owned this note
owned this note
Published
Linked with GitHub
# Flatcar Container Linux Release - 2022-07-21
## Flatcar-linux-Alpha-3305.0.0
- AMD64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_ / _WAIT_ / _NO-GO_
## Flatcar-Linux-Beta-3277.1.0
- AMD64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_ / _WAIT_ / _NO-GO_
## Flatcar-Linux-Stable-3227.2.0
- AMD64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
## Flatcar-Linux-LTS-2022-3033.3.3
- AMD64-usr
- Platforms succeeded: All except for AWS and Equinix Metal
- Platforms failed: AWS, Equinix Metal
- AWS: flaky failure at cl.internet with m4.2xlarge: machine failed to start: ssh journalctl failed: time limit exceeded: dial tcp 34.222.214.75:22: i/o timeout
- Equinix Metal: flaky failure at cl.internet with s3.xlarge.x86: machine failed to start: ssh journalctl failed: time limit exceeded: dial tcp 139.178.90.27:22: i/o timeout"
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_ / _WAIT_ / _NO-GO_
## Communication
---
### Announcement Message
Subject: Announcing new Alpha 3305.0.0, Beta 3277.1.0, Stable 3227.2.0, LTS-2022 3033.3.3 releases.
Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable and LTS-2022 channels.
# New **Alpha** Release **3305.0.0**
_Changes since **Alpha 3277.0.0**_
## Security fixes:
- Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918))
- cifs-utils ([CVE-2022-27239](https://nvd.nist.gov/vuln/detail/CVE-2022-27239), [CVE-2022-29869](https://nvd.nist.gov/vuln/detail/CVE-2022-29869))
- curl ([CVE-2022-32205](https://nvd.nist.gov/vuln/detail/CVE-2022-32205), [CVE-2022-32206](https://nvd.nist.gov/vuln/detail/CVE-2022-32206), [CVE-2022-32207](https://nvd.nist.gov/vuln/detail/CVE-2022-32207), [CVE-2022-32208](https://nvd.nist.gov/vuln/detail/CVE-2022-32208))
- gnupg ([CVE-2022-34903](https://nvd.nist.gov/vuln/detail/CVE-2022-34903))
- Go ([CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705), [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962), [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131), [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630), [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631), [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632), [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633), [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635), [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148))
## Bug fixes:
- Removed outdated LTS channel information printed on login ([init#75](https://github.com/flatcar-linux/init/pull/75))
- The Ignition v3 kargs directive failed before when used with the generic image where no `grub.cfg` exists, this was fixed by creating it first ([bootengine#47](https://github.com/flatcar-linux/bootengine/pull/47))
## Updates:
- Linux ([5.15.54](https://lwn.net/Articles/900911) (includes [5.15.53](https://lwn.net/Articles/900321), [5.15.52](https://lwn.net/Articles/899788), [5.15.51](https://lwn.net/Articles/899370), [5.15.50](https://lwn.net/Articles/899091), [5.15.49](https://lwn.net/Articles/898622)))
- Linux Firmware ([20220708](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220708))
- adcli ([0.9.1](https://gitlab.freedesktop.org/realmd/adcli/-/releases#0.9.1))
- ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html))
- cifs-utils ([6.15](https://lists.samba.org/archive/samba-technical/2022-April/137335.html))
- curl ([7.84.0](https://github.com/curl/curl/releases/tag/curl-7_84_0))
- gdb ([11.2](https://lists.gnu.org/archive/html/info-gnu/2022-01/msg00009.html))
- gnupg ([2.2.35](https://dev.gnupg.org/T5928))
- Go ([1.18.4](https://go.dev/doc/devel/release#go1.18.4))
- sudo ([1.9.10](https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_10))
- SDK: Rust ([1.62.0](https://github.com/rust-lang/rust/releases/tag/1.62.0))
# New **Beta** Release **3277.1.0**
_Changes since **Alpha 3277.0.0**_
## Security fixes:
- Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918))
- Go ([CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705), [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962), [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131), [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630), [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631), [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632), [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633), [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635), [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148))
## Bug fixes:
- The Ignition v3 kargs directive failed before when used with the generic image where no `grub.cfg` exists, this was fixed by creating it first ([bootengine#47](https://github.com/flatcar-linux/bootengine/pull/47))
## Updates:
- Linux ([5.15.55](https://lwn.net/Articles/901380) (includes [5.15.54](https://lwn.net/Articles/900911), [5.15.53](https://lwn.net/Articles/900321), [5.15.52](https://lwn.net/Articles/899788), [5.15.51](https://lwn.net/Articles/899370), [5.15.50](https://lwn.net/Articles/899091), [5.15.49](https://lwn.net/Articles/898622)))
- ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html))
- Go ([1.18.4](https://go.dev/doc/devel/release#go1.18.4))
_Changes since **Beta 3227.1.1**_
## Security fixes:
- Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918))
