Flatcar Container Linux
      • Sharing URL Link copied
      • /edit
      • View mode
        • Edit mode
        • View mode
        • Book mode
        • Slide mode
        Edit mode View mode Book mode Slide mode
      • Customize slides
      • Note Permission
      • Read
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • Write
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • Engagement control Commenting, Suggest edit, Emoji Reply
    • Invite by email
      Invitee

      This note has no invitees

    • Publish Note

      Share your work with the world Congratulations! 🎉 Your note is out in the world Publish Note

      Your note will be visible on your profile and discoverable by anyone.
      Your note is now live.
      This note is visible on your profile and discoverable online.
      Everyone on the web can find and read all notes of this public team.
      See published notes
      Unpublish note
      Please check the box to agree to the Community Guidelines.
      View profile
    • Commenting
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
      • Everyone
    • Suggest edit
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
    • Emoji Reply
    • Enable
    • Versions and GitHub Sync
    • Note settings
    • Note Insights
    • Engagement control
    • Transfer ownership
    • Delete this note
    • Insert from template
    • Import from
      • Dropbox
      • Google Drive
      • Gist
      • Clipboard
    • Export to
      • Dropbox
      • Google Drive
      • Gist
    • Download
      • Markdown
      • HTML
      • Raw HTML
Menu Note settings Versions and GitHub Sync Note Insights Sharing URL Help
Menu
Options
Engagement control Transfer ownership Delete this note
Import from
Dropbox Google Drive Gist Clipboard
Export to
Dropbox Google Drive Gist
Download
Markdown HTML Raw HTML
Back
Sharing URL Link copied
/edit
View mode
  • Edit mode
  • View mode
  • Book mode
  • Slide mode
Edit mode View mode Book mode Slide mode
Customize slides
Note Permission
Read
Owners
  • Owners
  • Signed-in users
  • Everyone
Owners Signed-in users Everyone
Write
Owners
  • Owners
  • Signed-in users
  • Everyone
Owners Signed-in users Everyone
Engagement control Commenting, Suggest edit, Emoji Reply
  • Invite by email
    Invitee

    This note has no invitees

    • Publish Note

    Share your work with the world Congratulations! 🎉 Your note is out in the world Publish Note

