owned this note
owned this note
Published
Linked with GitHub
# Flatcar Container Linux Release - 2022-09-29
## Flatcar-linux-Alpha-3374.0.0
- AMD64-usr
- Platforms succeeded: all
- Platforms failed: none
- Platforms not tested: none
- ARM64-usr
- Platforms succeeded: all
- Platforms failed: none
- Platforms not tested: none
VERDICT: _GO_ / _WAIT_ / _NO-GO_
## Flatcar-linux-Beta-3346.1.0
- AMD64-usr
- Platforms succeeded: all
- Platforms failed: none
- Platforms not tested: none
- ARM64-usr
- Platforms succeeded: all
- Platforms failed: none
- Platforms not tested: none
VERDICT: _GO_ / _WAIT_ / _NO-GO_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
- Make sure the the LTS is referred to as `LTS-2021`, and not `LTS-2605`
---
### Announcement Message
Subject: Announcing new Alpha 3374.0.0, Beta 3346.1.0
Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta channel.
# New **Alpha** Release **3374.0.0**
_Changes since **Alpha 3346.0.0**_
#### Security fixes:
- Linux ([CVE-2022-0171](https://nvd.nist.gov/vuln/detail/CVE-2022-0171), [CVE-2022-2663](https://nvd.nist.gov/vuln/detail/CVE-2022-2663), [CVE-2022-2905](https://nvd.nist.gov/vuln/detail/CVE-2022-2905), [CVE-2022-3028](https://nvd.nist.gov/vuln/detail/CVE-2022-3028), [CVE-2022-3061](https://nvd.nist.gov/vuln/detail/CVE-2022-3061), [CVE-2022-3176](https://nvd.nist.gov/vuln/detail/CVE-2022-3176), [CVE-2022-3303](https://nvd.nist.gov/vuln/detail/CVE-2022-3303), [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190), [CVE-2022-39842](https://nvd.nist.gov/vuln/detail/CVE-2022-39842), [CVE-2022-40307](https://nvd.nist.gov/vuln/detail/CVE-2022-40307))
- Go ([CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664), [CVE-2022-32190](https://nvd.nist.gov/vuln/detail/CVE-2022-32190))
- Docker ([CVE-2022-36109](https://nvd.nist.gov/vuln/detail/CVE-2022-36109))
- expat ([CVE-2022-40674](https://nvd.nist.gov/vuln/detail/CVE-2022-40674))
- intel-microcode ([CVE-2022-21233](https://nvd.nist.gov/vuln/detail/CVE-2022-21233))
- GNU Libtasn1 ([Gentoo#866237](https://bugs.gentoo.org/866237))
- libxml2 ([CVE-2016-3709](https://nvd.nist.gov/vuln/detail/CVE-2016-3709), [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309))
- polkit ([CVE-2021-4115](https://nvd.nist.gov/vuln/detail/CVE-2021-4115))
- rsync ([CVE-2022-29154](https://nvd.nist.gov/vuln/detail/CVE-2022-29154))
- unzip ([CVE-2022-0529](https://nvd.nist.gov/vuln/detail/CVE-2022-0529), [CVE-2022-0530](https://nvd.nist.gov/vuln/detail/CVE-2022-0530), [CVE-2021-4217](https://nvd.nist.gov/vuln/detail/CVE-2021-4217))
- zlib ([CVE-2022-37434](https://nvd.nist.gov/vuln/detail/CVE-2022-37434))
#### Bug fixes:
- Added back `gettext` to the OS ([Flatcar#849](https://github.com/flatcar-linux/Flatcar/issues/849))
- Added merging of Ignition systemd duplicated units when auto-translating from Ignition 2 to Ignition 3. ([coreos-overlay#2187](https://github.com/flatcar/coreos-overlay/pull/2187))
- Equinix Metal: Fixed serial console settings for the `m3.small.x86` instance by expanding the GRUB check for `i386` to `x86_64` ([coreos-overlay#2122](https://github.com/flatcar-linux/coreos-overlay/pull/2122))
#### Changes:
- emerge-gitclone: Migrate emerge-gitclone to use scripts repo tags and submodule refs
