# Flatcar Container Linux Release - January 12th, 2022
- Flatcar-linux-3115.0.0-Alpha
  - AMD64-usr
    - Platforms succeeded: All
    - Platforms failed: None
    - Platforms not tested: None
  - ARM64-usr
    - Platforms succeeded: QEMU_UEFI, Packet
    - Platforms failed: AWS
    - Platform AWS tests failed:
      - Test coreos.update.badusr
    - Platforms not tested: None
VERDICT: _GO_
## Communication
---
#### Guidelines
- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
---
### Announcement Message
Subject: Announcing new Alpha release 3115.0.0
Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha channel.
**Changes since Alpha 3066.0.0**
#### Known issues
- `calico` is crashing with Kubernetes 1.23 and Linux 5.15 - it's recommended to switch over to `iptables` instead of `ipvs` for `kube-proxy` mode. ([projectcalico/calico#5011](https://github.com/projectcalico/calico/issues/5011))
- The SELinux policy store update fix resulted in some files leaked to the root filesystem top directory ([Flatcar#596](https://github.com/flatcar-linux/Flatcar/issues/596))
#### Security fixes
- Linux ([CVE-2020-27820](https://nvd.nist.gov/vuln/detail/CVE-2020-27820), [CVE-2021-4001](https://nvd.nist.gov/vuln/detail/CVE-2021-4001), [CVE-2021-4002](https://nvd.nist.gov/vuln/detail/CVE-2021-4002), [CVE-2021-4083](https://nvd.nist.gov/vuln/detail/CVE-2021-4083), [CVE-2021-4135](https://nvd.nist.gov/vuln/detail/CVE-2021-4135), [CVE-2021-4155](https://nvd.nist.gov/vuln/detail/CVE-2021-4155), [CVE-2021-28711](https://nvd.nist.gov/vuln/detail/CVE-2021-28711), [CVE-2021-28712](https://nvd.nist.gov/vuln/detail/CVE-2021-28712), [CVE-2021-28713](https://nvd.nist.gov/vuln/detail/CVE-2021-28713), [CVE-2021-28714](https://nvd.nist.gov/vuln/detail/CVE-2021-28714), [CVE-2021-28715](https://nvd.nist.gov/vuln/detail/CVE-2021-28715))
- GCC ([CVE-2020-13844](https://nvd.nist.gov/vuln/detail/CVE-2020-13844))
- Go ([CVE-2021-44716](https://nvd.nist.gov/vuln/detail/CVE-2021-44716), [CVE-2021-44717](https://nvd.nist.gov/vuln/detail/CVE-2021-44717))
- ca-certificates ([CVE-2021-43527](https://nvd.nist.gov/vuln/detail/CVE-2021-43527))
- containerd ([CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816))
- ignition ([CVE-2020-14040](https://nvd.nist.gov/vuln/detail/CVE-2020-14040))
- libarchive ([libarchive-1565](https://github.com/libarchive/libarchive/issues/1565), [libarchive-1566](https://github.com/libarchive/libarchive/issues/1566))
- openssh ([CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617))
- runc ([CVE-2021-43784](https://nvd.nist.gov/vuln/detail/CVE-2021-43784))
- torcx ([CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561), [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565))
- vim ([CVE-2021-3872](https://nvd.nist.gov/vuln/detail/CVE-2021-3872), [CVE-2021-3875](https://nvd.nist.gov/vuln/detail/CVE-2021-3875), [CVE-2021-3903](https://nvd.nist.gov/vuln/detail/CVE-2021-3903), [CVE-2021-3927](https://nvd.nist.gov/vuln/detail/CVE-2021-3927), [CVE-2021-3928](https://nvd.nist.gov/vuln/detail/CVE-2021-3928), [CVE-2021-3968](https://nvd.nist.gov/vuln/detail/CVE-2021-3968), [CVE-2021-3973](https://nvd.nist.gov/vuln/detail/CVE-2021-3973), [CVE-2021-3974](https://nvd.nist.gov/vuln/detail/CVE-2021-3974))
- SDK: edk2-ovmf ([CVE-2019-14584](https://nvd.nist.gov/vuln/detail/CVE-2019-14584), [CVE-2021-28210](https://nvd.nist.gov/vuln/detail/CVE-2021-28210), [CVE-2021-28211](https://nvd.nist.gov/vuln/detail/CVE-2021-28211), [CVE-2021-28213](https://nvd.nist.gov/vuln/detail/CVE-2021-28213))