- curl ([CVE-2022-22576](https://nvd.nist.gov/vuln/detail/CVE-2022-22576), [CVE-2022-27774](https://nvd.nist.gov/vuln/detail/CVE-2022-27774), [CVE-2022-27775](https://nvd.nist.gov/vuln/detail/CVE-2022-27775), [CVE-2022-27776](https://nvd.nist.gov/vuln/detail/CVE-2022-27776), [CVE-2022-27778](https://nvd.nist.gov/vuln/detail/CVE-2022-27778), [CVE-2022-27779](https://nvd.nist.gov/vuln/detail/CVE-2022-27779), [CVE-2022-27780](https://nvd.nist.gov/vuln/detail/CVE-2022-27780), [CVE-2022-27781](https://nvd.nist.gov/vuln/detail/CVE-2022-27781), [CVE-2022-27782](https://nvd.nist.gov/vuln/detail/CVE-2022-27782), [CVE-2022-30115](https://nvd.nist.gov/vuln/detail/CVE-2022-30115))
- docker ([CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526))
- git ([CVE-2022-24765](https://nvd.nist.gov/vuln/detail/CVE-2022-24765))
- go ([CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705), [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962), [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131), [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630), [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631), [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632), [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633), [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635), [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148), [CVE-2022-29526](https://nvd.nist.gov/vuln/detail/CVE-2022-29526))
- ignition ([CVE-2022-1706](https://nvd.nist.gov/vuln/detail/CVE-2022-1706))
- intel-microcode ([CVE-2022-21151](https://nvd.nist.gov/vuln/detail/CVE-2022-21151))
- libxml2 ([CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824))
- ncurses ([CVE-2022-29458](https://nvd.nist.gov/vuln/detail/CVE-2022-29458))
- openssl ([CVE-2022-1292](https://nvd.nist.gov/vuln/detail/CVE-2022-1292), [CVE-2022-1343](https://nvd.nist.gov/vuln/detail/CVE-2022-1343), [CVE-2022-1434](https://nvd.nist.gov/vuln/detail/CVE-2022-1434), [CVE-2022-1473](https://nvd.nist.gov/vuln/detail/CVE-2022-1473))
- rsync ([CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032))
- runc ([CVE-2022-29162](https://nvd.nist.gov/vuln/detail/CVE-2022-29162))
- torcx ([CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191))
- SDK: qemu ([CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203), [CVE-2021-3713](https://nvd.nist.gov/vuln/detail/CVE-2021-3713), [CVE-2021-3930](https://nvd.nist.gov/vuln/detail/CVE-2021-3930), [CVE-2021-3947](https://nvd.nist.gov/vuln/detail/CVE-2021-3947), [CVE-2021-4145](https://nvd.nist.gov/vuln/detail/CVE-2021-4145), [CVE-2022-26353](https://nvd.nist.gov/vuln/detail/CVE-2022-26353), [CVE-2022-26354](https://nvd.nist.gov/vuln/detail/CVE-2022-26354))
## Bug fixes:
- The Ignition v3 kargs directive failed before when used with the generic image where no `grub.cfg` exists, this was fixed by creating it first ([bootengine#47](https://github.com/flatcar-linux/bootengine/pull/47))
## Changes:
- Added efibootmgr binary to the image ([coreos-overlay#1955](https://github.com/flatcar-linux/coreos-overlay/pull/1955))
- Added VMware networking configuration in the initramfs via guestinfo settings ([bootengine#44](https://github.com/flatcar-linux/bootengine/pull/44), [flatcar#717](https://github.com/flatcar-linux/Flatcar/issues/717))
- Enabled `containerd.service` unit, `br_netfilter` and `overlay` modules by default to follow Kubernetes requirements ([coreos-overlay#1944](https://github.com/flatcar-linux/coreos-overlay/pull/1944), [init#72](https://github.com/flatcar-linux/init/pull/72))
- flatcar-install: Added option to create UEFI boot entry ([init#74](https://github.com/flatcar-linux/init/pull/74))
- VMWare: Added `ignition-delete-config.service` to remove Ignition config from VM metadata, see also [here](https://coreos.github.io/ignition/operator-notes/#automatic-config-deletion) ([coreos-overlay#1948](https://github.com/flatcar-linux/coreos-overlay/pull/1948))
## Updates:
- Linux ([5.15.55](https://lwn.net/Articles/901380) (includes [5.15.54](https://lwn.net/Articles/900911), [5.15.53](https://lwn.net/Articles/900321), [5.15.52](https://lwn.net/Articles/899788), [5.15.51](https://lwn.net/Articles/899370), [5.15.50](https://lwn.net/Articles/899091), [5.15.49](https://lwn.net/Articles/898622)))
- Linux Firmware ([20220610](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220610))
- Docker ([20.10.17](https://docs.docker.com/engine/release-notes/#201017))
- Go ([1.18.4](https://go.dev/doc/devel/release#go1.18.4))
- ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html))
- curl [7.83.1](https://curl.se/mail/lib-2022-05/0010.html)
- dbus ([1.12.22](https://gitlab.freedesktop.org/dbus/dbus/-/blob/177ab044bc87cbc4ded75d21b900795a6fefef76/NEWS))
- e2fsprogs ([1.46.5](http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.5))
- gdbm ([1.22](https://lists.gnu.org/archive/html/info-gnu/2021-10/msg00006.html))
- git ([2.35.3](https://github.com/git/git/blob/v2.35.3/Documentation/RelNotes/2.35.3.txt))
- ignition ([2.14.0](https://github.com/coreos/ignition/releases/tag/v2.14.0))
- intel-microcode ([20220510](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220510))
- ldb ([2.4.1](https://gitlab.com/samba-team/samba/-/commit/a795e0c84597aa045d011e663dbad3cdabf0f1e6))
- libxml2 ([2.9.14](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14))
- ncurses ([6.3_p20220423](https://lists.gnu.org/archive/html/info-gnu/2021-11/msg00001.html))
- open-vm-tools ([12.0.5](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.0.5))
- openssl ([3.0.3](https://www.openssl.org/news/changelog.html#openssl-30))
- python ([3.9.12](https://www.python.org/downloads/release/python-3912/))
- rsync ([3.2.4](https://download.samba.org/pub/rsync/NEWS.html#3.2.4))
- runc ([1.1.3](https://github.com/opencontainers/runc/releases/tag/v1.1.3))
- samba ([4.15.4](https://www.samba.org/samba/history/samba-4.15.4.html))