#### Updates:
- Linux ([5.15.70](https://lwn.net/Articles/909212) (includes [5.15.69](https://lwn.net/Articles/908782), [5.15.68](https://lwn.net/Articles/908140), [5.15.67](https://lwn.net/Articles/907526), [5.15.66](https://lwn.net/Articles/907524), [5.15.65](https://lwn.net/Articles/907204), [5.15.64](https://lwn.net/Articles/906630)))
- Linux Firmware ([20220913](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220913))
- Go ([1.18.6](https://go.dev/doc/devel/release#go1.18.6))
- ca-certificates ([3.83](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_83.html))
- Docker ([20.10.18](https://docs.docker.com/engine/release-notes/#201018))
- expat ([2.4.9](https://github.com/libexpat/libexpat/blob/R_2_4_9/expat/Changes))
- gettext ([0.21](https://www.gnu.org/software/gettext/))
- intel-microcode ([20220809](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220809))
- GNU Libtasn1 ([4.19.0](https://lists.gnu.org/archive/html/help-libtasn1/2022-08/msg00001.html))
- libxml2 ([2.10.2](https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.2))
- locksmith([0.7.0](https://github.com/flatcar/locksmith/blob/v0.7.0/CHANGELOG.md#v070--30112021))
- polkit ([121](https://gitlab.freedesktop.org/polkit/polkit/-/commit/827b0ddac5b1ef00a47fca4526fcf057bee5f1db))
- rsync ([3.2.6](https://github.com/WayneD/rsync/releases/tag/v3.2.6))
- runc ([1.1.4](https://github.com/opencontainers/runc/releases/tag/v1.1.4))
- unzip ([6.0_p27](https://metadata.ftp-master.debian.org/changelogs//main/u/unzip/unzip_6.0-27_changelog))
- SDK: libxslt ([1.1.35](https://gitlab.gnome.org/GNOME/libxslt/-/tags/v1.1.35))
# New **Beta** Release **3346.1.0**
_Changes since **Beta 3277.1.2**_
#### Security fixes:
- Linux ([CVE-2022-0171](https://nvd.nist.gov/vuln/detail/CVE-2022-0171), [CVE-2022-2663](https://nvd.nist.gov/vuln/detail/CVE-2022-2663), [CVE-2022-2905](https://nvd.nist.gov/vuln/detail/CVE-2022-2905), [CVE-2022-3028](https://nvd.nist.gov/vuln/detail/CVE-2022-3028), [CVE-2022-3061](https://nvd.nist.gov/vuln/detail/CVE-2022-3061), [CVE-2022-3176](https://nvd.nist.gov/vuln/detail/CVE-2022-3176), [CVE-2022-3303](https://nvd.nist.gov/vuln/detail/CVE-2022-3303), [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190), [CVE-2022-39842](https://nvd.nist.gov/vuln/detail/CVE-2022-39842), [CVE-2022-40307](https://nvd.nist.gov/vuln/detail/CVE-2022-40307))
- Go ([CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664), [CVE-2022-32190](https://nvd.nist.gov/vuln/detail/CVE-2022-32190), ([CVE-2022-32189](https://nvd.nist.gov/vuln/detail/CVE-2022-32189)))
- binutils ([CVE-2021-45078](https://nvd.nist.gov/vuln/detail/CVE-2021-45078))
- cifs-utils ([CVE-2022-27239](https://nvd.nist.gov/vuln/detail/CVE-2022-27239), [CVE-2022-29869](https://nvd.nist.gov/vuln/detail/CVE-2022-29869))
- curl ([CVE-2022-32205](https://nvd.nist.gov/vuln/detail/CVE-2022-32205), [CVE-2022-32206](https://nvd.nist.gov/vuln/detail/CVE-2022-32206), [CVE-2022-32207](https://nvd.nist.gov/vuln/detail/CVE-2022-32207), [CVE-2022-32208](https://nvd.nist.gov/vuln/detail/CVE-2022-32208))
- expat ([CVE-2022-40674](https://nvd.nist.gov/vuln/detail/CVE-2022-40674))
