owned this note
owned this note
Published
Linked with GitHub
# Flatcar Container Linux Release - March 23rd
## Flatcar-linux-3185.0.0-Alpha
- AMD64-usr
- Platforms succeeded: All except Equinix Metal
- Platforms failed: Equinix Metal
- `cl.internet`: a known failure on s3.xlarge.x86 instance
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_
## Flatcar-linux-3139.1.1-Beta
- AMD64-usr
- Platforms succeeded: All except Equinix Metal
- Platforms failed:
- Equinix Metal
- `cl.internet`: a known failure on s3.xlarge.x86 instance
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All except AWS
- Platforms failed: AWS
- `coreos.update.badusr`: a known flaky test failure `failure checking if machine is running`
- Platforms not tested: None
VERDICT: _GO_
## Flatcar-linux-3033.2.4-Stable
- AMD64-usr
- Platforms succeeded: All except Equinix Metal
- Platforms failed: Equinix Metal amd64
- `cl.internet`: a known failure on s3.xlarge.x86 instance
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All except AWS
- Platforms failed: AWS
- `coreos.update.badusr`: a known flaky test failure `failure checking if machine is running`
- Platforms not tested: None
VERDICT: _GO_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
- Make sure the the LTS is referred to as `LTS-2021`, and not `LTS-2605`
---
### Announcement Message
Subject: Announcing new Alpha release 3185.0.0, Beta release 3139.1.1, Stable release 3033.2.4
Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, and Stable channel.
New **Alpha** Release **3185.0.0**
**Changes since Alpha-3165.0.0**
#### Security fixes
- Linux ([CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636))
- Go ([CVE-2022-24921](https://nvd.nist.gov/vuln/detail/CVE-2022-24921))
- containerd ([CVE-2022-23648](https://nvd.nist.gov/vuln/detail/CVE-2022-23648))
- cryptsetup ([CVE-2021-4122](https://nvd.nist.gov/vuln/detail/CVE-2021-4122))
- intel-microcode ([CVE-2021-0127](https://nvd.nist.gov/vuln/detail/CVE-2021-0127), [CVE-2021-0146](https://nvd.nist.gov/vuln/detail/CVE-2021-0146))
- nvidia-drivers ([CVE-2022-21814](https://nvd.nist.gov/vuln/detail/CVE-2022-21814), [CVE-2022-21813](https://nvd.nist.gov/vuln/detail/CVE-2022-21813))
- openssl ([CVE-2022-0778](https://nvd.nist.gov/vuln/detail/CVE-2022-0778))
#### Bug fixes
- Reverted the Linux kernel commit which broke networking on AWS instances which use Intel 82559 NIC (c4/m4) ([Flatcar#665](https://github.com/flatcar-linux/Flatcar/issues/665), [coreos-overlay#1723](https://github.com/flatcar-linux/coreos-overlay/pull/1723))
- Re-added the `brd drbd nbd rbd xen-blkfront zram libarc4 lru_cache zsmalloc` kernel modules to the initramfs since they were missing compared to the Flatcar 3033.2.x releases where the 5.10 kernel is used ([bootengine#40](https://github.com/flatcar-linux/bootengine/pull/40))
#### Changes
- Merge the Flatcar Pro features into the regular Flatcar images ([coreos-overlay#1679](https://github.com/flatcar-linux/coreos-overlay/pull/1679))
- Besides Ignition v1 and v2 configurations, Ignition configurations with specification v3 (up to 3.3.0) are now supported, see the [docs section for details](https://www.flatcar.org/docs/latest/provisioning/ignition/specification/#ignition-v3)
- Made SELinux enabled by default in default containerd configuration file. ([coreos-overlay#1699](https://github.com/flatcar-linux/coreos-overlay/pull/1699))
- Removed `rngd.service` because it is not essential anymore for the kernel to boot fast in VM environments ([coreos-overlay#1700](https://github.com/flatcar-linux/coreos-overlay/pull/1700))
- Enabled `systemd-sysext.service` to activate systemd-sysext images on boot, to disable you will need to mask it. Also added a helper service `ensure-sysext.service` which reloads the systemd units to reevaluate the `sockets`, `timers`, and `multi-user` targets when `systemd-sysext.service` is (re)started, making it possible to enable units that are part of a sysext image ([init#65](https://github.com/flatcar-linux/init/pull/65))
- For amd64 `/usr/lib` used to be a symlink to `/usr/lib64` but now they became two separate folders as common in other distributions (and was the case for arm64 already). Compatibility symlinks exist in case `/usr/lib64` was used to access, e.g., the `modules` folder or the `systemd` folder ([coreos-overlay#1713](https://github.com/flatcar-linux/coreos-overlay/pull/1713), [flatcar-scripts#255](https://github.com/flatcar-linux/scripts/pull/255))
- Defined a systemd-sysext level that sysext images can match for instead of the OS version when they don't have a strong coupling, meaning the only metadata required is `SYSEXT_LEVEL=1.0` and `ID=flatcar` ([#643](https://github.com/flatcar-linux/Flatcar/issues/643))
- OpenStack: In addition to the `bz2` image, a `gz` compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image.