- sqlite ([3.38.1](https://www.sqlite.org/releaselog/3_38_1.html))
- talloc ([2.3.3](https://gitlab.com/samba-team/samba/-/commit/bc1ee7ca0640f0136e5af7dcc4ca8ed0a5893053))
- tevent ([0.11.0](https://gitlab.com/samba-team/samba/-/commit/de4e8a1af9564f6056f9af90867c2f013449051c))
- new: acpid ([2.0.33](https://sourceforge.net/p/acpid2/code/ci/2.0.33/tree/Changelog))
- OEM: distro ([1.7.0](https://github.com/python-distro/distro/releases/tag/v1.7.0))
- OEM: python ([3.9.12](https://www.python.org/downloads/release/python-3912/))
- SDK: qemu ([7.0.0](https://wiki.qemu.org/ChangeLog/7.0))
- SDK: Rust ([1.61.0](https://github.com/rust-lang/rust/releases/tag/1.61.0))
# New **Stable** Release **3227.2.0**
_Changes since **Beta 3227.1.1**_
## Security fixes:
- Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918))
- Go ([CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705), [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962), [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131), [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630), [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631), [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632), [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633), [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635), [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148))
## Bug fixes:
- The Ignition v3 kargs directive failed before when used with the generic image where no `grub.cfg` exists, this was fixed by creating it first ([bootengine#47](https://github.com/flatcar-linux/bootengine/pull/47))
## Changes:
- Enabled `containerd.service` unit, `br_netfilter` and `overlay` modules by default to follow Kubernetes requirements ([coreos-overlay#1944](https://github.com/flatcar-linux/coreos-overlay/pull/1944), [init#72](https://github.com/flatcar-linux/init/pull/72))
## Updates:
- Linux ([5.15.55](https://lwn.net/Articles/901380) (includes [5.15.54](https://lwn.net/Articles/900911), [5.15.53](https://lwn.net/Articles/900321), [5.15.52](https://lwn.net/Articles/899788), [5.15.51](https://lwn.net/Articles/899370), [5.15.50](https://lwn.net/Articles/899091), [5.15.49](https://lwn.net/Articles/898622)))
- Go ([1.17.12](https://go.dev/doc/devel/release#go1.17.12))
- ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html))
**Changes compared to stable-3139.2.3**
## Security fixes:
- Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918))
- Go ([CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705), [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962), [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131), [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630), [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631), [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632), [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633), [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635), [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148))
- cifs-utils ([CVE-2021-20208](https://nvd.nist.gov/vuln/detail/CVE-2021-20208))
- containerd ([CVE-2022-23648](https://nvd.nist.gov/vuln/detail/CVE-2022-23648), [CVE-2022-24769](https://nvd.nist.gov/vuln/detail/CVE-2022-24769), [CVE-2022-31030](https://nvd.nist.gov/vuln/detail/CVE-2022-31030))
- cryptsetup ([CVE-2021-4122](https://nvd.nist.gov/vuln/detail/CVE-2021-4122))
- duktape ([CVE-2021-46322](https://nvd.nist.gov/vuln/detail/CVE-2021-46322))
- gnutls ([CVE-2021-4209](https://nvd.nist.gov/vuln/detail/CVE-2021-4209), [GNUTLS-SA-2022-01-17](https://gitlab.com/gnutls/gnutls/-/issues/1277))
- gzip,xz-utils ([CVE-2022-1271](https://nvd.nist.gov/vuln/detail/CVE-2022-1271))
- intel-microcode ([CVE-2021-0127](https://nvd.nist.gov/vuln/detail/CVE-2021-0127), [CVE-2021-0146](https://nvd.nist.gov/vuln/detail/CVE-2021-0146))
- libarchive ([CVE-2021-31566](https://nvd.nist.gov/vuln/detail/CVE-2021-31566), [CVE-2021-36976](https://nvd.nist.gov/vuln/detail/CVE-2021-36976), [CVE-2022-26280](https://nvd.nist.gov/vuln/detail/CVE-2022-26280))
- libxml2 ([CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308))
- nvidia-drivers ([CVE-2022-28181](https://nvd.nist.gov/vuln/detail/CVE-2022-28181), [CVE-2022-28183](https://nvd.nist.gov/vuln/detail/CVE-2022-28183), [CVE-2022-28184](https://nvd.nist.gov/vuln/detail/CVE-2022-28184), [CVE-2022-28185](https://nvd.nist.gov/vuln/detail/CVE-2022-28185))
- shadow ([CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235))
- systemd ([CVE-2021-3997](https://nvd.nist.gov/vuln/detail/CVE-2021-3997))
- util-linux ([CVE-2021-3995](https://nvd.nist.gov/vuln/detail/CVE-2021-3995), [CVE-2021-3996](https://nvd.nist.gov/vuln/detail/CVE-2021-3996), [CVE-2022-0563](https://nvd.nist.gov/vuln/detail/CVE-2022-0563))