    Your note will be visible on your profile and discoverable by anyone.
    Your note is now live.
    This note is visible on your profile and discoverable online.
    Everyone on the web can find and read all notes of this public team.
    See published notes
    Unpublish note
    Please check the box to agree to the Community Guidelines.
    View profile
    Engagement control
    Commenting
    Permission
    Disabled Forbidden Owners Signed-in users Everyone
    Enable
    Permission
    • Forbidden
    • Owners
    • Signed-in users
    • Everyone
    Suggest edit
    Permission
    Disabled Forbidden Owners Signed-in users Everyone
    Enable
    Permission
    • Forbidden
    • Owners
    • Signed-in users
    Emoji Reply
    Enable
    Import from Dropbox Google Drive Gist Clipboard
       owned this note    owned this note      
    Published Linked with GitHub
    Subscribed
    • Any changes
      Be notified of any changes
    • Mention me
      Be notified of mention me
    • Unsubscribe
    Subscribe
    # Flatcar Container Linux Release - 2022-07-21 ## Flatcar-linux-Alpha-3305.0.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ / _WAIT_ / _NO-GO_ ## Flatcar-Linux-Beta-3277.1.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ / _WAIT_ / _NO-GO_ ## Flatcar-Linux-Stable-3227.2.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None ## Flatcar-Linux-LTS-2022-3033.3.3 - AMD64-usr - Platforms succeeded: All except for AWS and Equinix Metal - Platforms failed: AWS, Equinix Metal - AWS: flaky failure at cl.internet with m4.2xlarge: machine failed to start: ssh journalctl failed: time limit exceeded: dial tcp 34.222.214.75:22: i/o timeout - Equinix Metal: flaky failure at cl.internet with s3.xlarge.x86: machine failed to start: ssh journalctl failed: time limit exceeded: dial tcp 139.178.90.27:22: i/o timeout" - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ / _WAIT_ / _NO-GO_ ## Communication --- ### Announcement Message Subject: Announcing new Alpha 3305.0.0, Beta 3277.1.0, Stable 3227.2.0, LTS-2022 3033.3.3 releases. Hello, We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable and LTS-2022 channels. # New **Alpha** Release **3305.0.0** _Changes since **Alpha 3277.0.0**_ ## Security fixes: - Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918)) - cifs-utils ([CVE-2022-27239](https://nvd.nist.gov/vuln/detail/CVE-2022-27239), [CVE-2022-29869](https://nvd.nist.gov/vuln/detail/CVE-2022-29869)) - curl ([CVE-2022-32205](https://nvd.nist.gov/vuln/detail/CVE-2022-32205), [CVE-2022-32206](https://nvd.nist.gov/vuln/detail/CVE-2022-32206), [CVE-2022-32207](https://nvd.nist.gov/vuln/detail/CVE-2022-32207), [CVE-2022-32208](https://nvd.nist.gov/vuln/detail/CVE-2022-32208)) - gnupg ([CVE-2022-34903](https://nvd.nist.gov/vuln/detail/CVE-2022-34903)) - Go ([CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705), [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962), [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131), [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630), [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631), [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632), [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633), [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635), [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148)) ## Bug fixes: - Removed outdated LTS channel information printed on login ([init#75](https://github.com/flatcar-linux/init/pull/75)) - The Ignition v3 kargs directive failed before when used with the generic image where no `grub.cfg` exists, this was fixed by creating it first ([bootengine#47](https://github.com/flatcar-linux/bootengine/pull/47)) ## Updates: - Linux ([5.15.54](https://lwn.net/Articles/900911) (includes [5.15.53](https://lwn.net/Articles/900321), [5.15.52](https://lwn.net/Articles/899788), [5.15.51](https://lwn.net/Articles/899370), [5.15.50](https://lwn.net/Articles/899091), [5.15.49](https://lwn.net/Articles/898622))) - Linux Firmware ([20220708](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220708)) - adcli ([0.9.1](https://gitlab.freedesktop.org/realmd/adcli/-/releases#0.9.1)) - ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html)) - cifs-utils ([6.15](https://lists.samba.org/archive/samba-technical/2022-April/137335.html)) - curl ([7.84.0](https://github.com/curl/curl/releases/tag/curl-7_84_0)) - gdb ([11.2](https://lists.gnu.org/archive/html/info-gnu/2022-01/msg00009.html)) - gnupg ([2.2.35](https://dev.gnupg.org/T5928)) - Go ([1.18.4](https://go.dev/doc/devel/release#go1.18.4)) - sudo ([1.9.10](https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_10)) - SDK: Rust ([1.62.0](https://github.com/rust-lang/rust/releases/tag/1.62.0)) # New **Beta** Release **3277.1.0** _Changes since **Alpha 3277.0.0**_ ## Security fixes: - Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918)) - Go ([CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705), [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962), [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131), [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630), [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631), [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632), [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633), [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635), [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148)) ## Bug fixes: - The Ignition v3 kargs directive failed before when used with the generic image where no `grub.cfg` exists, this was fixed by creating it first ([bootengine#47](https://github.com/flatcar-linux/bootengine/pull/47)) ## Updates: - Linux ([5.15.55](https://lwn.net/Articles/901380) (includes [5.15.54](https://lwn.net/Articles/900911), [5.15.53](https://lwn.net/Articles/900321), [5.15.52](https://lwn.net/Articles/899788), [5.15.51](https://lwn.net/Articles/899370), [5.15.50](https://lwn.net/Articles/899091), [5.15.49](https://lwn.net/Articles/898622))) - ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html)) - Go ([1.18.4](https://go.dev/doc/devel/release#go1.18.4)) _Changes since **Beta 3227.1.1**_ ## Security fixes: - Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918)) - curl ([CVE-2022-22576](https://nvd.nist.gov/vuln/detail/CVE-2022-22576), [CVE-2022-27774](https://nvd.nist.gov/vuln/detail/CVE-2022-27774), [CVE-2022-27775](https://nvd.nist.gov/vuln/detail/CVE-2022-27775), [CVE-2022-27776](https://nvd.nist.gov/vuln/detail/CVE-2022-27776), [CVE-2022-27778](https://nvd.nist.gov/vuln/detail/CVE-2022-27778), [CVE-2022-27779](https://nvd.nist.gov/vuln/detail/CVE-2022-27779), [CVE-2022-27780](https://nvd.nist.gov/vuln/detail/CVE-2022-27780), [CVE-2022-27781](https://nvd.nist.gov/vuln/detail/CVE-2022-27781), [CVE-2022-27782](https://nvd.nist.gov/vuln/detail/CVE-2022-27782), [CVE-2022-30115](https://nvd.nist.gov/vuln/detail/CVE-2022-30115)) - docker ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526)) - git ([CVE-2022-24765](https://nvd.nist.gov/vuln/detail/CVE-2022-24765)) - go ([CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705), [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962), [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131), [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630), [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631), [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632), [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633), [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635), [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148), [CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526)) - ignition ([CVE-2022-1706](https://nvd.nist.gov/vuln/detail/CVE-2022-1706)) - intel-microcode ([CVE-2022-21151](https://nvd.nist.gov/vuln/detail/CVE-2022-21151)) - libxml2 ([CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824)) - ncurses ([CVE-2022-29458](https://nvd.nist.gov/vuln/detail/CVE-2022-29458)) - openssl ([CVE-2022-1292](https://nvd.nist.gov/vuln/detail/CVE-2022-1292), [CVE-2022-1343](https://nvd.nist.gov/vuln/detail/CVE-2022-1343), [CVE-2022-1434](https://nvd.nist.gov/vuln/detail/CVE-2022-1434), [CVE-2022-1473](https://nvd.nist.gov/vuln/detail/CVE-2022-1473)) - rsync ([CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032)) - runc ([CVE-2022-29162](https://nvd.nist.gov/vuln/detail/CVE-2022-29162)) - torcx ([CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191)) - SDK: qemu ([CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203), [CVE-2021-3713](https://nvd.nist.gov/vuln/detail/CVE-2021-3713), [CVE-2021-3930](https://nvd.nist.gov/vuln/detail/CVE-2021-3930), [CVE-2021-3947](https://nvd.nist.gov/vuln/detail/CVE-2021-3947), [CVE-2021-4145](https://nvd.nist.gov/vuln/detail/CVE-2021-4145), [CVE-2022-26353](https://nvd.nist.gov/vuln/detail/CVE-2022-26353), [CVE-2022-26354](https://nvd.nist.gov/vuln/detail/CVE-2022-26354)) ## Bug fixes: - The Ignition v3 kargs directive failed before when used with the generic image where no `grub.cfg` exists, this was fixed by creating it first ([bootengine#47](https://github.com/flatcar-linux/bootengine/pull/47)) ## Changes: - Added efibootmgr binary to the image ([coreos-overlay#1955](https://github.com/flatcar-linux/coreos-overlay/pull/1955)) - Added VMware networking configuration in the initramfs via guestinfo settings ([bootengine#44](https://github.com/flatcar-linux/bootengine/pull/44), [flatcar#717](https://github.com/flatcar-linux/Flatcar/issues/717)) - Enabled `containerd.service` unit, `br_netfilter` and `overlay` modules by default to follow Kubernetes requirements ([coreos-overlay#1944](https://github.com/flatcar-linux/coreos-overlay/pull/1944), [init#72](https://github.com/flatcar-linux/init/pull/72)) - flatcar-install: Added option to create UEFI boot entry ([init#74](https://github.com/flatcar-linux/init/pull/74)) - VMWare: Added `ignition-delete-config.service` to remove Ignition config from VM metadata, see also [here](https://coreos.github.io/ignition/operator-notes/#automatic-config-deletion) ([coreos-overlay#1948](https://github.com/flatcar-linux/coreos-overlay/pull/1948)) ## Updates: - Linux ([5.15.55](https://lwn.net/Articles/901380) (includes [5.15.54](https://lwn.net/Articles/900911), [5.15.53](https://lwn.net/Articles/900321), [5.15.52](https://lwn.net/Articles/899788), [5.15.51](https://lwn.net/Articles/899370), [5.15.50](https://lwn.net/Articles/899091), [5.15.49](https://lwn.net/Articles/898622))) - Linux Firmware ([20220610](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220610)) - Docker ([20.10.17](https://docs.docker.com/engine/release-notes/#201017)) - Go ([1.18.4](https://go.dev/doc/devel/release#go1.18.4)) - ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html)) - curl [7.83.1](https://curl.se/mail/lib-2022-05/0010.html) - dbus ([1.12.22](https://gitlab.freedesktop.org/dbus/dbus/-/blob/177ab044bc87cbc4ded75d21b900795a6fefef76/NEWS)) - e2fsprogs ([1.46.5](http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.5)) - gdbm ([1.22](https://lists.gnu.org/archive/html/info-gnu/2021-10/msg00006.html)) - git ([2.35.3](https://github.com/git/git/blob/v2.35.3/Documentation/RelNotes/2.35.3.txt)) - ignition ([2.14.0](https://github.com/coreos/ignition/releases/tag/v2.14.0)) - intel-microcode ([20220510](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220510)) - ldb ([2.4.1](https://gitlab.com/samba-team/samba/-/commit/a795e0c84597aa045d011e663dbad3cdabf0f1e6)) - libxml2 ([2.9.14](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14)) - ncurses ([6.3_p20220423](https://lists.gnu.org/archive/html/info-gnu/2021-11/msg00001.html)) - open-vm-tools ([12.0.5](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.0.5)) - openssl ([3.0.3](https://www.openssl.org/news/changelog.html#openssl-30)) - python ([3.9.12](https://www.python.org/downloads/release/python-3912/)) - rsync ([3.2.4](https://download.samba.org/pub/rsync/NEWS.html#3.2.4)) - runc ([1.1.3](https://github.com/opencontainers/runc/releases/tag/v1.1.3)) - samba ([4.15.4](https://www.samba.org/samba/history/samba-4.15.4.html)) - sqlite ([3.38.1](https://www.sqlite.org/releaselog/3_38_1.html)) - talloc ([2.3.3](https://gitlab.com/samba-team/samba/-/commit/bc1ee7ca0640f0136e5af7dcc4ca8ed0a5893053)) - tevent ([0.11.0](https://gitlab.com/samba-team/samba/-/commit/de4e8a1af9564f6056f9af90867c2f013449051c)) - new: acpid ([2.0.33](https://sourceforge.net/p/acpid2/code/ci/2.0.33/tree/Changelog)) - OEM: distro ([1.7.0](https://github.com/python-distro/distro/releases/tag/v1.7.0)) - OEM: python ([3.9.12](https://www.python.org/downloads/release/python-3912/)) - SDK: qemu ([7.0.0](https://wiki.qemu.org/ChangeLog/7.0)) - SDK: Rust ([1.61.0](https://github.com/rust-lang/rust/releases/tag/1.61.0)) # New **Stable** Release **3227.2.0** _Changes since **Beta 3227.1.1**_ ## Security fixes: - Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918)) - Go ([CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705), [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962), [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131), [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630), [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631), [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632), [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633), [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635), [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148)) ## Bug fixes: - The Ignition v3 kargs directive failed before when used with the generic image where no `grub.cfg` exists, this was fixed by creating it first ([bootengine#47](https://github.com/flatcar-linux/bootengine/pull/47)) ## Changes: - Enabled `containerd.service` unit, `br_netfilter` and `overlay` modules by default to follow Kubernetes requirements ([coreos-overlay#1944](https://github.com/flatcar-linux/coreos-overlay/pull/1944), [init#72](https://github.com/flatcar-linux/init/pull/72)) ## Updates: - Linux ([5.15.55](https://lwn.net/Articles/901380) (includes [5.15.54](https://lwn.net/Articles/900911), [5.15.53](https://lwn.net/Articles/900321), [5.15.52](https://lwn.net/Articles/899788), [5.15.51](https://lwn.net/Articles/899370), [5.15.50](https://lwn.net/Articles/899091), [5.15.49](https://lwn.net/Articles/898622))) - Go ([1.17.12](https://go.dev/doc/devel/release#go1.17.12)) - ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html)) **Changes compared to stable-3139.2.3** ## Security fixes: - Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918)) - Go ([CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705), [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962), [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131), [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630), [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631), [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632), [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633), [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635), [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148)) - cifs-utils ([CVE-2021-20208](https://nvd.nist.gov/vuln/detail/CVE-2021-20208)) - containerd ([CVE-2022-23648](https://nvd.nist.gov/vuln/detail/CVE-2022-23648), [CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769), [CVE-2022-31030](https://nvd.nist.gov/vuln/detail/CVE-2022-31030)) - cryptsetup ([CVE-2021-4122](https://nvd.nist.gov/vuln/detail/CVE-2021-4122)) - duktape ([CVE-2021-46322](https://nvd.nist.gov/vuln/detail/CVE-2021-46322)) - gnutls ([CVE-2021-4209](https://nvd.nist.gov/vuln/detail/CVE-2021-4209), [GNUTLS-SA-2022-01-17](https://gitlab.com/gnutls/gnutls/-/issues/1277)) - gzip,xz-utils ([CVE-2022-1271](https://nvd.nist.gov/vuln/detail/CVE-2022-1271)) - intel-microcode ([CVE-2021-0127](https://nvd.nist.gov/vuln/detail/CVE-2021-0127), [CVE-2021-0146](https://nvd.nist.gov/vuln/detail/CVE-2021-0146)) - libarchive ([CVE-2021-31566](https://nvd.nist.gov/vuln/detail/CVE-2021-31566), [CVE-2021-36976](https://nvd.nist.gov/vuln/detail/CVE-2021-36976), [CVE-2022-26280](https://nvd.nist.gov/vuln/detail/CVE-2022-26280)) - libxml2 ([CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308)) - nvidia-drivers ([CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181), [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183), [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184), [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185)) - shadow ([CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235)) - systemd ([CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997)) - util-linux ([CVE-2021-3995](https://nvd.nist.gov/vuln/detail/CVE-2021-3995), [CVE-2021-3996](https://nvd.nist.gov/vuln/detail/CVE-2021-3996), [CVE-2022-0563](https://nvd.nist.gov/vuln/detail/CVE-2022-0563)) - vim ([CVE-2021-3984](https://nvd.nist.gov/vuln/detail/CVE-2021-3984), [CVE-2021-4019](https://nvd.nist.gov/vuln/detail/CVE-2021-4019), [CVE-2021-4069](https://nvd.nist.gov/vuln/detail/CVE-2021-4069), [CVE-2021-4136](https://nvd.nist.gov/vuln/detail/CVE-2021-4136), [CVE-2021-4173](https://nvd.nist.gov/vuln/detail/CVE-2021-4173),[ CVE-2021-4166](https://nvd.nist.gov/vuln/detail/CVE-2021-4166), [CVE-2021-4187](https://nvd.nist.gov/vuln/detail/CVE-2021-4187), [CVE-2021-4192](https://nvd.nist.gov/vuln/detail/CVE-2021-4192), [CVE-2021-4193](https://nvd.nist.gov/vuln/detail/CVE-2021-4193), [CVE-2022-0128](https://nvd.nist.gov/vuln/detail/CVE-2022-0128), [CVE-2022-0156](https://nvd.nist.gov/vuln/detail/CVE-2022-0156), [CVE-2022-0158](https://nvd.nist.gov/vuln/detail/CVE-2022-0158), [CVE-2022-0213](https://nvd.nist.gov/vuln/detail/CVE-2022-0213), [CVE-2022-0261](https://nvd.nist.gov/vuln/detail/CVE-2022-0261), [CVE-2022-0318](https://nvd.nist.gov/vuln/detail/CVE-2022-0318), [CVE-2022-0319](https://nvd.nist.gov/vuln/detail/CVE-2022-0319), [CVE-2022-0351](https://nvd.nist.gov/vuln/detail/CVE-2022-0351), [CVE-2022-0359](https://nvd.nist.gov/vuln/detail/CVE-2022-0359), [CVE-2022-0361](https://nvd.nist.gov/vuln/detail/CVE-2022-0361), [CVE-2022-0368](https://nvd.nist.gov/vuln/detail/CVE-2022-0368), [CVE-2022-0392](https://nvd.nist.gov/vuln/detail/CVE-2022-0392), [CVE-2022-0393](https://nvd.nist.gov/vuln/detail/CVE-2022-0393), [CVE-2022-0407](https://nvd.nist.gov/vuln/detail/CVE-2022-0407), [CVE-2022-0408](https://nvd.nist.gov/vuln/detail/CVE-2022-0408), [CVE-2022-0413](https://nvd.nist.gov/vuln/detail/CVE-2022-0413), [CVE-2022-0417](https://nvd.nist.gov/vuln/detail/CVE-2022-0417), [CVE-2022-0443](https://nvd.nist.gov/vuln/detail/CVE-2022-0443)) - zlib ([CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032)) - SDK: squashfs-tools ([CVE-2021-40153](https://nvd.nist.gov/vuln/detail/CVE-2021-40153), [CVE-2021-41072](https://nvd.nist.gov/vuln/detail/CVE-2021-41072)) ## Bug fixes: - Added `networkd` translation to `files` section when converting from Ignition 2.x to Ignition 3.x ([coreos-overlay#1910](https://github.com/flatcar-linux/coreos-overlay/pull/1910), [flatcar#741](https://github.com/flatcar-linux/Flatcar/issues/741)) - Added a remount action as `systemd-sysext.service` drop-in unit to restore the OEM partition mount after the overlay mounts in `/usr` are done ([init#69](https://github.com/flatcar-linux/init/pull/69)) - Fixed Ignition's OEM ID to be `metal` to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID `pxe` was used ([bootengine#45](https://github.com/flatcar-linux/bootengine/pull/45)) - Made Ignition write the SSH keys into a file under `authorized_keys.d/ignition` again and added a call to `update-ssh-keys` after Ignition ran to create the merged `authorized_keys` file, which fixes the problem that keys added by Ignition get lost when `update-ssh-keys` runs ([init#66](https://github.com/flatcar-linux/init/pull/66)) - Skipped starting `ensure-sysext.service` if `systemd-sysext.service` won't be started, to prevent reporting a dependency failure ([Flatcar#710](https://github.com/flatcar-linux/Flatcar/issues/710)) - The Ignition v3 kargs directive failed before when used with the generic image where no `grub.cfg` exists, this was fixed by creating it first ([bootengine#47](https://github.com/flatcar-linux/bootengine/pull/47)) ## Changes: - Added `auditd.service` but left it disabled by default, a custom configuration can be created by removing `/etc/audit/auditd.conf` and replacing it with an own file ([coreos-overlay#1636](https://github.com/flatcar-linux/coreos-overlay/pull/1636)) - Added `cryptsetup` to the initramfs for the Ignition `luks` directive ([flatcar-linux/coreos-overlay#1760](https://github.com/flatcar-linux/coreos-overlay/pull/1760)) - Besides Ignition v1 and v2 configurations, Ignition configurations with specification v3 (up to 3.3.0) are now supported, see the [docs section for details](https://www.flatcar.org/docs/latest/provisioning/ignition/specification/#ignition-v3) - Bring in dependencies for NFS4 with Kerberos both in kernel and userspace. Tested against NFS4.1 server. [coreos-overlay#1664](https://github.com/flatcar-linux/coreos-overlay/pull/1664) - Enabled `CONFIG_INTEL_RAPL` on AMD64 Kernel config to compile `intel_rapl_common` module in order to allow power monitoring on modern Intel processors ([coreos-overlay#1801](https://github.com/flatcar-linux/coreos-overlay/pull/1801)) - Enabled `containerd.service` unit, `br_netfilter` and `overlay` modules by default to follow Kubernetes requirements ([coreos-overlay#1944](https://github.com/flatcar-linux/coreos-overlay/pull/1944), [init#72](https://github.com/flatcar-linux/init/pull/72)) - Enabled `systemd-sysext.service` to activate systemd-sysext images on boot, to disable you will need to mask it. Also added a helper service `ensure-sysext.service` which reloads the systemd units to reevaluate the `sockets`, `timers`, and `multi-user` targets when `systemd-sysext.service` is (re)started, making it possible to enable units that are part of a sysext image ([init#65](https://github.com/flatcar-linux/init/pull/65)) - For amd64 `/usr/lib` used to be a symlink to `/usr/lib64` but now they became two separate folders as common in other distributions (and was the case for arm64 already). Compatibility symlinks exist in case `/usr/lib64` was used to access, e.g., the `modules` folder or the `systemd` folder ([coreos-overlay#1713](https://github.com/flatcar-linux/coreos-overlay/pull/1713), [scripts#255](https://github.com/flatcar-linux/scripts/pull/255)) - Made SELinux enabled by