Flatcar Container Linux
      • Sharing URL Link copied
      • /edit
      • View mode
        • Edit mode
        • View mode
        • Book mode
        • Slide mode
        Edit mode View mode Book mode Slide mode
      • Customize slides
      • Note Permission
      • Read
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • Write
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • Engagement control Commenting, Suggest edit, Emoji Reply
    • Invite by email
      Invitee

      This note has no invitees

    • Publish Note

      Share your work with the world Congratulations! 🎉 Your note is out in the world Publish Note

      Your note will be visible on your profile and discoverable by anyone.
      Your note is now live.
      This note is visible on your profile and discoverable online.
      Everyone on the web can find and read all notes of this public team.
      See published notes
      Unpublish note
      Please check the box to agree to the Community Guidelines.
      View profile
    • Commenting
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
      • Everyone
    • Suggest edit
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
    • Emoji Reply
    • Enable
    • Versions and GitHub Sync
    • Note settings
    • Note Insights New
    • Engagement control
    • Transfer ownership
    • Delete this note
    • Insert from template
    • Import from
      • Dropbox
      • Google Drive
      • Gist
      • Clipboard
    • Export to
      • Dropbox
      • Google Drive
      • Gist
    • Download
      • Markdown
      • HTML
      • Raw HTML
Menu Note settings Note Insights Versions and GitHub Sync Sharing URL Help
Menu
Options
Engagement control Transfer ownership Delete this note
Import from
Dropbox Google Drive Gist Clipboard
Export to
Dropbox Google Drive Gist
Download
Markdown HTML Raw HTML
Back
Sharing URL Link copied
/edit
View mode
  • Edit mode
  • View mode
  • Book mode
  • Slide mode
Edit mode View mode Book mode Slide mode
Customize slides
Note Permission
Read
Owners
  • Owners
  • Signed-in users
  • Everyone
Owners Signed-in users Everyone
Write
Owners
  • Owners
  • Signed-in users
  • Everyone
Owners Signed-in users Everyone
Engagement control Commenting, Suggest edit, Emoji Reply
  • Invite by email
    Invitee

    This note has no invitees

    • Publish Note

    Share your work with the world Congratulations! 🎉 Your note is out in the world Publish Note