- SDK: libxslt ([CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560))
- SDK: mantle ([CVE-2021-3121](https://nvd.nist.gov/vuln/detail/CVE-2021-3121), [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561), [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565))
- SDK: Python ([CVE-2018-20852](https://nvd.nist.gov/vuln/detail/CVE-2018-20852), [CVE-2019-5010](https://nvd.nist.gov/vuln/detail/CVE-2019-5010), [CVE-2019-9636](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-9740](https://nvd.nist.gov/vuln/detail/CVE-2019-9740), [CVE-2019-9947](https://nvd.nist.gov/vuln/detail/CVE-2019-9947), [CVE-2019-9948](https://nvd.nist.gov/vuln/detail/CVE-2019-9948), [CVE-2019-20907](https://nvd.nist.gov/vuln/detail/CVE-2019-20907), [CVE-2020-8492](https://nvd.nist.gov/vuln/detail/CVE-2020-8492), [CVE-2020-14422](https://nvd.nist.gov/vuln/detail/CVE-2020-14422), [CVE-2020-26116](https://nvd.nist.gov/vuln/detail/CVE-2020-26116), [CVE-2021-3177](https://nvd.nist.gov/vuln/detail/CVE-2021-3177), [CVE-2021-3426](https://nvd.nist.gov/vuln/detail/CVE-2021-3426), [CVE-2021-23336](https://nvd.nist.gov/vuln/detail/CVE-2021-23336), [CVE-2021-29921](https://nvd.nist.gov/vuln/detail/CVE-2021-29921))
- SDK: QEMU ([CVE-2020-35504](https://nvd.nist.gov/vuln/detail/CVE-2020-35504), [CVE-2020-35505](https://nvd.nist.gov/vuln/detail/CVE-2020-35505), [CVE-2020-35506](https://nvd.nist.gov/vuln/detail/CVE-2020-35506), [CVE-2020-35517](https://nvd.nist.gov/vuln/detail/CVE-2020-35517), [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255), [CVE-2021-20257](https://nvd.nist.gov/vuln/detail/CVE-2021-20257), [CVE-2021-20263](https://nvd.nist.gov/vuln/detail/CVE-2021-20263), [CVE-2021-3409](https://nvd.nist.gov/vuln/detail/CVE-2021-3409), [CVE-2021-3416](https://nvd.nist.gov/vuln/detail/CVE-2021-3416), [CVE-2021-3527](https://nvd.nist.gov/vuln/detail/CVE-2021-3527), [CVE-2021-3544](https://nvd.nist.gov/vuln/detail/CVE-2021-3544), [CVE-2021-3545](https://nvd.nist.gov/vuln/detail/CVE-2021-3545), [CVE-2021-3546](https://nvd.nist.gov/vuln/detail/CVE-2021-3546), [CVE-2021-3582](https://nvd.nist.gov/vuln/detail/CVE-2021-3582), [CVE-2021-3607](https://nvd.nist.gov/vuln/detail/CVE-2021-3607), [CVE-2021-3608](https://nvd.nist.gov/vuln/detail/CVE-2021-3608), [CVE-2021-3682](https://nvd.nist.gov/vuln/detail/CVE-2021-3682))
#### Bug fixes
- Added configuration files for logrotate ([flatcar-linux/coreos-overlay#1442](https://github.com/flatcar-linux/coreos-overlay/pull/1442))
- Fixed `ETCD_NAME` conflicting with `--name` for `etcd-member` to start ([flatcar-linux/coreos-overlay#1444](https://github.com/flatcar-linux/coreos-overlay/pull/1444))
- The Torcx profile `docker-1.12-no` got fixed to reference the current Docker version instead of 19.03 which wasn't found on the image, causing Torcx to fail to provide Docker ([flatcar-linux/coreos-overlay#1456](https://github.com/flatcar-linux/coreos-overlay/pull/1456))
- Fixed vim warnings on missing file when built with `USE="minimal"` ([portage-stable#260](https://github.com/flatcar-linux/portage-stable/pull/260))
- Excluded the Kubenet cbr0 interface from networkd's DHCP config and set it to Unmanaged to prevent interference and ensure that it is not part of the network online check ([flatcar-linux/init#55](https://github.com/flatcar-linux/init/pull/55))