- git ([CVE-2022-29187](https://nvd.nist.gov/vuln/detail/CVE-2022-29187))
- gnupg ([CVE-2022-34903](https://nvd.nist.gov/vuln/detail/CVE-2022-34903))
- gnutls ([CVE-2022-2509](https://nvd.nist.gov/vuln/detail/CVE-2022-2509))
- libtirpc ([CVE-2021-46828](https://nvd.nist.gov/vuln/detail/CVE-2021-46828))
- oniguruma ([oniguruma-20220430](https://bugs.gentoo.org/841893))
- open-vm-tools ([CVE-2022-31676](https://nvd.nist.gov/vuln/detail/CVE-2022-31676))
- shadow ([CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235))
- vim ([CVE-2022-0629](https://nvd.nist.gov/vuln/detail/CVE-2022-0629), [CVE-2022-0685](https://nvd.nist.gov/vuln/detail/CVE-2022-0685), [CVE-2022-0714](https://nvd.nist.gov/vuln/detail/CVE-2022-0714), [CVE-2022-0729](https://nvd.nist.gov/vuln/detail/CVE-2022-0729), [CVE-2022-0943](https://nvd.nist.gov/vuln/detail/CVE-2022-0943), [CVE-2022-1154](https://nvd.nist.gov/vuln/detail/CVE-2022-1154), [CVE-2022-1160](https://nvd.nist.gov/vuln/detail/CVE-2022-1160), [CVE-2022-1381](https://nvd.nist.gov/vuln/detail/CVE-2022-1381), [CVE-2022-1420](https://nvd.nist.gov/vuln/detail/CVE-2022-1420), [CVE-2022-1616](https://nvd.nist.gov/vuln/detail/CVE-2022-1616), [CVE-2022-1619](https://nvd.nist.gov/vuln/detail/CVE-2022-1619), [CVE-2022-1620](https://nvd.nist.gov/vuln/detail/CVE-2022-1620), [CVE-2022-1621](https://nvd.nist.gov/vuln/detail/CVE-2022-1621), [CVE-2022-1629](https://nvd.nist.gov/vuln/detail/CVE-2022-1629), [CVE-2022-1674](https://nvd.nist.gov/vuln/detail/CVE-2022-1674), [CVE-2022-1733](https://nvd.nist.gov/vuln/detail/CVE-2022-1733), [CVE-2022-1735](https://nvd.nist.gov/vuln/detail/CVE-2022-1735), [CVE-2022-1769](https://nvd.nist.gov/vuln/detail/CVE-2022-1769), [CVE-2022-1771](https://nvd.nist.gov/vuln/detail/CVE-2022-1771), [CVE-2022-1785](https://nvd.nist.gov/vuln/detail/CVE-2022-1785), [CVE-2022-1796](https://nvd.nist.gov/vuln/detail/CVE-2022-1796), [CVE-2022-1897](https://nvd.nist.gov/vuln/detail/CVE-2022-1897), [CVE-2022-1898](https://nvd.nist.gov/vuln/detail/CVE-2022-1898), [CVE-2022-1886](https://nvd.nist.gov/vuln/detail/CVE-2022-1886), [CVE-2022-1851](https://nvd.nist.gov/vuln/detail/CVE-2022-1851), [CVE-2022-1927](https://nvd.nist.gov/vuln/detail/CVE-2022-1927), [CVE-2022-1942](https://nvd.nist.gov/vuln/detail/CVE-2022-1942), [CVE-2022-1968](https://nvd.nist.gov/vuln/detail/CVE-2022-1968), [CVE-2022-2000](https://nvd.nist.gov/vuln/detail/CVE-2022-2000))
#### Bug fixes:
- Added back `gettext` to the OS ([Flatcar#849](https://github.com/flatcar-linux/Flatcar/issues/849))
- Added merging of Ignition systemd duplicated units when auto-translating from Ignition 2 to Ignition 3. ([coreos-overlay#2187](https://github.com/flatcar/coreos-overlay/pull/2187))
- Equinix Metal: Fixed serial console settings for the `m3.small.x86` instance by expanding the GRUB check for `i386` to `x86_64` ([coreos-overlay#2122](https://github.com/flatcar-linux/coreos-overlay/pull/2122))
- Removed outdated LTS channel information printed on login ([init#75](https://github.com/flatcar-linux/init/pull/75))
#### Changes:
- Added symlink from `nc` to `ncat`. `-q` option is [not yet supported](https://github.com/nmap/nmap/issues/2422) ([flatcar#545](https://github.com/flatcar-linux/Flatcar/issues/545))
