# Flatcar Container Linux Release - January 11th, 2023 ## Alpha 3480.0.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: **GO** ## Beta 3446.1.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: **GO** ## Stable 3374.2.2 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: **GO** ## Communication --- #### Guidelines / Things to Remember - Release notes are used in a PR and will appear on https://www.flatcar.org/releases/ - [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post). --- ### Announcement Message Subject: Announcing new releases Alpha 3480.0.0, Beta 3446.1.0, Stable 3374.2.2 Hello, We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta and Stable channel. ### New Alpha Release 3480.0.0 _Changes since **Alpha 3446.0.0**_ #### Security fixes: - Linux ([CVE-2022-3424](https://nvd.nist.gov/vuln/detail/CVE-2022-3424), [CVE-2022-3534](https://nvd.nist.gov/vuln/detail/CVE-2022-3534), [CVE-2022-3545](https://nvd.nist.gov/vuln/detail/CVE-2022-3545), [CVE-2022-3643](https://nvd.nist.gov/vuln/detail/CVE-2022-3643), [CVE-2022-4378](https://nvd.nist.gov/vuln/detail/CVE-2022-4378), [CVE-2022-45869](https://nvd.nist.gov/vuln/detail/CVE-2022-45869), [CVE-2022-45934](https://nvd.nist.gov/vuln/detail/CVE-2022-45934)) - Go ([CVE-2022-41717](https://nvd.nist.gov/vuln/detail/CVE-2022-41717)) - containerd ([CVE-2022-23471](https://nvd.nist.gov/vuln/detail/CVE-2022-23471)) - systemd ([CVE-2022-3821](https://nvd.nist.gov/vuln/detail/CVE-2022-3821), [CVE-2022-4415](https://nvd.nist.gov/vuln/detail/CVE-2022-4415)) - Python ([CVE-2015-20107](https://nvd.nist.gov/vuln/detail/CVE-2015-20107), [CVE-2020-10735](https://nvd.nist.gov/vuln/detail/CVE-2020-10735), [CVE-2021-3654](https://nvd.nist.gov/vuln/detail/CVE-2021-3654), [CVE-2022-37454](https://nvd.nist.gov/vuln/detail/CVE-2022-37454), [CVE-2022-42919](https://nvd.nist.gov/vuln/detail/CVE-2022-42919), [CVE-2022-45061](https://nvd.nist.gov/vuln/detail/CVE-2022-45061)) - libarchive ([CVE-2022-36227](https://nvd.nist.gov/vuln/detail/CVE-2022-36227)) - libksba ([CVE-2022-47629](https://nvd.nist.gov/vuln/detail/CVE-2022-47629)) #### Bug fixes: - Added back Ignition support for Vagrant ([coreos-overlay#2351](https://github.com/flatcar/coreos-overlay/pull/2351)) - The rootfs setup in the initrd now runs systemd-tmpfiles on every boot, not only when Ignition runs, to fix a dbus failure due to missing files ([Flatcar#944](https://github.com/flatcar/Flatcar/issues/944)) #### Updates: - Linux ([5.15.86](https://lwn.net/Articles/918808) (includes [5.15.85](https://lwn.net/Articles/918329), [5.15.84](https://lwn.net/Articles/918206), [5.15.83](https://lwn.net/Articles/917896), [5.15.82](https://lwn.net/Articles/917400))) - Linux Firmware ([20221214](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20221214)) - Docker ([20.10.22](https://docs.docker.com/engine/release-notes/#201022)) - GNU C Library ([2.36](https://sourceware.org/pipermail/libc-alpha/2022-August/141193.html)) - Go ([1.19.4](https://go.dev/doc/devel/release#go1.19.4)) - Rust ([1.66.0](https://github.com/rust-lang/rust/releases/tag/1.66.0)) - ca-certificates ([3.87](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html)) - containerd ([1.6.15](https://github.com/containerd/containerd/releases/tag/v1.6.15)) - systemd ([251.10](https://github.com/systemd/systemd-stable/commits/v251.10) (includes [251](https://github.com/systemd/systemd/releases/tag/v251))) - MIT Kerberos V ([1.20.1](https://web.mit.edu/kerberos/krb5-1.20/krb5-1.20.1.html)) - XZ utils ([5.2.9](https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=ebb303084403445088ec97dfedf0461a6e5b5077;hb=d8a898eb9974683bc725c49ec76722f9a8758f48)) - libksba ([1.6.3](https://dev.gnupg.org/T6304)) ### New Beta Release 3446.1.0 _Changes since **Beta 3432.1.0**_ #### Security fixes: - Linux ([CVE-2022-3424](https://nvd.nist.gov/vuln/detail/CVE-2022-3424), [CVE-2022-3534](https://nvd.nist.gov/vuln/detail/CVE-2022-3534), [CVE-2022-3545](https://nvd.nist.gov/vuln/detail/CVE-2022-3545), [CVE-2022-3643](https://nvd.nist.gov/vuln/detail/CVE-2022-3643), [CVE-2022-4378](https://nvd.nist.gov/vuln/detail/CVE-2022-4378), [CVE-2022-45869](https://nvd.nist.gov/vuln/detail/CVE-2022-45869), [CVE-2022-45934](https://nvd.nist.gov/vuln/detail/CVE-2022-45934)) - sudo ([CVE-2022-43995](https://nvd.nist.gov/vuln/detail/CVE-2022-43995)) - libksba ([CVE-2022-47629](https://nvd.nist.gov/vuln/detail/CVE-2022-47629)) #### Bug fixes: - Added back Ignition support for Vagrant ([coreos-overlay#2351](https://github.com/flatcar/coreos-overlay/pull/2351)) - The rootfs setup in the initrd now runs systemd-tmpfiles on every boot, not only when Ignition runs, to fix a dbus failure due to missing files ([Flatcar#944](https://github.com/flatcar/Flatcar/issues/944)) #### Updates: - Linux ([5.15.86](https://lwn.net/Articles/918808) (includes [5.15.85](https://lwn.net/Articles/918329), [5.15.84](https://lwn.net/Articles/918206), [5.15.83](https://lwn.net/Articles/917896), [5.15.82](https://lwn.net/Articles/917400))) - ca-certificates ([3.87](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html)) - sudo ([1.9.12_p1](https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p1)) - GnuTLS ([3.7.8](https://lists.gnupg.org/pipermail/gnutls-help/2022-September/004765.html)) - XZ utils ([5.2.8](https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=c244b42a6771a6e8af206318dfc500d78929fd6f;hb=5476089d9c42b9b04e92b80e1800b384a98265cb)) - gettext ([0.21.1](https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob;f=NEWS;h=cdbb16746c23555e70bb1e16917f5c349ce92d9e;hb=8b38ee827251cadbb90cb6cb576ae98702566288)) - libksba ([1.6.3](https://dev.gnupg.org/T6304)) - VMware: open-vm-tools ([12.1.5](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.1.5)) _Changes since **Alpha 3446.0.0**_ #### Security fixes: - Linux ([CVE-2022-3424](https://nvd.nist.gov/vuln/detail/CVE-2022-3424), [CVE-2022-3534](https://nvd.nist.gov/vuln/detail/CVE-2022-3534), [CVE-2022-3545](https://nvd.nist.gov/vuln/detail/CVE-2022-3545), [CVE-2022-3643](https://nvd.nist.gov/vuln/detail/CVE-2022-3643), [CVE-2022-4378](https://nvd.nist.gov/vuln/detail/CVE-2022-4378), [CVE-2022-45869](https://nvd.nist.gov/vuln/detail/CVE-2022-45869), [CVE-2022-45934](https://nvd.nist.gov/vuln/detail/CVE-2022-45934)) - libksba ([CVE-2022-47629](https://nvd.nist.gov/vuln/detail/CVE-2022-47629)) #### Bug fixes: - Added back Ignition support for Vagrant ([coreos-overlay#2351](https://github.com/flatcar/coreos-overlay/pull/2351)) - The rootfs setup in the initrd now runs systemd-tmpfiles on every boot, not only when Ignition runs, to fix a dbus failure due to missing files ([Flatcar#944](https://github.com/flatcar/Flatcar/issues/944)) #### Updates: - Linux ([5.15.86](https://lwn.net/Articles/918808) (includes [5.15.85](https://lwn.net/Articles/918329), [5.15.84](https://lwn.net/Articles/918206), [5.15.83](https://lwn.net/Articles/917896), [5.15.82](https://lwn.net/Articles/917400))) - ca-certificates ([3.87](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html)) - libksba ([1.6.3](https://dev.gnupg.org/T6304)) ### New Stable Release 3374.2.2 _Changes since **Stable 3374.2.1**_ #### Security fixes: - Linux ([CVE-2022-3543](https://nvd.nist.gov/vuln/detail/CVE-2022-3543), [CVE-2022-3564](https://nvd.nist.gov/vuln/detail/CVE-2022-3564), [CVE-2022-3619](https://nvd.nist.gov/vuln/detail/CVE-2022-3619), [CVE-2022-3623](https://nvd.nist.gov/vuln/detail/CVE-2022-3623), [CVE-2022-3628](https://nvd.nist.gov/vuln/detail/CVE-2022-3628), [CVE-2022-42895](https://nvd.nist.gov/vuln/detail/CVE-2022-42895), [CVE-2022-42896](https://nvd.nist.gov/vuln/detail/CVE-2022-42896)) #### Updates: - Linux ([5.15.79](https://lwn.net/Articles/915100) (includes [5.15.78](https://lwn.net/Articles/914423), [5.15.77](https://lwn.net/Articles/913681), [5.15.76](https://lwn.net/Articles/912997), [5.15.75](https://lwn.net/Articles/912500))) - ca-certificates ([3.87](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html)) Best, The Flatcar Container Linux Maintainers --- ### Security **Subject**: Security issues fixed with the latest Alpha 3480.0.0, Beta 3446.1.0, Stable 3374.2.2 release(s) **Security fix**: With the Alpha 3480.0.0, Beta 3446.1.0, Stable 3374.2.2 release(s) we ship fixes for the CVEs listed below. #### Alpha 3380.0.0 * Go * [CVE-2022-41717](https://nvd.nist.gov/vuln/detail/CVE-2022-41717) CVSSv3 score: 5.3(Medium) An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. * Linux * [CVE-2022-3424](https://nvd.nist.gov/vuln/detail/CVE-2022-3424) CVSSv3 score: n/a * [CVE-2022-3534](https://nvd.nist.gov/vuln/detail/CVE-2022-3534) CVSSv3 score: 8(High) A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032. * [CVE-2022-3545](https://nvd.nist.gov/vuln/detail/CVE-2022-3545) CVSSv3 score: 7.8(High) A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability. * [CVE-2022-3643](https://nvd.nist.gov/vuln/detail/CVE-2022-3643) CVSSv3 score: 10(Critical) Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. * [CVE-2022-4378](https://nvd.nist.gov/vuln/detail/CVE-2022-4378) CVSSv3 score: n/a A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system. * [CVE-2022-45869](https://nvd.nist.gov/vuln/detail/CVE-2022-45869) CVSSv3 score: 5.5(Medium) A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled. * [CVE-2022-45934](https://nvd.nist.gov/vuln/detail/CVE-2022-45934) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets. * Python * [CVE-2015-20107](https://nvd.nist.gov/vuln/detail/CVE-2015-20107) CVSSv3 score: 7.6(High) In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9 * [CVE-2020-10735](https://nvd.nist.gov/vuln/detail/CVE-2020-10735) CVSSv3 score: 7.5(High) A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability. * [CVE-2021-3654](https://nvd.nist.gov/vuln/detail/CVE-2021-3654) CVSSv3 score: 6.1(Medium) A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL. * [CVE-2022-37454](https://nvd.nist.gov/vuln/detail/CVE-2022-37454) CVSSv3 score: 9.8(Critical) The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. * [CVE-2022-42919](https://nvd.nist.gov/vuln/detail/CVE-2022-42919) CVSSv3 score: 7.8(High) Python 3.9.x and 3.10.x through 3.10.8 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9. * [CVE-2022-45061](https://nvd.nist.gov/vuln/detail/CVE-2022-45061) CVSSv3 score: 7.5(High) An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. * containerd * [CVE-2022-23471](https://nvd.nist.gov/vuln/detail/CVE-2022-23471) CVSSv3 score: 6.5(Medium) containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. * libarchive * [CVE-2022-36227](https://nvd.nist.gov/vuln/detail/CVE-2022-36227) CVSSv3 score: 9.8(Critical) In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution." * libksba * [CVE-2022-47629](https://nvd.nist.gov/vuln/detail/CVE-2022-47629) CVSSv3 score: 9.8(Critical) Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser. * systemd * [CVE-2022-3821](https://nvd.nist.gov/vuln/detail/CVE-2022-3821) CVSSv3 score: 5.5(Medium) An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. * [CVE-2022-4415](https://nvd.nist.gov/vuln/detail/CVE-2022-4415) CVSSv3 score: n/a #### Beta 3446.1.0 * Linux * [CVE-2022-3424](https://nvd.nist.gov/vuln/detail/CVE-2022-3424) CVSSv3 score: n/a * [CVE-2022-3534](https://nvd.nist.gov/vuln/detail/CVE-2022-3534) CVSSv3 score: 8(High) A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032. * [CVE-2022-3545](https://nvd.nist.gov/vuln/detail/CVE-2022-3545) CVSSv3 score: 7.8(High) A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability. * [CVE-2022-3643](https://nvd.nist.gov/vuln/detail/CVE-2022-3643) CVSSv3 score: 10(Critical) Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. * [CVE-2022-4378](https://nvd.nist.gov/vuln/detail/CVE-2022-4378) CVSSv3 score: n/a A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system. * [CVE-2022-45869](https://nvd.nist.gov/vuln/detail/CVE-2022-45869) CVSSv3 score: 5.5(Medium) A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled. * [CVE-2022-45934](https://nvd.nist.gov/vuln/detail/CVE-2022-45934) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets. * libksba * [CVE-2022-47629](https://nvd.nist.gov/vuln/detail/CVE-2022-47629) CVSSv3 score: 9.8(Critical) Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser. * sudo * [CVE-2022-43995](https://nvd.nist.gov/vuln/detail/CVE-2022-43995) CVSSv3 score: 7.1(High) Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture. #### Stable 3374.2.2 * Linux * [CVE-2022-3543](https://nvd.nist.gov/vuln/detail/CVE-2022-3543) CVSSv3 score: 5.5(Medium) A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211043. * [CVE-2022-3564](https://nvd.nist.gov/vuln/detail/CVE-2022-3564) CVSSv3 score: 7.1(High) A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087. * [CVE-2022-3619](https://nvd.nist.gov/vuln/detail/CVE-2022-3619) CVSSv3 score: 4.3(Medium) A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211918 is the identifier assigned to this vulnerability. * [CVE-2022-3623](https://nvd.nist.gov/vuln/detail/CVE-2022-3623) CVSSv3 score: 7.5(High) A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211921 was assigned to this vulnerability. * [CVE-2022-3628](https://nvd.nist.gov/vuln/detail/CVE-2022-3628) CVSSv3 score: n/a * [CVE-2022-42895](https://nvd.nist.gov/vuln/detail/CVE-2022-42895) CVSSv3 score: 5.5(Medium) There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely. We recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e https://www.google.com/url * [CVE-2022-42896](https://nvd.nist.gov/vuln/detail/CVE-2022-42896) CVSSv3 score: 8.8(High) There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim. We recommend upgrading past commit https://www.google.com/url https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4 https://www.google.com/url --- ### Communication #### Go/No-Go message for Matrix/Slack Go/No-Go Meeting for Alpha 3480.0.0, Beta 3446.1.0, Stable 3374.2.2 Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/ Tracking issue: https://github.com/flatcar/Flatcar/issues/946 The Go/No-Go document is in our HackMD @flatcar namespace Link: https://hackmd.io/NfNzuY5TSDKpXPmhDiWMOg?edit Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait. Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat. @MAINTAINER @MAINTAINER @MAINTAINER #### Mastodon _The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._ New Flatcar releases for all channels 📦 Many package updates: Linux, Go, systemd and others 🔒 CVE fixes & security patches: Linux, Go, systemd, Python, libksba and more 📜 Release notes at the usual spot: https://www.flatcar.org/releases/ #### Kubernetes Slack _This goes in the #flatcar channel_ Please welcome Flatcar releases of this month: - Alpha 3480.0.0 (new major) - Beta 3446.1.0 (major release) - Stable 3374.2.2 (maintenance release) These releases include: 📦 Many package updates: Linux, Go, systemd and others 🔒 CVE fixes & security patches: Linux, Go, systemd, Python, libksba and more 📜 Release notes in usual spot: https://www.flatcar.org/releases/