    Your note will be visible on your profile and discoverable by anyone.
    Your note is now live.
    This note is visible on your profile and discoverable online.
    Everyone on the web can find and read all notes of this public team.
    See published notes
    Unpublish note
    Please check the box to agree to the Community Guidelines.
    View profile
    Engagement control
    Commenting
    Permission
    Disabled Forbidden Owners Signed-in users Everyone
    Enable
    Permission
    • Forbidden
    • Owners
    • Signed-in users
    • Everyone
    Suggest edit
    Permission
    Disabled Forbidden Owners Signed-in users Everyone
    Enable
    Permission
    • Forbidden
    • Owners
    • Signed-in users
    Emoji Reply
    Enable
    Import from Dropbox Google Drive Gist Clipboard
       Owned this note    Owned this note      
    Published Linked with GitHub
    • Any changes
      Be notified of any changes
    • Mention me
      Be notified of mention me
    • Unsubscribe
    # Flatcar Container Linux Release - November 7th, 2022 ## Alpha 3417.0.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Beta 3402.1.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Communication --- #### Guidelines / Things to Remember - Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/ - [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post). - Make sure the the LTS is referred to as `LTS-2021`, and not `LTS-2605` --- ### Announcement Message Subject: Announcing new releases Alpha 3417.0.0 and Beta 3402.1.0 Hello, We are pleased to announce new Flatcar Container Linux releases for the Alpha 3417.0.0, Beta 3402.1.0 channel. # New **Alpha** Release **3417.0.0** _Changes since **Alpha 3402.0.1**_ #### Security fixes: - Linux ([CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602), [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535), [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542), [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565), [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594)) - git ([CVE-2022-39253](https://nvd.nist.gov/vuln/detail/CVE-2022-39253), [CVE-2022-39260](https://nvd.nist.gov/vuln/detail/CVE-2022-39260)) - multipath-tools ([CVE-2022-41973](https://nvd.nist.gov/vuln/detail/CVE-2022-41973), [CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)) #### Changes: - Toolbox now uses containerd to download and mount the image ([toolbox#7](https://github.com/flatcar/toolbox/pull/7)) #### Updates: - Linux ([5.15.77](https://lwn.net/Articles/913681) (includes [5.15.76](https://lwn.net/Articles/912997), [5.15.75](https://lwn.net/Articles/912500))) - Docker ([20.10.21](https://docs.docker.com/engine/release-notes/#201021)) - Go ([1.19.3](https://go.dev/doc/devel/release#go1.19.3)) - OpenSSL ([3.0.7](https://www.openssl.org/news/openssl-3.0-notes.html)) - bpftool ([5.19.8](https://lwn.net/Articles/907523/)) - containerd ([1.6.9](https://github.com/containerd/containerd/releases/tag/v1.6.9)) - git ([2.37.4](https://github.com/git/git/blob/master/Documentation/RelNotes/2.37.4.txt)) - glibc ([2.35](https://savannah.gnu.org/forum/forum.php?forum_id=10111)) - iputils ([20211215](https://github.com/iputils/iputils/releases/tag/20211215)) - libcap ([2.65](https://sites.google.com/site/fullycapable/release-notes-for-libcap?authuser=0#h.wfblevfzkj0)) - multipath-tools ([0.9.3](https://github.com/opensvc/multipath-tools/releases/tag/0.9.3)) - wget ([1.21.3](https://lists.gnu.org/archive/html/info-gnu/2022-02/msg00017.html)) - whois ([5.5.13](https://github.com/rfc1036/whois/blob/v5.5.13/debian/changelog)) - xz-utils ([5.2.6](https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=4c79b18ff26a1c479a920b21f07d050599c04c9e;hb=8dfed05bdaa4873833ba24279f02ad2db25effea)) # New **Beta** Release **3402.1.0** _Changes since **Beta 3374.1.1**_ #### Security fixes: - Linux ([CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602), [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535), [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542), [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565), [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594)) - bind tools ([CVE-2022-2795](https://nvd.nist.gov/vuln/detail/CVE-2022-2795), [CVE-2022-2881](https://nvd.nist.gov/vuln/detail/CVE-2022-2881), [CVE-2022-2906](https://nvd.nist.gov/vuln/detail/CVE-2022-2906), [CVE-2022-3080](https://nvd.nist.gov/vuln/detail/CVE-2022-3080), [CVE-2022-38177](https://nvd.nist.gov/vuln/detail/CVE-2022-38177), [CVE-2022-38178](https://nvd.nist.gov/vuln/detail/CVE-2022-38178)) - curl ([CVE-2022-35252](https://nvd.nist.gov/vuln/detail/CVE-2022-35252)) - dbus ([CVE-2022-42010](https://nvd.nist.gov/vuln/detail/CVE-2022-42010), [CVE-2022-42011](https://nvd.nist.gov/vuln/detail/CVE-2022-42011), [CVE-2022-42012](https://nvd.nist.gov/vuln/detail/CVE-2022-42012)) - go ([CVE-2022-41715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41715), [CVE-2022-2880](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2880), [CVE-2022-2879](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2879)) - libxml2 ([CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303), [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)) - logrotate ([CVE-2022-1348](https://nvd.nist.gov/vuln/detail/CVE-2022-1348)) - vim ([CVE-2022-1725](https://nvd.nist.gov/vuln/detail/CVE-2022-1725), [CVE-2022-2042](https://nvd.nist.gov/vuln/detail/CVE-2022-2042), [CVE-2022-2124](https://nvd.nist.gov/vuln/detail/CVE-2022-2124), [CVE-2022-2125](https://nvd.nist.gov/vuln/detail/CVE-2022-2125), [CVE-2022-2126](https://nvd.nist.gov/vuln/detail/CVE-2022-2126), [CVE-2022-2129](https://nvd.nist.gov/vuln/detail/CVE-2022-2129), [CVE-2022-2175](https://nvd.nist.gov/vuln/detail/CVE-2022-2175), [CVE-2022-2182](https://nvd.nist.gov/vuln/detail/CVE-2022-2182), [CVE-2022-2183](https://nvd.nist.gov/vuln/detail/CVE-2022-2183), [CVE-2022-2206](https://nvd.nist.gov/vuln/detail/CVE-2022-2206), [CVE-2022-2207](https://nvd.nist.gov/vuln/detail/CVE-2022-2207), [CVE-2022-2208](https://nvd.nist.gov/vuln/detail/CVE-2022-2208), [CVE-2022-2210](https://nvd.nist.gov/vuln/detail/CVE-2022-2210), [CVE-2022-2231](https://nvd.nist.gov/vuln/detail/CVE-2022-2231), [CVE-2022-2257](https://nvd.nist.gov/vuln/detail/CVE-2022-2257), [CVE-2022-2264](https://nvd.nist.gov/vuln/detail/CVE-2022-2264), [CVE-2022-2284](https://nvd.nist.gov/vuln/detail/CVE-2022-2284), [CVE-2022-2285](https://nvd.nist.gov/vuln/detail/CVE-2022-2285), [CVE-2022-2286](https://nvd.nist.gov/vuln/detail/CVE-2022-2286), [CVE-2022-2287](https://nvd.nist.gov/vuln/detail/CVE-2022-2287), [CVE-2022-2288](https://nvd.nist.gov/vuln/detail/CVE-2022-2288), [CVE-2022-2289](https://nvd.nist.gov/vuln/detail/CVE-2022-2289), [CVE-2022-2304](https://nvd.nist.gov/vuln/detail/CVE-2022-2304), [CVE-2022-2343](https://nvd.nist.gov/vuln/detail/CVE-2022-2343), [CVE-2022-2344](https://nvd.nist.gov/vuln/detail/CVE-2022-2344), [CVE-2022-2345](https://nvd.nist.gov/vuln/detail/CVE-2022-2345), [CVE-2022-2522](https://nvd.nist.gov/vuln/detail/CVE-2022-2522), [CVE-2022-2816](https://nvd.nist.gov/vuln/detail/CVE-2022-2816), [CVE-2022-2817](https://nvd.nist.gov/vuln/detail/CVE-2022-2817), [CVE-2022-2819](https://nvd.nist.gov/vuln/detail/CVE-2022-2819), [CVE-2022-2845](https://nvd.nist.gov/vuln/detail/CVE-2022-2845), [CVE-2022-2849](https://nvd.nist.gov/vuln/detail/CVE-2022-2849), [CVE-2022-2862](https://nvd.nist.gov/vuln/detail/CVE-2022-2862), [CVE-2022-2874](https://nvd.nist.gov/vuln/detail/CVE-2022-2874), [CVE-2022-2889](https://nvd.nist.gov/vuln/detail/CVE-2022-2889), [CVE-2022-2923](https://nvd.nist.gov/vuln/detail/CVE-2022-2923), [CVE-2022-2946](https://nvd.nist.gov/vuln/detail/CVE-2022-2946), [CVE-2022-2980](https://nvd.nist.gov/vuln/detail/CVE-2022-2980), [CVE-2022-2982](https://nvd.nist.gov/vuln/detail/CVE-2022-2982), [CVE-2022-3016](https://nvd.nist.gov/vuln/detail/CVE-2022-3016), [CVE-2022-3099](https://nvd.nist.gov/vuln/detail/CVE-2022-3099), [CVE-2022-3134](https://nvd.nist.gov/vuln/detail/CVE-2022-3134), [CVE-2022-3153](https://nvd.nist.gov/vuln/detail/CVE-2022-3153), [CVE-2022-3234](https://nvd.nist.gov/vuln/detail/CVE-2022-3234), [CVE-2022-3235](https://nvd.nist.gov/vuln/detail/CVE-2022-3235), [CVE-2022-3278](https://nvd.nist.gov/vuln/detail/CVE-2022-3278), [CVE-2022-3256](https://nvd.nist.gov/vuln/detail/CVE-2022-3256), [CVE-2022-3296](https://nvd.nist.gov/vuln/detail/CVE-2022-3296), [CVE-2022-3297](https://nvd.nist.gov/vuln/detail/CVE-2022-3297), [CVE-2022-3324](https://nvd.nist.gov/vuln/detail/CVE-2022-3324), [CVE-2022-3352](https://nvd.nist.gov/vuln/detail/CVE-2022-3352)) - SDK: rust ([CVE-2022-36113](https://nvd.nist.gov/vuln/detail/CVE-2022-36113), [CVE-2022-36114](https://nvd.nist.gov/vuln/detail/CVE-2022-36114)) #### Bug fixes: - Enabled IOMMU on arm64 kernels, the lack of which prevented some systems from booting ([coreos-overlay#2235](https://github.com/flatcar/coreos-overlay/pull/2235)) #### Changes: - Added `CONFIG_NF_CONNTRACK_BRIDGE` (for nf_conntrack_bridge) and `CONFIG_NFT_BRIDGE_META` (for nft_meta_bridge) to the kernel config to allow using conntrack rules for bridges in nftables and to match on bridge interface names ([coreos-overlay#2207](https://github.com/flatcar/coreos-overlay/pull/2207)) - Change CONFIG_WIREGUARD kernel option to module to save space on boot partition ([coreos-overlay#2239](https://github.com/flatcar/coreos-overlay/pull/2239)) - Disable several arch specific arm64 kernel config options for unsupported platforms to save space on boot partition ([coreos-overlay#2239](https://github.com/flatcar/coreos-overlay/pull/2239)) - Switched from `--strip-unneeded` to `--strip-debug` when installing kernel modules, which makes kernel stacktraces more accurate and makes debugging issues easier ([coreos-overlay#2196](https://github.com/flatcar/coreos-overlay/pull/2196)) - The flatcar-update tool got two new flags to customize ports used on the host while updating flatcar ([init#81](https://github.com/flatcar/init/pull/81)) - Add qemu-guest-agent to all amd64 images, it will be automatically enabled when qemu-ga virtio-port is detected ([coreos-overlay#2240](https://github.com/flatcar/coreos-overlay/pull/2240), [portage-stable#373](https://github.com/flatcar/portage-stable/pull/373)) #### Updates: - Linux ([5.15.77](https://lwn.net/Articles/913681) (includes [5.15.76](https://lwn.net/Articles/912997), [5.15.75](https://lwn.net/Articles/912500))) - Linux Firmware ([20221012](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20221012)) - Docker ([20.10.20](https://docs.docker.com/engine/release-notes/#201020)) - Go ([1.18.7](https://go.dev/doc/devel/release#1.18.7)) - OpenSSL ([3.0.7](https://www.openssl.org/news/openssl-3.0-notes.html)) - bind tools ([9.16.33](https://gitlab.isc.org/isc-projects/bind9/-/raw/v9_16_33/CHANGES)) - bpftool ([5.19.2](https://lwn.net/Articles/904957/)) - curl ([7.85](https://curl.se/mail/archive-2022-08/0012.html)) - dbus ([1.14.4](https://gitlab.freedesktop.org/dbus/dbus/-/raw/dbus-1.14.4/NEWS)) - git ([2.37.3](https://github.com/git/git/blob/v2.37.3/Documentation/RelNotes/2.37.3.txt)) - glibc ([2.34](https://sourceware.org/pipermail/libc-alpha/2021-August/129718.html)) - libxml2 ([2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3)) - logrotate ([3.20.1](https://github.com/logrotate/logrotate/releases/tag/3.20.1)) - nmap ([7.93](https://nmap.org/changelog.html#7.93)) - pahole ([1.23](https://git.kernel.org/pub/scm/devel/pahole/pahole.git/tag/?h=v1.23)) - strace ([5.19](https://github.com/strace/strace/releases/tag/v5.19)) - vim ([9.0.0655](https://github.com/vim/vim/releases/tag/v9.0.0655)) - wireguard-tools ([1.0.20210914](https://github.com/WireGuard/wireguard-tools/releases/tag/v1.0.20210914)) - zlib ([1.2.13](https://github.com/madler/zlib/releases/tag/v1.2.13)) - SDK: catalyst ([3.0.21](https://gitweb.gentoo.org/proj/catalyst.git/log/?h=3.0.21)) - SDK: cmake ([3.23.3](https://cmake.org/cmake/help/v3.23/release/3.23.html)) - SDK: libxslt ([1.1.37](https://gitlab.gnome.org/GNOME/libxslt/-/tags/v1.1.37)) - SDK: meson ([0.62.2](https://mesonbuild.com/Release-notes-for-0-62-0.html)) - SDK: ninja ([1.11.0](https://groups.google.com/g/ninja-build/c/R2oCyDctDf8/m/-U94Y5I8AgAJ?pli=1)) - SDK: Rust ([1.64.0](https://github.com/rust-lang/rust/releases/tag/1.64.0)) _Changes since **Alpha 3402.0.1**_ #### Security fixes: - Linux ([CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602), [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535), [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542), [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565), [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594)) #### Updates: - Linux ([5.15.77](https://lwn.net/Articles/913681) (includes [5.15.76](https://lwn.net/Articles/912997), [5.15.75](https://lwn.net/Articles/912500))) - OpenSSL ([3.0.7](https://www.openssl.org/news/openssl-3.0-notes.html)) Best, The