- DigitalOcean: In addition to the `bz2` image, a `gz` compressed image is published. This helps against hitting the compression timeout that sometimes lets the image import fail.
- SDK: The image compression format is now configurable. Supported formats are: `bz2`, `gz`, `zip`, `none`, `zst`. Selecting the image format can now be done by passing the `--image_compression_formats` option. This flag gets a comma separated list of formats.
#### Updates
- Linux ([5.15.30](https://lwn.net/Articles/888521) (from 5.15.25, includes [5.15.26](https://lwn.net/Articles/886569), [5.15.27](https://lwn.net/Articles/887219), [5.15.28](https://lwn.net/Articles/887638), [5.15.29](https://lwn.net/Articles/888116)))
- Linux Firmware ([20220310](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220310))
- Go ([1.17.8](https://go.googlesource.com/go/+/refs/tags/go1.17.8))
- ca-certificates ([3.76](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_76.html))
- containerd ([1.6.1](https://github.com/containerd/containerd/releases/tag/v1.6.1))
- cryptsetup ([2.4.3](https://lore.kernel.org/all/572c18a7bf60cb1b0f67c3a03c531d7e7ed31832.camel@scientia.net/T/))
- Docker ([20.10.13](https://docs.docker.com/engine/release-notes/#201013))
- dosfstools ([4.2](https://github.com/dosfstools/dosfstools/releases/tag/v4.2))
- grep ([3.7](https://savannah.gnu.org/forum/forum.php?forum_id=10037))
- ignition ([2.13.0](https://github.com/coreos/ignition/releases/tag/v2.13.0))
- intel-microcode ([20220207_p20220207](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207))
- iperf ([3.10.1](https://github.com/esnet/iperf/blob/master/RELNOTES.md#iperf-3101-2021-06-03))
- less ([590](https://www.greenwoodsoftware.com/less/news.590.html))
- lsscsi ([0.32](https://sg.danny.cz/scsi/lsscsi.ChangeLog))
- nvidia-drivers ([510.47.03](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-510-47-03/index.html))
- nvme-cli ([1.16](https://github.com/linux-nvme/nvme-cli/commits/deee9cae1ac94760deebd71f8e5449061338666c))
- openssl ([3.0.2](https://www.openssl.org/news/changelog.html#openssl-30))
- pam ([1.5.1_p20210622](https://github.com/linux-pam/linux-pam/commit/fe1307512fb8892b5ceb3d884c793af8dbd4c16a))
- pambase (20220214)
- pinentry ([1.2.0](https://dev.gnupg.org/T5566))
- quota ([4.06](https://sourceforge.net/p/linuxquota/code/ci/0acd4cc6275122fd9864cb7b5d349e65a2622920/))
- rpcbind ([1.2.6](https://git.linux-nfs.org/?p=steved/rpcbind.git;a=shortlog;h=refs/tags/rpcbind-1_2_6))
- socat ([1.7.4.3](https://repo.or.cz/socat.git/blob/refs/tags/tag-1.7.4.3:/CHANGES))
- thin-provisioning-tools ([0.9.0](https://github.com/jthornber/thin-provisioning-tools/blob/d6d93c3157631b242a13a81d30f75453e576c55a/CHANGES#L1-L9))
- timezone-data ([2021a](https://mm.icann.org/pipermail/tz-announce/2021-January/000065.html))
- whois ([5.5.11](https://github.com/rfc1036/whois/commit/5f5ba8312c04a759dad05723c035549273d07461))
- xfsprogs ([5.14.2](https://marc.info/?l=linux-xfs&m=163883318025390&w=2))
- VMWare: open-vm-tools ([12.0.0](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.0.0))
- SDK: man-db ([2.9.4](https://gitlab.com/cjwatson/man-db/-/tags/2.9.4))
- SDK: Rust ([1.59.0](https://github.com/rust-lang/rust/releases/tag/1.59.0))
New **Beta** Release **3139.1.1**
**Changes since Beta-3139.1.0**
#### Security fixes
- Linux ([CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636))
- Go ([CVE-2022-24921](https://nvd.nist.gov/vuln/detail/CVE-2022-24921))
