# Flatcar Container Linux Release - January 25th, 2022
<!-- Alpha -->
## Flatcar-linux-3127.0.0-alpha
- AMD64-usr
  - Platforms succeeded: all
  - Platforms failed: None
  - Platforms not tested: none
- ARM64-usr
  - Platforms succeeded: QEMU_UEFI
  - Platforms failed: EquinixMetal (capacity problems), AWS
    - Platform AWS tests failed:
      - coreos.update.badusr
  - Platforms not tested: none
<!-- Beta -->
## Flatcar-linux-3066.1.1-beta
- AMD64-usr
  - Platforms succeeded: all
  - Platforms failed: AWS
    - Platform AWS tests failed:
      - coreos.update.badusr
      - cl.ignition.v2.btrfsroot
  - Platforms not tested: none
- ARM64-usr
  - Platforms succeeded: QEMU_UEFI
  - Platforms failed: EquinixMetal (capacity problems), AWS
    - Platform AWS tests failed:
      - coreos.update.badusr
  - Platforms not tested: none
<!-- Stable -->
## Flatcar-linux-3033.2.1-stable
- AMD64-usr
  - Platforms succeeded: all
  - Platforms failed: Azure
    - Platform Azure tests failed:
      - cl.update.badverity
  - Platforms not tested: none
- ARM64-usr
  - Platforms succeeded: None
  - Platforms failed: EquinixMetal (capacity problems)
  - Platforms not tested: none
<!-- LTS -->
## Flatcar-linux-2605.25.1-lts
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: QEMU
    - Platform QEMU tests failed:
      - kubeadm.v1.22.0.calico.base
  - Platforms not tested: None
VERDICT: _GO_
## Communication
---
#### Guidelines
- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
---
### Announcement Message
Subject: Announcing new Alpha release 3127.0.0, Beta release 3066.1.1, Stable release 3033.2.1, and LTS-2605 release 2605.25.1
Hello,
We are pleased to announce new Flatcar Container Linux releases for the Alpha, Beta, Stable, and LTS-2605 channels.
### Alpha 3127.0.0
**Changes since alpha-3115.0.0**
Security fixes:
- Linux ([CVE-2021-4155](https://nvd.nist.gov/vuln/detail/CVE-2021-4155), [CVE-2021-4197](https://nvd.nist.gov/vuln/detail/CVE-2021-4197), [CVE-2021-45095](https://nvd.nist.gov/vuln/detail/CVE-2021-45095), [CVE-2022-0185](https://nvd.nist.gov/vuln/detail/CVE-2022-0185))
- expat ([CVE-2021-45960](https://nvd.nist.gov/vuln/detail/CVE-2021-45960), [CVE-2021-46143](https://nvd.nist.gov/vuln/detail/CVE-2021-46143), [CVE-2022-22822](https://nvd.nist.gov/vuln/detail/CVE-2022-22822), [CVE-2022-22823](https://nvd.nist.gov/vuln/detail/CVE-2022-22823), [CVE-2022-22824](https://nvd.nist.gov/vuln/detail/CVE-2022-22824), [CVE-2022-22825](https://nvd.nist.gov/vuln/detail/CVE-2022-22825), [CVE-2022-22826](https://nvd.nist.gov/vuln/detail/CVE-2022-22826), [CVE-2022-22827](https://nvd.nist.gov/vuln/detail/CVE-2022-22827))
- mit-krb5 ([CVE-2021-37750](https://nvd.nist.gov/vuln/detail/CVE-2021-37750))
- openssl ([CVE-2021-4044](https://nvd.nist.gov/vuln/detail/CVE-2021-4044))
Bug fixes:
- Fixed the dracut emergency Ignition log printing that had a scripting error causing the print command to fail ([flatcar-linux/bootengine#33](https://github.com/flatcar-linux/bootengine/pull/33))
- Fixed leak of SELinux policy store to the root filesystem top directory due to wrong store path in `policycoreutils` instead of `/var/lib/selinux` ([flatcar-linux/Flatcar#596](https://github.com/flatcar-linux/Flatcar/issues/596))
Changes:
- Removed the pre-shipped `/etc/flatcar/update.conf` file, leaving its contents entirely to the user, as it was unnecessarily overriding `/usr/share/flatcar/update.conf` ([flatcar-linux/scripts#212](https://github.com/flatcar-linux/scripts/pull/212))
- Moved `tracepath` and `traceroute6` from `/usr/sbin` to `/usr/bin`
Updates:
- Linux ([5.15.16](https://lwn.net/Articles/881963)) (includes [5.15.14](https://lwn.net/Articles/881018), [5.15.15](https://lwn.net/Articles/881548))
- expat ([2.4.3](https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes))
- iputils ([20210722](https://github.com/iputils/iputils/releases/tag/20210722))
- openssl ([3.0.1](https://www.openssl.org/news/changelog.html#openssl-30))
- parted ([3.4](https://savannah.gnu.org/forum/forum.php?forum_id=9924)) (includes [3.3](https://savannah.gnu.org/forum/forum.php?forum_id=9569))
- pciutils ([3.7.0](https://github.com/pciutils/pciutils/releases/tag/v3.7.0))
- runc ([1.1.0](https://github.com/opencontainers/runc/releases/tag/v1.1.0))
- sed ([4.8](https://savannah.gnu.org/forum/forum.php?forum_id=9647))
- SDK: mantle ([0.18.0](https://github.com/flatcar-linux/mantle/releases/tag/v0.18.0))
### Beta 3066.1.1
**Changes since beta-3066.1.0**
Known issues:
- The SELinux policy store update fix resulted in some files leaked to the root filesystem top directory ([flatcar-linux/Flatcar#596](https://github.com/flatcar-linux/Flatcar/issues/596))
Security fixes:
- Linux ([CVE-2021-4135](https://nvd.nist.gov/vuln/detail/CVE-2021-4135), [CVE-2021-4155](https://nvd.nist.gov/vuln/detail/CVE-2021-4155), [CVE-2021-28711](https://nvd.nist.gov/vuln/detail/CVE-2021-28711), [CVE-2021-28712](https://nvd.nist.gov/vuln/detail/CVE-2021-28712), [CVE-2021-28713](https://nvd.nist.gov/vuln/detail/CVE-2021-28713), [CVE-2021-28714](https://nvd.nist.gov/vuln/detail/CVE-2021-28714), [CVE-2021-28715](https://nvd.nist.gov/vuln/detail/CVE-2021-28715), [CVE-2021-39685](https://nvd.nist.gov/vuln/detail/CVE-2021-39685), [CVE-2021-44733](https://nvd.nist.gov/vuln/detail/CVE-2021-44733), [CVE-2021-45095](https://nvd.nist.gov/vuln/detail/CVE-2021-45095), [CVE-2022-0185](https://nvd.nist.gov/vuln/detail/CVE-2022-0185))
- ca-certificates ([CVE-2021-43527](https://nvd.nist.gov/vuln/detail/CVE-2021-43527))
- containerd ([CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816))
- expat ([CVE-2021-45960](https://nvd.nist.gov/vuln/detail/CVE-2021-45960), [CVE-2021-46143](https://nvd.nist.gov/vuln/detail/CVE-2021-46143), [CVE-2022-22822](https://nvd.nist.gov/vuln/detail/CVE-2022-22822), [CVE-2022-22823](https://nvd.nist.gov/vuln/detail/CVE-2022-22823), [CVE-2022-22824](https://nvd.nist.gov/vuln/detail/CVE-2022-22824), [CVE-2022-22825](https://nvd.nist.gov/vuln/detail/CVE-2022-22825), [CVE-2022-22826](https://nvd.nist.gov/vuln/detail/CVE-2022-22826), [CVE-2022-22827](https://nvd.nist.gov/vuln/detail/CVE-2022-22827))
Bug fixes:
- Ensured that the `/run/xtables.lock` coordination file exists for modifications of the xtables backend from containers (must be bind-mounted) or the `iptables-legacy` binaries on the host ([flatcar-linux/init#57](https://github.com/flatcar-linux/init/pull/57))
- Excluded the Kubenet cbr0 interface from networkd’s DHCP config and set it to Unmanaged to prevent interference and ensure that it is not part of the network online check ([flatcar-linux/init#55](https://github.com/flatcar-linux/init/pull/55))
- dev container: Fixed the GitHub URLs for coreos-overlay and portage-stable to use the repos from the flatcar-linux org directly instead of relying on redirects from the kinvolk org. This fixes checkouts with emerge-gitclone inside the dev container. ([flatcar-linux/scripts#194](https://github.com/flatcar-linux/scripts/pull/194))
- SDK: Fixed build error popping up in the new SDK Container because `policycoreutils` used the wrong ROOT to update the SELinux store ([flatcar-linux/coreos-overlay#1502](https://github.com/flatcar-linux/coreos-overlay/pull/1502))
Changes:
- Backported `elf` support for `iproute2` ([flatcar-linux/coreos-overlay#1526](https://github.com/flatcar-linux/coreos-overlay/pull/1526))
Updates:
- Linux ([5.10.93](https://lwn.net/Articles/881964)) (from 5.10.84)
- ca-certificates ([3.74](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_74.html))
- Docker ([20.10.12](https://docs.docker.com/engine/release-notes/#201012))
- containerd ([1.5.9](https://github.com/containerd/containerd/releases/tag/v1.5.9))
- expat ([2.4.3](https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes))
### Stable 3033.2.1
**Changes since stable-3033.2.0**
Known issues:
- The SELinux policy store update fix resulted in some files leaked to the root filesystem top directory ([flatcar-linux/Flatcar#596](https://github.com/flatcar-linux/Flatcar/issues/596))
Security fixes:
- Linux ([CVE-2021-4135](https://nvd.nist.gov/vuln/detail/CVE-2021-4135), [CVE-2021-4155](https://nvd.nist.gov/vuln/detail/CVE-2021-4155), [CVE-2021-28711](https://nvd.nist.gov/vuln/detail/CVE-2021-28711), [CVE-2021-28712](https://nvd.nist.gov/vuln/detail/CVE-2021-28712), [CVE-2021-28713](https://nvd.nist.gov/vuln/detail/CVE-2021-28713), [CVE-2021-28714](https://nvd.nist.gov/vuln/detail/CVE-2021-28714), [CVE-2021-28715](https://nvd.nist.gov/vuln/detail/CVE-2021-28715), [CVE-2021-39685](https://nvd.nist.gov/vuln/detail/CVE-2021-39685), [CVE-2021-44733](https://nvd.nist.gov/vuln/detail/CVE-2021-44733), [CVE-2021-45095](https://nvd.nist.gov/vuln/detail/CVE-2021-45095), [CVE-2022-0185](https://nvd.nist.gov/vuln/detail/CVE-2022-0185))
- ca-certificates ([CVE-2021-43527](https://nvd.nist.gov/vuln/detail/CVE-2021-43527))
- containerd ([CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816))
- expat ([CVE-2021-45960](https://nvd.nist.gov/vuln/detail/CVE-2021-45960), [CVE-2021-46143](https://nvd.nist.gov/vuln/detail/CVE-2021-46143), [CVE-2022-22822](https://nvd.nist.gov/vuln/detail/CVE-2022-22822), [CVE-2022-22823](https://nvd.nist.gov/vuln/detail/CVE-2022-22823), [CVE-2022-22824](https://nvd.nist.gov/vuln/detail/CVE-2022-22824), [CVE-2022-22825](https://nvd.nist.gov/vuln/detail/CVE-2022-22825), [CVE-2022-22826](https://nvd.nist.gov/vuln/detail/CVE-2022-22826), [CVE-2022-22827](https://nvd.nist.gov/vuln/detail/CVE-2022-22827))
Bug fixes:
- Ensured that the `/run/xtables.lock` coordination file exists for modifications of the xtables backend from containers (must be bind-mounted) or the `iptables-legacy` binaries on the host ([flatcar-linux/init#57](https://github.com/flatcar-linux/init/pull/57))
- dev container: Fixed the GitHub URLs for coreos-overlay and portage-stable to use the repos from the flatcar-linux org directly instead of relying on redirects from the kinvolk org. This fixes checkouts with emerge-gitclone inside the dev container. ([flatcar-linux/scripts#194](https://github.com/flatcar-linux/scripts/pull/194))
- SDK: Fixed build error popping up in the new SDK Container because `policycoreutils` used the wrong ROOT to update the SELinux store ([flatcar-linux/coreos-overlay#1502](https://github.com/flatcar-linux/coreos-overlay/pull/1502))
Changes:
- Backported `elf` support for `iproute2` ([flatcar-linux/coreos-overlay#1526](https://github.com/flatcar-linux/coreos-overlay/pull/1526))
Updates:
- Linux ([5.10.93](https://lwn.net/Articles/881964)) (from 5.10.84)
- ca-certificates ([3.74](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_74.html))
- Docker ([20.10.12](https://docs.docker.com/engine/release-notes/#201012))
- containerd ([1.5.9](https://github.com/containerd/containerd/releases/tag/v1.5.9))
- expat ([2.4.3](https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes))
### LTS 2605.25.1
**Changes since LTS-2605.24.1**
#### Security fixes
- Linux ([CVE-2021-4135](https://nvd.nist.gov/vuln/detail/CVE-2021-4135), [CVE-2021-4155](https://nvd.nist.gov/vuln/detail/CVE-2021-4155), [CVE-2021-28711](https://nvd.nist.gov/vuln/detail/CVE-2021-28711), [CVE-2021-28712](https://nvd.nist.gov/vuln/detail/CVE-2021-28712), [CVE-2021-28713](https://nvd.nist.gov/vuln/detail/CVE-2021-28713), [CVE-2021-28714](https://nvd.nist.gov/vuln/detail/CVE-2021-28714), [CVE-2021-28715](https://nvd.nist.gov/vuln/detail/CVE-2021-28715), [CVE-2021-39685](https://nvd.nist.gov/vuln/detail/CVE-2021-39685), [CVE-2021-44733](https://nvd.nist.gov/vuln/detail/CVE-2021-44733), [CVE-2021-45095](https://nvd.nist.gov/vuln/detail/CVE-2021-45095), [CVE-2022-0185](https://nvd.nist.gov/vuln/detail/CVE-2022-0185))
- ca-certificates ([CVE-2021-43527](https://nvd.nist.gov/vuln/detail/CVE-2021-43527))
#### Updates
- Linux ([5.4.173](https://lwn.net/Articles/881965)) (includes [5.4.165](https://lwn.net/Articles/878633), [5.4.166](https://lwn.net/Articles/878900), [5.4.167](https://lwn.net/Articles/879025), [5.4.168](https://lwn.net/Articles/879498), [5.4.169](https://lwn.net/Articles/879999), [5.4.170](https://lwn.net/Articles/880467), [5.4.171](https://lwn.net/Articles/881016), [5.4.172](https://lwn.net/Articles/881550))
- ca-certificates ([3.74](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_74.html)) (includes [3.73.1](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_73_1.html))
Best,
The Flatcar Container Linux Maintainers
---
## Security
#### Alpha
* Linux
* [CVE-2021-4155](https://nvd.nist.gov/vuln/detail/CVE-2021-4155) CVSSv3 score: 5.5(Medium)
A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.
* [CVE-2021-4197](https://nvd.nist.gov/vuln/detail/CVE-2021-4197) CVSSv3 score: 6.3(Medium)
An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged processes that are controlled by cgroups and have a higher privileged parent process. It affects both the cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system.
* [CVE-2021-45095](https://nvd.nist.gov/vuln/detail/CVE-2021-45095) CVSSv3 score: 5.5(Medium)
pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.
* [CVE-2022-0185](https://nvd.nist.gov/vuln/detail/CVE-2022-0185) CVSSv3 score: 7.8(High)
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged local user (if unprivileged user namespaces are enabled; otherwise namespaced CAP_SYS_ADMIN privilege is needed) able to open a filesystem that does not support the Filesystem Context API (and thus falls back to legacy handling) could use this flaw to escalate their privileges on the system.
* expat
* [CVE-2021-45960](https://nvd.nist.gov/vuln/detail/CVE-2021-45960) CVSSv3 score: 7.5(High)
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
* [CVE-2021-46143](https://nvd.nist.gov/vuln/detail/CVE-2021-46143) CVSSv3 score: 7.8(High)
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
* [CVE-2022-22822](https://nvd.nist.gov/vuln/detail/CVE-2022-22822) CVSSv3 score: 9.8(Critical)
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22823](https://nvd.nist.gov/vuln/detail/CVE-2022-22823) CVSSv3 score: 9.8(Critical)
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22824](https://nvd.nist.gov/vuln/detail/CVE-2022-22824) CVSSv3 score: 9.8(Critical)
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22825](https://nvd.nist.gov/vuln/detail/CVE-2022-22825) CVSSv3 score: 8.8(High)
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22826](https://nvd.nist.gov/vuln/detail/CVE-2022-22826) CVSSv3 score: 8.8(High)
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22827](https://nvd.nist.gov/vuln/detail/CVE-2022-22827) CVSSv3 score: 8.8(High)
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* mit-krb5
* [CVE-2021-37750](https://nvd.nist.gov/vuln/detail/CVE-2021-37750) CVSSv3 score: 6.5(Medium)
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
* openssl
* [CVE-2021-4044](https://nvd.nist.gov/vuln/detail/CVE-2021-4044) CVSSv3 score: 7.5(High)
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).
#### Beta
* Linux
* [CVE-2021-4135](https://nvd.nist.gov/vuln/detail/CVE-2021-4135) CVSSv3 score: 4.7(Medium)
A memory leak flaw in the Linux kernel's eBPF support for the simulated networking device driver was found in the way a user uses BPF for the device such that the function nsim_map_alloc_elem is called. A local user could use this flaw to get unauthorized access to some data.
* [CVE-2021-4155](https://nvd.nist.gov/vuln/detail/CVE-2021-4155) CVSSv3 score: 5.5(Medium)
A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.
* [CVE-2021-28711](https://nvd.nist.gov/vuln/detail/CVE-2021-28711) CVSSv3 score: 6.5(Medium)
Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
* [CVE-2021-28712](https://nvd.nist.gov/vuln/detail/CVE-2021-28712) CVSSv3 score: 6.5(Medium)
Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
* [CVE-2021-28713](https://nvd.nist.gov/vuln/detail/CVE-2021-28713) CVSSv3 score: 6.5(Medium)
Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
* [CVE-2021-28714](https://nvd.nist.gov/vuln/detail/CVE-2021-28714) CVSSv3 score: 6.5(Medium)
Guest can force Linux netback driver to hog large amounts of kernel memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)
* [CVE-2021-28715](https://nvd.nist.gov/vuln/detail/CVE-2021-28715) CVSSv3 score: 6.5(Medium)
Guest can force Linux netback driver to hog large amounts of kernel memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)
* [CVE-2021-39685](https://nvd.nist.gov/vuln/detail/CVE-2021-39685) CVSSv3 score: 7.8(High)
An out of bounds memory access flaw in the Linux kernel's USB Peripheral Controller functionality was found in the way users call control request handlers in a specific way for the USB gadget. A local user could use this flaw to crash the system or escalate their privileges on the system.
* [CVE-2021-44733](https://nvd.nist.gov/vuln/detail/CVE-2021-44733) CVSSv3 score: 7(High)
A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.
* [CVE-2021-45095](https://nvd.nist.gov/vuln/detail/CVE-2021-45095) CVSSv3 score: 5.5(Medium)
pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.
* [CVE-2022-0185](https://nvd.nist.gov/vuln/detail/CVE-2022-0185) CVSSv3 score: 7.8(High)
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged local user (if unprivileged user namespaces are enabled; otherwise namespaced CAP_SYS_ADMIN privilege is needed) able to open a filesystem that does not support the Filesystem Context API (and thus falls back to legacy handling) could use this flaw to escalate their privileges on the system.
* ca-certificates
* [CVE-2021-43527](https://nvd.nist.gov/vuln/detail/CVE-2021-43527) CVSSv3 score: 9.8(Critical)
NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.
* containerd
* [CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816) CVSSv3 score: 9.1(Critical)
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
* expat
* [CVE-2021-45960](https://nvd.nist.gov/vuln/detail/CVE-2021-45960) CVSSv3 score: 7.5(High)
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
* [CVE-2021-46143](https://nvd.nist.gov/vuln/detail/CVE-2021-46143) CVSSv3 score: 7.8(High)
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
* [CVE-2022-22822](https://nvd.nist.gov/vuln/detail/CVE-2022-22822) CVSSv3 score: 9.8(Critical)
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22823](https://nvd.nist.gov/vuln/detail/CVE-2022-22823) CVSSv3 score: 9.8(Critical)
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22824](https://nvd.nist.gov/vuln/detail/CVE-2022-22824) CVSSv3 score: 9.8(Critical)
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22825](https://nvd.nist.gov/vuln/detail/CVE-2022-22825) CVSSv3 score: 8.8(High)
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22826](https://nvd.nist.gov/vuln/detail/CVE-2022-22826) CVSSv3 score: 8.8(High)
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22827](https://nvd.nist.gov/vuln/detail/CVE-2022-22827) CVSSv3 score: 8.8(High)
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
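The containerd entry above (CVE-2021-43816) turns on one concrete pattern: a hostPath-backed volume whose in-container mount point is one of the three files containerd relabels. The following is an added detection helper, not containerd's or Flatcar's own code; it walks a pod spec for that pattern and classifies a containerd version against the range the advisory text gives. The pod spec, volume names and file paths in it are constructed for illustration.

```python
"""Flag pod specs matching the CVE-2021-43816 pattern: a hostPath volume
mounted inside the container at /etc/hosts, /etc/hostname or
/etc/resolv.conf, the locations the advisory says containerd relabels
indiscriminately to the container process label.
Added example; the SAMPLE_POD below is constructed, not a real workload."""
from __future__ import annotations

import posixpath
import re
from typing import Any

# In-container locations named in the advisory as relabeled on mount.
RELABELED_PATHS = frozenset({"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"})


def normalize_mount_path(path: str) -> str:
    """Collapse '/etc//hosts/' and '/etc/hosts' to one form so a cosmetic
    variation in the spec does not slip past the comparison. The leading
    slash is stripped before normpath to avoid POSIX's special '//' prefix."""
    return posixpath.normpath("/" + path.strip().lstrip("/"))


def find_relabel_mounts(pod: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per container mount that places a hostPath-backed
    volume at a relabeled path. Init and ephemeral containers are scanned
    too, since they go through the same CRI mount handling."""
    spec = pod.get("spec", {})
    host_volumes = {
        v["name"]: v["hostPath"].get("path", "")
        for v in spec.get("volumes", [])
        if "hostPath" in v
    }
    findings: list[dict[str, str]] = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(kind, []):
            for mount in container.get("volumeMounts", []):
                target = normalize_mount_path(mount.get("mountPath", ""))
                volume = mount.get("name", "")
                if volume in host_volumes and target in RELABELED_PATHS:
                    findings.append({
                        "kind": kind,
                        "container": container.get("name", "?"),
                        "mountPath": target,
                        "hostPath": host_volumes[volume],
                    })
    return findings


_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def containerd_version_affected(version: str) -> bool:
    """True for the 1.5 series from 1.5.0 (pre-release tags included, as the
    advisory starts at v1.5.0-beta.0) up to but excluding the 1.5.9 fix.
    Other release series are outside what the advisory text states, so this
    example treats them as not affected; that is the example's assumption."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised containerd version: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor) == (1, 5) and patch < 9


# Constructed pod: a benign hostPath mount at /data, an emptyDir at a
# sensitive path (not hostPath, so not this bug), and two hostPath mounts
# landing on relabeled paths, one of them spelled with redundant slashes.
SAMPLE_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example", "namespace": "default"},
    "spec": {
        "volumes": [
            {"name": "host-file", "hostPath": {"path": "/opt/example/file.txt"}},
            {"name": "host-data", "hostPath": {"path": "/var/example/data"}},
            {"name": "scratch", "emptyDir": {}},
        ],
        "initContainers": [
            {"name": "setup", "image": "busybox",
             "volumeMounts": [{"name": "host-file", "mountPath": "/etc/hostname"}]},
        ],
        "containers": [
            {"name": "app", "image": "busybox",
             "volumeMounts": [
                 {"name": "host-data", "mountPath": "/data"},
                 {"name": "host-file", "mountPath": "/etc//hosts/"},
                 {"name": "scratch", "mountPath": "/etc/resolv.conf"},
             ]},
        ],
    },
}

if __name__ == "__main__":
    for finding in find_relabel_mounts(SAMPLE_POD):
        print(f"{finding['kind']}/{finding['container']}: hostPath "
              f"{finding['hostPath']} mounted at {finding['mountPath']}")
```

Run as an admission or audit check, a non-empty result on a node whose containerd falls in the affected range is the condition to block or alert on; on 1.5.9 and later the relabeling no longer elevates access, but the mount pattern is still worth flagging as unusual.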
#### Stable
* Linux
* [CVE-2021-4135](https://nvd.nist.gov/vuln/detail/CVE-2021-4135) CVSSv3 score: 4.7(Medium)
A memory leak flaw in the Linux kernel's eBPF support for the simulated networking device driver was found in the way a user uses BPF for the device such that the function nsim_map_alloc_elem is called. A local user could use this flaw to get unauthorized access to some data.
* [CVE-2021-4155](https://nvd.nist.gov/vuln/detail/CVE-2021-4155) CVSSv3 score: 5.5(Medium)
A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.
* [CVE-2021-28711](https://nvd.nist.gov/vuln/detail/CVE-2021-28711) CVSSv3 score: 6.5(Medium)
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
* [CVE-2021-28712](https://nvd.nist.gov/vuln/detail/CVE-2021-28712) CVSSv3 score: 6.5(Medium)
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
* [CVE-2021-28713](https://nvd.nist.gov/vuln/detail/CVE-2021-28713) CVSSv3 score: 6.5(Medium)
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
* [CVE-2021-28714](https://nvd.nist.gov/vuln/detail/CVE-2021-28714) CVSSv3 score: 6.5(Medium)
Guest can force Linux netback driver to hog large amounts of kernel memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest are buffered by the Linux kernel's netback driver until the guest is ready to process them. Some measures are taken to avoid piling up too much data, but the guest can bypass them. There is a timeout for how long the guest side of an interface may stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default); over a UDP connection on a fast interface, gigabytes of data can easily accumulate in that time (CVE-2021-28715). The timeout may also never trigger if the guest arranges to have only one free slot in its RX ring page while the next packet would require more than one free slot, which can be the case when GSO, XDP or software hashing is in use (CVE-2021-28714).
* [CVE-2021-28715](https://nvd.nist.gov/vuln/detail/CVE-2021-28715) CVSSv3 score: 6.5(Medium)
Guest can force Linux netback driver to hog large amounts of kernel memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest are buffered by the Linux kernel's netback driver until the guest is ready to process them. Some measures are taken to avoid piling up too much data, but the guest can bypass them. There is a timeout for how long the guest side of an interface may stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default); over a UDP connection on a fast interface, gigabytes of data can easily accumulate in that time (CVE-2021-28715). The timeout may also never trigger if the guest arranges to have only one free slot in its RX ring page while the next packet would require more than one free slot, which can be the case when GSO, XDP or software hashing is in use (CVE-2021-28714).
* [CVE-2021-39685](https://nvd.nist.gov/vuln/detail/CVE-2021-39685) CVSSv3 score: 7.8(High)
An out of bounds memory access flaw in the Linux kernel's USB Peripheral Controller functionality was found in the way users call control request handlers in a specific way for the USB gadget. A local user could use this flaw to crash the system or escalate their privileges on the system.
* [CVE-2021-44733](https://nvd.nist.gov/vuln/detail/CVE-2021-44733) CVSSv3 score: 7(High)
A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.
* [CVE-2021-45095](https://nvd.nist.gov/vuln/detail/CVE-2021-45095) CVSSv3 score: 5.5(Medium)
pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.
* [CVE-2022-0185](https://nvd.nist.gov/vuln/detail/CVE-2022-0185) CVSSv3 score: 7.8(High)
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the length of the supplied parameters. An unprivileged local user (when unprivileged user namespaces are enabled; otherwise namespaced CAP_SYS_ADMIN privilege is needed) who is able to open a filesystem that does not support the Filesystem Context API (and thus falls back to legacy handling) could use this flaw to escalate their privileges on the system.
* ca-certificates
* [CVE-2021-43527](https://nvd.nist.gov/vuln/detail/CVE-2021-43527) CVSSv3 score: 9.8(Critical)
NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.
* containerd
* [CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816) CVSSv3 score: 9.1(Critical)
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
* expat
* [CVE-2021-45960](https://nvd.nist.gov/vuln/detail/CVE-2021-45960) CVSSv3 score: 7.5(High)
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
* [CVE-2021-46143](https://nvd.nist.gov/vuln/detail/CVE-2021-46143) CVSSv3 score: 7.8(High)
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
* [CVE-2022-22822](https://nvd.nist.gov/vuln/detail/CVE-2022-22822) CVSSv3 score: 9.8(Critical)
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22823](https://nvd.nist.gov/vuln/detail/CVE-2022-22823) CVSSv3 score: 9.8(Critical)
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22824](https://nvd.nist.gov/vuln/detail/CVE-2022-22824) CVSSv3 score: 9.8(Critical)
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22825](https://nvd.nist.gov/vuln/detail/CVE-2022-22825) CVSSv3 score: 8.8(High)
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22826](https://nvd.nist.gov/vuln/detail/CVE-2022-22826) CVSSv3 score: 8.8(High)
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
* [CVE-2022-22827](https://nvd.nist.gov/vuln/detail/CVE-2022-22827) CVSSv3 score: 8.8(High)
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
#### LTS-2605
* Linux
* [CVE-2021-4135](https://nvd.nist.gov/vuln/detail/CVE-2021-4135) CVSSv3 score: 4.7(Medium)
A memory leak flaw was found in the Linux kernel's eBPF support for the netdevsim (simulated networking device) driver, in the way a user's BPF usage of the device causes the function nsim_map_alloc_elem to be called. A local user could use this flaw to gain unauthorized access to some data.
* [CVE-2021-4155](https://nvd.nist.gov/vuln/detail/CVE-2021-4155) CVSSv3 score: 5.5(Medium)
A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.
* [CVE-2021-28711](https://nvd.nist.gov/vuln/detail/CVE-2021-28711) CVSSv3 score: 6.5(Medium)
Rogue backends can cause DoS of guests via high frequency events. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests by sending events at a high frequency, leading to a Denial of Service in the guest because it spends extended periods servicing interrupts. Three guest-side (frontend) drivers are affected: blkfront (patch 1, CVE-2021-28711), netfront (patch 2, CVE-2021-28712) and hvc_xen, the console driver (patch 3, CVE-2021-28713).
* [CVE-2021-28712](https://nvd.nist.gov/vuln/detail/CVE-2021-28712) CVSSv3 score: 6.5(Medium)
Rogue backends can cause DoS of guests via high frequency events. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests by sending events at a high frequency, leading to a Denial of Service in the guest because it spends extended periods servicing interrupts. Three guest-side (frontend) drivers are affected: blkfront (patch 1, CVE-2021-28711), netfront (patch 2, CVE-2021-28712) and hvc_xen, the console driver (patch 3, CVE-2021-28713).
* [CVE-2021-28713](https://nvd.nist.gov/vuln/detail/CVE-2021-28713) CVSSv3 score: 6.5(Medium)
Rogue backends can cause DoS of guests via high frequency events. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests by sending events at a high frequency, leading to a Denial of Service in the guest because it spends extended periods servicing interrupts. Three guest-side (frontend) drivers are affected: blkfront (patch 1, CVE-2021-28711), netfront (patch 2, CVE-2021-28712) and hvc_xen, the console driver (patch 3, CVE-2021-28713).
* [CVE-2021-28714](https://nvd.nist.gov/vuln/detail/CVE-2021-28714) CVSSv3 score: 6.5(Medium)
Guest can force Linux netback driver to hog large amounts of kernel memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest are buffered by the Linux kernel's netback driver until the guest is ready to process them. Some measures are taken to avoid piling up too much data, but the guest can bypass them. There is a timeout for how long the guest side of an interface may stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default); over a UDP connection on a fast interface, gigabytes of data can easily accumulate in that time (CVE-2021-28715). The timeout may also never trigger if the guest arranges to have only one free slot in its RX ring page while the next packet would require more than one free slot, which can be the case when GSO, XDP or software hashing is in use (CVE-2021-28714).
* [CVE-2021-28715](https://nvd.nist.gov/vuln/detail/CVE-2021-28715) CVSSv3 score: 6.5(Medium)
Guest can force Linux netback driver to hog large amounts of kernel memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest are buffered by the Linux kernel's netback driver until the guest is ready to process them. Some measures are taken to avoid piling up too much data, but the guest can bypass them. There is a timeout for how long the guest side of an interface may stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default); over a UDP connection on a fast interface, gigabytes of data can easily accumulate in that time (CVE-2021-28715). The timeout may also never trigger if the guest arranges to have only one free slot in its RX ring page while the next packet would require more than one free slot, which can be the case when GSO, XDP or software hashing is in use (CVE-2021-28714).
* [CVE-2021-39685](https://nvd.nist.gov/vuln/detail/CVE-2021-39685) CVSSv3 score: 7.8(High)
An out of bounds memory access flaw in the Linux kernel's USB Peripheral Controller functionality was found in the way users call control request handlers in a specific way for the USB gadget. A local user could use this flaw to crash the system or escalate their privileges on the system.
* [CVE-2021-44733](https://nvd.nist.gov/vuln/detail/CVE-2021-44733) CVSSv3 score: 7(High)
A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.
* [CVE-2021-45095](https://nvd.nist.gov/vuln/detail/CVE-2021-45095) CVSSv3 score: 5.5(Medium)
pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.
* [CVE-2022-0185](https://nvd.nist.gov/vuln/detail/CVE-2022-0185) CVSSv3 score: 7.8(High)
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the length of the supplied parameters. An unprivileged local user (when unprivileged user namespaces are enabled; otherwise namespaced CAP_SYS_ADMIN privilege is needed) who is able to open a filesystem that does not support the Filesystem Context API (and thus falls back to legacy handling) could use this flaw to escalate their privileges on the system.
* ca-certificates
* [CVE-2021-43527](https://nvd.nist.gov/vuln/detail/CVE-2021-43527) CVSSv3 score: 9.8(Critical)
NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.
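The CVE-2022-0185 entries above (listed under both the Alpha/Beta/Stable kernels and the LTS-2605 kernel) say that legacy_parse_param mis-verified the cumulative length of mount parameters, but not why. The following is an added illustration written for this page, not Flatcar or kernel code: it models the length check from fs/fs_context.c before and after the fix, on a padded buffer so the overflow is measured rather than corrupting memory. The pre-fix check computes `PAGE_SIZE - 2 - size` in unsigned arithmetic; once the option string has grown to 4095 bytes the subtraction wraps and every further parameter is accepted. The fill sequence (63 flag parameters with a 64-byte key, then one maximal key=value pair) is constructed for the demonstration; the 255-byte per-parameter cap reflects fsconfig() copying keys and string values with a 256-byte strndup_user limit.

```c
/* Model of the cumulative-options length check in the Linux kernel's
 * legacy_parse_param() (fs/fs_context.c), before and after the CVE-2022-0185
 * fix. Added illustration, not kernel code: the buffer is padded so a write
 * past the page can be measured instead of corrupting the heap. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096UL
/* fsconfig() copies keys and string values with strndup_user(..., 256),
 * so one parameter contributes at most 255 + 1 + 255 bytes. */
#define PARAM_MAX 255

typedef bool (*len_check_fn)(size_t size, size_t len);

/* Pre-fix check. PAGE_SIZE - 2 - size is unsigned: once size exceeds
 * PAGE_SIZE - 2 it wraps to a huge value and every len passes. */
static bool check_vulnerable(size_t size, size_t len)
{
    return !(len > PAGE_SIZE - 2 - size);
}

/* Post-fix check: the same bound written without the subtraction, so it
 * cannot wrap. */
static bool check_fixed(size_t size, size_t len)
{
    return !(size + len + 2 > PAGE_SIZE);
}

struct legacy_ctx {
    char *data;          /* a single kmalloc(PAGE_SIZE) page in the kernel; padded here */
    size_t data_size;    /* bytes used, excluding the terminating NUL */
    size_t high_water;   /* highest index written, to spot writes past the page */
};

/* Append ",key" or ",key=value" to the legacy option string the way
 * legacy_parse_param() does, using the supplied length check.
 * Returns false if the check rejects the parameter. */
static bool legacy_append(struct legacy_ctx *ctx, const char *key,
                          const char *value, len_check_fn check)
{
    size_t size = ctx->data_size;
    size_t klen = strlen(key);
    size_t vlen = value ? strlen(value) : 0;
    size_t len = klen + (value ? 1 + vlen : 0);

    if (!check(size, len))
        return false;        /* kernel: "VFS: Legacy: Cumulative options too large" */

    ctx->data[size++] = ',';
    memcpy(ctx->data + size, key, klen);
    size += klen;
    if (value) {
        ctx->data[size++] = '=';
        memcpy(ctx->data + size, value, vlen);
        size += vlen;
    }
    ctx->data[size] = '\0';
    if (size > ctx->high_water)
        ctx->high_water = size;
    ctx->data_size = size;
    return true;
}

/* Constructed scenario: fill the page to exactly PAGE_SIZE - 1 used bytes
 * with 63 flag parameters of a 64-byte key (63 * (1 + 64) == 4095), then
 * submit one maximal key=value parameter. Returns how many bytes were
 * written beyond the page (0 when the check held). */
static size_t bytes_written_past_page(len_check_fn check)
{
    char key64[65], key[PARAM_MAX + 1], value[PARAM_MAX + 1];
    memset(key64, 'k', 64);          key64[64] = '\0';
    memset(key, 'K', PARAM_MAX);     key[PARAM_MAX] = '\0';
    memset(value, 'v', PARAM_MAX);   value[PARAM_MAX] = '\0';

    struct legacy_ctx ctx = { calloc(4 * PAGE_SIZE, 1), 0, 0 };
    for (int i = 0; i < 63; i++)
        if (!legacy_append(&ctx, key64, NULL, check))
            break;
    /* Both checks accept the 63 short parameters; the NUL now sits at
     * index 4095, the last byte of the page. */
    legacy_append(&ctx, key, value, check);

    size_t end = ctx.high_water + 1;   /* index one past the NUL */
    free(ctx.data);
    return end > PAGE_SIZE ? end - PAGE_SIZE : 0;
}

int main(void)
{
    printf("pre-fix  check at size=%lu, len=511: %s\n", PAGE_SIZE - 1,
           check_vulnerable(PAGE_SIZE - 1, 511) ? "accepted" : "rejected");
    printf("post-fix check at size=%lu, len=511: %s\n", PAGE_SIZE - 1,
           check_fixed(PAGE_SIZE - 1, 511) ? "accepted" : "rejected");
    printf("bytes written past the page, pre-fix:  %zu\n",
           bytes_written_past_page(check_vulnerable));
    printf("bytes written past the page, post-fix: %zu\n",
           bytes_written_past_page(check_fixed));
    return 0;
}
```

The model shows why the trigger needs only fsconfig() calls, which any process holding CAP_SYS_ADMIN in a user namespace may issue: with the pre-fix check the 64th parameter lands 512 bytes past the page, and every later parameter keeps being accepted. On a node that cannot take the updated kernel yet, the precondition named in the entry can be removed by disabling unprivileged user namespaces (`sysctl -w user.max_user_namespaces=0`), with the caveat that workloads relying on user namespaces will stop working.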
### Twitter
_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases now available for all channels!
📦 Many package updates: Linux Kernel, ca-certificates, containerd
🔒 CVE fixes & security patches, including CVE-2022-0185, a kernel flaw that could allow privilege escalation from a container
📜 Release notes at the usual spot: https://www.flatcar.org/releases/