Flatcar Container Linux Maintainers --- ### Security **Subject**: Security issues fixed with the Alpha 3417.0.0, Beta 3402.1.0 releases **Security fix**: With the Alpha 3417.0.0, Beta 3402.1.0 releases we ship fixes for the CVEs listed below. #### Alpha 3417.0.0 * Linux * [CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602) CVSSv3 score: n/a * [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535) CVSSv3 score: n/a A vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier VDB-211033 was assigned to this vulnerability. * [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542) CVSSv3 score: 5.5(Medium) A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211042 is the identifier assigned to this vulnerability. * [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565) CVSSv3 score: 8(High) A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088. * [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594) CVSSv3 score: 7.5(High) A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363. * git * [CVE-2022-39253](https://nvd.nist.gov/vuln/detail/CVE-2022-39253) CVSSv3 score: n/a Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`. * [CVE-2022-39260](https://nvd.nist.gov/vuln/detail/CVE-2022-39260) CVSSv3 score: 8.8(High) Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround. * multipath-tools * [CVE-2022-41973](https://nvd.nist.gov/vuln/detail/CVE-2022-41973) CVSSv3 score: 7.8(High) multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root. * [CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974) CVSSv3 score: 7.8(High) multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR. ### Beta 3402.1.0 * Linux * [CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602) CVSSv3 score: n/a * [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535) CVSSv3 score: n/a A vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier VDB-211033 was assigned to this vulnerability. * [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542) CVSSv3 score: 5.5(Medium) A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211042 is the identifier assigned to this vulnerability. * [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565) CVSSv3 score: 8(High) A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088. * [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594) CVSSv3 score: 7.5(High) A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363. * SDK: rust * [CVE-2022-36113](https://nvd.nist.gov/vuln/detail/CVE-2022-36113) CVSSv3 score: 8.1(High) Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. Mitigations We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well. * [CVE-2022-36114](https://nvd.nist.gov/vuln/detail/CVE-2022-36114) CVSSv3 score: 6.5(Medium) Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here. * bind tools * [CVE-2022-2795](https://nvd.nist.gov/vuln/detail/CVE-2022-2795) CVSSv3 score: 7.5(High) By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. * [CVE-2022-2881](https://nvd.nist.gov/vuln/detail/CVE-2022-2881) CVSSv3 score: 8.2(High) The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process. * [CVE-2022-2906](https://nvd.nist.gov/vuln/detail/CVE-2022-2906) CVSSv3 score: n/a An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service. * [CVE-2022-3080](https://nvd.nist.gov/vuln/detail/CVE-2022-3080) CVSSv3 score: n/a By sending specific queries to the resolver, an attacker can cause named to crash. * [CVE-2022-38177](https://nvd.nist.gov/vuln/detail/CVE-2022-38177) CVSSv3 score: n/a By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. * [CVE-2022-38178](https://nvd.nist.gov/vuln/detail/CVE-2022-38178) CVSSv3 score: n/a By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. * curl * [CVE-2022-35252](https://nvd.nist.gov/vuln/detail/CVE-2022-35252) CVSSv3 score: 3.7(Low) When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings. * dbus * [CVE-2022-42010](https://nvd.nist.gov/vuln/detail/CVE-2022-42010) CVSSv3 score: 6.5(Medium) An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures. * [CVE-2022-42011](https://nvd.nist.gov/vuln/detail/CVE-2022-42011) CVSSv3 score: 6.5(Medium) An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type. * [CVE-2022-42012](https://nvd.nist.gov/vuln/detail/CVE-2022-42012) CVSSv3 score: 