- systemd ([CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997))
- containerd ([CVE-2022-23648](https://nvd.nist.gov/vuln/detail/CVE-2022-23648))
- openssl ([CVE-2022-0778](https://nvd.nist.gov/vuln/detail/CVE-2022-0778))
#### Bug fixes
- Reverted the Linux kernel commit which broke networking on AWS instances which use Intel 82559 NIC (c4/m4) ([Flatcar#665](https://github.com/flatcar-linux/Flatcar/issues/665), [coreos-overlay#1723](https://github.com/flatcar-linux/coreos-overlay/pull/1723))
- Re-added the `brd drbd nbd rbd xen-blkfront zram libarc4 lru_cache zsmalloc` kernel modules to the initramfs since they were missing compared to the Flatcar 3033.2.x releases where the 5.10 kernel is used ([bootengine#40](https://github.com/flatcar-linux/bootengine/pull/40))
#### Changes
- (none)
#### Updates
- Linux ([5.15.30](https://lwn.net/Articles/888521) (from 5.15.25, includes [5.15.26](https://lwn.net/Articles/886569), [5.15.27](https://lwn.net/Articles/887219), [5.15.28](https://lwn.net/Articles/887638), [5.15.29](https://lwn.net/Articles/888116)))
- Go ([1.17.8](https://go.googlesource.com/go/+/refs/tags/go1.17.8))
- systemd ([249.10](https://github.com/systemd/systemd-stable/releases/tag/v249.10))
- ca-certificates ([3.76](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_76.html))
- containerd ([1.5.10](https://github.com/containerd/containerd/releases/tag/v1.5.10))
- openssl ([3.0.2](https://www.openssl.org/news/changelog.html#openssl-30))
New **Stable** Release **3033.2.4**
**Changes since Stable-3033.2.3**
#### Security fixes
- Linux ([CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636))
- Go ([CVE-2022-24921](https://nvd.nist.gov/vuln/detail/CVE-2022-24921))
- systemd ([CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997))
- containerd ([CVE-2022-23648](https://nvd.nist.gov/vuln/detail/CVE-2022-23648))
- openssl ([CVE-2022-0778](https://nvd.nist.gov/vuln/detail/CVE-2022-0778))
#### Bug fixes
- Reverted the Linux kernel commit which broke networking on AWS instances which use Intel 82559 NIC (c4/m4) ([Flatcar#665](https://github.com/flatcar-linux/Flatcar/issues/665), [coreos-overlay#1720](https://github.com/flatcar-linux/coreos-overlay/pull/1720))
#### Changes
- Added support for switching back to CGroupsV1 without requiring a reboot. Create `/etc/flatcar-cgroupv1` through ignition. ([coreos-overlay#1666](https://github.com/flatcar-linux/coreos-overlay/pull/1666))
#### Updates
- Linux ([5.10.107](https://lwn.net/Articles/888522) (from 5.10.102, includes [5.10.103](https://lwn.net/Articles/886570), [5.10.104](https://lwn.net/Articles/887220), [5.10.105](https://lwn.net/Articles/887639), [5.10.106](https://lwn.net/Articles/888115)))
- Go ([1.17.8](https://go.googlesource.com/go/+/refs/tags/go1.17.8))
- systemd ([249.10](https://github.com/systemd/systemd-stable/releases/tag/v249.10))
- ca-certificates ([3.76](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_76.html))
- containerd ([1.5.10](https://github.com/containerd/containerd/releases/tag/v1.5.10))
- openssl ([1.1.1n](https://www.openssl.org/news/changelog.html#openssl-111))
Best,
The Flatcar Container Linux Maintainers
---
### Security
**Subject**: Security issues fixed with the latest Alpha-3185.0.0, Beta-3139.1.1, Stable-3033.2.4 releases
**Security fix**: With the Alpha-3185.0.0, Beta-3139.1.1 and Stable-3033.2.4 releases we ship a fix for the CVEs listed below.