- vim ([CVE-2021-3984](https://nvd.nist.gov/vuln/detail/CVE-2021-3984), [CVE-2021-4019](https://nvd.nist.gov/vuln/detail/CVE-2021-4019), [CVE-2021-4069](https://nvd.nist.gov/vuln/detail/CVE-2021-4069), [CVE-2021-4136](https://nvd.nist.gov/vuln/detail/CVE-2021-4136), [CVE-2021-4173](https://nvd.nist.gov/vuln/detail/CVE-2021-4173),[ CVE-2021-4166](https://nvd.nist.gov/vuln/detail/CVE-2021-4166), [CVE-2021-4187](https://nvd.nist.gov/vuln/detail/CVE-2021-4187), [CVE-2021-4192](https://nvd.nist.gov/vuln/detail/CVE-2021-4192), [CVE-2021-4193](https://nvd.nist.gov/vuln/detail/CVE-2021-4193), [CVE-2022-0128](https://nvd.nist.gov/vuln/detail/CVE-2022-0128), [CVE-2022-0156](https://nvd.nist.gov/vuln/detail/CVE-2022-0156), [CVE-2022-0158](https://nvd.nist.gov/vuln/detail/CVE-2022-0158), [CVE-2022-0213](https://nvd.nist.gov/vuln/detail/CVE-2022-0213), [CVE-2022-0261](https://nvd.nist.gov/vuln/detail/CVE-2022-0261), [CVE-2022-0318](https://nvd.nist.gov/vuln/detail/CVE-2022-0318), [CVE-2022-0319](https://nvd.nist.gov/vuln/detail/CVE-2022-0319), [CVE-2022-0351](https://nvd.nist.gov/vuln/detail/CVE-2022-0351), [CVE-2022-0359](https://nvd.nist.gov/vuln/detail/CVE-2022-0359), [CVE-2022-0361](https://nvd.nist.gov/vuln/detail/CVE-2022-0361), [CVE-2022-0368](https://nvd.nist.gov/vuln/detail/CVE-2022-0368), [CVE-2022-0392](https://nvd.nist.gov/vuln/detail/CVE-2022-0392), [CVE-2022-0393](https://nvd.nist.gov/vuln/detail/CVE-2022-0393), [CVE-2022-0407](https://nvd.nist.gov/vuln/detail/CVE-2022-0407), [CVE-2022-0408](https://nvd.nist.gov/vuln/detail/CVE-2022-0408), [CVE-2022-0413](https://nvd.nist.gov/vuln/detail/CVE-2022-0413), [CVE-2022-0417](https://nvd.nist.gov/vuln/detail/CVE-2022-0417), [CVE-2022-0443](https://nvd.nist.gov/vuln/detail/CVE-2022-0443))
- zlib ([CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032))
- SDK: squashfs-tools ([CVE-2021-40153](https://nvd.nist.gov/vuln/detail/CVE-2021-40153), [CVE-2021-41072](https://nvd.nist.gov/vuln/detail/CVE-2021-41072))
## Bug fixes:
- Added `networkd` translation to `files` section when converting from Ignition 2.x to Ignition 3.x ([coreos-overlay#1910](https://github.com/flatcar-linux/coreos-overlay/pull/1910), [flatcar#741](https://github.com/flatcar-linux/Flatcar/issues/741))
- Added a remount action as `systemd-sysext.service` drop-in unit to restore the OEM partition mount after the overlay mounts in `/usr` are done ([init#69](https://github.com/flatcar-linux/init/pull/69))
- Fixed Ignition's OEM ID to be `metal` to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID `pxe` was used ([bootengine#45](https://github.com/flatcar-linux/bootengine/pull/45))
- Made Ignition write the SSH keys into a file under `authorized_keys.d/ignition` again and added a call to `update-ssh-keys` after Ignition ran to create the merged `authorized_keys` file, which fixes the problem that keys added by Ignition get lost when `update-ssh-keys` runs ([init#66](https://github.com/flatcar-linux/init/pull/66))
- Skipped starting `ensure-sysext.service` if `systemd-sysext.service` won't be started, to prevent reporting a dependency failure ([Flatcar#710](https://github.com/flatcar-linux/Flatcar/issues/710))
- The Ignition v3 kargs directive failed before when used with the generic image where no `grub.cfg` exists, this was fixed by creating it first ([bootengine#47](https://github.com/flatcar-linux/bootengine/pull/47))
## Changes:
- Added `auditd.service` but left it disabled by default, a custom configuration can be created by removing `/etc/audit/auditd.conf` and replacing it with an own file ([coreos-overlay#1636](https://github.com/flatcar-linux/coreos-overlay/pull/1636))
- Added `cryptsetup` to the initramfs for the Ignition `luks` directive ([flatcar-linux/coreos-overlay#1760](https://github.com/flatcar-linux/coreos-overlay/pull/1760))
- Besides Ignition v1 and v2 configurations, Ignition configurations with specification v3 (up to 3.3.0) are now supported, see the [docs section for details](https://www.flatcar.org/docs/latest/provisioning/ignition/specification/#ignition-v3)
- Bring in dependencies for NFS4 with Kerberos both in kernel and userspace. Tested against NFS4.1 server. [coreos-overlay#1664](https://github.com/flatcar-linux/coreos-overlay/pull/1664)
- Enabled `CONFIG_INTEL_RAPL` on AMD64 Kernel config to compile `intel_rapl_common` module in order to allow power monitoring on modern Intel processors ([coreos-overlay#1801](https://github.com/flatcar-linux/coreos-overlay/pull/1801))
- Enabled `containerd.service` unit, `br_netfilter` and `overlay` modules by default to follow Kubernetes requirements ([coreos-overlay#1944](https://github.com/flatcar-linux/coreos-overlay/pull/1944), [init#72](https://github.com/flatcar-linux/init/pull/72))
- Enabled `systemd-sysext.service` to activate systemd-sysext images on boot, to disable you will need to mask it. Also added a helper service `ensure-sysext.service` which reloads the systemd units to reevaluate the `sockets`, `timers`, and `multi-user` targets when `systemd-sysext.service` is (re)started, making it possible to enable units that are part of a sysext image ([init#65](https://github.com/flatcar-linux/init/pull/65))
- For amd64 `/usr/lib` used to be a symlink to `/usr/lib64` but now they became two separate folders as common in other distributions (and was the case for arm64 already). Compatibility symlinks exist in case `/usr/lib64` was used to access, e.g., the `modules` folder or the `systemd` folder ([coreos-overlay#1713](https://github.com/flatcar-linux/coreos-overlay/pull/1713), [scripts#255](https://github.com/flatcar-linux/scripts/pull/255))
- Made SELinux enabled by default in default containerd configuration file. ([coreos-overlay#1699](https://github.com/flatcar-linux/coreos-overlay/pull/1699))
- Removed rngd.service because it is not essential anymore for the kernel to boot fast in VM environments ([coreos-overlay#1700](https://github.com/flatcar-linux/coreos-overlay/pull/1700))
- The systemd-networkd `ManageForeignRoutes` and `ManageForeignRoutingPolicyRules` settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under `/etc/systemd/networkd.conf.d/` because drop-in files take precedence over `/etc/systemd/networkd.conf` ([init#61](https://github.com/flatcar-linux/init/pull/61))
- Azure VHD disks are now created using subformat=fixed, which makes them suitable for immediate upload to Azure using any tool.