6.5(Medium) An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format. * go * [CVE-2022-41715](https://nvd.nist.gov/vuln/detail/CVE-2022-41715) CVSSv3 score: 7.5(High) Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. * [CVE-2022-2880](https://nvd.nist.gov/vuln/detail/CVE-2022-2880) CVSSv3 score: 7.5(High) Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. * [CVE-2022-2879](https://nvd.nist.gov/vuln/detail/CVE-2022-2879) CVSSv3 score: 7.5(High) Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. * libxml2 * [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303) CVSSv3 score: n/a Fix integer overflows with XML_PARSE_HUGE * [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304) CVSSv3 score: n/a Fix dict corruption caused by entity reference cycles * logrotate * [CVE-2022-1348](https://nvd.nist.gov/vuln/detail/CVE-2022-1348) CVSSv3 score: 6.5(Medium) A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0. * vim * [CVE-2022-1725](https://nvd.nist.gov/vuln/detail/CVE-2022-1725) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4959. * [CVE-2022-2042](https://nvd.nist.gov/vuln/detail/CVE-2022-2042) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2124](https://nvd.nist.gov/vuln/detail/CVE-2022-2124) CVSSv3 score: 7.8(High) Buffer Over-read in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2125](https://nvd.nist.gov/vuln/detail/CVE-2022-2125) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2126](https://nvd.nist.gov/vuln/detail/CVE-2022-2126) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2129](https://nvd.nist.gov/vuln/detail/CVE-2022-2129) CVSSv3 score: 7.8(High) Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2175](https://nvd.nist.gov/vuln/detail/CVE-2022-2175) CVSSv3 score: 7.8(High) Buffer Over-read in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2182](https://nvd.nist.gov/vuln/detail/CVE-2022-2182) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2183](https://nvd.nist.gov/vuln/detail/CVE-2022-2183) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2206](https://nvd.nist.gov/vuln/detail/CVE-2022-2206) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2207](https://nvd.nist.gov/vuln/detail/CVE-2022-2207) CVSSv3 score: 9.8(Critical) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2208](https://nvd.nist.gov/vuln/detail/CVE-2022-2208) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163. * [CVE-2022-2210](https://nvd.nist.gov/vuln/detail/CVE-2022-2210) CVSSv3 score: 7.8(High) Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2231](https://nvd.nist.gov/vuln/detail/CVE-2022-2231) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2. * [CVE-2022-2257](https://nvd.nist.gov/vuln/detail/CVE-2022-2257) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. * [CVE-2022-2264](https://nvd.nist.gov/vuln/detail/CVE-2022-2264) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. * [CVE-2022-2284](https://nvd.nist.gov/vuln/detail/CVE-2022-2284) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. * [CVE-2022-2285](https://nvd.nist.gov/vuln/detail/CVE-2022-2285) CVSSv3 score: 7.8(High) Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0. * [CVE-2022-2286](https://nvd.nist.gov/vuln/detail/CVE-2022-2286) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. * [CVE-2022-2287](https://nvd.nist.gov/vuln/detail/CVE-2022-2287) CVSSv3 score: 7.1(High) Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. * [CVE-2022-2288](https://nvd.nist.gov/vuln/detail/CVE-2022-2288) CVSSv3 score: 7.8(High) Out-of-bounds Write in GitHub repository vim/vim prior to 9.0. * [CVE-2022-2289](https://nvd.nist.gov/vuln/detail/CVE-2022-2289) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0. * [CVE-2022-2304](https://nvd.nist.gov/vuln/detail/CVE-2022-2304) CVSSv3 score: 7.8(High) Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. * [CVE-2022-2343](https://nvd.nist.gov/vuln/detail/CVE-2022-2343) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044. * [CVE-2022-2344](https://nvd.nist.gov/vuln/detail/CVE-2022-2344) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045. * [CVE-2022-2345](https://nvd.nist.gov/vuln/detail/CVE-2022-2345) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0046. * [CVE-2022-2522](https://nvd.nist.gov/vuln/detail/CVE-2022-2522) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061. * [CVE-2022-2816](https://nvd.nist.gov/vuln/detail/CVE-2022-2816) CVSSv3 