- emerge-gitclone: Migrate emerge-gitclone to use scripts repo tags and submodule refs
#### Updates:
- Linux ([5.15.70](https://lwn.net/Articles/909212) (includes [5.15.69](https://lwn.net/Articles/908782), [5.15.68](https://lwn.net/Articles/908140), [5.15.67](https://lwn.net/Articles/907526), [5.15.66](https://lwn.net/Articles/907524), [5.15.65](https://lwn.net/Articles/907204), [5.15.64](https://lwn.net/Articles/906630), [5.15.51](https://lwn.net/Articles/899370)))
- Linux Firmware ([20220815](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220815) (includes [20220708](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220708)))
- Go ([1.18.6](https://go.dev/doc/devel/release#go1.18.6))
- adcli ([0.9.1](https://gitlab.freedesktop.org/realmd/adcli/-/releases#0.9.1))
- automake ([1.16.5](https://savannah.gnu.org/forum/forum.php?forum_id=10055))
- binutils ([2.38](https://lwn.net/Articles/884264/))
- bison ([3.8.2](https://lists.gnu.org/archive/html/bug-bison/2021-09/msg00056.html))
- boost ([1.79](https://www.boost.org/users/history/version_1_79_0.html))
- ca-certificates ([3.83](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_83.html))
- cifs-utils ([6.15](https://lists.samba.org/archive/samba-technical/2022-April/137335.html))
- containerd ([1.6.8](https://github.com/containerd/containerd/releases/tag/v1.6.8) (includes [1.6.7](https://github.com/containerd/containerd/releases/tag/v1.6.7)))
- curl ([7.84.0](https://github.com/curl/curl/releases/tag/curl-7_84_0))
- Cyrus SASL ([2.1.28](https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28))
- expat ([2.4.9](https://github.com/libexpat/libexpat/blob/R_2_4_9/expat/Changes))
- gcc ([11.3.0](https://gcc.gnu.org/gcc-11/changes.html))
- gdb ([11.2](https://lists.gnu.org/archive/html/info-gnu/2022-01/msg00009.html))
- gettext ([0.21](https://www.gnu.org/software/gettext/))
- git ([2.37.1](https://github.com/git/git/blob/v2.37.1/Documentation/RelNotes/2.37.1.txt))
- glib ([2.72.3](https://gitlab.gnome.org/GNOME/glib/-/tags/2.73.3))
- gnupg ([2.2.35](https://dev.gnupg.org/T5928))
- gnutls ([3.7.7](https://gitlab.com/gnutls/gnutls/-/tags/3.7.7))
- libtool ([2.4.7](https://savannah.gnu.org/forum/forum.php?forum_id=10139))
- locksmith([0.7.0](https://github.com/flatcar/locksmith/blob/v0.7.0/CHANGELOG.md#v070--30112021))
- oniguruma ([6.9.8](https://github.com/kkos/oniguruma/releases/tag/v6.9.8))
- perl ([5.34.1](https://perldoc.perl.org/5.34.1/perldelta))
- pkgconf ([1.8.0](https://gitea.treehouse.systems/ariadne/pkgconf/src/tag/pkgconf-1.8.0/NEWS))
- shadow ([4.12.3](https://github.com/shadow-maint/shadow/releases/tag/4.12.3))
- sudo ([1.9.10](https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_10))
- vim ([8.2.5066](https://github.com/vim/vim/releases/tag/v8.2.5066))
- SDK: Rust ([1.63.0](https://github.com/rust-lang/rust/releases/tag/1.63.0) (includes [1.62.1](https://github.com/rust-lang/rust/releases/tag/1.62.1), [1.62.0](https://github.com/rust-lang/rust/releases/tag/1.62.0)))
- VMware: open-vm-tools ([12.1.0](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.1.0))
_Changes since **Alpha 3346.0.0**_