default in default containerd configuration file. ([coreos-overlay#1699](https://github.com/flatcar-linux/coreos-overlay/pull/1699)) - Removed rngd.service because it is not essential anymore for the kernel to boot fast in VM environments ([coreos-overlay#1700](https://github.com/flatcar-linux/coreos-overlay/pull/1700)) - The systemd-networkd `ManageForeignRoutes` and `ManageForeignRoutingPolicyRules` settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under `/etc/systemd/networkd.conf.d/` because drop-in files take precedence over `/etc/systemd/networkd.conf` ([init#61](https://github.com/flatcar-linux/init/pull/61)) - Azure VHD disks are now created using subformat=fixed, which makes them suitable for immediate upload to Azure using any tool. - Defined a systemd-sysext level that sysext images can match for instead of the OS version when they don't have a strong coupling, meaning the only metadata required is `SYSEXT_LEVEL=1.0` and `ID=flatcar` ([Flatcar#643](https://github.com/flatcar-linux/Flatcar/issues/643)) - ARM64: Added [cifs-utils](https://wiki.samba.org/index.php/LinuxCIFS_utils) for ARM64 - ARM64: Added [sssd](https://sssd.io/), [adcli](https://www.freedesktop.org/software/realmd/adcli/adcli.html) and realmd for ARM64 - AWS EC2: Removed the setup of `/etc/hostname` from the instance metadata because it used a long FQDN but we can just use use the hostname set via DHCP ([Flatcar#707](https://github.com/flatcar-linux/Flatcar/issues/707)) - Azure: Set up `/etc/hostname` from instance metadata with Afterburn - DigitalOcean: In addition to the `bz2` image, a `gz` compressed image is published. This helps against hitting the compression timeout that sometimes lets the image import fail. - OpenStack: In addition to the `bz2` image, a `gz` compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image. - SDK: The image compression format is now configurable. Supported formats are: `bz2`, `gz`, `zip`, `none`, `zst`. Selecting the image format can now be done by passing the `--image_compression_formats` option. This flag gets a comma separated list of formats. - SDK / ARM64: Added [go-tspi](https://pkg.go.dev/github.com/coreos/go-tspi) bindings for ARM64 ## Updates: - Linux ([5.15.55](https://lwn.net/Articles/901380) (includes [5.15.54](https://lwn.net/Articles/900911), [5.15.53](https://lwn.net/Articles/900321), [5.15.52](https://lwn.net/Articles/899788), [5.15.51](https://lwn.net/Articles/899370), [5.15.50](https://lwn.net/Articles/899091), [5.15.49](https://lwn.net/Articles/898622), [5.15.48](https://lwn.net/Articles/898124), [5.15.47](https://lwn.net/Articles/897904), [5.15.46](https://lwn.net/Articles/897377), [5.15.45](https://lwn.net/Articles/897167), [5.15.44](https://lwn.net/Articles/896647), [5.15.43](https://lwn.net/Articles/896231), [5.15.42](https://lwn.net/Articles/896226), [5.15.41](https://lwn.net/Articles/895645), [5.15.40](https://lwn.net/Articles/895318), [5.15.39](https://lwn.net/Articles/895070), [5.15.38](https://lwn.net/Articles/894357), [5.15.37](https://lwn.net/Articles/893264), [5.15.36](https://lwn.net/Articles/892812), [5.15.35](https://lwn.net/Articles/892002))) - Linux Firmware ([20220411](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220411) (includes [20220310](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220310), [20220209](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220209))) - Docker ([20.10.14](https://docs.docker.com/engine/release-notes/#201014) (includes [20.10.13](https://docs.docker.com/engine/release-notes/#201013))) - Go ([1.17.12](https://go.dev/doc/devel/release#go1.17.12)) - afterburn ([5.2.0](https://github.com/coreos/afterburn/releases/tag/v5.2.0)) - bind-tools ([9.16.27](https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_27/CHANGES)) - bpftool ([5.15.8](https://lwn.net/Articles/878631/)) - bridge-utils ([1.7.1](https://git.kernel.org/pub/scm/network/bridge/bridge-utils.git/log/?h=v1.7.1)) - ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html) (includes [3.79](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_79.html), [3.78](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_78.html), [3.77](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_77.html), [3.76](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_76.html), [3.75](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_75.html))) - cifs-utils ([6.13](https://lkml.kernel.org/linux-cifs/CAKywueSqRGSFmeDHQacyu831BNUeGFxGg3vgBmozzhkGBCjyXQ@mail.gmail.com/T/)) - conntrack-tools ([1.4.6](https://lists.netfilter.org/pipermail/netfilter-announce/2020/000240.html)) - containerd ([1.6.6](https://github.com/containerd/containerd/releases/tag/v1.6.6) (includes [1.6.5](https://github.com/containerd/containerd/releases/tag/v1.6.5), [1.6.4](https://github.com/containerd/containerd/releases/tag/v1.6.4), [1.6.3](https://github.com/containerd/containerd/releases/tag/v1.6.3), [1.6.2](https://github.com/containerd/containerd/releases/tag/v1.6.2), [1.6.1](https://github.com/containerd/containerd/releases/tag/v1.6.1), [1.6.0](https://github.com/containerd/containerd/releases/tag/v1.6.0))) - cryptsetup ([2.4.3](https://lore.kernel.org/all/572c18a7bf60cb1b0f67c3a03c531d7e7ed31832.camel@scientia.net/T/)) - dosfstools ([4.2](https://github.com/dosfstools/dosfstools/releases/tag/v4.2)) - duktape ([2.7.0](https://github.com/svaarala/duktape/releases/tag/v2.7.0)) - e2fsprogs ([1.46.4](http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.4)) - elfutils ([0.186](https://sourceware.org/git/?p=elfutils.git;a=blob;f=NEWS;h=490932ae4ef9b5a3af01d2c8c616f14d57586046;hb=983e86fd89e8bf02f2d27ba5dce5bf078af4ceda)) - gcc ([10.3.0](https://gcc.gnu.org/gcc-10/changes.html)) - gnutls ([3.7.3](https://gitlab.com/gnutls/gnutls/-/merge_requests/1517)) - grep ([3.7](https://savannah.gnu.org/forum/forum.php?forum_id=10037)) - gzip ([1.12](https://savannah.gnu.org/forum/forum.php?forum_id=10157) (includes [1.11](https://lists.gnu.org/archive/html/info-gnu/2021-09/msg00002.html))) - ignition ([2.13.0](https://github.com/coreos/ignition/releases/tag/v2.13.0)) - intel-microcode ([20220207_p20220207](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207)) - iperf ([3.10.1](https://github.com/esnet/iperf/blob/master/RELNOTES.md#iperf-3101-2021-06-03)) - jansson ([2.14](https://github.com/akheron/jansson/blob/v2.14/CHANGES)) - kexec-tools ([2.0.22](https://www.spinics.net/lists/kexec/msg26864.html)) - less ([590](https://www.greenwoodsoftware.com/less/news.590.html)) - libarchive ([3.6.1](https://github.com/libarchive/libarchive/releases/tag/v3.6.1) (includes [3.5.3](https://github.com/libarchive/libarchive/releases/tag/v3.5.3))) - libbsd ([0.11.3](https://gitlab.freedesktop.org/libbsd/libbsd/-/commits/0.11.3/)) - libmspack ([0.10.1_alpha](https://github.com/kyz/libmspack/blob/v0.10.1alpha/libmspack/ChangeLog)) - libnetfilter_queue ([1.0.5](https://git.netfilter.org/libnetfilter_queue/log/?h=libnetfilter_queue-1.0.5)) - libpcap ([1.10.1](https://git.tcpdump.org/libpcap/blob/c7642e2cc0c5bd65754685b160d25dc23c76c6bd:/CHANGES)) - libtasn1 ([4.17.0](https://gitlab.com/gnutls/libtasn1/-/blob/v4.17.0/NEWS)) - liburing ([2.1](https://github.com/axboe/liburing/commits/liburing-2.1)) - libxml2 ([2.9.13](http://www.xmlsoft.org/news.html)) - lsscsi ([0.32](https://sg.danny.cz/scsi/lsscsi.ChangeLog)) - mdadm ([4.2](https://lore.kernel.org/all/28fdbc45-96ca-7cdb-3ced-a5f65d978048@trained-monkey.org/T/)) - multipath-tools ([0.8.7](https://github.com/opensvc/multipath-tools/commits/0.8.7)) - nfs-utils ([2.5.4](https://lore.kernel.org/linux-fsdevel/c8795653-7728-18a4-93dc-58943ad0fe09@redhat.com/)) - nghttp2 ([1.45.1](https://github.com/nghttp2/nghttp2/releases/tag/v1.45.1)) - nvidia-drivers ([510.73.05](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-510-73-05/index.html)) - nvme-cli ([1.16](https://github.com/linux-nvme/nvme-cli/commits/deee9cae1ac94760deebd71f8e5449061338666c)) - oniguruma ([6.9.7.1](https://github.com/kkos/oniguruma/releases/tag/v6.9.7.1)) - open-isns ([0.101](https://github.com/open-iscsi/open-isns/blob/v0.101/ChangeLog)) - pam ([1.5.1_p20210622](https://github.com/linux-pam/linux-pam/commit/fe1307512fb8892b5ceb3d884c793af8dbd4c16a)) - pambase (20220214) - pcre2 ([10.39](https://github.com/PhilipHazel/pcre2/blob/pcre2-10.39/NEWS)) - pinentry ([1.2.0](https://dev.gnupg.org/T5566)) - quota ([4.06](https://sourceforge.net/p/linuxquota/code/ci/0acd4cc6275122fd9864cb7b5d349e65a2622920/)) - rpcbind ([1.2.6](https://git.linux-nfs.org/?p=steved/rpcbind.git;a=shortlog;h=refs/tags/rpcbind-1_2_6)) - runc ([1.1.1](https://github.com/opencontainers/runc/releases/tag/v1.1.1)) - socat ([1.7.4.3](https://repo.or.cz/socat.git/blob/refs/tags/tag-1.7.4.3:/CHANGES)) - shadow ([4.11.1](https://github.com/shadow-maint/shadow/releases/tag/v4.11.1)) - systemd ([250.3](https://github.com/systemd/systemd-stable/releases/tag/v250.3)) - timezone-data ([2021a](https://mm.icann.org/pipermail/tz-announce/2021-January/000065.html)) - tcpdump ([4.99.1](https://git.tcpdump.org/tcpdump/blob/5f552b5e6e9fe05f7ad9681d51d0303233daba6a:/CHANGES)) - thin-provisioning-tools ([0.9.0](https://github.com/jthornber/thin-provisioning-tools/blob/d6d93c3157631b242a13a81d30f75453e576c55a/CHANGES#L1-L9)) - unzip ([6.0_p26](https://metadata.ftp-master.debian.org/changelogs//main/u/unzip/unzip_6.0-26_changelog)) - util-linux ([2.37.4](https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/v2.37.4-ChangeLog)) - vim ([8.2.4328](https://github.com/vim/vim/releases/tag/v8.2.4328)) - whois ([5.5.11](https://github.com/rfc1036/whois/commit/5f5ba8312c04a759dad05723c035549273d07461)) - xfsprogs ([5.14.2](https://marc.info/?l=linux-xfs&m=163883318025390&w=2)) - zlib ([1.2.12](https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/ChangeLog#L4)) - SDK: gcc-config ([2.5](https://gitweb.gentoo.org/proj/gcc-config.git/tag/?h=v2.5)) - SDK: iasl ([20200717](https://www.acpica.org/node/183)) - SDK: man-db ([2.9.4](https://gitlab.com/cjwatson/man-db/-/tags/2.9.4)) - SDK: man-pages ([5.12-r2](https://man7.org/linux/man-pages/changelog.html#release_5.12)) - SDK: netperf ([2.7.0](https://github.com/HewlettPackard/netperf/blob/netperf-2.7.0/Release_Notes)) - SDK: Rust ([1.60.0](https://github.com/rust-lang/rust/releases/tag/1.60.0) (includes [1.59.0](https://github.com/rust-lang/rust/releases/tag/1.59.0))) - SDK: squashfs-tools ([4.5_p20210914](https://lore.kernel.org/lkml/CAB3woddJss+ziGp-RjJ-yiax6pc_HLMdxk3Qk5nJdRgjpEYWBg@mail.gmail.com/)) - VMware: open-vm-tools ([12.0.0](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.0.0)) # New **LTS-2022** Release **3033.3.3** Changes since lts-3033.3.2 ## Security fixes: - Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2021-33656](https://nvd.nist.gov/vuln/detail/CVE-2021-33656), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-32296](https://nvd.nist.gov/vuln/detail/CVE-2022-32296), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918)) - containerd ([CVE-2022-31030](https://nvd.nist.gov/vuln/detail/CVE-2022-31030)) ## Bug fixes: - Removed outdated LTS channel information printed on login ([init#75](https://github.com/flatcar-linux/init/pull/75)) ## Changes: - Enabled `containerd.service` unit, `br_netfilter` and `overlay` modules by default to follow Kubernetes requirements ([coreos-overlay#1944](https://github.com/flatcar-linux/coreos-overlay/pull/1944), [init#72](https://github.com/flatcar-linux/init/pull/72)) - DigitalOcean: In addition to the `bz2` image, a `gz` compressed image is published. This helps against hitting the compression timeout that sometimes lets the image import fail. - OpenStack: In addition to the `bz2` image, a `gz` compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image. - SDK: The image compression format is now configurable. Supported formats are: `bz2`, `gz`, `zip`, `none`, `zst`. Selecting the image format can now be done by passing the `--image_compression_formats` option. This flag gets a comma separated list of formats. ## Updates: - Linux ([5.10.131](https://lwn.net/Articles/901381/) (includes [5.10.130](https://lwn.net/Articles/900910), [5.10.129](https://lwn.net/Articles/900322), [5.10.128](https://lwn.net/Articles/899789), [5.10.127](https://lwn.net/Articles/899371), [5.10.126](https://lwn.net/Articles/899121), [5.10.125](https://lwn.net/Articles/899090), [5.10.124](https://lwn.net/Articles/898623))) - ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html)) - containerd ([1.5.13](https://github.com/containerd/containerd/releases/tag/v1.5.13)) Best, The Flatcar Container Linux Maintainers --- ### Security **Subject**: Security issues fixed with the latest Alpha 3305.0.0, Beta 3277.1.0, Stable 3227.2.0, LTS-2022 3033.3.3 releases **Security fix**: With the Alpha 3305.0.0, Beta 3277.1.0, Stable 3227.2.0, LTS-2022 3033.3.3 releases we ship fixes for the CVEs listed below. #### Alpha 3305.0.0 * Linux * [CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655) CVSSv3 score: n/a When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. * [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318) CVSSv3 score: 5.5(Medium) There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges. * [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743) CVSSv3 score: 7.8(High) network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. * [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744) CVSSv3 score: 4.7(Medium) Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. * [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. * cifs-utils * [CVE-2022-27239](https://nvd.nist.gov/vuln/detail/CVE-2022-27239) CVSSv3 score: 7.8(High) In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges. * [CVE-2022-29869](https://nvd.nist.gov/vuln/detail/CVE-2022-29869) CVSSv3 score: 5.3(Medium) cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. * curl * [CVE-2022-32205](https://nvd.nist.gov/vuln/detail/CVE-2022-32205) CVSSv3 score: 4.3(Medium) A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method. * [CVE-2022-32206](https://nvd.nist.gov/vuln/detail/CVE-2022-32206) CVSSv3 score: 6.5(Medium) curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors. * [CVE-2022-32207](https://nvd.nist.gov/vuln/detail/CVE-2022-32207) CVSSv3 score: 9.8(Critical) When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. * [CVE-2022-32208](https://nvd.nist.gov/vuln/detail/CVE-2022-32208) CVSSv3 score: 5.9(Medium) When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. * gnupg * [CVE-2022-34903](https://nvd.nist.gov/vuln/detail/CVE-2022-34903) CVSSv3 score: 6.5(Medium) GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. * Go * [CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705) CVSSv3 score: n/a net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. * [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962) CVSSv3 score: n/a go/parser: stack exhaustion in all Parse* functions. Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. * [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131) CVSSv3 score: n/a encoding/xml: stack exhaustion in Decoder.Skip. Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. * [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630) CVSSv3 score: n/a io/fs: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. * [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631) CVSSv3 score: n/a compress/gzip: stack exhaustion in Reader.Read. Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. * [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632) CVSSv3 score: n/a path/filepath: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. * [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633) CVSSv3 score: n/a encoding/xml: stack exhaustion in Unmarshal. Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion. * [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635) CVSSv3 score: n/a encoding/gob: stack exhaustion in Decoder.Decode. Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. * [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148) CVSSv3 score: n/a net/http: When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected. #### Beta 3277.1.0 * Linux * [CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655) CVSSv3 score: n/a When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. * [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318) CVSSv3 score: 5.5(Medium) There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges. * [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743) CVSSv3 score: 7.8(High) network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. * [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744) CVSSv3 score: 4.7(Medium) Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. * [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. * Go * [CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705) CVSSv3 score: n/a net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. * [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962) CVSSv3 score: n/a go/parser: stack exhaustion in all Parse* functions. Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. * [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131) CVSSv3 score: n/a encoding/xml: stack exhaustion in Decoder.Skip. Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. * [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630) CVSSv3 score: n/a io/fs: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. * [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631) CVSSv3 score: n/a compress/gzip: stack exhaustion in Reader.Read. Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. * [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632) CVSSv3 score: n/a path/filepath: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. * [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633) CVSSv3 score: n/a encoding/xml: stack exhaustion in Unmarshal. Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion. * [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635) CVSSv3 score: n/a encoding/gob: stack exhaustion in Decoder.Decode. Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. * [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148) CVSSv3 score: n/a net/http: When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected. #### Stable 3227.2.0 * Linux * [CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655) CVSSv3 score: n/a When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. * [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318) CVSSv3 score: 5.5(Medium) There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges. * [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743) CVSSv3 score: 7.8(High) network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. * [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744) CVSSv3 score: 4.7(Medium) Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. * [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. * Go * [CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705) CVSSv3 score: n/a net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. * [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962) CVSSv3 score: n/a go/parser: stack exhaustion in all Parse* functions. Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. * [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131) CVSSv3 score: n/a encoding/xml: stack exhaustion in Decoder.Skip. Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. * [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630) CVSSv3 score: n/a io/fs: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. * [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631) CVSSv3 score: n/a compress/gzip: stack exhaustion in Reader.Read. Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. * [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632) CVSSv3 score: n/a path/filepath: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. * [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633) CVSSv3 score: n/a encoding/xml: stack exhaustion in Unmarshal. Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion. * [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635) CVSSv3 score: n/a encoding/gob: stack exhaustion in Decoder.Decode. Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. * [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148) CVSSv3 score: n/a net/http: When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected. #### LTS-2022 3033.3.3 * Linux * [CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655) CVSSv3 score: n/a When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. * [CVE-2021-33656](https://nvd.nist.gov/vuln/detail/CVE-2021-33656) CVSSv3 score: n/a When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds. * [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318) CVSSv3 score: 5.5(Medium) There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges. * [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-32296](https://nvd.nist.gov/vuln/detail/CVE-2022-32296) CVSSv3 score: 3.3(Low) The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. * [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743) CVSSv3 score: 7.8(High) network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. * [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744) CVSSv3 score: 4.7(Medium) Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. * [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. * containerd * [CVE-2022-31030](https://nvd.nist.gov/vuln/detail/CVE-2022-31030) CVSSv3 score: n/a containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used. --- ### Communication #### Twitter _The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._ New Flatcar releases now available for Alpha+Beta+Stable+LTS-2022! 🚀 New major version bumps for Alpha, Beta, and Stable 🩹 Fix a bug when running ignition v3 with kargs directive. 📦 Many package updates: Linux Kernel, Go, containerd, gnupg 📜 Release notes at the usual spot: https://www.flatcar.org/releases/ #### Kubernetes Slack _This goes in the #flatcar channel_ Please welcome Flatcar releases of this month: - Alpha 3305.0.0 (new major) - Beta 3277.1.0 (new major) - Stable 3227.2.0 (new major) - LTS-2022 3033.3.3 (maintenance release) These releases include: 🚀 New major version bumps for Alpha, Beta, and Stable 🩹 Fix a bug when running ignition v3 with kargs directive. 📦 Many package updates: Linux Kernel, Go, containerd, gnupg 📜 Release notes in usual spot: https://www.flatcar.org/releases/