- Ensured that the `/run/xtables.lock` coordination file exists for modifications of the xtables backend from containers (must be bind-mounted) or the `iptables-legacy` binaries on the host ([flatcar-linux/init#57](https://github.com/flatcar-linux/init/pull/57))
- AWS: Published missing arm64 AMIs for stable & beta ([flatcar-linux/scripts#188](https://github.com/flatcar-linux/scripts/pull/188), [flatcar-linux/scripts#189](https://github.com/flatcar-linux/scripts/pull/189))
- dev container: Fixed github URL for coreos-overlay and portage-stable to use repos from flatcar-linux org directly instead of relying on redirects from the kinvolk org. This fixes checkouts with emerge-gitclone inside dev-container. ([flatcar-linux/scripts#194](https://github.com/flatcar-linux/scripts/pull/194))
- SDK: Fixed build error popping up in the new SDK Container because `policycoreutils` used the wrong ROOT to update the SELinux store ([flatcar-linux/coreos-overlay#1502](https://github.com/flatcar-linux/coreos-overlay/pull/1502))
#### Changes
- Flatcar is in the NIST CPE dictionary. Programmatically build the `CPE_NAME` in the build process in order to be scanned ([flatcar-linux/Flatcar#536](https://github.com/flatcar-linux/Flatcar/issues/536))
- Added a new flatcar-update tool to the image to ease manual updates, rollbacks, channel/release jumping, and airgapped updates ([flatcar-linux/init#53](https://github.com/flatcar-linux/init/pull/53))
- Update-engine now creates the `/run/reboot-required` flag file for [kured](https://github.com/weaveworks/kured) ([flatcar-linux/update_engine#15](https://github.com/flatcar-linux/update_engine/pull/15))
- Excluded special network interface devices like bridge, tunnel, vxlan, and veth devices from the default DHCP configuration to prevent networkd interference ([flatcar-linux/init#56](https://github.com/flatcar-linux/init/pull/56))
- Backported `elf` support for `iproute2` ([flatcar-linux/coreos-overlay#1256](https://github.com/flatcar-linux/coreos-overlay/pull/1526))
- Added CONFIG_NF_CT_NETLINK_HELPER (for libnetfilter_cthelper), CONFIG_NET_VRF (for virtual routing and forwarding) and CONFIG_KEY_DH_OPERATIONS (for keyutils) to the kernel config ([flatcar-linux/coreos-overlay#1524](https://github.com/flatcar-linux/coreos-overlay/pull/1524))
#### Updates
- Linux ([5.15.13](https://lwn.net/Articles/880469))
- Linux Firmware ([20211216](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20211216))
- Linux Kernel headers ([5.15](https://lwn.net/Articles/874495/))
- Docker ([20.10.12](https://docs.docker.com/engine/release-notes/#201012))
- GCC ([9.4.0](https://lists.gnu.org/archive/html/info-gnu/2021-06/msg00000.html))
- Go ([1.17.6](https://go.googlesource.com/go/+/refs/tags/go1.17.6))
- acl ([2.3.1](https://git.savannah.nongnu.org/cgit/acl.git/log/?h=v2.3.1))
- attr ([2.5.1](https://git.savannah.nongnu.org/cgit/attr.git/log/?h=v2.5.1))
- audit ([3.0.6](https://listman.redhat.com/archives/linux-audit/2021-October/msg00000.html))
- boost ([1.76.0](https://www.boost.org/users/history/version_1_76_0.html))
- btrfs-progs ([5.15.1](https://btrfs.wiki.kernel.org/index.php/Changelog#btrfs-progs_v5.15_.28Nov_2021.29))
- ca-certificates ([3.74](https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/5cpT9SNXYSM))
- containerd ([1.5.9](https://github.com/containerd/containerd/releases/tag/v1.5.9))
- coreutils ([8.32](https://lists.gnu.org/archive/html/coreutils-announce/2020-03/msg00000.html))