#### Security fixes:
- Linux ([CVE-2022-0171](https://nvd.nist.gov/vuln/detail/CVE-2022-0171), [CVE-2022-2663](https://nvd.nist.gov/vuln/detail/CVE-2022-2663), [CVE-2022-2905](https://nvd.nist.gov/vuln/detail/CVE-2022-2905), [CVE-2022-3028](https://nvd.nist.gov/vuln/detail/CVE-2022-3028), [CVE-2022-3061](https://nvd.nist.gov/vuln/detail/CVE-2022-3061), [CVE-2022-3176](https://nvd.nist.gov/vuln/detail/CVE-2022-3176), [CVE-2022-3303](https://nvd.nist.gov/vuln/detail/CVE-2022-3303), [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190), [CVE-2022-39842](https://nvd.nist.gov/vuln/detail/CVE-2022-39842), [CVE-2022-40307](https://nvd.nist.gov/vuln/detail/CVE-2022-40307))
- Go ([CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664), [CVE-2022-32190](https://nvd.nist.gov/vuln/detail/CVE-2022-32190))
- expat ([CVE-2022-40674](https://nvd.nist.gov/vuln/detail/CVE-2022-40674))
#### Bug fixes:
- Added back `gettext` to the OS ([Flatcar#849](https://github.com/flatcar-linux/Flatcar/issues/849))
- Added merging of Ignition systemd duplicated units when auto-translating from Ignition 2 to Ignition 3. ([coreos-overlay#2187](https://github.com/flatcar/coreos-overlay/pull/2187))
- Equinix Metal: Fixed serial console settings for the `m3.small.x86` instance by expanding the GRUB check for `i386` to `x86_64` ([coreos-overlay#2122](https://github.com/flatcar-linux/coreos-overlay/pull/2122))
#### Changes:
- emerge-gitclone: Migrate emerge-gitclone to use scripts repo tags and submodule refs
#### Updates:
- Linux ([5.15.70](https://lwn.net/Articles/909212) (includes [5.15.69](https://lwn.net/Articles/908782), [5.15.68](https://lwn.net/Articles/908140), [5.15.67](https://lwn.net/Articles/907526), [5.15.66](https://lwn.net/Articles/907524), [5.15.65](https://lwn.net/Articles/907204), [5.15.64](https://lwn.net/Articles/906630)))
- Go ([1.18.6](https://go.dev/doc/devel/release#go1.18.6))
- ca-certificates ([3.83](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_83.html))
- gettext ([0.21](https://www.gnu.org/software/gettext/))
- locksmith([0.7.0](https://github.com/flatcar/locksmith/blob/v0.7.0/CHANGELOG.md#v070--30112021))
- expat ([2.4.9](https://github.com/libexpat/libexpat/blob/R_2_4_9/expat/Changes))
Best,
The Flatcar Container Linux Maintainers
---
### Security
**Subject**: Security issues fixed with the latest Alpha 3374.0.0, Beta 3346.1.0 releases
**Security fix**: With the Alpha 3374.0.0, Beta 3346.1.0 releases we ship fixes for the CVEs listed below.
#### Alpha 3374.0.0
* Docker
* [CVE-2022-36109](https://nvd.nist.gov/vuln/detail/CVE-2022-36109) CVSSv3 score: n/a
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.
* Go
* [CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664) CVSSv3 score: 7.5(High)
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
* [CVE-2022-32190](https://nvd.nist.gov/vuln/detail/CVE-2022-32190) CVSSv3 score: 9.8(Critical)
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
* Linux
* [CVE-2022-0171](https://nvd.nist.gov/vuln/detail/CVE-2022-0171) CVSSv3 score: 5.5(Medium)
A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV).
* [CVE-2022-2663](https://nvd.nist.gov/vuln/detail/CVE-2022-2663) CVSSv3 score: 5.3(Medium)
An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.