- Defined a systemd-sysext level that sysext images can match for instead of the OS version when they don't have a strong coupling, meaning the only metadata required is `SYSEXT_LEVEL=1.0` and `ID=flatcar` ([Flatcar#643](https://github.com/flatcar-linux/Flatcar/issues/643))
- ARM64: Added [cifs-utils](https://wiki.samba.org/index.php/LinuxCIFS_utils) for ARM64
- ARM64: Added [sssd](https://sssd.io/), [adcli](https://www.freedesktop.org/software/realmd/adcli/adcli.html) and realmd for ARM64
- AWS EC2: Removed the setup of `/etc/hostname` from the instance metadata because it used a long FQDN but we can just use use the hostname set via DHCP ([Flatcar#707](https://github.com/flatcar-linux/Flatcar/issues/707))
- Azure: Set up `/etc/hostname` from instance metadata with Afterburn
- DigitalOcean: In addition to the `bz2` image, a `gz` compressed image is published. This helps against hitting the compression timeout that sometimes lets the image import fail.
- OpenStack: In addition to the `bz2` image, a `gz` compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image.
- SDK: The image compression format is now configurable. Supported formats are: `bz2`, `gz`, `zip`, `none`, `zst`. Selecting the image format can now be done by passing the `--image_compression_formats` option. This flag gets a comma separated list of formats.
- SDK / ARM64: Added [go-tspi](https://pkg.go.dev/github.com/coreos/go-tspi) bindings for ARM64
## Updates:
- Linux ([5.15.55](https://lwn.net/Articles/901380) (includes [5.15.54](https://lwn.net/Articles/900911), [5.15.53](https://lwn.net/Articles/900321), [5.15.52](https://lwn.net/Articles/899788), [5.15.51](https://lwn.net/Articles/899370), [5.15.50](https://lwn.net/Articles/899091), [5.15.49](https://lwn.net/Articles/898622), [5.15.48](https://lwn.net/Articles/898124), [5.15.47](https://lwn.net/Articles/897904), [5.15.46](https://lwn.net/Articles/897377), [5.15.45](https://lwn.net/Articles/897167), [5.15.44](https://lwn.net/Articles/896647), [5.15.43](https://lwn.net/Articles/896231), [5.15.42](https://lwn.net/Articles/896226), [5.15.41](https://lwn.net/Articles/895645), [5.15.40](https://lwn.net/Articles/895318), [5.15.39](https://lwn.net/Articles/895070), [5.15.38](https://lwn.net/Articles/894357), [5.15.37](https://lwn.net/Articles/893264), [5.15.36](https://lwn.net/Articles/892812), [5.15.35](https://lwn.net/Articles/892002)))
- Linux Firmware ([20220411](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220411) (includes [20220310](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220310), [20220209](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220209)))
- Docker ([20.10.14](https://docs.docker.com/engine/release-notes/#201014) (includes [20.10.13](https://docs.docker.com/engine/release-notes/#201013)))
- Go ([1.17.12](https://go.dev/doc/devel/release#go1.17.12))
- afterburn ([5.2.0](https://github.com/coreos/afterburn/releases/tag/v5.2.0))
- bind-tools ([9.16.27](https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_27/CHANGES))
- bpftool ([5.15.8](https://lwn.net/Articles/878631/))
- bridge-utils ([1.7.1](https://git.kernel.org/pub/scm/network/bridge/bridge-utils.git/log/?h=v1.7.1))
- ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html) (includes [3.79](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_79.html), [3.78](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_78.html), [3.77](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_77.html), [3.76](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_76.html), [3.75](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_75.html)))
- cifs-utils ([6.13](https://lkml.kernel.org/linux-cifs/CAKywueSqRGSFmeDHQacyu831BNUeGFxGg3vgBmozzhkGBCjyXQ@mail.gmail.com/T/))
- conntrack-tools ([1.4.6](https://lists.netfilter.org/pipermail/netfilter-announce/2020/000240.html))
- containerd ([1.6.6](https://github.com/containerd/containerd/releases/tag/v1.6.6) (includes [1.6.5](https://github.com/containerd/containerd/releases/tag/v1.6.5), [1.6.4](https://github.com/containerd/containerd/releases/tag/v1.6.4), [1.6.3](https://github.com/containerd/containerd/releases/tag/v1.6.3), [1.6.2](https://github.com/containerd/containerd/releases/tag/v1.6.2), [1.6.1](https://github.com/containerd/containerd/releases/tag/v1.6.1), [1.6.0](https://github.com/containerd/containerd/releases/tag/v1.6.0)))
- cryptsetup ([2.4.3](https://lore.kernel.org/all/572c18a7bf60cb1b0f67c3a03c531d7e7ed31832.camel@scientia.net/T/))
- dosfstools ([4.2](https://github.com/dosfstools/dosfstools/releases/tag/v4.2))
- duktape ([2.7.0](https://github.com/svaarala/duktape/releases/tag/v2.7.0))
- e2fsprogs ([1.46.4](http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.4))