score: 7.8(High) Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212. * [CVE-2022-2817](https://nvd.nist.gov/vuln/detail/CVE-2022-2817) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0213. * [CVE-2022-2819](https://nvd.nist.gov/vuln/detail/CVE-2022-2819) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211. * [CVE-2022-2845](https://nvd.nist.gov/vuln/detail/CVE-2022-2845) CVSSv3 score: 7.8(High) Buffer Over-read in GitHub repository vim/vim prior to 9.0.0218. * [CVE-2022-2849](https://nvd.nist.gov/vuln/detail/CVE-2022-2849) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220. * [CVE-2022-2862](https://nvd.nist.gov/vuln/detail/CVE-2022-2862) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0221. * [CVE-2022-2874](https://nvd.nist.gov/vuln/detail/CVE-2022-2874) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224. * [CVE-2022-2889](https://nvd.nist.gov/vuln/detail/CVE-2022-2889) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0225. * [CVE-2022-2923](https://nvd.nist.gov/vuln/detail/CVE-2022-2923) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240. * [CVE-2022-2946](https://nvd.nist.gov/vuln/detail/CVE-2022-2946) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0246. * [CVE-2022-2980](https://nvd.nist.gov/vuln/detail/CVE-2022-2980) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259. * [CVE-2022-2982](https://nvd.nist.gov/vuln/detail/CVE-2022-2982) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0260. * [CVE-2022-3016](https://nvd.nist.gov/vuln/detail/CVE-2022-3016) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0286. * [CVE-2022-3099](https://nvd.nist.gov/vuln/detail/CVE-2022-3099) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0360. * [CVE-2022-3134](https://nvd.nist.gov/vuln/detail/CVE-2022-3134) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0389. * [CVE-2022-3153](https://nvd.nist.gov/vuln/detail/CVE-2022-3153) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404. * [CVE-2022-3234](https://nvd.nist.gov/vuln/detail/CVE-2022-3234) CVSSv3 score: 7.8(High) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483. * [CVE-2022-3235](https://nvd.nist.gov/vuln/detail/CVE-2022-3235) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0490. * [CVE-2022-3278](https://nvd.nist.gov/vuln/detail/CVE-2022-3278) CVSSv3 score: 5.5(Medium) NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552. * [CVE-2022-3256](https://nvd.nist.gov/vuln/detail/CVE-2022-3256) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0530. * [CVE-2022-3296](https://nvd.nist.gov/vuln/detail/CVE-2022-3296) CVSSv3 score: 7.8(High) Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577. * [CVE-2022-3297](https://nvd.nist.gov/vuln/detail/CVE-2022-3297) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0579. * [CVE-2022-3324](https://nvd.nist.gov/vuln/detail/CVE-2022-3324) CVSSv3 score: 7.8(High) Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598. * [CVE-2022-3352](https://nvd.nist.gov/vuln/detail/CVE-2022-3352) CVSSv3 score: 7.8(High) Use After Free in GitHub repository vim/vim prior to 9.0.0614. --- ### Communication #### Go/No-Go message for Matrix/Slack Go/No-Go Meeting for Alpha 3417.0.0, Beta 3402.1.0 Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/ Tracking issue: https://github.com/flatcar/Flatcar/issues/893 The Go/No-Go document is in our HackMD @flatcar namespace Link: https://hackmd.io/fQQcKNK0SMedCgC6gQ9nuA?view Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait. Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat. @MAINTAINER @MAINTAINER @MAINTAINER #### Twitter _The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._ New Flatcar Alpha, Beta releases now available! 📦 Many package updates: Linux, glibc, git and others 🔒 CVE fixes & security patches: Linux, git, multipath-tools 📜 Release notes at the usual spot: https://www.flatcar.org/releases/ #### Kubernetes Slack _This goes in the #flatcar channel_ Please welcome the new Flatcar releases: - Alpha 3417.0.0 (new major) - Beta 3402.1.0 (promotion of major release) These releases include: 📦 Many package updates: Linux, glibc, git and others 🩹 CVE fixes & security patches: Linux, git, multipath-tools 📜 Release notes in usual spot: https://www.flatcar.org/releases/