- diffutils ([3.8](https://lists.gnu.org/archive/html/info-gnu/2021-08/msg00000.html))
- ethtool ([5.10](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/tree/NEWS?h=v5.10))
- findutils ([4.8.0](https://savannah.gnu.org/forum/forum.php?forum_id=9914))
- glib ([2.68.4](https://gitlab.gnome.org/GNOME/glib/-/releases/2.68.4))
- glog ([0.4.0](https://github.com/google/glog/releases/tag/v0.4.0))
- i2c-tools ([4.2](https://git.kernel.org/pub/scm/utils/i2c-tools/i2c-tools.git/log/?h=v4.2))
- iproute2 ([5.15](https://lwn.net/ml/linux-kernel/20211101164705.6f4f2e41%40hermes.local/))
- ipset ([7.11](https://ipset.netfilter.org/changelog.html))
- ipvsadm ([1.27](http://archive.linuxvirtualserver.org/html/lvs-devel/2013-09/msg00011.html))
- kmod ([29](https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/tree/NEWS?h=v29))
- libarchive ([3.5.2](https://github.com/libarchive/libarchive/releases/tag/v3.5.2))
- libcap ([2.49](https://git.kernel.org/pub/scm/libs/libcap/libcap.git/tag/?h=libcap-2.49))
- libcap-ng ([0.8.2](https://github.com/stevegrubb/libcap-ng/releases/tag/v0.8.2))
- libmicrohttpd ([0.9.73](https://lists.gnu.org/r/info-gnu/2021-04/msg00007.html))
- libnl ([3.5.0](https://github.com/thom311/libnl/releases/tag/libnl3_5_0))
- libseccomp ([2.5.1](https://github.com/seccomp/libseccomp/releases/tag/v2.5.1))
- lshw ([02.19.2b_p20210121](https://www.ezix.org/project/wiki/HardwareLiSter#Changes))
- lsof ([4.94.0](https://github.com/lsof-org/lsof/releases/tag/4.94.0))
- openssh ([8.8](http://www.openssh.com/txt/release-8.8))
- pax-utils ([1.3.3](https://gitweb.gentoo.org/proj/pax-utils.git/tree/?h=v1.3.3))
- psmisc ([23.4](https://gitlab.com/psmisc/psmisc/-/blob/v23.4/ChangeLog))
- runc ([1.0.3](https://github.com/opencontainers/runc/releases/tag/v1.0.3))
- systemd ([249.7](https://github.com/systemd/systemd-stable/blob/v249.7/NEWS))
- tdb (1.4.5)
- usbutils ([014](https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usbutils.git/commit/?id=57fb18e59cce31a50a1ca62d1e192512c905ba00))
- vim ([8.2.3582](https://github.com/vim/vim/releases/tag/v8.2.3582))
- which ([2.21](https://carlowood.github.io/which/cvslog-2.21.html))
- Azure: Python for OEM images ([3.9.8](https://www.python.org/downloads/release/python-398/))
- SDK: Python ([3.9.8](https://www.python.org/downloads/release/python-398/))
- SDK: Rust ([1.57.0](https://github.com/rust-lang/rust/releases/tag/1.57.0))
- SDK: edk2-ovmf ([202105](https://github.com/tianocore/edk2/releases/tag/edk2-stable202105))
- SDK: file ([5.40](https://mailman.astron.com/pipermail/file/2021-March/000478.html))
- SDK: ipxe ([1.21.1](https://github.com/ipxe/ipxe/releases/tag/v1.21.1))
- SDK: mantle ([0.17.0](https://github.com/flatcar-linux/mantle/releases/tag/v0.17.0))
- SDK: ninja ([1.10.2](https://groups.google.com/g/ninja-build/c/oobwq_F0PpA/m/FeJC5LoRBgAJ))
- SDK: pahole ([1.20](https://git.kernel.org/pub/scm/devel/pahole/pahole.git/tag/?h=v1.20))
- SDK: perf ([5.15](https://kernelnewbies.org/LinuxChanges#Linux_5.15.Tracing.2C_perf_and_BPF))
- SDK: portage ([3.0.28](https://gitweb.gentoo.org/proj/portage.git/tag/?h=portage-3.0.28))
- SDK: qemu ([6.1.0](https://wiki.qemu.org/ChangeLog/6.1))
- SDK: seabios ([1.14.0](https://seabios.org/Releases#SeaBIOS_1.14.0))
Best,
The Flatcar Container Linux Maintainers
---
### Security
* GCC
* [CVE-2020-13844](https://nvd.nist.gov/vuln/detail/CVE-2020-13844) CVSSv3 score: 5.5(Medium)
Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."