- elfutils ([0.186](https://sourceware.org/git/?p=elfutils.git;a=blob;f=NEWS;h=490932ae4ef9b5a3af01d2c8c616f14d57586046;hb=983e86fd89e8bf02f2d27ba5dce5bf078af4ceda))
- gcc ([10.3.0](https://gcc.gnu.org/gcc-10/changes.html))
- gnutls ([3.7.3](https://gitlab.com/gnutls/gnutls/-/merge_requests/1517))
- grep ([3.7](https://savannah.gnu.org/forum/forum.php?forum_id=10037))
- gzip ([1.12](https://savannah.gnu.org/forum/forum.php?forum_id=10157) (includes [1.11](https://lists.gnu.org/archive/html/info-gnu/2021-09/msg00002.html)))
- ignition ([2.13.0](https://github.com/coreos/ignition/releases/tag/v2.13.0))
- intel-microcode ([20220207_p20220207](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207))
- iperf ([3.10.1](https://github.com/esnet/iperf/blob/master/RELNOTES.md#iperf-3101-2021-06-03))
- jansson ([2.14](https://github.com/akheron/jansson/blob/v2.14/CHANGES))
- kexec-tools ([2.0.22](https://www.spinics.net/lists/kexec/msg26864.html))
- less ([590](https://www.greenwoodsoftware.com/less/news.590.html))
- libarchive ([3.6.1](https://github.com/libarchive/libarchive/releases/tag/v3.6.1) (includes [3.5.3](https://github.com/libarchive/libarchive/releases/tag/v3.5.3)))
- libbsd ([0.11.3](https://gitlab.freedesktop.org/libbsd/libbsd/-/commits/0.11.3/))
- libmspack ([0.10.1_alpha](https://github.com/kyz/libmspack/blob/v0.10.1alpha/libmspack/ChangeLog))
- libnetfilter_queue ([1.0.5](https://git.netfilter.org/libnetfilter_queue/log/?h=libnetfilter_queue-1.0.5))
- libpcap ([1.10.1](https://git.tcpdump.org/libpcap/blob/c7642e2cc0c5bd65754685b160d25dc23c76c6bd:/CHANGES))
- libtasn1 ([4.17.0](https://gitlab.com/gnutls/libtasn1/-/blob/v4.17.0/NEWS))
- liburing ([2.1](https://github.com/axboe/liburing/commits/liburing-2.1))
- libxml2 ([2.9.13](http://www.xmlsoft.org/news.html))
- lsscsi ([0.32](https://sg.danny.cz/scsi/lsscsi.ChangeLog))
- mdadm ([4.2](https://lore.kernel.org/all/28fdbc45-96ca-7cdb-3ced-a5f65d978048@trained-monkey.org/T/))
- multipath-tools ([0.8.7](https://github.com/opensvc/multipath-tools/commits/0.8.7))
- nfs-utils ([2.5.4](https://lore.kernel.org/linux-fsdevel/c8795653-7728-18a4-93dc-58943ad0fe09@redhat.com/))
- nghttp2 ([1.45.1](https://github.com/nghttp2/nghttp2/releases/tag/v1.45.1))
- nvidia-drivers ([510.73.05](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-510-73-05/index.html))
- nvme-cli ([1.16](https://github.com/linux-nvme/nvme-cli/commits/deee9cae1ac94760deebd71f8e5449061338666c))
- oniguruma ([6.9.7.1](https://github.com/kkos/oniguruma/releases/tag/v6.9.7.1))
- open-isns ([0.101](https://github.com/open-iscsi/open-isns/blob/v0.101/ChangeLog))
- pam ([1.5.1_p20210622](https://github.com/linux-pam/linux-pam/commit/fe1307512fb8892b5ceb3d884c793af8dbd4c16a))
- pambase (20220214)
- pcre2 ([10.39](https://github.com/PhilipHazel/pcre2/blob/pcre2-10.39/NEWS))
- pinentry ([1.2.0](https://dev.gnupg.org/T5566))
- quota ([4.06](https://sourceforge.net/p/linuxquota/code/ci/0acd4cc6275122fd9864cb7b5d349e65a2622920/))
- rpcbind ([1.2.6](https://git.linux-nfs.org/?p=steved/rpcbind.git;a=shortlog;h=refs/tags/rpcbind-1_2_6))
- runc ([1.1.1](https://github.com/opencontainers/runc/releases/tag/v1.1.1))
- socat ([1.7.4.3](https://repo.or.cz/socat.git/blob/refs/tags/tag-1.7.4.3:/CHANGES))
- shadow ([4.11.1](https://github.com/shadow-maint/shadow/releases/tag/v4.11.1))
- systemd ([250.3](https://github.com/systemd/systemd-stable/releases/tag/v250.3))
- timezone-data ([2021a](https://mm.icann.org/pipermail/tz-announce/2021-January/000065.html))
- tcpdump ([4.99.1](https://git.tcpdump.org/tcpdump/blob/5f552b5e6e9fe05f7ad9681d51d0303233daba6a:/CHANGES))
- thin-provisioning-tools ([0.9.0](https://github.com/jthornber/thin-provisioning-tools/blob/d6d93c3157631b242a13a81d30f75453e576c55a/CHANGES#L1-L9))
- unzip ([6.0_p26](https://metadata.ftp-master.debian.org/changelogs//main/u/unzip/unzip_6.0-26_changelog))
- util-linux ([2.37.4](https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/v2.37.4-ChangeLog))
- vim ([8.2.4328](https://github.com/vim/vim/releases/tag/v8.2.4328))
- whois ([5.5.11](https://github.com/rfc1036/whois/commit/5f5ba8312c04a759dad05723c035549273d07461))
- xfsprogs ([5.14.2](https://marc.info/?l=linux-xfs&m=163883318025390&w=2))
- zlib ([1.2.12](https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/ChangeLog#L4))
- SDK: gcc-config ([2.5](https://gitweb.gentoo.org/proj/gcc-config.git/tag/?h=v2.5))
- SDK: iasl ([20200717](https://www.acpica.org/node/183))
- SDK: man-db ([2.9.4](https://gitlab.com/cjwatson/man-db/-/tags/2.9.4))
- SDK: man-pages ([5.12-r2](https://man7.org/linux/man-pages/changelog.html#release_5.12))
- SDK: netperf ([2.7.0](https://github.com/HewlettPackard/netperf/blob/netperf-2.7.0/Release_Notes))
