# Flatcar Container Linux Release - February 10th ## Alpha 3510.0.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: __GO__ ## Communication --- #### Guidelines / Things to Remember - Release notes are used in a PR and will appear on https://www.flatcar.org/releases/ - [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post). --- ### Announcement Message Subject: Announcing new release Alpha 3510.0.0 Hello, We are pleased to announce a new Flatcar Container Linux release for the Alpha channel. ### New Alpha Release 3510.0.0 _Changes since **Alpha 3493.0.0**_ #### Security fixes: - Linux ([CVE-2022-4842](https://nvd.nist.gov/vuln/detail/CVE-2022-4842)) - curl ([CVE-2022-43551](https://nvd.nist.gov/vuln/detail/CVE-2022-43551), [CVE-2022-43552](https://nvd.nist.gov/vuln/detail/CVE-2022-43552)) - sudo ([CVE-2023-22809](https://nvd.nist.gov/vuln/detail/CVE-2023-22809)) - vim ([CVE-2023-0049](https://nvd.nist.gov/vuln/detail/CVE-2023-0049), [CVE-2023-0051](https://nvd.nist.gov/vuln/detail/CVE-2023-0051), [CVE-2023-0054](https://nvd.nist.gov/vuln/detail/CVE-2023-0054)) - SDK: qemu ([CVE-2022-4172](https://nvd.nist.gov/vuln/detail/CVE-2022-4172)) #### Bug fixes: #### Changes: #### Updates: - Linux ([5.15.92](https://lwn.net/Articles/922340) (includes [5.15.91](https://lwn.net/Articles/921851), [5.15.90](https://lwn.net/Articles/921029))) - bind tools ([9.16.36](https://bind9.readthedocs.io/en/v9_16_36/notes.html#notes-for-bind-9-16-36) (includes [9.16.34](https://bind9.readthedocs.io/en/v9_16_35/notes.html#notes-for-bind-9-16-34) and [9.16.35](https://bind9.readthedocs.io/en/v9_16_34/notes.html#notes-for-bind-9-16-35))) - bpftool ([5.19.12](https://lwn.net/Articles/909678/)) - containerd ([1.6.16](https://github.com/containerd/containerd/releases/tag/v1.6.16)) - cri-tools ([1.24.2](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.24.2)) - curl ([7.87.0](https://curl.se/changes.html#7_87_0)) - Docker ([20.10.23](https://docs.docker.com/engine/release-notes/20.10/#201023)) - git ([2.39.1](https://github.com/git/git/blob/v2.39.1/Documentation/RelNotes/2.39.1.txt) (includes [2.39.0](https://github.com/git/git/blob/v2.39.0/Documentation/RelNotes/2.39.0.txt))) - iptables ([1.8.8](https://www.netfilter.org/projects/iptables/files/changes-iptables-1.8.8.txt)) - sudo ([1.9.12_p2](https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p2)) - systemd ([252.5](https://github.com/systemd/systemd-stable/releases/tag/v252.5) (includes [252](https://github.com/systemd/systemd/releases/tag/v252))) - XZ utils ([5.4.1](https://github.com/tukaani-project/xz/releases/tag/v5.4.1) (includes [5.4.0](https://github.com/tukaani-project/xz/releases/tag/v5.4.0))) - vim ([9.0.1157](https://github.com/vim/vim/releases/tag/v9.0.1157)) - SDK: boost ([1.81.0](https://www.boost.org/users/history/version_1_81_0.html)) - SDK: file ([5.44](https://github.com/file/file/blob/FILE5_44/ChangeLog)) - SDK: portage ([3.0.43](https://github.com/gentoo/portage/blob/portage-3.0.43/NEWS) (includes [3.0.42](https://github.com/gentoo/portage/blob/portage-3.0.42/NEWS))) - SDK: qemu ([7.2.0](https://wiki.qemu.org/ChangeLog/7.2)) - SDK: Rust ([1.67.0](https://github.com/rust-lang/rust/releases/tag/1.67.0)) Best, The Flatcar Container Linux Maintainers --- ### Security **Subject**: Security issues fixed with the latest Alpha 3510.0.0 release. **Security fix**: With the Alpha 3510.0.0 release we ship fixes for the CVEs listed below. #### Alpha 3510.0.0 * Linux * [CVE-2022-4842](https://nvd.nist.gov/vuln/detail/CVE-2022-4842) CVSSv3 score: 5.5(Medium) A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system. * curl * [CVE-2022-43551](https://nvd.nist.gov/vuln/detail/CVE-2022-43551) CVSSv3 score: 7.5(High) A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. * [CVE-2022-43552](https://nvd.nist.gov/vuln/detail/CVE-2022-43552) CVSSv3 score: n/a A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. * sudo * [CVE-2023-22809](https://nvd.nist.gov/vuln/detail/CVE-2023-22809) CVSSv3 score: 7.8(High) In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value. * vim * [CVE-2023-0049](https://nvd.nist.gov/vuln/detail/CVE-2023-0049) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143. * [CVE-2023-0051](https://nvd.nist.gov/vuln/detail/CVE-2023-0051) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144. * [CVE-2023-0054](https://nvd.nist.gov/vuln/detail/CVE-2023-0054) CVSSv3 score: 7.8(High) Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145. * SDK: qemu * [CVE-2022-4172](https://nvd.nist.gov/vuln/detail/CVE-2022-4172) CVSSv3 score: 6.5(Medium) An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host. --- ### Communication #### Go/No-Go message for Matrix/Slack Go/No-Go Meeting for Alpha 3510.0.0. Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/3510.0.0/ Tracking issue: https://github.com/flatcar/Flatcar/issues/957 The Go/No-Go document is in our HackMD @flatcar namespace Link: https://hackmd.io/QS326OCXRImks5_iis61nw?view Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait. Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat. @MAINTAINER @MAINTAINER @MAINTAINER #### Mastodon _The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._ New #flatcar Alpha 3510.0.0 release now available! 📦 Many package updates: systemd 252.5, curl 7.87.0, iptables 1.8.8 🔒 CVE fixes & security patches: CVE-2022-43551 and CVE-2022-43552 of curl 📜 Release notes at the usual spot: https://www.flatcar.org/releases/ #### Kubernetes Slack _This goes in the #flatcar channel_ Please welcome a Flatcar release: - Alpha 3510.0.0 (new major) These releases include: 📦 Many package updates: systemd 252.5, curl 7.87.0, iptables 1.8.8 🔒 CVE fixes & security patches: CVE-2022-43551 and CVE-2022-43552 of curl 📜 Release notes in usual spot: https://www.flatcar.org/releases/