* Go
* [CVE-2021-44716](https://nvd.nist.gov/vuln/detail/CVE-2021-44716) CVSSv3 score: 7.5(High)
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
* [CVE-2021-44717](https://nvd.nist.gov/vuln/detail/CVE-2021-44717) CVSSv3 score: 7.5(High)
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
* Linux
* [CVE-2020-27820](https://nvd.nist.gov/vuln/detail/CVE-2020-27820) CVSSv3 score: 4.7(Medium)
A vulnerability was found in Linux kernel, where a use-after-frees in nouveau's postclose() handler could happen if removing device (that is not common to remove video card physically without power-off, but same happens if "unbind" the driver).
* [CVE-2021-4001](https://nvd.nist.gov/vuln/detail/CVE-2021-4001) CVSSv3 score: 6.7(Medium)
A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space.
* [CVE-2021-4002](https://nvd.nist.gov/vuln/detail/CVE-2021-4002) CVSSv3 score: 5.1(Medium)
A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data.
* [CVE-2021-4083](https://nvd.nist.gov/vuln/detail/CVE-2021-4083) CVSSv3 score: 7.4(High)
A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system.
* [CVE-2021-4135](https://nvd.nist.gov/vuln/detail/CVE-2021-4135) CVSSv3 score: n/a
* [CVE-2021-4155](https://nvd.nist.gov/vuln/detail/CVE-2021-4155) CVSSv3 score: 5.5(Medium)
A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.
* [CVE-2021-28711](https://nvd.nist.gov/vuln/detail/CVE-2021-28711) CVSSv3 score: n/a
Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
* [CVE-2021-28712](https://nvd.nist.gov/vuln/detail/CVE-2021-28712) CVSSv3 score: n/a
Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
* [CVE-2021-28713](https://nvd.nist.gov/vuln/detail/CVE-2021-28713) CVSSv3 score: n/a
Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
* [CVE-2021-28714](https://nvd.nist.gov/vuln/detail/CVE-2021-28714) CVSSv3 score: n/a
Guest can force Linux netback driver to hog large amounts of kernel memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)
* [CVE-2021-28715](https://nvd.nist.gov/vuln/detail/CVE-2021-28715) CVSSv3 score: n/a
Guest can force Linux netback driver to hog large amounts of kernel memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)
* Python
* [CVE-2018-20852](https://nvd.nist.gov/vuln/detail/CVE-2018-20852) CVSSv3 score: 5.3(Medium)
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
* [CVE-2019-5010](https://nvd.nist.gov/vuln/detail/CVE-2019-5010) CVSSv3 score: 7.5(High)
An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
* [CVE-2019-9636](https://nvd.nist.gov/vuln/detail/CVE-2019-9636) CVSSv3 score: 9.8(Critical)
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
* [CVE-2019-9740](https://nvd.nist.gov/vuln/detail/CVE-2019-9740) CVSSv3 score: 6.1(Medium)
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
* [CVE-2019-9947](https://nvd.nist.gov/vuln/detail/CVE-2019-9947) CVSSv3 score: 6.1(Medium)
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
* [CVE-2019-9948](https://nvd.nist.gov/vuln/detail/CVE-2019-9948) CVSSv3 score: 9.1(Critical)
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
* [CVE-2019-20907](https://nvd.nist.gov/vuln/detail/CVE-2019-20907) CVSSv3 score: 7.5(High)
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
* [CVE-2020-8492](https://nvd.nist.gov/vuln/detail/CVE-2020-8492) CVSSv3 score: 6.5(Medium)
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