- SDK: Rust ([1.60.0](https://github.com/rust-lang/rust/releases/tag/1.60.0) (includes [1.59.0](https://github.com/rust-lang/rust/releases/tag/1.59.0)))
- SDK: squashfs-tools ([4.5_p20210914](https://lore.kernel.org/lkml/CAB3woddJss+ziGp-RjJ-yiax6pc_HLMdxk3Qk5nJdRgjpEYWBg@mail.gmail.com/))
- VMware: open-vm-tools ([12.0.0](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.0.0))
# New **LTS-2022** Release **3033.3.3**
Changes since lts-3033.3.2
## Security fixes:
- Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2021-33656](https://nvd.nist.gov/vuln/detail/CVE-2021-33656), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-32296](https://nvd.nist.gov/vuln/detail/CVE-2022-32296), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744), [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918))
- containerd ([CVE-2022-31030](https://nvd.nist.gov/vuln/detail/CVE-2022-31030))
## Bug fixes:
- Removed outdated LTS channel information printed on login ([init#75](https://github.com/flatcar-linux/init/pull/75))
## Changes:
- Enabled `containerd.service` unit, `br_netfilter` and `overlay` modules by default to follow Kubernetes requirements ([coreos-overlay#1944](https://github.com/flatcar-linux/coreos-overlay/pull/1944), [init#72](https://github.com/flatcar-linux/init/pull/72))
- DigitalOcean: In addition to the `bz2` image, a `gz` compressed image is published. This helps against hitting the compression timeout that sometimes lets the image import fail.
- OpenStack: In addition to the `bz2` image, a `gz` compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image.
- SDK: The image compression format is now configurable. Supported formats are: `bz2`, `gz`, `zip`, `none`, `zst`. Selecting the image format can now be done by passing the `--image_compression_formats` option. This flag gets a comma separated list of formats.
## Updates:
- Linux ([5.10.131](https://lwn.net/Articles/901381/) (includes [5.10.130](https://lwn.net/Articles/900910), [5.10.129](https://lwn.net/Articles/900322), [5.10.128](https://lwn.net/Articles/899789), [5.10.127](https://lwn.net/Articles/899371), [5.10.126](https://lwn.net/Articles/899121), [5.10.125](https://lwn.net/Articles/899090), [5.10.124](https://lwn.net/Articles/898623)))
- ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html))
- containerd ([1.5.13](https://github.com/containerd/containerd/releases/tag/v1.5.13))
Best,
The Flatcar Container Linux Maintainers
---
### Security
**Subject**: Security issues fixed with the latest Alpha 3305.0.0, Beta 3277.1.0, Stable 3227.2.0, LTS-2022 3033.3.3 releases
**Security fix**: With the Alpha 3305.0.0, Beta 3277.1.0, Stable 3227.2.0, LTS-2022 3033.3.3 releases we ship fixes for the CVEs listed below.
#### Alpha 3305.0.0
* Linux
* [CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655) CVSSv3 score: n/a
When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.
* [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318) CVSSv3 score: 5.5(Medium)
There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.
* [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743) CVSSv3 score: 7.8(High)
network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.
* [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744) CVSSv3 score: 4.7(Medium)
Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.
* [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) CVSSv3 score: 7.8(High)
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.
* cifs-utils
* [CVE-2022-27239](https://nvd.nist.gov/vuln/detail/CVE-2022-27239) CVSSv3 score: 7.8(High)
In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.
* [CVE-2022-29869](https://nvd.nist.gov/vuln/detail/CVE-2022-29869) CVSSv3 score: 5.3(Medium)
cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.
* curl
* [CVE-2022-32205](https://nvd.nist.gov/vuln/detail/CVE-2022-32205) CVSSv3 score: 4.3(Medium)
A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.
* [CVE-2022-32206](https://nvd.nist.gov/vuln/detail/CVE-2022-32206) CVSSv3 score: 6.5(Medium)
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
* [CVE-2022-32207](https://nvd.nist.gov/vuln/detail/CVE-2022-32207) CVSSv3 score: 9.8(Critical)
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.
* [CVE-2022-32208](https://nvd.nist.gov/vuln/detail/CVE-2022-32208) CVSSv3 score: 5.9(Medium)
When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
* gnupg
* [CVE-2022-34903](https://nvd.nist.gov/vuln/detail/CVE-2022-34903) CVSSv3 score: 6.5(Medium)
GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.
* Go
* [CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705) CVSSv3 score: n/a
net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.