* [CVE-2022-2905](https://nvd.nist.gov/vuln/detail/CVE-2022-2905) CVSSv3 score: 5.5(Medium)
An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data.
* [CVE-2022-3028](https://nvd.nist.gov/vuln/detail/CVE-2022-3028) CVSSv3 score: 7(High)
A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.
* [CVE-2022-3061](https://nvd.nist.gov/vuln/detail/CVE-2022-3061) CVSSv3 score: 5.5(Medium)
Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by zero error.
* [CVE-2022-3176](https://nvd.nist.gov/vuln/detail/CVE-2022-3176) CVSSv3 score: n/a
There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659
* [CVE-2022-3303](https://nvd.nist.gov/vuln/detail/CVE-2022-3303) CVSSv3 score: 4.7(Medium)
A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition
* [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190) CVSSv3 score: 5.5(Medium)
An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain.
* [CVE-2022-39842](https://nvd.nist.gov/vuln/detail/CVE-2022-39842) CVSSv3 score: 7.8(High)
An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.
* [CVE-2022-40307](https://nvd.nist.gov/vuln/detail/CVE-2022-40307) CVSSv3 score: 4.7(Medium)
An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.
* expat
* [CVE-2022-40674](https://nvd.nist.gov/vuln/detail/CVE-2022-40674) CVSSv3 score: 9.8(Critical)
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
* intel-microcode
* [CVE-2022-21233](https://nvd.nist.gov/vuln/detail/CVE-2022-21233) CVSSv3 score: 5.5(Medium)
Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
* libxml2
* [CVE-2016-3709](https://nvd.nist.gov/vuln/detail/CVE-2016-3709) CVSSv3 score: 6.1(Medium)
Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
* [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309) CVSSv3 score: 7.5(High)
NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
* polkit
* [CVE-2021-4115](https://nvd.nist.gov/vuln/detail/CVE-2021-4115) CVSSv3 score: 5.5(Medium)
There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and a new one being spawned
* rsync
* [CVE-2022-29154](https://nvd.nist.gov/vuln/detail/CVE-2022-29154) CVSSv3 score: 7.4(High)
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
* unzip
* [CVE-2022-0529](https://nvd.nist.gov/vuln/detail/CVE-2022-0529) CVSSv3 score: 5.5(Medium)
A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
* [CVE-2022-0530](https://nvd.nist.gov/vuln/detail/CVE-2022-0530) CVSSv3 score: 5.5(Medium)
A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
* [CVE-2021-4217](https://nvd.nist.gov/vuln/detail/CVE-2021-4217) CVSSv3 score: 7.8(High)
A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
* zlib
* [CVE-2022-37434](https://nvd.nist.gov/vuln/detail/CVE-2022-37434) CVSSv3 score: 9.8(Critical)
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
#### Beta 3346.1.0
* Go
* [CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664) CVSSv3 score: 7.5(High)
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
* [CVE-2022-32190](https://nvd.nist.gov/vuln/detail/CVE-2022-32190) CVSSv3 score: 9.8(Critical)
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
* [CVE-2022-32189](https://nvd.nist.gov/vuln/detail/CVE-2022-32189) CVSSv3 score: 7.5(High)
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
* Linux
* [CVE-2022-0171](https://nvd.nist.gov/vuln/detail/CVE-2022-0171) CVSSv3 score: 5.5(Medium)
A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV).
* [CVE-2022-2663](https://nvd.nist.gov/vuln/detail/CVE-2022-2663) CVSSv3 score: 5.3(Medium)
An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.
* [CVE-2022-2905](https://nvd.nist.gov/vuln/detail/CVE-2022-2905) CVSSv3 score: 5.5(Medium)
An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data.
* [CVE-2022-3028](https://nvd.nist.gov/vuln/detail/CVE-2022-3028) CVSSv3 score: 7(High)
A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.
* [CVE-2022-3061](https://nvd.nist.gov/vuln/detail/CVE-2022-3061) CVSSv3 score: 5.5(Medium)
Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by zero error.