    Import from clipboard

    Paste your markdown or webpage here...

    Advanced permission required

    Your current role can only read. Ask the system administrator to acquire write and comment permission.

    This team is disabled

    Sorry, this team is disabled. You can't edit this note.

    This note is locked

    Sorry, only owner can edit this note.

    Reach the limit

    Sorry, you've reached the max length this note can be.
    Please reduce the content or divide it to more notes, thank you!

    Import from Gist

    Import from Snippet

    or

    Export to Snippet

    Are you sure?

    Do you really want to delete this note?
    All users will lose their connection.

    Create a note from template

    Create a note from template

    Oops...
    This template has been removed or transferred.
    Upgrade
    All
    • All
    • Team
    No template.

    Create a template

    Upgrade

    Delete template

    Do you really want to delete this template?
    Turn this template into a regular note and keep its content, versions, and comments.

    This page need refresh

    You have an incompatible client version.
    Refresh to update.
    New version available!
    See releases notes here
    Refresh to enjoy new features.
    Your user state has changed.
    Refresh to load new user state.

    Sign in

    Forgot password

    or

    By clicking below, you agree to our terms of service.

    Sign in via Facebook Sign in via Twitter Sign in via GitHub Sign in via Dropbox Sign in with Wallet
    Wallet ( )
    Connect another wallet

    New to HackMD? Sign up

    Help

    • English
    • 中文
    • Français
    • Deutsch
    • 日本語
    • Español
    • Català
    • Ελληνικά
    • Português
    • italiano
    • Türkçe
    • Русский
    • Nederlands
    • hrvatski jezik
    • język polski
    • Українська
    • हिन्दी
    • svenska
    • Esperanto
    • dansk

    Documents

    Help & Tutorial

    How to use Book mode

    Slide Example

    API Docs

    Edit in VSCode

    Install browser extension

    Contacts

    Feedback

    Discord

    Send us email

    Resources

    Releases

    Pricing

    Blog

    Policy

    Terms

    Privacy

    Cheatsheet

    Syntax Example Reference
    # Header Header 基本排版
    - Unordered List
    • Unordered List
    1. Ordered List
    1. Ordered List
    - [ ] Todo List
    • Todo List
    > Blockquote
    Blockquote
    **Bold font** Bold font
    *Italics font* Italics font
    ~~Strikethrough~~ Strikethrough
    19^th^ 19th
    H~2~O H2O
    ++Inserted text++ Inserted text
    ==Marked text== Marked text
    [link text](https:// "title") Link
    ![image alt](https:// "title") Image
    `Code` Code 在筆記中貼入程式碼
    ```javascript
    var i = 0;
    ```    		 
    var i = 0;
    :smile: :smile: Emoji list
    {%youtube youtube_id %} Externals
    $L^aT_eX$ LaTeX
    :::info
    This is a alert area.
    :::

    This is a alert area.
    Versions and GitHub Sync
    Get Full History Access

    • Edit version name
    • Delete

    revision author avatar     named on  

    More Less

    Note content is identical to the latest version.
    Compare
      Choose a version
      No search result
      Version not found
    Sign in to link this note to GitHub
    Learn more
    This note is not linked with GitHub
     

    Feedback

    Submission failed, please try again

    Thanks for your support.

    On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

    Please give us some advice and help us improve HackMD.

     

    Thanks for your feedback

    Remove version name

    Do you want to remove this version name and description?

    Transfer ownership

    Transfer to
      Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

        Link with GitHub

        Please authorize HackMD on GitHub
        • Please sign in to GitHub and install the HackMD app on your GitHub repo.
        • HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.
        Learn more  Sign in to GitHub

        Push the note to GitHub Push to GitHub Pull a file from GitHub

          Authorize again
         

        Choose which file to push to

        Select repo
        Refresh Authorize more repos
        Select branch
        Select file
        Select branch
        Choose version(s) to push
        • Save a new version and push
        • Choose from existing versions
        Include title and tags
        Available push count

        Pull from GitHub

         
        File from GitHub
        File from HackMD

        GitHub Link Settings

        File linked

        Linked by
        File path
        Last synced branch
        Available push count

        Danger Zone

        Unlink
        You will no longer receive notification when GitHub file changes after unlink.

        Syncing

        Push failed

        Push successfully