#### Alpha
* Linux
* [CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636) CVSSv3 score: 7.8(High)
net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.
* Go
* [CVE-2022-24921](https://nvd.nist.gov/vuln/detail/CVE-2022-24921) CVSSv3 score: 7.5(High)
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
* containerd
* [CVE-2022-23648](https://nvd.nist.gov/vuln/detail/CVE-2022-23648) CVSSv3 score: 7.5(High)
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
* cryptsetup
* [CVE-2021-4122](https://nvd.nist.gov/vuln/detail/CVE-2021-4122) CVSSv3 score: 5.9(Medium)
An attacker can modify on-disk metadata to simulate decryption in
progress with crashed (unfinished) reencryption step and persistently
decrypt part of the LUKS device.
* intel-microcode
* [CVE-2021-0127](https://nvd.nist.gov/vuln/detail/CVE-2021-0127) CVSSv3 score: 5.5(Medium)
Insufficient control flow management in some Intel(R) Processors may allow an authenticated user to potentially enable a denial of service via local access.
* nvidia-drivers
* [CVE-2022-21814](https://nvd.nist.gov/vuln/detail/CVE-2022-21814) CVSSv3 score: 6.1(Medium)
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.
* [CVE-2022-21813](https://nvd.nist.gov/vuln/detail/CVE-2022-21813) CVSSv3 score: 6.1(Medium)
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.
* openssl
* [CVE-2022-0778](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) CVSSv3 score: 7.5(High)
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
#### Beta
* Linux
* [CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636) CVSSv3 score: 7.8(High)
net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.
* Go
* [CVE-2022-24921](https://nvd.nist.gov/vuln/detail/CVE-2022-24921) CVSSv3 score: 7.5(High)
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
* containerd
* [CVE-2022-23648](https://nvd.nist.gov/vuln/detail/CVE-2022-23648) CVSSv3 score: 7.5(High)
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
* openssl
* [CVE-2022-0778](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) CVSSv3 score: 7.5(High)
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
* systemd
* [CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997) CVSSv3 score: 5.5(Medium)
Uncontrolled recursion in systemd's systemd-tmpfiles.
#### Stable
* Linux
* [CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636) CVSSv3 score: 7.8(High)
net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.
* Go
* [CVE-2022-24921](https://nvd.nist.gov/vuln/detail/CVE-2022-24921) CVSSv3 score: 7.5(High)
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
* containerd
* [CVE-2022-23648](https://nvd.nist.gov/vuln/detail/CVE-2022-23648) CVSSv3 score: 7.5(High)
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
* openssl
* [CVE-2022-0778](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) CVSSv3 score: 7.5(High)
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
* systemd
* [CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997) CVSSv3 score: 5.5(Medium)
Uncontrolled recursion in systemd's systemd-tmpfiles.
---
### Twitter
_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases now available for Alpha+Beta+Stable!
📦 Many package updates: containerd, openssl, systemd
:gift: Ignition v3 is now supported alongside v1 and v2
🔒 CVE fixes & security patches: CVE-2022-23648 for containerd, CVE-2022-0778 for openssl
📜 Release notes at the usual spot: https://www.flatcar.org/releases/