* [CVE-2022-3176](https://nvd.nist.gov/vuln/detail/CVE-2022-3176) CVSSv3 score: n/a
There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659
* [CVE-2022-3303](https://nvd.nist.gov/vuln/detail/CVE-2022-3303) CVSSv3 score: 4.7(Medium)
A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition
* [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190) CVSSv3 score: 5.5(Medium)
An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain.
* [CVE-2022-39842](https://nvd.nist.gov/vuln/detail/CVE-2022-39842) CVSSv3 score: 7.8(High)
An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.
* [CVE-2022-40307](https://nvd.nist.gov/vuln/detail/CVE-2022-40307) CVSSv3 score: 4.7(Medium)
An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.
* binutils
* [CVE-2021-45078](https://nvd.nist.gov/vuln/detail/CVE-2021-45078) CVSSv3 score: 7.8(High)
stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.
* cifs-utils
* [CVE-2022-27239](https://nvd.nist.gov/vuln/detail/CVE-2022-27239) CVSSv3 score: 7.8(High)
In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.
* [CVE-2022-29869](https://nvd.nist.gov/vuln/detail/CVE-2022-29869) CVSSv3 score: 5.3(Medium)
cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.
* curl
* [CVE-2022-32205](https://nvd.nist.gov/vuln/detail/CVE-2022-32205) CVSSv3 score: 4.3(Medium)
A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.
* [CVE-2022-32206](https://nvd.nist.gov/vuln/detail/CVE-2022-32206) CVSSv3 score: 6.5(Medium)
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
* [CVE-2022-32207](https://nvd.nist.gov/vuln/detail/CVE-2022-32207) CVSSv3 score: 9.8(Critical)
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.
* [CVE-2022-32208](https://nvd.nist.gov/vuln/detail/CVE-2022-32208) CVSSv3 score: 5.9(Medium)
When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
* expat
* [CVE-2022-40674](https://nvd.nist.gov/vuln/detail/CVE-2022-40674) CVSSv3 score: 9.8(Critical)
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
* git
* [CVE-2022-29187](https://nvd.nist.gov/vuln/detail/CVE-2022-29187) CVSSv3 score: n/a
Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.
* gnupg
* [CVE-2022-34903](https://nvd.nist.gov/vuln/detail/CVE-2022-34903) CVSSv3 score: 6.5(Medium)
GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.
* gnutls
* [CVE-2022-2509](https://nvd.nist.gov/vuln/detail/CVE-2022-2509) CVSSv3 score: 7.5(High)
A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.
* libtirpc
* [CVE-2021-46828](https://nvd.nist.gov/vuln/detail/CVE-2021-46828) CVSSv3 score: 7.5(High)
In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.
* open-vm-tools
* [CVE-2022-31676](https://nvd.nist.gov/vuln/detail/CVE-2022-31676) CVSSv3 score: 7.8(High)
VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.
* shadow
* [CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235) CVSSv3 score: 4.7(Medium)
shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees
* vim
* [CVE-2022-0629](https://nvd.nist.gov/vuln/detail/CVE-2022-0629) CVSSv3 score: 7.8(High)
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-0685](https://nvd.nist.gov/vuln/detail/CVE-2022-0685) CVSSv3 score: 7.8(High)
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4418.
* [CVE-2022-0714](https://nvd.nist.gov/vuln/detail/CVE-2022-0714) CVSSv3 score: 5.5(Medium)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.
* [CVE-2022-0729](https://nvd.nist.gov/vuln/detail/CVE-2022-0729) CVSSv3 score: 8.8(High)
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.
* [CVE-2022-0943](https://nvd.nist.gov/vuln/detail/CVE-2022-0943) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow occurs in vim in GitHub repository vim/vim prior to 8.2.4563.
* [CVE-2022-1154](https://nvd.nist.gov/vuln/detail/CVE-2022-1154) CVSSv3 score: 7.8(High)
Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.
* [CVE-2022-1160](https://nvd.nist.gov/vuln/detail/CVE-2022-1160) CVSSv3 score: 7.8(High)
heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.
