Flatcar Container Linux Release - September 21st, 2023

Alpha 3732.0.0

• AMD64-usr
  • Platforms succeeded: None
  • Platforms failed: All
    • All platforms: kubeadm.*.cgroupv1 failed due to a regression in Kernel 6.1.54, reported upstream.
  • Platforms not tested: None
• ARM64-usr
  • Platforms succeeded: None
  • Platforms failed: All
    • All platforms: kubeadm.*.cgroupv1 failed due to a regression in Kernel 6.1.54, reported upstream.
    • Equinix Metal arm64 failed due to insufficient number of available instances.
  • Platforms not tested: None

VERDICT: GO / WAIT / NO-GO

Beta 3602.1.6

• AMD64-usr
  • Platforms succeeded: All
  • Platforms failed: None
  • Platforms not tested: None
• ARM64-usr
  • Platforms succeeded: All except Equinix Metal
  • Platforms failed: Equinix Metal
    • Equinix Metal arm64 failed due to insufficient number of available instances.
  • Platforms not tested: None

VERDICT: GO / WAIT / NO-GO

Stable 3510.2.8

• AMD64-usr
  • Platforms succeeded: All except Azure
  • Platforms failed: Azure
    • Azure
      • cl.ignition.kargs failed due to an already known issue of Kernel warnings in Kernel 5.15.129
  • Platforms not tested: None
• ARM64-usr
  • Platforms succeeded: All except Azure, Equinix Metal
  • Platforms failed:
    • Azure
      • cl.ignition.kargs failed due to an already known issue of Kernel warnings in Kernel 5.15.129
    • Equinix Metal
      • Equinix Metal arm64 failed due to insufficient number of available instances.
  • Platforms not tested: None

VERDICT: GO / WAIT / NO-GO

Communication

Guidelines / Things to Remember

• Release notes are used in a PR and will appear on https://www.flatcar.org/releases/
• Announcement Message is posted in Flatcar-Linux-user. Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).

Announcement Message

Subject: Announcing new releases Alpha 3732.0.0, Beta 3602.1.6, Stable 3510.2.8

Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable channel.

New Alpha Release 3732.0.0

Changes since Alpha 3717.0.0

Known issues:

• Regression in Kernel 6.1.54, so that a specific cgroupv1 sysfs entry for reading Kernel memory limit disappeared. Container runtimes like runc are mainly affected. The issue was already reported to the upstream Kernel community.

Security fixes:

• Linux (CVE-2023-25775, CVE-2023-4623)
• Go (CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322)
• nvidia-drivers (CVE-2023-25515, CVE-2023-25516)
• torcx (CVE-2022-28948)
• SDK: Python (CVE-2023-40217, CVE-2023-41105)

Bug fixes:

• Fix the RemainAfterExit clause in nvidia.service (Flatcar#1169)
• Fixed bug in handling renamed network interfaces when generating login issue (init#102)

Changes:

• OEM vendor tools are now A/B updated if they are shipped as systemd-sysext images, the migration happens when both partitions require a systemd-sysext OEM image - note that this will delete the nvidia.service from /etc on Azure because it's now part of /usr (Flatcar#60)
• Azure: Add support for Microsoft Azure Network Adapter (MANA) NICs on Azure (scripts#1131)

Updates:

• Linux (6.1.54 (includes 6.1.53, 6.1.52, 6.1.51))
• Go (1.19.13)
• Go (1.20.8)
• cJSON (1.7.16)
• ca-certificates (3.93)
• containerd (1.7.6)
• ethtool (6.4)
• glib (2.76.4)
• glibc (2.37)
• gmp (6.3.0)
• hwdata (0.373 (includes 0.372))
• inih (57)
• iproute2 (6.4.0)
• libmicrohttpd (0.9.77)
• libnftnl (1.2.6)
• libnvme (1.5)
• nvidia-drivers (535.104.05)
• nvme-cli (2.5)
• openldap (2.6.4)
• tar (1.35)
• xfsprogs (6.4.0)
• SDK: file (5.45)
• SDK: gnuconfig (20230731)
• SDK: kbd (2.6.1 (includes 2.6.0))
• SDK: python (3.11.5)
• SDK: qemu (8.0.4)

New Beta Release 3602.1.6

Changes since Beta 3602.1.5

Changes:

• Azure: Add support for Microsoft Azure Network Adapter (MANA) NICs on Azure (scripts#1131)

Updates:

• Linux (5.15.132 (includes 5.15.131, 5.15.130))
• ca-certificates (3.93)