* [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962) CVSSv3 score: n/a
go/parser: stack exhaustion in all Parse* functions. Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.
* [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131) CVSSv3 score: n/a
encoding/xml: stack exhaustion in Decoder.Skip. Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.
* [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630) CVSSv3 score: n/a
io/fs: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.
* [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631) CVSSv3 score: n/a
compress/gzip: stack exhaustion in Reader.Read. Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.
* [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632) CVSSv3 score: n/a
path/filepath: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.
* [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633) CVSSv3 score: n/a
encoding/xml: stack exhaustion in Unmarshal. Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.
* [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635) CVSSv3 score: n/a
encoding/gob: stack exhaustion in Decoder.Decode. Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
* [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148) CVSSv3 score: n/a
net/http: When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.
#### Beta 3277.1.0
* Linux
* [CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655) CVSSv3 score: n/a
When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.
* [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318) CVSSv3 score: 5.5(Medium)
There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.
* [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743) CVSSv3 score: 7.8(High)
network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.
* [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744) CVSSv3 score: 4.7(Medium)
Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.
* [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) CVSSv3 score: 7.8(High)
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.
* Go
* [CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705) CVSSv3 score: n/a
net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.
* [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962) CVSSv3 score: n/a
go/parser: stack exhaustion in all Parse* functions. Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.
* [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131) CVSSv3 score: n/a
encoding/xml: stack exhaustion in Decoder.Skip. Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.
* [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630) CVSSv3 score: n/a
io/fs: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.
* [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631) CVSSv3 score: n/a
compress/gzip: stack exhaustion in Reader.Read. Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.
* [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632) CVSSv3 score: n/a
path/filepath: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.
* [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633) CVSSv3 score: n/a
encoding/xml: stack exhaustion in Unmarshal. Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.
* [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635) CVSSv3 score: n/a
encoding/gob: stack exhaustion in Decoder.Decode. Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
* [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148) CVSSv3 score: n/a
net/http: When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.
#### Stable 3227.2.0
* Linux
* [CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655) CVSSv3 score: n/a
When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.
* [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318) CVSSv3 score: 5.5(Medium)
There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.
* [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743) CVSSv3 score: 7.8(High)
network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.
* [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744) CVSSv3 score: 4.7(Medium)
Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.
* [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) CVSSv3 score: 7.8(High)
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.
* Go
* [CVE-2022-1705](https://nvd.nist.gov/vuln/detail/CVE-2022-1705) CVSSv3 score: n/a
net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.
* [CVE-2022-1962](https://nvd.nist.gov/vuln/detail/CVE-2022-1962) CVSSv3 score: n/a
go/parser: stack exhaustion in all Parse* functions. Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.
* [CVE-2022-28131](https://nvd.nist.gov/vuln/detail/CVE-2022-28131) CVSSv3 score: n/a
encoding/xml: stack exhaustion in Decoder.Skip. Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.
* [CVE-2022-30630](https://nvd.nist.gov/vuln/detail/CVE-2022-30630) CVSSv3 score: n/a
io/fs: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.
* [CVE-2022-30631](https://nvd.nist.gov/vuln/detail/CVE-2022-30631) CVSSv3 score: n/a
compress/gzip: stack exhaustion in Reader.Read. Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.
* [CVE-2022-30632](https://nvd.nist.gov/vuln/detail/CVE-2022-30632) CVSSv3 score: n/a
path/filepath: stack exhaustion in Glob. Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.
* [CVE-2022-30633](https://nvd.nist.gov/vuln/detail/CVE-2022-30633) CVSSv3 score: n/a
encoding/xml: stack exhaustion in Unmarshal. Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.
* [CVE-2022-30635](https://nvd.nist.gov/vuln/detail/CVE-2022-30635) CVSSv3 score: n/a
encoding/gob: stack exhaustion in Decoder.Decode. Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
* [CVE-2022-32148](https://nvd.nist.gov/vuln/detail/CVE-2022-32148) CVSSv3 score: n/a
net/http: When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.
#### LTS-2022 3033.3.3
* Linux
* [CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655) CVSSv3 score: n/a
When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.
* [CVE-2021-33656](https://nvd.nist.gov/vuln/detail/CVE-2021-33656) CVSSv3 score: n/a
When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.
* [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318) CVSSv3 score: 5.5(Medium)
There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.
* [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-32296](https://nvd.nist.gov/vuln/detail/CVE-2022-32296) CVSSv3 score: 3.3(Low)
The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.
* [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742) CVSSv3 score: 7.1(High)
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743) CVSSv3 score: 7.8(High)
network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.
* [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744) CVSSv3 score: 4.7(Medium)
Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.
* [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) CVSSv3 score: 7.8(High)
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.
* containerd
* [CVE-2022-31030](https://nvd.nist.gov/vuln/detail/CVE-2022-31030) CVSSv3 score: n/a
containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
---
### Communication
#### Twitter
_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases now available for Alpha+Beta+Stable+LTS-2022!
🚀 New major version bumps for Alpha, Beta, and Stable
🩹 Fix a bug when running ignition v3 with kargs directive.
📦 Many package updates: Linux Kernel, Go, containerd, gnupg
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome Flatcar releases of this month:
- Alpha 3305.0.0 (new major)
- Beta 3277.1.0 (new major)
- Stable 3227.2.0 (new major)
- LTS-2022 3033.3.3 (maintenance release)
These releases include:
🚀 New major version bumps for Alpha, Beta, and Stable
🩹 Fix a bug when running ignition v3 with kargs directive.
📦 Many package updates: Linux Kernel, Go, containerd, gnupg
📜 Release notes in usual spot: https://www.flatcar.org/releases/