## Alpha 3689.0.0
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All except EM
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_ / _NO-GO_ / _WAIT_
## Beta 3602.1.4
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All except EM
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_ / _NO-GO_ / _WAIT_
## Stable 3510.2.6
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All except EM
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_ / _NO-GO_ / _WAIT_
## LTS 3033.3.16
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All except EM
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_ / _NO-GO_ / _WAIT_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
---
### Announcement Message
Subject: Announcing new releases Alpha 3689.0.0, Beta 3602.1.4, Stable 3510.2.6, LTS 3033.3.16
Hello,
We are pleased to announce new Flatcar Container Linux releases for the Alpha, Beta, Stable and LTS channels.
**Note**: All channels have fixes and workarounds against transient execution CPU vulnerabilities in certain AMD CPUs of the Zen 2 AMD microarchitecture, a.k.a. `Zenbleed`.
## New Alpha Release 3689.0.0
_Changes since **Alpha 3665.0.0**_
#### Security fixes:
- Linux ([CVE-2022-48502](https://nvd.nist.gov/vuln/detail/CVE-2022-48502), [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593), [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898), [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248), [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001), [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611), [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776), [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863))
- Go ([CVE-2023-29406](https://nvd.nist.gov/vuln/detail/CVE-2023-29406), [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409))
- OpenSSH ([CVE-2023-38408](https://nvd.nist.gov/vuln/detail/CVE-2023-38408))
- OpenSSL ([CVE-2023-2975](https://nvd.nist.gov/vuln/detail/CVE-2023-2975), [CVE-2023-3446](https://nvd.nist.gov/vuln/detail/CVE-2023-3446))
- libxml2 ([libxml2-20230428](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4))
- linux-firmware ([CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593))
- openldap ([CVE-2023-2953](https://nvd.nist.gov/vuln/detail/CVE-2023-2953))
- shadow ([CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383))
#### Updates:
- Linux ([6.1.43](https://lwn.net/Articles/940338) (includes [6.1.42](https://lwn.net/Articles/939423), [6.1.41](https://lwn.net/Articles/939103), [6.1.40](https://lwn.net/Articles/939015), [6.1.39](https://lwn.net/Articles/938619)))
- Go ([1.20.7](https://go.dev/doc/devel/release#go1.20.7))
- ca-certificates ([3.92](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_92.html))
- containerd ([1.7.3](https://github.com/containerd/containerd/releases/tag/v1.7.3))
- git ([2.41.0](https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.41.0.txt))
- iperf ([3.14](https://github.com/esnet/iperf/blob/master/RELNOTES.md#iperf-314-2023-07-07))
- libxml2 ([2.11.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4))
- libxslt ([1.1.38](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.38))
- openldap ([2.5.14](https://openldap.org/software/release/changes_lts.html) (includes [2.5](https://openldap.org/software/release/changes_lts.html)))
- runc ([1.1.8](https://github.com/opencontainers/runc/releases/tag/v1.1.8))
- SDK: pahole ([1.25](https://github.com/acmel/dwarves/blob/master/changes-v1.25))
- SDK: Rust ([1.71.0](https://github.com/rust-lang/rust/releases/tag/1.71.0))
## New Beta Release 3602.1.4
_Changes since **Beta 3602.1.3**_
#### Security fixes:
- Linux ([CVE-2022-48502](https://nvd.nist.gov/vuln/detail/CVE-2022-48502), [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593), [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898), [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248), [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001), [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611), [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776), [CVE-2023-38432](https://nvd.nist.gov/vuln/detail/CVE-2023-38432), [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863))
- OpenSSH ([CVE-2023-38408](https://nvd.nist.gov/vuln/detail/CVE-2023-38408))
- linux-firmware ([CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593))
#### Updates:
- Linux ([5.15.124](https://lwn.net/Articles/940339) (includes [5.15.123](https://lwn.net/Articles/939424), [5.15.122](https://lwn.net/Articles/939104), [5.15.121](https://lwn.net/Articles/939016)))
- ca-certificates ([3.92](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_92.html))
- linux-firmware ([20230625](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20230625))
## New Stable Release 3510.2.6
_Changes since **Stable 3510.2.5**_
#### Security fixes:
- Linux ([CVE-2022-48502](https://nvd.nist.gov/vuln/detail/CVE-2022-48502), [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593), [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898), [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248), [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001), [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611), [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776), [CVE-2023-38432](https://nvd.nist.gov/vuln/detail/CVE-2023-38432), [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863))
- linux-firmware ([CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593))
#### Updates:
- Linux ([5.15.122](https://lwn.net/Articles/939104) (includes [5.15.121](https://lwn.net/Articles/939016), [5.15.120](https://lwn.net/Articles/937404)))
- ca-certificates ([3.92](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_92.html))
- linux-firmware ([20230625](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20230625))
## New LTS Release 3033.3.16
_Changes since **LTS 3033.3.15**_
#### Security fixes:
- Linux ([CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593), [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898), [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248), [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390), [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001), [CVE-2023-3610](https://nvd.nist.gov/vuln/detail/CVE-2023-3610), [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611), [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776), [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863))
- linux-firmware ([CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593))
#### Updates:
- Linux ([5.10.188](https://lwn.net/Articles/939425) (includes [5.10.187](https://lwn.net/Articles/939105)))
- ca-certificates ([3.92](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_92.html))
- linux-firmware ([20230625](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20230625))
### Detailed Security Report
**Security fix**: With the Alpha 3689.0.0, Beta 3602.1.4, Stable 3510.2.6, LTS 3033.3.16 release(s) we ship fixes for the CVEs listed below.
#### Alpha 3689.0.0
* Go
  * [CVE-2023-29406](https://nvd.nist.gov/vuln/detail/CVE-2023-29406) CVSSv3 score: 6.5(Medium)
    The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With the fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
  * [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) CVSSv3 score: n/a
    Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With the fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.
* Linux
  * [CVE-2022-48502](https://nvd.nist.gov/vuln/detail/CVE-2022-48502) CVSSv3 score: 7.1(High)
    An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.
  * [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium)
    An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
  * [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898) CVSSv3 score: 4.7(Medium)
    There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.
  * [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248) CVSSv3 score: n/a
    Linux kernel nftables use-after-free local privilege escalation: `nft_chain_lookup_byid()` failed to check whether a chain was active; reachable with CAP_NET_ADMIN in any user or network namespace.
  * [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001) CVSSv3 score: n/a
    Linux kernel nftables out-of-bounds read/write: nft_byteorder mishandled VM register contents; reachable with CAP_NET_ADMIN in any user or network namespace.
  * [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611) CVSSv3 score: n/a
    An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
    The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.
    We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
  * [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776) CVSSv3 score: n/a
    A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
    If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.
    We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
  * [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863) CVSSv3 score: 4.1(Medium)
    A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to trigger a kernel information leak.
* OpenSSH
  * [CVE-2023-38408](https://nvd.nist.gov/vuln/detail/CVE-2023-38408) CVSSv3 score: 9.8(Critical)
    The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
* OpenSSL
  * [CVE-2023-2975](https://nvd.nist.gov/vuln/detail/CVE-2023-2975) CVSSv3 score: 5.3(Medium)
    Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries, which are unauthenticated as a consequence.
    Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries, as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications.
    The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with a NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated.
    As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries, this is qualified as a Low severity issue.
  * [CVE-2023-3446](https://nvd.nist.gov/vuln/detail/CVE-2023-3446) CVSSv3 score: 5.3(Medium)
    Issue summary: Checking excessively long DH keys or parameters may be very slow.
    Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
    The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.
    However, the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.
    An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.
    The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().
    Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option.
    The OpenSSL SSL/TLS implementation is not affected by this issue.
    The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
* linux-firmware
  * [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium)
    An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
* openldap
  * [CVE-2023-2953](https://nvd.nist.gov/vuln/detail/CVE-2023-2953) CVSSv3 score: 7.5(High)
    A vulnerability was found in openldap. This security flaw causes a null pointer dereference in the ber_memalloc_x() function.
* shadow
  * [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) CVSSv3 score: 3.3(Low)
    In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character makes it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
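Added example for the two Go fixes above (not code from the announcement or from Go itself): a client-side mitigation in the spirit of the 1.20.7 changes, rejecting peer RSA keys above the 8192-bit limit before any signature is verified (CVE-2023-29409) and refusing to send a request whose Host would not survive a strict allowlist (CVE-2023-29406). `checkRSAKeySize`, `verifyPeerKeySizes`, `validHost`, `hostGuard`, `hardenedClient` and `fakeRSAKey` are names chosen here, and the allowlist is an assumption that is stricter than Go's own validation.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
)

// maxRSAKeyBits is the limit the Go 1.20.7 fix for CVE-2023-29409 applies to
// RSA keys received during a TLS handshake.
const maxRSAKeyBits = 8192

// checkRSAKeySize rejects RSA public keys above maxRSAKeyBits before any
// signature made with them is verified; non-RSA keys pass through.
func checkRSAKeySize(pub crypto.PublicKey) error {
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil
	}
	if bits := rsaPub.N.BitLen(); bits > maxRSAKeyBits {
		return fmt.Errorf("rsa key is %d bits, limit is %d", bits, maxRSAKeyBits)
	}
	return nil
}

// verifyPeerKeySizes is a tls.Config.VerifyPeerCertificate callback: it parses
// every certificate the peer sent and applies checkRSAKeySize to each.
func verifyPeerKeySizes(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	for i, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("peer certificate %d: %w", i, err)
		}
		if err := checkRSAKeySize(cert.PublicKey); err != nil {
			return fmt.Errorf("peer certificate %d (%s): %w", i, cert.Subject, err)
		}
	}
	return nil
}

// validHost is a conservative allowlist for a Host value (an assumption of this
// example, stricter than Go's own check): letters, digits, '.', '-', '_', ':'
// and IPv6 brackets. CR, LF and spaces are rejected, so a crafted Host cannot
// carry extra header lines or a second request (CVE-2023-29406).
func validHost(host string) bool {
	if host == "" || len(host) > 255 {
		return false
	}
	for i := 0; i < len(host); i++ {
		c := host[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
		case c == '.', c == '-', c == '_', c == ':', c == '[', c == ']':
		default:
			return false
		}
	}
	return true
}

// hostGuard wraps a RoundTripper and checks Request.Host and Request.URL.Host
// before a single byte is written to the connection.
type hostGuard struct{ next http.RoundTripper }

func (g hostGuard) RoundTrip(req *http.Request) (*http.Response, error) {
	for _, h := range []string{req.Host, req.URL.Host} {
		if h != "" && !validHost(h) {
			return nil, fmt.Errorf("refusing request with invalid host %q", h)
		}
	}
	return g.next.RoundTrip(req)
}

// hardenedClient returns an http.Client that applies both checks.
func hardenedClient() *http.Client {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12, VerifyPeerCertificate: verifyPeerKeySizes}
	return &http.Client{Transport: hostGuard{next: &http.Transport{TLSClientConfig: tlsCfg}}}
}

// fakeRSAKey builds a public key whose modulus is exactly bits long without
// running key generation (constructed test input, not a usable key).
func fakeRSAKey(bits int) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), uint(bits-1)), E: 65537}
}

func main() {
	fmt.Println(checkRSAKeySize(fakeRSAKey(8193)), validHost("example.com:443"), validHost("a\r\nX: 1"))
}
```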
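Added example for the shadow entry above (not code from the announcement or from the shadow project): a Go audit routine that scans passwd-format text for the two tricks the CVE-2023-29383 description names, control characters such as \r that rewrite how a line renders, and non-ASCII look-alikes standing in for the blocked : character. `auditPasswd`, `Finding` and `samplePasswd` are names and data constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Finding is one suspicious /etc/passwd entry: line number, user name and reason.
type Finding struct {
	Line   int
	User   string
	Reason string
}

// auditPasswd scans passwd-format text and reports fields that carry control
// characters (\r, escape sequences) or non-ASCII runes, which CVE-2023-29383
// lets a local user plant through chfn so that a plain `cat` misrepresents the
// file. A line with the wrong number of fields is reported as well.
func auditPasswd(content string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(content, "\n") {
		if line == "" {
			continue
		}
		fields := strings.Split(line, ":")
		if len(fields) != 7 {
			findings = append(findings, Finding{i + 1, fields[0], fmt.Sprintf("expected 7 fields, got %d", len(fields))})
			continue
		}
		for j, field := range fields {
			for _, r := range field {
				reason := ""
				switch {
				case unicode.IsControl(r):
					reason = fmt.Sprintf("control character %U in field %d", r, j+1)
				case r > unicode.MaxASCII:
					reason = fmt.Sprintf("non-ASCII rune %U in field %d", r, j+1)
				}
				if reason != "" {
					findings = append(findings, Finding{i + 1, fields[0], reason})
					break // one report per field is enough
				}
			}
		}
	}
	return findings
}

// samplePasswd is constructed test input: two clean entries plus one whose GECOS
// field carries a carriage return and fullwidth colons (U+FF1A), the pattern the
// advisory describes for making a terminal display a rogue account.
const samplePasswd = "root:x:0:0:root:/root:/bin/bash\n" +
	"alice:x:1000:1000:Alice:/home/alice:/bin/bash\n" +
	"bob:x:1001:1001:Bob\rmallory\uFF1Ax\uFF1A0\uFF1A0\uFF1A\uFF1A/root\uFF1A/bin/bash:/home/bob:/bin/bash\n"

func main() {
	for _, f := range auditPasswd(samplePasswd) {
		fmt.Printf("line %d, user %s: %s\n", f.Line, f.User, f.Reason)
	}
}
```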
#### Beta 3602.1.4
* Linux
  * [CVE-2022-48502](https://nvd.nist.gov/vuln/detail/CVE-2022-48502) CVSSv3 score: 7.1(High)
    An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.
  * [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium)
    An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
  * [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898) CVSSv3 score: 4.7(Medium)
    There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.
  * [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248) CVSSv3 score: n/a
    Linux kernel nftables use-after-free local privilege escalation: `nft_chain_lookup_byid()` failed to check whether a chain was active; reachable with CAP_NET_ADMIN in any user or network namespace.
  * [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001) CVSSv3 score: n/a
    Linux kernel nftables out-of-bounds read/write: nft_byteorder mishandled VM register contents; reachable with CAP_NET_ADMIN in any user or network namespace.
  * [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611) CVSSv3 score: n/a
    An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
    The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.
    We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
  * [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776) CVSSv3 score: n/a
    A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
    If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.
    We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
  * [CVE-2023-38432](https://nvd.nist.gov/vuln/detail/CVE-2023-38432) CVSSv3 score: 9.1(Critical)
    An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.
  * [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863) CVSSv3 score: 4.1(Medium)
    A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to trigger a kernel information leak.
* OpenSSH
  * [CVE-2023-38408](https://nvd.nist.gov/vuln/detail/CVE-2023-38408) CVSSv3 score: 9.8(Critical)
    The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
* linux-firmware
  * [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium)
    An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
#### Stable 3510.2.6
* Linux
  * [CVE-2022-48502](https://nvd.nist.gov/vuln/detail/CVE-2022-48502) CVSSv3 score: 7.1(High)
    An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.
  * [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium)
    An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
  * [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898) CVSSv3 score: 4.7(Medium)
    There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.
  * [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248) CVSSv3 score: n/a
    Linux kernel nftables use-after-free local privilege escalation: `nft_chain_lookup_byid()` failed to check whether a chain was active; reachable with CAP_NET_ADMIN in any user or network namespace.
  * [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001) CVSSv3 score: n/a
    Linux kernel nftables out-of-bounds read/write: nft_byteorder mishandled VM register contents; reachable with CAP_NET_ADMIN in any user or network namespace.
  * [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611) CVSSv3 score: n/a
    An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
    The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.
    We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
  * [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776) CVSSv3 score: n/a
    A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
    If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.
    We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
  * [CVE-2023-38432](https://nvd.nist.gov/vuln/detail/CVE-2023-38432) CVSSv3 score: 9.1(Critical)
    An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.
  * [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863) CVSSv3 score: 4.1(Medium)
    A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to trigger a kernel information leak.
* linux-firmware
  * [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium)
    An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
#### LTS 3033.3.16
* Linux
  * [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium)
    An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
  * [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898) CVSSv3 score: 4.7(Medium)
    There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.
  * [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248) CVSSv3 score: n/a
    Linux kernel nftables use-after-free local privilege escalation: `nft_chain_lookup_byid()` failed to check whether a chain was active; reachable with CAP_NET_ADMIN in any user or network namespace.
  * [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390) CVSSv3 score: n/a
    A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.
    Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction, causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.
    We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.
  * [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001) CVSSv3 score: n/a
    Linux kernel nftables out-of-bounds read/write: nft_byteorder mishandled VM register contents; reachable with CAP_NET_ADMIN in any user or network namespace.
  * [CVE-2023-3610](https://nvd.nist.gov/vuln/detail/CVE-2023-3610) CVSSv3 score: n/a
    A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
    A flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered.
    We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
  * [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611) CVSSv3 score: n/a
    An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
    The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.
    We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
  * [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776) CVSSv3 score: n/a
    A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
    If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.
    We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
  * [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863) CVSSv3 score: 4.1(Medium)
    A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to trigger a kernel information leak.
* linux-firmware
  * [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium)
    An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
Best,
The Flatcar Container Linux Maintainers
---
### Communication
#### Go/No-Go message for Matrix/Slack
Go/No-Go Meeting for Alpha 3689.0.0, Beta 3602.1.4, Stable 3510.2.6, LTS 3033.3.16
Preview images are available at https://bincache.flatcar-linux.net/images/amd64/$VERSION/
Tracking issue: https://github.com/flatcar/Flatcar/issues/1153
The Go/No-Go document is in our HackMD @flatcar namespace
Link: https://hackmd.io/FM1G2effQua60-Jlx-4nVg
Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait.
Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat.
@MAINTAINER @MAINTAINER @MAINTAINER
#### Mastodon
_The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases for all channels
📦 Many package updates: Linux Kernel, linux-firmware, OpenSSL, containerd
🔒 CVE fixes & security patches: Zenbleed fixes in Kernel and firmware, OpenSSL, etc
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
#linux #cloudnative #containers #updates
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome Flatcar releases of this month:
- Alpha 3689.0.0 (new major)
- Beta 3602.1.4 (maintenance release)
- Stable 3510.2.6 (maintenance release)
- LTS 3033.3.16 (maintenance release)
These releases include:
New Flatcar releases for all channels
📦 Many package updates: Linux Kernel, linux-firmware, OpenSSL, containerd
🔒 CVE fixes & security patches: Zenbleed fixes in Kernel and firmware, OpenSSL, etc
📜 Release notes at the usual spot: https://www.flatcar.org/releases/