* [CVE-2020-14422](https://nvd.nist.gov/vuln/detail/CVE-2020-14422) CVSSv3 score: 5.9(Medium)
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
* [CVE-2020-26116](https://nvd.nist.gov/vuln/detail/CVE-2020-26116) CVSSv3 score: 7.2(High)
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
* [CVE-2021-3177](https://nvd.nist.gov/vuln/detail/CVE-2021-3177) CVSSv3 score: 9.8(Critical)
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
* [CVE-2021-3426](https://nvd.nist.gov/vuln/detail/CVE-2021-3426) CVSSv3 score: 5.7(Medium)
There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
* [CVE-2021-23336](https://nvd.nist.gov/vuln/detail/CVE-2021-23336) CVSSv3 score: n/a
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
* [CVE-2021-29921](https://nvd.nist.gov/vuln/detail/CVE-2021-29921) CVSSv3 score: 9.8(Critical)
In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
* QEMU
* [CVE-2020-35504](https://nvd.nist.gov/vuln/detail/CVE-2020-35504) CVSSv3 score: 6(Medium)
A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
* [CVE-2020-35505](https://nvd.nist.gov/vuln/detail/CVE-2020-35505) CVSSv3 score: 4.4(Medium)
A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
* [CVE-2020-35506](https://nvd.nist.gov/vuln/detail/CVE-2020-35506) CVSSv3 score: 6.7(Medium)
A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
* [CVE-2020-35517](https://nvd.nist.gov/vuln/detail/CVE-2020-35517) CVSSv3 score: 8.2(High)
A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.
* [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255) CVSSv3 score: 5.5(Medium)
A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
* [CVE-2021-20257](https://nvd.nist.gov/vuln/detail/CVE-2021-20257) CVSSv3 score: 3.2(Low)
An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
* [CVE-2021-20263](https://nvd.nist.gov/vuln/detail/CVE-2021-20263) CVSSv3 score: 3.3(Low)
A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
* [CVE-2021-3409](https://nvd.nist.gov/vuln/detail/CVE-2021-3409) CVSSv3 score: 5.7(Medium)
The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.
* [CVE-2021-3416](https://nvd.nist.gov/vuln/detail/CVE-2021-3416) CVSSv3 score: 6(Medium)
A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host, resulting in a DoS scenario.
* [CVE-2021-3527](https://nvd.nist.gov/vuln/detail/CVE-2021-3527) CVSSv3 score: 5.5(Medium)
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
* [CVE-2021-3544](https://nvd.nist.gov/vuln/detail/CVE-2021-3544) CVSSv3 score: 6.5(Medium)
Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.
* [CVE-2021-3545](https://nvd.nist.gov/vuln/detail/CVE-2021-3545) CVSSv3 score: 6.5(Medium)
An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.
* [CVE-2021-3546](https://nvd.nist.gov/vuln/detail/CVE-2021-3546) CVSSv3 score: 8.2(High)
An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.
* [CVE-2021-3582](https://nvd.nist.gov/vuln/detail/CVE-2021-3582) CVSSv3 score: 3.2(Low)
A flaw was found in the QEMU implementation of VMware's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.
* [CVE-2021-3607](https://nvd.nist.gov/vuln/detail/CVE-2021-3607) CVSSv3 score: 3.2(Low)
An integer overflow was found in the QEMU implementation of VMware's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
* [CVE-2021-3608](https://nvd.nist.gov/vuln/detail/CVE-2021-3608) CVSSv3 score: 3.2(Low)
A flaw was found in the QEMU implementation of VMware's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.
