# Flatcar Container Linux Release - 2022-10-12 ## Flatcar-linux-3227.2.3-Stable - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Flatcar-linux-2605.32.1-LTS-2021 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Flatcar-linux-3033.3.6-LTS-2022 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Communication --- #### Guidelines / Things to Remember - Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/ - [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post). - Make sure the the LTS is referred to as `LTS-2021`, and not `LTS-2605` --- ### Announcement Message Subject: Announcing new Stable 3227.2.3, LTS-2022 3033.3.6, LTS-2021 2605.32.1 release. Hello, We are pleased to announce a new Flatcar Container Linux release for the Stable 3227.2.3, LTS-2022 3033.3.6, LTS-2021 2605.32.1 channel. As mentioned earlier, The LTS-2021 2605.32.1 will be the last release and no further release will be pushed out. Please upgrade to new LTS-2022 for package and security upgrades. # New **Stable** Release **3227.2.3** _Changes since **Stable 3227.2.2**_ #### Security fixes: - Linux ([CVE-2022-0171](https://nvd.nist.gov/vuln/detail/CVE-2022-0171), [CVE-2022-2663](https://nvd.nist.gov/vuln/detail/CVE-2022-2663), [CVE-2022-2905](https://nvd.nist.gov/vuln/detail/CVE-2022-2905), [CVE-2022-3028](https://nvd.nist.gov/vuln/detail/CVE-2022-3028), [CVE-2022-3061](https://nvd.nist.gov/vuln/detail/CVE-2022-3061), [CVE-2022-3176](https://nvd.nist.gov/vuln/detail/CVE-2022-3176), [CVE-2022-3303](https://nvd.nist.gov/vuln/detail/CVE-2022-3303), [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190), [CVE-2022-39842](https://nvd.nist.gov/vuln/detail/CVE-2022-39842), [CVE-2022-40307](https://nvd.nist.gov/vuln/detail/CVE-2022-40307)) - Go ([CVE-2022-32189](https://nvd.nist.gov/vuln/detail/CVE-2022-32189)) - torcx ([CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191)) - expat ([CVE-2022-40674](https://nvd.nist.gov/vuln/detail/CVE-2022-40674)) #### Bug fixes: - Added back `gettext` to the OS ([Flatcar#849](https://github.com/flatcar-linux/Flatcar/issues/849)) - Added merging of Ignition systemd duplicated units when auto-translating from Ignition 2 to Ignition 3. ([coreos-overlay#2187](https://github.com/flatcar/coreos-overlay/pull/2187)) - Equinix Metal: Fixed serial console settings for the `m3.small.x86` instance by expanding the GRUB check for `i386` to `x86_64` [coreos-overlay#2122](https://github.com/flatcar-linux/coreos-overlay/pull/2122) #### Changes: - emerge-gitclone: Migrate emerge-gitclone to use scripts repo tags and submodule refs #### Updates: - Linux ([5.15.70](https://lwn.net/Articles/909212) (includes [5.15.69](https://lwn.net/Articles/908782), [5.15.68](https://lwn.net/Articles/908140), [5.15.67](https://lwn.net/Articles/907526), [5.15.66](https://lwn.net/Articles/907524), [5.15.65](https://lwn.net/Articles/907204), [5.15.64](https://lwn.net/Articles/906630))) - ca-certificates ([3.83](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_83.html)) - gettext ([0.21](https://www.gnu.org/software/gettext/)) - Go ([1.17.13](https://go.dev/doc/devel/release#go1.17.13)) - locksmith([0.7.0](https://github.com/flatcar/locksmith/blob/v0.7.0/CHANGELOG.md#v070--30112021)) - expat ([2.4.9](https://github.com/libexpat/libexpat/blob/R_2_4_9/expat/Changes)) # New **LTS-2022** Release **3033.3.6** _Changes since **LTS 3033.3.5**_ #### Security fixes: - Linux ([CVE-2022-2905](https://nvd.nist.gov/vuln/detail/CVE-2022-2905), [CVE-2022-3028](https://nvd.nist.gov/vuln/detail/CVE-2022-3028), [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190)) - torcx ([CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561), [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565), [CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191)) #### Bug fixes: - Equinix Metal: Fixed serial console settings for the `m3.small.x86` instance by expanding the GRUB check for `i386` to `x86_64` [coreos-overlay#2122](https://github.com/flatcar-linux/coreos-overlay/pull/2122) #### Changes: - emerge-gitclone: Migrate emerge-gitclone to use scripts repo tags and submodule refs #### Updates: - Linux ([5.10.142](https://lwn.net/Articles/907525) (includes [5.10.141](https://lwn.net/Articles/907205), [5.10.140](https://lwn.net/Articles/906628), [5.10.139](https://lwn.net/Articles/906359), [5.10.138](https://lwn.net/Articles/906062))) - ca-certificates ([3.83](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_83.html)) - locksmith([0.7.0](https://github.com/flatcar/locksmith/blob/v0.7.0/CHANGELOG.md#v070--30112021)) # New **LTS-2021** Release **2605.32.1** _Changes since **LTS 2605.31.1**_ #### Updates: - ca-certificates ([3.83](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_83.html)) Best, The Flatcar Container Linux Maintainers --- ### Security **Subject**: Security issues fixed with the latest Stable, LTS-2021, LTS-2022 release(s) **Security fix**: With the Stable, LTS-2021, LTS-2022 release(s) we ship fixes for the CVEs listed below. #### Stable 3227.2.3 * Go * [CVE-2022-32189](https://nvd.nist.gov/vuln/detail/CVE-2022-32189) CVSSv3 score: 7.5(High) A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. * Linux * [CVE-2022-0171](https://nvd.nist.gov/vuln/detail/CVE-2022-0171) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV). * [CVE-2022-2663](https://nvd.nist.gov/vuln/detail/CVE-2022-2663) CVSSv3 score: 5.3(Medium) An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. * [CVE-2022-2905](https://nvd.nist.gov/vuln/detail/CVE-2022-2905) CVSSv3 score: 5.5(Medium) An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data. * [CVE-2022-3028](https://nvd.nist.gov/vuln/detail/CVE-2022-3028) CVSSv3 score: 7(High) A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. * [CVE-2022-3061](https://nvd.nist.gov/vuln/detail/CVE-2022-3061) CVSSv3 score: 5.5(Medium) Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by zero error. * [CVE-2022-3176](https://nvd.nist.gov/vuln/detail/CVE-2022-3176) CVSSv3 score: n/a There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659 * [CVE-2022-3303](https://nvd.nist.gov/vuln/detail/CVE-2022-3303) CVSSv3 score: 4.7(Medium) A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition * [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190) CVSSv3 score: 5.5(Medium) An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain. * [CVE-2022-39842](https://nvd.nist.gov/vuln/detail/CVE-2022-39842) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur. * [CVE-2022-40307](https://nvd.nist.gov/vuln/detail/CVE-2022-40307) CVSSv3 score: 4.7(Medium) An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free. * expat * [CVE-2022-40674](https://nvd.nist.gov/vuln/detail/CVE-2022-40674) CVSSv3 score: 9.8(Critical) libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. * torcx * [CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191) CVSSv3 score: 7.5(High) The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. #### LTS-2022 3033.3.6 * Linux * [CVE-2022-2905](https://nvd.nist.gov/vuln/detail/CVE-2022-2905) CVSSv3 score: 5.5(Medium) An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data. * [CVE-2022-3028](https://nvd.nist.gov/vuln/detail/CVE-2022-3028) CVSSv3 score: 7(High) A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. * [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190) CVSSv3 score: 5.5(Medium) An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain. * torcx * [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561) CVSSv3 score: n/a * [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565) CVSSv3 score: 7.5(High) The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. * [CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191) CVSSv3 score: 7.5(High) The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. --- ### Communication #### Go/No-Go message for Matrix/Slack Go/No-Go Meeting for Stable 3227.2.3, LTS-2022 3033.3.6, LTS-2021 2605.32.1 Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/ Tracking issue: https://github.com/flatcar/Flatcar/issues/870 The Go/No-Go document is in our HackMD @flatcar namespace Link: https://hackmd.io/SzVBsJTeS--cySnQJ9i85w Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait. Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat. #### Twitter _The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._ New Flatcar releases now available for Stable, LTS-2022, LTS-2021 📦 Package updates: Linux, Go, expat, and more 🔒 CVE fixes & security patches: Linux, Go 📜 Release notes at the usual spot: https://www.flatcar.org/releases/ #### Kubernetes Slack _This goes in the #flatcar channel_ Please welcome Flatcar releases of this month: - Stable 3227.2.3 (maintenance release) - LTS-2022 3033.3.6 (maintenance release) - LTS-2021 2605.32.1 (maintenance release) These releases include: 📦 Package updates: Linux, Go, expat, and more 🔒 CVE fixes & security patches: Linux, Go 📜 Release notes at the usual spot: https://www.flatcar.org/releases/