* [CVE-2022-1381](https://nvd.nist.gov/vuln/detail/CVE-2022-1381) CVSSv3 score: 7.8(High)
global heap buffer overflow in skip_range in GitHub repository vim/vim prior to 8.2.4763. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
* [CVE-2022-1420](https://nvd.nist.gov/vuln/detail/CVE-2022-1420) CVSSv3 score: 5.5(Medium)
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4774.
* [CVE-2022-1616](https://nvd.nist.gov/vuln/detail/CVE-2022-1616) CVSSv3 score: 7.8(High)
Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
* [CVE-2022-1619](https://nvd.nist.gov/vuln/detail/CVE-2022-1619) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution
* [CVE-2022-1620](https://nvd.nist.gov/vuln/detail/CVE-2022-1620) CVSSv3 score: 7.5(High)
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.
* [CVE-2022-1621](https://nvd.nist.gov/vuln/detail/CVE-2022-1621) CVSSv3 score: 7.8(High)
Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
* [CVE-2022-1629](https://nvd.nist.gov/vuln/detail/CVE-2022-1629) CVSSv3 score: 7.8(High)
Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution
* [CVE-2022-1674](https://nvd.nist.gov/vuln/detail/CVE-2022-1674) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.
* [CVE-2022-1733](https://nvd.nist.gov/vuln/detail/CVE-2022-1733) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968.
* [CVE-2022-1735](https://nvd.nist.gov/vuln/detail/CVE-2022-1735) CVSSv3 score: 7.8(High)
Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969.
* [CVE-2022-1769](https://nvd.nist.gov/vuln/detail/CVE-2022-1769) CVSSv3 score: 7.8(High)
Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974.
* [CVE-2022-1771](https://nvd.nist.gov/vuln/detail/CVE-2022-1771) CVSSv3 score: 5.5(Medium)
Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975.
* [CVE-2022-1785](https://nvd.nist.gov/vuln/detail/CVE-2022-1785) CVSSv3 score: 7.8(High)
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.
* [CVE-2022-1796](https://nvd.nist.gov/vuln/detail/CVE-2022-1796) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 8.2.4979.
* [CVE-2022-1897](https://nvd.nist.gov/vuln/detail/CVE-2022-1897) CVSSv3 score: 7.8(High)
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1898](https://nvd.nist.gov/vuln/detail/CVE-2022-1898) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1886](https://nvd.nist.gov/vuln/detail/CVE-2022-1886) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1851](https://nvd.nist.gov/vuln/detail/CVE-2022-1851) CVSSv3 score: 7.8(High)
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1927](https://nvd.nist.gov/vuln/detail/CVE-2022-1927) CVSSv3 score: 9.8(Critical)
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1942](https://nvd.nist.gov/vuln/detail/CVE-2022-1942) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1968](https://nvd.nist.gov/vuln/detail/CVE-2022-1968) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2000](https://nvd.nist.gov/vuln/detail/CVE-2022-2000) CVSSv3 score: 7.8(High)
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
---
### Communication
#### Go/No-Go message for Matrix/Slack
Go/No-Go Meeting for Alpha 3374.0.0 Beta 3346.1.0
Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/3346.1.0/ https://bincache.flatcar-linux.net/images/amd64/3374.0.0/
Tracking issue: https://github.com/flatcar/Flatcar/issues/860
The Go/No-Go document is in our HackMD @flatcar namespace
Link: https://hackmd.io/NuLz3rKZQl2B44jbZrSaRw?view
Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait.
Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat.
@MAINTAINER @MAINTAINER @MAINTAINER
#### Twitter
_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases now available for [all channels|Alpha|Alpha+Beta|...]!
📦 Many package updates: [highlight], [highlight] ...
🔒 CVE fixes & security patches: [highlight fix], [highlight fix] ...
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome Flatcar releases of this month:
- Alpha ${VERSION} (new major)
- Beta ${VERSION} (maintenance release)
These releases include:
🚀 new features ...
🩹 Fix bugs ...
📦 Many package updates: ...
📜 Release notes in usual spot: https://www.flatcar.org/releases/