New Stable Release 3510.2.8

Changes since Stable 3510.2.7

Security fixes:

• Linux (CVE-2023-20588, CVE-2023-3772, CVE-2023-40283, CVE-2023-4128, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4273, CVE-2023-4569)

Changes:

• Azure: Add support for Microsoft Azure Network Adapter (MANA) NICs on Azure (scripts#1131)

Updates:

• Linux (5.15.129 (includes 5.15.128, 5.15.127, 5.15.126))
• ca-certificates (3.93)

Best,
The Flatcar Container Linux Maintainers

Detailed Security Report

Security fix: With the Alpha 3732.0.0, Beta 3602.1.6, Stable 3510.2.8 releases we ship fixes for the CVEs listed below.

Alpha 3732.0.0

• Go

  • CVE-2023-39318 CVSSv3 score: 6.1(Medium)
    The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
  • CVE-2023-39319 CVSSv3 score: 6.1(Medium)
    The html/template package does not apply the proper rules for handling occurrences of "<script", "<!–", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
  • CVE-2023-39320 CVSSv3 score: 9.8(Critical)
    The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
  • CVE-2023-39321 CVSSv3 score: 7.5(High)
    Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
  • CVE-2023-39322 CVSSv3 score: 7.5(High)
    QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.

• Linux

  • CVE-2023-25775 CVSSv3 score: 9.8(Critical)
    Improper access control in the Intel® Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
  • CVE-2023-4623 CVSSv3 score: n/a
    A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.
    We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.

• SDK: Python

  • CVE-2023-40217 CVSSv3 score: 5.3(Medium)
    An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
  • CVE-2023-41105 CVSSv3 score: 7.5(High)
    An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

• nvidia-drivers

  • CVE-2023-25515 CVSSv3 score: 7.6(High)
    NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability where unexpected untrusted data is parsed, which may lead to code execution, denial of service, escalation of privileges, data tampering, or information disclosure.

  • CVE-2023-25516 CVSSv3 score: n/a
    NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause an integer overflow, which may lead to information disclosure and denial of service.

• torcx

  • CVE-2022-28948 CVSSv3 score: 7.5(High)
    An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Stable 3510.2.8

• Linux

  • CVE-2023-20588 CVSSv3 score: 5.5(Medium)
    A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.

  • CVE-2023-3772 CVSSv3 score: 4.4(Medium)
    A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.

  • CVE-2023-40283 CVSSv3 score: 7.8(High)
    An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.

  • CVE-2023-4128 CVSSv3 score: n/a
    A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.

  • CVE-2023-4206 CVSSv3 score: n/a
    A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
    We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.

  • CVE-2023-4207 CVSSv3 score: n/a
    A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
    We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.

  • CVE-2023-4208 CVSSv3 score: n/a
    A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
    We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.

  • CVE-2023-4273 CVSSv3 score: 6.7(Medium)
    A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.

  • CVE-2023-4569 CVSSv3 score: 5.5(Medium)
    A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which results in a memory leak.

Communication

Go/No-Go message for Matrix/Slack

Go/No-Go Meeting for Alpha 3732.0.0, Beta 3602.1.6, Stable 3510.2.8
Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/
Tracking issue: https://github.com/flatcar/Flatcar/issues/1181
The Go/No-Go document is in our HackMD @flatcar namespace
Link: https://hackmd.io/WHLJb98ITamt-oMwW_MvXg?view

Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait.

Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat.

@MAINTAINER @MAINTAINER @MAINTAINER

Mastodon

The toot (from @flatcar) goes out after the changelog update has been published; it includes a link to the web changelog.

New Flatcar Alpha 3732.0.0, Beta 3602.1.6, Stable 3510.2.8 releases now available!
📦 Many package updates: Linux, nvidia-drivers, libnvme
🔒 CVE fixes & security patches: Linux, nvidia-drivers
📜 Release notes at the usual spot: https://www.flatcar.org/releases/

#linux #cloudnative #containers #updates

Kubernetes Slack

This goes in the #flatcar channel

Please welcome new Flatcar releases:

• Alpha 3732.0.0 (new major)
• Beta 3602.1.6 (maintenance release)
• Stable 3510.2.8 (maintenance release)

These releases include:
📦 Many package updates: Linux, nvidia-drivers, libnvme
🔒 CVE fixes & security patches: Linux, nvidia-drivers
📜 Release notes at the usual spot: https://www.flatcar.org/releases/