nist.gov/vuln/detail/CVE-2022-42720), [CVE-2022-42721](https://nvd.nist.gov/vuln/detail/CVE-2022-42721), [CVE-2022-42722](https://nvd.nist.gov/vuln/detail/CVE-2022-42722))
- bind-tools ([CVE-2022-2795](https://nvd.nist.gov/vuln/detail/CVE-2022-2795), [CVE-2022-2881](https://nvd.nist.gov/vuln/detail/CVE-2022-2881), [CVE-2022-2906](https://nvd.nist.gov/vuln/detail/CVE-2022-2906), [CVE-2022-3080](https://nvd.nist.gov/vuln/detail/CVE-2022-3080), [CVE-2022-38177](https://nvd.nist.gov/vuln/detail/CVE-2022-38177), [CVE-2022-38178](https://nvd.nist.gov/vuln/detail/CVE-2022-38178))
- curl ([CVE-2022-35252](https://nvd.nist.gov/vuln/detail/CVE-2022-35252))
- dbus ([CVE-2022-42010](https://nvd.nist.gov/vuln/detail/CVE-2022-42010), [CVE-2022-42011](https://nvd.nist.gov/vuln/detail/CVE-2022-42011), [CVE-2022-42012](https://nvd.nist.gov/vuln/detail/CVE-2022-42012))
- go ([CVE-2022-41715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41715), [CVE-2022-2880](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2880), [CVE-2022-2879](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2879))
- libxml2 ([CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303), [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304))
- logrotate ([CVE-2022-1348](https://nvd.nist.gov/vuln/detail/CVE-2022-1348))
- vim ([CVE-2022-2042](https://nvd.nist.gov/vuln/detail/CVE-2022-2042),
[CVE-2022-2124](https://nvd.nist.gov/vuln/detail/CVE-2022-2124), [CVE-2022-2125](https://nvd.nist.gov/vuln/detail/CVE-2022-2125), [CVE-2022-2126](https://nvd.nist.gov/vuln/detail/CVE-2022-2126), [CVE-2022-2129](https://nvd.nist.gov/vuln/detail/CVE-2022-2129), [CVE-2022-2175](https://nvd.nist.gov/vuln/detail/CVE-2022-2175), [CVE-2022-2182](https://nvd.nist.gov/vuln/detail/CVE-2022-2182), [CVE-2022-2183](https://nvd.nist.gov/vuln/detail/CVE-2022-2183), [CVE-2022-2206](https://nvd.nist.gov/vuln/detail/CVE-2022-2206), [CVE-2022-2207](https://nvd.nist.gov/vuln/detail/CVE-2022-2207), [CVE-2022-2208](https://nvd.nist.gov/vuln/detail/CVE-2022-2208), [CVE-2022-2210](https://nvd.nist.gov/vuln/detail/CVE-2022-2210), [CVE-2022-2231](https://nvd.nist.gov/vuln/detail/CVE-2022-2231), [CVE-2022-2257](https://nvd.nist.gov/vuln/detail/CVE-2022-2257), [CVE-2022-2264](https://nvd.nist.gov/vuln/detail/CVE-2022-2264), [CVE-2022-2284](https://nvd.nist.gov/vuln/detail/CVE-2022-2284), [CVE-2022-2285](https://nvd.nist.gov/vuln/detail/CVE-2022-2285), [CVE-2022-2286](https://nvd.nist.gov/vuln/detail/CVE-2022-2286), [CVE-2022-2287](https://nvd.nist.gov/vuln/detail/CVE-2022-2287), [CVE-2022-2288](https://nvd.nist.gov/vuln/detail/CVE-2022-2288), [CVE-2022-2289](https://nvd.nist.gov/vuln/detail/CVE-2022-2289), [CVE-2022-2304](https://nvd.nist.gov/vuln/detail/CVE-2022-2304), [CVE-2022-2343](https://nvd.nist.gov/vuln/detail/CVE-2022-2343), [CVE-2022-2344](https://nvd.nist.gov/vuln/detail/CVE-2022-2344), [CVE-2022-2345](https://nvd.nist.gov/vuln/detail/CVE-2022-2345), [CVE-2022-2522](https://nvd.nist.gov/vuln/detail/CVE-2022-2522), [CVE-2022-2816](https://nvd.nist.gov/vuln/detail/CVE-2022-2816), [CVE-2022-2817](https://nvd.nist.gov/vuln/detail/CVE-2022-2817), [CVE-2022-2819](https://nvd.nist.gov/vuln/detail/CVE-2022-2819), [CVE-2022-2845](https://nvd.nist.gov/vuln/detail/CVE-2022-2845), [CVE-2022-2849](https://nvd.nist.gov/vuln/detail/CVE-2022-2849), 
[CVE-2022-2862](https://nvd.nist.gov/vuln/detail/CVE-2022-2862), [CVE-2022-2874](https://nvd.nist.gov/vuln/detail/CVE-2022-2874), [CVE-2022-2889](https://nvd.nist.gov/vuln/detail/CVE-2022-2889), [CVE-2022-2923](https://nvd.nist.gov/vuln/detail/CVE-2022-2923), [CVE-2022-2946](https://nvd.nist.gov/vuln/detail/CVE-2022-2946), [CVE-2022-2980](https://nvd.nist.gov/vuln/detail/CVE-2022-2980), [CVE-2022-2982](https://nvd.nist.gov/vuln/detail/CVE-2022-2982), [CVE-2022-3016](https://nvd.nist.gov/vuln/detail/CVE-2022-3016), [CVE-2022-3099](https://nvd.nist.gov/vuln/detail/CVE-2022-3099), [CVE-2022-3134](https://nvd.nist.gov/vuln/detail/CVE-2022-3134), [CVE-2022-3153](https://nvd.nist.gov/vuln/detail/CVE-2022-3153), [CVE-2022-1725](https://nvd.nist.gov/vuln/detail/CVE-2022-1725), [CVE-2022-3234](https://nvd.nist.gov/vuln/detail/CVE-2022-3234), [CVE-2022-3235](https://nvd.nist.gov/vuln/detail/CVE-2022-3235), [CVE-2022-3278](https://nvd.nist.gov/vuln/detail/CVE-2022-3278), [CVE-2022-3256](https://nvd.nist.gov/vuln/detail/CVE-2022-3256), [CVE-2022-3296](https://nvd.nist.gov/vuln/detail/CVE-2022-3296), [CVE-2022-3297](https://nvd.nist.gov/vuln/detail/CVE-2022-3297), [CVE-2022-3324](https://nvd.nist.gov/vuln/detail/CVE-2022-3324), [CVE-2022-3352](https://nvd.nist.gov/vuln/detail/CVE-2022-3352))
- SDK: rust ([CVE-2022-36113](https://nvd.nist.gov/vuln/detail/CVE-2022-36113), [CVE-2022-36114](https://nvd.nist.gov/vuln/detail/CVE-2022-36114))

#### Bug fixes:

- Enabled IOMMU on arm64 kernels, the lack of which prevented some systems from booting ([coreos-overlay#2235](https://github.com/flatcar/coreos-overlay/pull/2235))

#### Changes:

- Added `CONFIG_NF_CONNTRACK_BRIDGE` (for nf_conntrack_bridge) and `CONFIG_NFT_BRIDGE_META` (for nft_meta_bridge) to the kernel config to allow using conntrack rules for bridges in nftables and to match on bridge interface names ([coreos-overlay#2207](https://github.com/flatcar/coreos-overlay/pull/2207))
- Change CONFIG_WIREGUARD kernel option to module
to save space on the boot partition ([coreos-overlay#2239](https://github.com/flatcar/coreos-overlay/pull/2239))
- Disable several arch-specific arm64 kernel config options for unsupported platforms to save space on the boot partition ([coreos-overlay#2239](https://github.com/flatcar/coreos-overlay/pull/2239))
- OpenStack: enabled `coreos-metadata-sshkeys@.service` to provision SSH keys from metadata ([Flatcar#817](https://github.com/flatcar/Flatcar/issues/817), [coreos-overlay#2246](https://github.com/flatcar/coreos-overlay/pull/2246))
- Switched from `--strip-unneeded` to `--strip-debug` when installing kernel modules, which makes kernel stack traces more accurate and makes debugging issues easier ([coreos-overlay#2196](https://github.com/flatcar/coreos-overlay/pull/2196))
- The flatcar-update tool got two new flags to customize the ports used on the host while updating Flatcar ([init#81](https://github.com/flatcar/init/pull/81))
- Add qemu-guest-agent to all amd64 images; it will be automatically enabled when the qemu-ga virtio port is detected ([coreos-overlay#2240](https://github.com/flatcar/coreos-overlay/pull/2240), [portage-stable#373](https://github.com/flatcar/portage-stable/pull/373))

#### Updates:

- Linux ([5.15.74](https://lwn.net/Articles/911275/) (includes [5.15.71](https://lwn.net/Articles/909679), [5.15.72](https://lwn.net/Articles/910398), [5.15.73](https://lwn.net/Articles/910957)))
- Linux Firmware ([20221012](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20221012))
- bind-tools ([9.16.33](https://gitlab.isc.org/isc-projects/bind9/-/raw/v9_16_33/CHANGES))
- bpftool ([5.19.2](https://lwn.net/Articles/904957/))
- ca-certificates ([3.84](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_84.html))
- curl ([7.85](https://curl.se/mail/archive-2022-08/0012.html))
- dbus ([1.14.4](https://gitlab.freedesktop.org/dbus/dbus/-/raw/dbus-1.14.4/NEWS))
- Docker
([20.10.20](https://docs.docker.com/engine/release-notes/#201020))
- git ([2.37.3](https://github.com/git/git/blob/v2.37.3/Documentation/RelNotes/2.37.3.txt))
- glibc ([2.34](https://sourceware.org/pipermail/libc-alpha/2021-August/129718.html))
- Go ([1.18.7](https://go.dev/doc/devel/release#1.18.7))
- libxml2 ([2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3))
- logrotate ([3.20.1](https://github.com/logrotate/logrotate/releases/tag/3.20.1))
- nmap ([7.93](https://nmap.org/changelog.html#7.93))
- pahole ([1.23](https://git.kernel.org/pub/scm/devel/pahole/pahole.git/tag/?h=v1.23))
- strace ([5.19](https://github.com/strace/strace/releases/tag/v5.19))
- vim ([9.0.0655](https://github.com/vim/vim/releases/tag/v9.0.0655))
- wireguard-tools ([1.0.20210914](https://github.com/WireGuard/wireguard-tools/releases/tag/v1.0.20210914))
- zlib ([1.2.13](https://github.com/madler/zlib/releases/tag/v1.2.13))
- SDK: catalyst ([3.0.21](https://gitweb.gentoo.org/proj/catalyst.git/log/?h=3.0.21))
- SDK: cmake ([3.23.3](https://cmake.org/cmake/help/v3.23/release/3.23.html))
- SDK: libxslt ([1.1.37](https://gitlab.gnome.org/GNOME/libxslt/-/tags/v1.1.37))
- SDK: meson ([0.62.2](https://mesonbuild.com/Release-notes-for-0-62-0.html))
- SDK: ninja ([1.11.0](https://groups.google.com/g/ninja-build/c/R2oCyDctDf8/m/-U94Y5I8AgAJ?pli=1))
- SDK: Rust ([1.64.0](https://github.com/rust-lang/rust/releases/tag/1.64.0))

# New **Beta** Release **3374.1.0**

_Changes since **Beta 3346.1.0**_

#### Security fixes:

- Linux ([CVE-2022-2308](https://nvd.nist.gov/vuln/detail/CVE-2022-2308), [CVE-2022-40768](https://nvd.nist.gov/vuln/detail/CVE-2022-40768), [CVE-2022-41674](https://nvd.nist.gov/vuln/detail/CVE-2022-41674), [CVE-2022-42719](https://nvd.nist.gov/vuln/detail/CVE-2022-42719), [CVE-2022-42720](https://nvd.nist.gov/vuln/detail/CVE-2022-42720), [CVE-2022-42721](https://nvd.nist.gov/vuln/detail/CVE-2022-42721), [CVE-2022-42722](https://nvd.nist.gov/vuln/detail/CVE-2022-42722))
- Docker
([CVE-2022-36109](https://nvd.nist.gov/vuln/detail/CVE-2022-36109))
- GNU Libtasn1 ([Gentoo#866237](https://bugs.gentoo.org/866237))
- intel-microcode ([CVE-2022-21233](https://nvd.nist.gov/vuln/detail/CVE-2022-21233))
- libxml2 ([CVE-2016-3709](https://nvd.nist.gov/vuln/detail/CVE-2016-3709), [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309))
- polkit ([CVE-2021-4115](https://nvd.nist.gov/vuln/detail/CVE-2021-4115))
- rsync ([CVE-2022-29154](https://nvd.nist.gov/vuln/detail/CVE-2022-29154))
- unzip ([CVE-2022-0529](https://nvd.nist.gov/vuln/detail/CVE-2022-0529), [CVE-2022-0530](https://nvd.nist.gov/vuln/detail/CVE-2022-0530), [CVE-2021-4217](https://nvd.nist.gov/vuln/detail/CVE-2021-4217))
- zlib ([CVE-2022-37434](https://nvd.nist.gov/vuln/detail/CVE-2022-37434))

#### Changes:

- OpenStack: enabled `coreos-metadata-sshkeys@.service` to provision SSH keys from metadata ([Flatcar#817](https://github.com/flatcar/Flatcar/issues/817), [coreos-overlay#2246](https://github.com/flatcar/coreos-overlay/pull/2246))

#### Updates:

- Linux ([5.15.74](https://lwn.net/Articles/911275/) (includes [5.15.71](https://lwn.net/Articles/909679), [5.15.72](https://lwn.net/Articles/910398), [5.15.73](https://lwn.net/Articles/910957)))
- Linux Firmware ([20220913](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220913))
- ca-certificates ([3.84](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_84.html))
- Docker ([20.10.18](https://docs.docker.com/engine/release-notes/#201018))
- GNU Libtasn1 ([4.19.0](https://lists.gnu.org/archive/html/help-libtasn1/2022-08/msg00001.html))
- intel-microcode ([20220809](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220809))
- libxml2 ([2.10.2](https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.2))
- polkit ([121](https://gitlab.freedesktop.org/polkit/polkit/-/commit/827b0ddac5b1ef00a47fca4526fcf057bee5f1db))
- rsync
([3.2.6](https://github.com/WayneD/rsync/releases/tag/v3.2.6))
- runc ([1.1.4](https://github.com/opencontainers/runc/releases/tag/v1.1.4))
- unzip ([6.0_p27](https://metadata.ftp-master.debian.org/changelogs//main/u/unzip/unzip_6.0-27_changelog))
- SDK: libxslt ([1.1.35](https://gitlab.gnome.org/GNOME/libxslt/-/tags/v1.1.35))

_Changes since **Alpha 3374.0.0**_

#### Security fixes:

- Linux ([CVE-2022-2308](https://nvd.nist.gov/vuln/detail/CVE-2022-2308), [CVE-2022-40768](https://nvd.nist.gov/vuln/detail/CVE-2022-40768), [CVE-2022-41674](https://nvd.nist.gov/vuln/detail/CVE-2022-41674), [CVE-2022-42719](https://nvd.nist.gov/vuln/detail/CVE-2022-42719), [CVE-2022-42720](https://nvd.nist.gov/vuln/detail/CVE-2022-42720), [CVE-2022-42721](https://nvd.nist.gov/vuln/detail/CVE-2022-42721), [CVE-2022-42722](https://nvd.nist.gov/vuln/detail/CVE-2022-42722))

#### Changes:

- OpenStack: enabled `coreos-metadata-sshkeys@.service` to provision SSH keys from metadata ([Flatcar#817](https://github.com/flatcar/Flatcar/issues/817), [coreos-overlay#2246](https://github.com/flatcar/coreos-overlay/pull/2246))

#### Updates:

- Linux ([5.15.74](https://lwn.net/Articles/911275/) (includes [5.15.71](https://lwn.net/Articles/909679), [5.15.72](https://lwn.net/Articles/910398), [5.15.73](https://lwn.net/Articles/910957)))
- ca-certificates ([3.84](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_84.html))

Best,
The Flatcar Container Linux Maintainers

---

### Security

**Subject**: Security issues fixed with the latest Alpha, Beta release(s)

**Security fix**: With the Alpha 3402.0.0, Beta 3374.1.0 release(s) we ship fixes for the CVEs listed below.

#### Alpha 3402.0.0

* Linux
  * [CVE-2022-2308](https://nvd.nist.gov/vuln/detail/CVE-2022-2308) CVSSv3 score: 6.5 (Medium). A flaw was found in vDPA with VDUSE backend.
There are currently no checks in the VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio driver config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config(), returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.
  * [CVE-2022-3621](https://nvd.nist.gov/vuln/detail/CVE-2022-3621) CVSSv3 score: n/a. A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.
  * [CVE-2022-3646](https://nvd.nist.gov/vuln/detail/CVE-2022-3646) CVSSv3 score: n/a. A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability.
  * [CVE-2022-3649](https://nvd.nist.gov/vuln/detail/CVE-2022-3649) CVSSv3 score: n/a. A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.
  * [CVE-2022-40768](https://nvd.nist.gov/vuln/detail/CVE-2022-40768) CVSSv3 score: 5.5 (Medium). drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
  * [CVE-2022-41674](https://nvd.nist.gov/vuln/detail/CVE-2022-41674) CVSSv3 score: 8.1 (High). An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.
  * [CVE-2022-42719](https://nvd.nist.gov/vuln/detail/CVE-2022-42719) CVSSv3 score: 8.8 (High). A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.
  * [CVE-2022-42720](https://nvd.nist.gov/vuln/detail/CVE-2022-42720) CVSSv3 score: 7.8 (High). Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.
  * [CVE-2022-42721](https://nvd.nist.gov/vuln/detail/CVE-2022-42721) CVSSv3 score: 5.5 (Medium). A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.
  * [CVE-2022-42722](https://nvd.nist.gov/vuln/detail/CVE-2022-42722) CVSSv3 score: 5.5 (Medium). In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.
* SDK: rust
  * [CVE-2022-36113](https://nvd.nist.gov/vuln/detail/CVE-2022-36113) CVSSv3 score: 8.1 (High). Cargo is a package manager for the Rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it has extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with "ok". This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder-to-track-down way. Your dependencies must still be trusted if you want to be protected from attacks, as it is possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. Mitigations: We recommend users of alternate registries to exercise care in which packages they download, by only including trusted dependencies in their projects.
Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.
  * [CVE-2022-36114](https://nvd.nist.gov/vuln/detail/CVE-2022-36114) CVSSv3 score: 6.5 (Medium). Cargo is a package manager for the Rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts far more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder-to-track-down way. Your dependencies must still be trusted if you want to be protected from attacks, as it is possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain.
Mitigations: We recommend users of alternate registries to exercise care in which packages they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.
* bind-tools
  * [CVE-2022-2795](https://nvd.nist.gov/vuln/detail/CVE-2022-2795) CVSSv3 score: 7.5 (High). By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
  * [CVE-2022-2881](https://nvd.nist.gov/vuln/detail/CVE-2022-2881) CVSSv3 score: 8.2 (High). The underlying bug might cause a read past the end of the buffer and either read memory it should not read, or crash the process.
  * [CVE-2022-2906](https://nvd.nist.gov/vuln/detail/CVE-2022-2906) CVSSv3 score: n/a. An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
  * [CVE-2022-3080](https://nvd.nist.gov/vuln/detail/CVE-2022-3080) CVSSv3 score: n/a. By sending specific queries to the resolver, an attacker can cause named to crash.
  * [CVE-2022-38177](https://nvd.nist.gov/vuln/detail/CVE-2022-38177) CVSSv3 score: n/a. By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak.
It is possible to gradually erode available memory to the point where named crashes for lack of resources.
  * [CVE-2022-38178](https://nvd.nist.gov/vuln/detail/CVE-2022-38178) CVSSv3 score: n/a. By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.
* curl
  * [CVE-2022-35252](https://nvd.nist.gov/vuln/detail/CVE-2022-35252) CVSSv3 score: 3.7 (Low). When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies using control codes that, when later sent back to an HTTP server, might make the server return 400 responses, effectively allowing a "sister site" to deny service to all siblings.
* dbus
  * [CVE-2022-42010](https://nvd.nist.gov/vuln/detail/CVE-2022-42010) CVSSv3 score: 6.5 (Medium). An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.
  * [CVE-2022-42011](https://nvd.nist.gov/vuln/detail/CVE-2022-42011) CVSSv3 score: 6.5 (Medium). An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.
  * [CVE-2022-42012](https://nvd.nist.gov/vuln/detail/CVE-2022-42012) CVSSv3 score: 6.5 (Medium). An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.
* libxml2
  * [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303) CVSSv3 score: n/a. Fix integer overflows with XML_PARSE_HUGE.
  * [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304) CVSSv3 score: n/a. Fix dict corruption caused by entity reference cycles.
* logrotate
  * [CVE-2022-1348](https://nvd.nist.gov/vuln/detail/CVE-2022-1348) CVSSv3 score: 6.5 (Medium). A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
* vim
  * [CVE-2022-2042](https://nvd.nist.gov/vuln/detail/CVE-2022-2042) CVSSv3 score: 9.8 (Critical). Use After Free in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2124](https://nvd.nist.gov/vuln/detail/CVE-2022-2124) CVSSv3 score: 7.8 (High). Buffer Over-read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2125](https://nvd.nist.gov/vuln/detail/CVE-2022-2125) CVSSv3 score: 7.8 (High). Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2126](https://nvd.nist.gov/vuln/detail/CVE-2022-2126) CVSSv3 score: 7.8 (High). Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2129](https://nvd.nist.gov/vuln/detail/CVE-2022-2129) CVSSv3 score: 7.8 (High). Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2175](https://nvd.nist.gov/vuln/detail/CVE-2022-2175) CVSSv3 score: 7.8 (High). Buffer Over-read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2182](https://nvd.nist.gov/vuln/detail/CVE-2022-2182) CVSSv3 score: 7.8 (High). Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2183](https://nvd.nist.gov/vuln/detail/CVE-2022-2183) CVSSv3 score: 7.8 (High). Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2206](https://nvd.nist.gov/vuln/detail/CVE-2022-2206) CVSSv3 score: 7.8 (High). Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2207](https://nvd.nist.gov/vuln/detail/CVE-2022-2207) CVSSv3 score: 9.8 (Critical). Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2208](https://nvd.nist.gov/vuln/detail/CVE-2022-2208) CVSSv3 score: 5.5 (Medium). NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.
  * [CVE-2022-2210](https://nvd.nist.gov/vuln/detail/CVE-2022-2210) CVSSv3 score: 7.8 (High). Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2231](https://nvd.nist.gov/vuln/detail/CVE-2022-2231) CVSSv3 score: 5.5 (Medium). NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.
  * [CVE-2022-2257](https://nvd.nist.gov/vuln/detail/CVE-2022-2257) CVSSv3 score: 7.8 (High). Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2264](https://nvd.nist.gov/vuln/detail/CVE-2022-2264) CVSSv3 score: 7.8 (High). Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2284](https://nvd.nist.gov/vuln/detail/CVE-2022-2284) CVSSv3 score: 7.8 (High). Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2285](https://nvd.nist.gov/vuln/detail/CVE-2022-2285) CVSSv3 score: 7.8 (High). Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2286](https://nvd.nist.gov/vuln/detail/CVE-2022-2286) CVSSv3 score: 7.8 (High). Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2287](https://nvd.nist.gov/vuln/detail/CVE-2022-2287) CVSSv3 score: 7.1 (High). Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2288](https://nvd.nist.gov/vuln/detail/CVE-2022-2288) CVSSv3 score: 7.8 (High). Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2289](https://nvd.nist.gov/vuln/detail/CVE-2022-2289) CVSSv3 score: 7.8 (High). Use After Free in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2304](https://nvd.nist.gov/vuln/detail/CVE-2022-2304) CVSSv3 score: 7.8 (High). Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
  * [CVE-2022-2343](https://nvd.nist.gov/vuln/detail/CVE-2022-2343) CVSSv3 score: 7.8 (High). Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.
  * [CVE-2022-2344](https://nvd.nist.gov/vuln/detail/CVE-2022-2344) CVSSv3 score: 7.8 (High). Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.
  * [CVE-2022-2345](https://nvd.nist.gov/vuln/detail/CVE-2022-2345) CVSSv3 score: 7.8 (High). Use After Free in GitHub repository vim/vim prior to 9.0.0046.
  * [CVE-2022-2522](https://nvd.nist.gov/vuln/detail/CVE-2022-2522) CVSSv3 score: 7.8 (High). Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.
  * [CVE-2022-2816](https://nvd.nist.gov/vuln/detail/CVE-2022-2816) CVSSv3 score: 7.8 (High). Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.
  * [CVE-2022-2817](https://nvd.nist.gov/vuln/detail/CVE-2022-2817) CVSSv3 score: 7.8 (High). Use After Free in GitHub repository vim/vim prior to 9.0.0213.
  * [CVE-2022-2819](https://nvd.nist.gov/vuln/detail/CVE-2022-2819) CVSSv3 score: 7.8 (High). Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211.
  * [CVE-2022-2845](https://nvd.nist.gov/vuln/detail/CVE-2022-2845) CVSSv3 score: 7.8 (High). Buffer Over-read in GitHub repository vim/vim prior to 9.0.0218.
  * [CVE-2022-2849](https://nvd.nist.gov/vuln/detail/CVE-2022-2849) CVSSv3 score: 7.8 (High). Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220.
  * [CVE-2022-2862](https://nvd.nist.gov/vuln/detail/CVE-2022-2862) CVSSv3 score: 7.8 (High). Use After Free in GitHub repository vim/vim prior to 9.0.0221.
  * [CVE-2022-2874](https://nvd.nist.gov/vuln/detail/CVE-2022-2874) CVSSv3 score: 5.5 (Medium). NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224.
  * [CVE-2022-2889](https://nvd.nist.gov/vuln/detail/CVE-2022-2889) CVSSv3 score: 7.8 (High). Use After Free in GitHub repository vim/vim prior to 9.0.0225.
  * [CVE-2022-2923](https://nvd.nist.gov/vuln/detail/CVE-2022-2923) CVSSv3 score: 5.5 (Medium). NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.
  * [CVE-2022-2946](https://nvd.nist.gov/vuln/detail/CVE-2022-2946) CVSSv3 score: 7.8 (High). Use After Free in GitHub repository vim/vim prior to 9.0.0246.
  * [CVE-2022-2980](https://nvd.nist.gov/vuln/detail/CVE-2022-2980) CVSSv3 score: 5.5 (Medium). NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259.
  * [CVE-2022-2982](https://nvd.nist.gov/vuln/detail/CVE-2022-2982) CVSSv3 score: 7.8 (High). Use After Free in GitHub repository vim/vim prior to 9.0.0260.
  * [CVE-2022-3016](https://nvd.nist.gov/vuln/detail/CVE-2022-3016) CVSSv3 score: 7.8 (High). Use After Free in GitHub repository vim/vim prior to 9.0.0286.
  * [CVE-2022-3099](https://nvd.nist.gov/vuln/detail/CVE-2022-3099) CVSSv3 score: 7.8 (High). Use After Free in GitHub repository vim/vim prior to 9.0.0360.
  * [CVE-2022-3134](https://nvd.nist.gov/vuln/detail/CVE-2022-3134) CVSSv3 score: 7.8 (High). Use After Free in GitHub repository vim/vim prior to 9.0.0389.
  * [CVE-2022-3153](https://nvd.nist.gov/vuln/detail/CVE-2022-3153) CVSSv3 score: 5.5 (Medium). NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.
  * [CVE-2022-1725](https://nvd.nist.gov/vuln/detail/CVE-2022-1725) CVSSv3 score: 5.5 (Medium). NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4959.
  * [CVE-2022-3234](https://nvd.nist.gov/vuln/detail/CVE-2022-3234) CVSSv3 score: 7.8 (High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.
  * [CVE-2022-3235](https://nvd.nist.gov/vuln/detail/CVE-2022-3235) CVSSv3 score: 7.8 (High) Use After Free in GitHub repository vim/vim prior to 9.0.0490.
  * [CVE-2022-3278](https://nvd.nist.gov/vuln/detail/CVE-2022-3278) CVSSv3 score: 5.5 (Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.
  * [CVE-2022-3256](https://nvd.nist.gov/vuln/detail/CVE-2022-3256) CVSSv3 score: 7.8 (High) Use After Free in GitHub repository vim/vim prior to 9.0.0530.
  * [CVE-2022-3296](https://nvd.nist.gov/vuln/detail/CVE-2022-3296) CVSSv3 score: 7.8 (High) Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.
  * [CVE-2022-3297](https://nvd.nist.gov/vuln/detail/CVE-2022-3297) CVSSv3 score: 7.8 (High) Use After Free in GitHub repository vim/vim prior to 9.0.0579.
  * [CVE-2022-3324](https://nvd.nist.gov/vuln/detail/CVE-2022-3324) CVSSv3 score: 7.8 (High) Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.
  * [CVE-2022-3352](https://nvd.nist.gov/vuln/detail/CVE-2022-3352) CVSSv3 score: 7.8 (High) Use After Free in GitHub repository vim/vim prior to 9.0.0614.

#### Beta 3374.1.0

* Docker
  * [CVE-2022-36109](https://nvd.nist.gov/vuln/detail/CVE-2022-36109) CVSSv3 score: n/a Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18.
    Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `USER $USERNAME` Dockerfile instruction; calling `ENTRYPOINT ["su", "-", "user"]` instead sets up the supplementary groups properly.
* Linux
  * [CVE-2022-2308](https://nvd.nist.gov/vuln/detail/CVE-2022-2308) CVSSv3 score: 6.5 (Medium) A flaw was found in vDPA with VDUSE backend. There are currently no checks in the VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers' config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config(), returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.
  * [CVE-2022-40768](https://nvd.nist.gov/vuln/detail/CVE-2022-40768) CVSSv3 score: 5.5 (Medium) drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
  * [CVE-2022-41674](https://nvd.nist.gov/vuln/detail/CVE-2022-41674) CVSSv3 score: 8.1 (High) An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.
  * [CVE-2022-42719](https://nvd.nist.gov/vuln/detail/CVE-2022-42719) CVSSv3 score: 8.8 (High) A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.
  * [CVE-2022-42720](https://nvd.nist.gov/vuln/detail/CVE-2022-42720) CVSSv3 score: 7.8 (High) Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.
  * [CVE-2022-42721](https://nvd.nist.gov/vuln/detail/CVE-2022-42721) CVSSv3 score: 5.5 (Medium) A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.
  * [CVE-2022-42722](https://nvd.nist.gov/vuln/detail/CVE-2022-42722) CVSSv3 score: 5.5 (Medium) In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.
* intel-microcode
  * [CVE-2022-21233](https://nvd.nist.gov/vuln/detail/CVE-2022-21233) CVSSv3 score: 5.5 (Medium) Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
* libxml2
  * [CVE-2016-3709](https://nvd.nist.gov/vuln/detail/CVE-2016-3709) CVSSv3 score: 6.1 (Medium) Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
  * [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309) CVSSv3 score: 7.5 (High) NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function).
    Such code shouldn't be in widespread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via the iterwalk function, a crash can be triggered.
* polkit
  * [CVE-2021-4115](https://nvd.nist.gov/vuln/detail/CVE-2021-4115) CVSSv3 score: 5.5 (Medium) There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: the polkit process outage duration is tied to the failing process being reaped and a new one being spawned.
* rsync
  * [CVE-2022-29154](https://nvd.nist.gov/vuln/detail/CVE-2022-29154) CVSSv3 score: 7.4 (High) An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
* unzip
  * [CVE-2022-0529](https://nvd.nist.gov/vuln/detail/CVE-2022-0529) CVSSv3 score: 5.5 (Medium) A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap out-of-bounds write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
  * [CVE-2022-0530](https://nvd.nist.gov/vuln/detail/CVE-2022-0530) CVSSv3 score: 5.5 (Medium) A flaw was found in Unzip.
    The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap out-of-bounds write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
  * [CVE-2021-4217](https://nvd.nist.gov/vuln/detail/CVE-2021-4217) CVSSv3 score: 7.8 (High) A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
* zlib
  * [CVE-2022-37434](https://nvd.nist.gov/vuln/detail/CVE-2022-37434) CVSSv3 score: 9.8 (Critical) zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

---

### Communication

#### Go/No-Go message for Matrix/Slack

Go/No-Go Meeting for Alpha 3402.0.0, Beta 3374.1.0

Preview images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/

Tracking issue: https://github.com/flatcar/Flatcar/issues/879

The Go/No-Go document is in our HackMD @flatcar namespace, link: https://hackmd.io/UplvERGgREKFgV7CXGclMQ

Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait.

Contributors & community, feel free to put your suggestions, thoughts or comments on the document or here in the chat.
#### Twitter

_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._

New Flatcar releases now available for Alpha and Beta
📦 Package updates: Linux, Go, Docker, git, glibc and more
🔒 CVE fixes & security patches: Linux, bind-tools, vim and more
📜 Release notes at the usual spot: https://www.flatcar.org/releases/

#### Kubernetes Slack

_This goes in the #flatcar channel_

Please welcome Flatcar releases of this month:
- Alpha 3402.0.0 (major release)
- Beta 3374.1.0 (major release)

New Flatcar releases now available for Alpha and Beta
📦 Package updates: Linux, Go, Docker, git, glibc and more
🔒 CVE fixes & security patches: Linux, bind-tools, vim and more
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
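A practical check for the Docker entry in the Beta list above (CVE-2022-36109): the advisory says a process started through the `USER` instruction received only its primary group and that running containers must be restarted after the upgrade, so the thing to verify is whether a container process actually holds the supplementary groups its user is entitled to. The script below is an added example written for this page, not Moby or Flatcar code. It derives the expected gid set from passwd/group files and compares it with an `id -G` style gid list; the user name `app`, the passwd/group contents and the gid lists in the demo are constructed sample data.

```sh
#!/bin/sh
# Added example for CVE-2022-36109 (not Moby or Flatcar code): check whether a
# container process received the supplementary groups its user is entitled to.
# Before Moby 20.10.18 a process started through the Dockerfile USER instruction
# got only its primary group, so a group-based restriction was bypassable.

# Write constructed passwd/group samples into $1 (demo data, not real files).
write_sample_files() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
app:x:1000:1000::/home/app:/bin/sh
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
app:x:1000:
data:x:1001:app
secrets:x:1002:app,other
other:x:1003:
EOF
}

# Print the gids user $1 should hold: the primary gid from passwd file $2 plus
# every group in group file $3 that lists the user as a member.
# Output is numerically sorted, de-duplicated and space separated.
expected_gids() {
    user=$1 passwd_file=$2 group_file=$3
    primary=$(awk -F: -v u="$user" '$1 == u { print $4 }' "$passwd_file")
    [ -n "$primary" ] || return 1          # unknown user
    {
        echo "$primary"
        awk -F: -v u="$user" '{
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $3
        }' "$group_file"
    } | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Compare an `id -G` style gid list ($1) with the expected list ($2).
# Prints the missing gids and returns 1 if the process is short of groups.
check_gids() {
    actual=$1 expected=$2
    missing=""
    for g in $expected; do
        case " $actual " in
            *" $g "*) ;;
            *) missing="$missing $g" ;;
        esac
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        echo "missing gids: $missing"
        return 1
    fi
    echo "ok"
}

# Demo on the constructed data. Inside a real container, point the functions at
# /etc/passwd and /etc/group and pass "$(id -G)" instead of the literal lists.
sample=$(mktemp -d)
write_sample_files "$sample"
want=$(expected_gids app "$sample/passwd" "$sample/group")
echo "expected gids for app: $want"
check_gids "1000" "$want" || echo "-> symptom of CVE-2022-36109 (primary group only)"
check_gids "1000 1001 1002" "$want"   # fixed engine, or ENTRYPOINT ["su", "-", "app"]
rm -rf "$sample"
```

Run it inside the container as the application user after the engine upgrade and restart; a non-zero exit from `check_gids` means the process is still missing groups, which is exactly the state the advisory's restart requirement and `su -` workaround are meant to correct.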