* [CVE-2021-3682](https://nvd.nist.gov/vuln/detail/CVE-2021-3682) CVSSv3 score: 8.5(High)
A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
* ca-certificates
* [CVE-2021-43527](https://nvd.nist.gov/vuln/detail/CVE-2021-43527) CVSSv3 score: 9.8(Critical)
NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.
* containerd
* [CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816) CVSSv3 score: n/a
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
* edk2-ovmf
* [CVE-2019-14584](https://nvd.nist.gov/vuln/detail/CVE-2019-14584) CVSSv3 score: 7.8(High)
Null pointer dereference in Tianocore EDK2 may allow an authenticated user to potentially enable escalation of privilege via local access.
* [CVE-2021-28210](https://nvd.nist.gov/vuln/detail/CVE-2021-28210) CVSSv3 score: 7.8(High)
An unlimited recursion in DxeCore in EDK II.
* [CVE-2021-28211](https://nvd.nist.gov/vuln/detail/CVE-2021-28211) CVSSv3 score: 6.7(Medium)
A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.
* [CVE-2021-28213](https://nvd.nist.gov/vuln/detail/CVE-2021-28213) CVSSv3 score: 7.5(High)
Example EDK2 encrypted private key in the IpSecDxe.efi presents potential security risks.
* ignition
* [CVE-2020-14040](https://nvd.nist.gov/vuln/detail/CVE-2020-14040) CVSSv3 score: 7.5(High)
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF-16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
* libxslt
* [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) CVSSv3 score: 8.8(High)
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
* mantle
* [CVE-2021-3121](https://nvd.nist.gov/vuln/detail/CVE-2021-3121) CVSSv3 score: 8.6(High)
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
* [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561) CVSSv3 score: n/a
Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
* [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565) CVSSv3 score: n/a
Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers.
* openssh
* [CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617) CVSSv3 score: 7(High)
sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.
* runc
* [CVE-2021-43784](https://nvd.nist.gov/vuln/detail/CVE-2021-43784) CVSSv3 score: 5(Medium)
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the base namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.
* torcx
* [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561) CVSSv3 score: n/a
Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
* [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565) CVSSv3 score: n/a
Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers.
* vim
* [CVE-2021-3872](https://nvd.nist.gov/vuln/detail/CVE-2021-3872) CVSSv3 score: 7.8(High)
vim is vulnerable to Heap-based Buffer Overflow
* [CVE-2021-3875](https://nvd.nist.gov/vuln/detail/CVE-2021-3875) CVSSv3 score: 5.5(Medium)
vim is vulnerable to Heap-based Buffer Overflow
* [CVE-2021-3903](https://nvd.nist.gov/vuln/detail/CVE-2021-3903) CVSSv3 score: 7.8(High)
vim is vulnerable to Heap-based Buffer Overflow
* [CVE-2021-3927](https://nvd.nist.gov/vuln/detail/CVE-2021-3927) CVSSv3 score: 7.8(High)
vim is vulnerable to Heap-based Buffer Overflow
* [CVE-2021-3928](https://nvd.nist.gov/vuln/detail/CVE-2021-3928) CVSSv3 score: 7.8(High)
vim is vulnerable to Use of Uninitialized Variable
* [CVE-2021-3968](https://nvd.nist.gov/vuln/detail/CVE-2021-3968) CVSSv3 score: 8(High)
vim is vulnerable to Heap-based Buffer Overflow
* [CVE-2021-3973](https://nvd.nist.gov/vuln/detail/CVE-2021-3973) CVSSv3 score: 7.8(High)
vim is vulnerable to Heap-based Buffer Overflow
* [CVE-2021-3974](https://nvd.nist.gov/vuln/detail/CVE-2021-3974) CVSSv3 score: 7.8(High)
vim is vulnerable to Use After Free
---
### Twitter
_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
First Alpha release of 2022 is here 🎆
📦 Linux moves to 5.15, along with updates to Docker, GCC, Go and more
🔒 CVE-2021-43527 for ca-certificates and more
📜 Release notes at the usual spot: https://www.flatcar.org/releases/