    Import from clipboard

    Paste your markdown or webpage here...

    Advanced permission required

    Your current role can only read. Ask the system administrator to acquire write and comment permission.

    This team is disabled

    Sorry, this team is disabled. You can't edit this note.

    This note is locked

    Sorry, only owner can edit this note.

    Reach the limit

    Sorry, you've reached the max length this note can be.
    Please reduce the content or divide it to more notes, thank you!

    Import from Gist

    Import from Snippet

    or

    Export to Snippet

    Are you sure?

    Do you really want to delete this note?
    All users will lose their connection.

    Create a note from template

    Create a note from template

    Oops...
    This template has been removed or transferred.
    Upgrade
    All
    • All
    • Team
    No template.

    Create a template

    Upgrade

    Delete template

    Do you really want to delete this template?
    Turn this template into a regular note and keep its content, versions, and comments.

    This page need refresh

    You have an incompatible client version.
    Refresh to update.
    New version available!
    See releases notes here
    Refresh to enjoy new features.
    Your user state has changed.
    Refresh to load new user state.

    Sign in

    Forgot password

    or

    By clicking below, you agree to our terms of service.

    Sign in via Facebook Sign in via Twitter Sign in via GitHub Sign in via Dropbox Sign in with Wallet
    Wallet ( )
    Connect another wallet

    New to HackMD? Sign up

    Help

    • English
    • 中文
    • Français
    • Deutsch
    • 日本語
    • Español
    • Català
    • Ελληνικά
    • Português
    • italiano
    • Türkçe
    • Русский
    • Nederlands
    • hrvatski jezik
    • język polski
    • Українська
    • हिन्दी
    • svenska
    • Esperanto
    • dansk

    Documents

    Help & Tutorial

    How to use Book mode

    Slide Example

    API Docs

    Edit in VSCode

    Install browser extension

    Contacts

    Feedback

    Discord

    Send us email

    Resources

    Releases

    Pricing

    Blog

    Policy

    Terms

    Privacy

    Cheatsheet

    Syntax Example Reference
    # Header Header 基本排版
    - Unordered List
    • Unordered List
    1. Ordered List
    1. Ordered List
    - [ ] Todo List
    • Todo List
    > Blockquote
    Blockquote
    **Bold font** Bold font
    *Italics font* Italics font
    ~~Strikethrough~~ Strikethrough
    19^th^ 19th
    H~2~O H2O
    ++Inserted text++ Inserted text
    ==Marked text== Marked text
    [link text](https:// "title") Link
    ![image alt](https:// "title") Image
    `Code` Code 在筆記中貼入程式碼
    ```javascript
    var i = 0;
    ```    		 
    var i = 0;
    :smile: :smile: Emoji list
    {%youtube youtube_id %} Externals
    $L^aT_eX$ LaTeX
    :::info
    This is a alert area.
    :::

    This is a alert area.
    Versions and GitHub Sync
    Get Full History Access

    • Edit version name
    • Delete

    revision author avatar     named on  

    More Less

    Note content is identical to the latest version.
    Compare
      Choose a version
      No search result
      Version not found
    Sign in to link this note to GitHub
    Learn more
    This note is not linked with GitHub
     

    Feedback

    Submission failed, please try again

    Thanks for your support.

    On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

    Please give us some advice and help us improve HackMD.

     

    Thanks for your feedback

    Remove version name

    Do you want to remove this version name and description?

    Transfer ownership

    Transfer to
      Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

        Link with GitHub

        Please authorize HackMD on GitHub
        • Please sign in to GitHub and install the HackMD app on your GitHub repo.
        • HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.
        Learn more  Sign in to GitHub

        Push the note to GitHub Push to GitHub Pull a file from GitHub

          Authorize again
         

        Choose which file to push to

        Select repo
        Refresh Authorize more repos
        Select branch
        Select file
        Select branch
        Choose version(s) to push
        • Save a new version and push
        • Choose from existing versions
        Include title and tags
        Available push count

        Pull from GitHub

         
        File from GitHub
        File from HackMD

        GitHub Link Settings

        File linked

        Linked by
        File path
        Last synced branch
        Available push count

        Danger Zone

        Unlink
        You will no longer receive notification when GitHub file changes after unlink.

        Syncing

        Push failed

        Push successfully