owned this note
owned this note
Published
Linked with GitHub
# Flatcar Container Linux Release - November 7th, 2022
## Alpha 3417.0.0
- AMD64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_
## Beta 3402.1.0
- AMD64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
- Make sure the the LTS is referred to as `LTS-2021`, and not `LTS-2605`
---
### Announcement Message
Subject: Announcing new releases Alpha 3417.0.0 and Beta 3402.1.0
Hello,
We are pleased to announce new Flatcar Container Linux releases for the Alpha 3417.0.0, Beta 3402.1.0 channel.
# New **Alpha** Release **3417.0.0**
_Changes since **Alpha 3402.0.1**_
#### Security fixes:
- Linux ([CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602), [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535), [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542), [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565), [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594))
- git ([CVE-2022-39253](https://nvd.nist.gov/vuln/detail/CVE-2022-39253), [CVE-2022-39260](https://nvd.nist.gov/vuln/detail/CVE-2022-39260))
- multipath-tools ([CVE-2022-41973](https://nvd.nist.gov/vuln/detail/CVE-2022-41973), [CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974))
#### Changes:
- Toolbox now uses containerd to download and mount the image ([toolbox#7](https://github.com/flatcar/toolbox/pull/7))
#### Updates:
- Linux ([5.15.77](https://lwn.net/Articles/913681) (includes [5.15.76](https://lwn.net/Articles/912997), [5.15.75](https://lwn.net/Articles/912500)))
- Docker ([20.10.21](https://docs.docker.com/engine/release-notes/#201021))
- Go ([1.19.3](https://go.dev/doc/devel/release#go1.19.3))
- OpenSSL ([3.0.7](https://www.openssl.org/news/openssl-3.0-notes.html))
- bpftool ([5.19.8](https://lwn.net/Articles/907523/))
- containerd ([1.6.9](https://github.com/containerd/containerd/releases/tag/v1.6.9))
- git ([2.37.4](https://github.com/git/git/blob/master/Documentation/RelNotes/2.37.4.txt))
- glibc ([2.35](https://savannah.gnu.org/forum/forum.php?forum_id=10111))
- iputils ([20211215](https://github.com/iputils/iputils/releases/tag/20211215))
- libcap ([2.65](https://sites.google.com/site/fullycapable/release-notes-for-libcap?authuser=0#h.wfblevfzkj0))
- multipath-tools ([0.9.3](https://github.com/opensvc/multipath-tools/releases/tag/0.9.3))
- wget ([1.21.3](https://lists.gnu.org/archive/html/info-gnu/2022-02/msg00017.html))
- whois ([5.5.13](https://github.com/rfc1036/whois/blob/v5.5.13/debian/changelog))
- xz-utils ([5.2.6](https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=4c79b18ff26a1c479a920b21f07d050599c04c9e;hb=8dfed05bdaa4873833ba24279f02ad2db25effea))
# New **Beta** Release **3402.1.0**
_Changes since **Beta 3374.1.1**_
#### Security fixes:
- Linux ([CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602), [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535), [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542), [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565), [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594))
- bind tools ([CVE-2022-2795](https://nvd.nist.gov/vuln/detail/CVE-2022-2795), [CVE-2022-2881](https://nvd.nist.gov/vuln/detail/CVE-2022-2881), [CVE-2022-2906](https://nvd.nist.gov/vuln/detail/CVE-2022-2906), [CVE-2022-3080](https://nvd.nist.gov/vuln/detail/CVE-2022-3080), [CVE-2022-38177](https://nvd.nist.gov/vuln/detail/CVE-2022-38177), [CVE-2022-38178](https://nvd.nist.gov/vuln/detail/CVE-2022-38178))
- curl ([CVE-2022-35252](https://nvd.nist.gov/vuln/detail/CVE-2022-35252))
- dbus ([CVE-2022-42010](https://nvd.nist.gov/vuln/detail/CVE-2022-42010), [CVE-2022-42011](https://nvd.nist.gov/vuln/detail/CVE-2022-42011), [CVE-2022-42012](https://nvd.nist.gov/vuln/detail/CVE-2022-42012))
- go ([CVE-2022-41715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41715), [CVE-2022-2880](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2880), [CVE-2022-2879](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2879))
- libxml2 ([CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303), [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304))
- logrotate ([CVE-2022-1348](https://nvd.nist.gov/vuln/detail/CVE-2022-1348))
- vim ([CVE-2022-1725](https://nvd.nist.gov/vuln/detail/CVE-2022-1725), [CVE-2022-2042](https://nvd.nist.gov/vuln/detail/CVE-2022-2042), [CVE-2022-2124](https://nvd.nist.gov/vuln/detail/CVE-2022-2124), [CVE-2022-2125](https://nvd.nist.gov/vuln/detail/CVE-2022-2125), [CVE-2022-2126](https://nvd.nist.gov/vuln/detail/CVE-2022-2126), [CVE-2022-2129](https://nvd.nist.gov/vuln/detail/CVE-2022-2129), [CVE-2022-2175](https://nvd.nist.gov/vuln/detail/CVE-2022-2175), [CVE-2022-2182](https://nvd.nist.gov/vuln/detail/CVE-2022-2182), [CVE-2022-2183](https://nvd.nist.gov/vuln/detail/CVE-2022-2183), [CVE-2022-2206](https://nvd.nist.gov/vuln/detail/CVE-2022-2206), [CVE-2022-2207](https://nvd.nist.gov/vuln/detail/CVE-2022-2207), [CVE-2022-2208](https://nvd.nist.gov/vuln/detail/CVE-2022-2208), [CVE-2022-2210](https://nvd.nist.gov/vuln/detail/CVE-2022-2210), [CVE-2022-2231](https://nvd.nist.gov/vuln/detail/CVE-2022-2231), [CVE-2022-2257](https://nvd.nist.gov/vuln/detail/CVE-2022-2257), [CVE-2022-2264](https://nvd.nist.gov/vuln/detail/CVE-2022-2264), [CVE-2022-2284](https://nvd.nist.gov/vuln/detail/CVE-2022-2284), [CVE-2022-2285](https://nvd.nist.gov/vuln/detail/CVE-2022-2285), [CVE-2022-2286](https://nvd.nist.gov/vuln/detail/CVE-2022-2286), [CVE-2022-2287](https://nvd.nist.gov/vuln/detail/CVE-2022-2287), [CVE-2022-2288](https://nvd.nist.gov/vuln/detail/CVE-2022-2288), [CVE-2022-2289](https://nvd.nist.gov/vuln/detail/CVE-2022-2289), [CVE-2022-2304](https://nvd.nist.gov/vuln/detail/CVE-2022-2304), [CVE-2022-2343](https://nvd.nist.gov/vuln/detail/CVE-2022-2343), [CVE-2022-2344](https://nvd.nist.gov/vuln/detail/CVE-2022-2344), [CVE-2022-2345](https://nvd.nist.gov/vuln/detail/CVE-2022-2345), [CVE-2022-2522](https://nvd.nist.gov/vuln/detail/CVE-2022-2522), [CVE-2022-2816](https://nvd.nist.gov/vuln/detail/CVE-2022-2816), [CVE-2022-2817](https://nvd.nist.gov/vuln/detail/CVE-2022-2817), [CVE-2022-2819](https://nvd.nist.gov/vuln/detail/CVE-2022-2819), [CVE-2022-2845](https://nvd.nist.gov/vuln/detail/CVE-2022-2845), [CVE-2022-2849](https://nvd.nist.gov/vuln/detail/CVE-2022-2849), [CVE-2022-2862](https://nvd.nist.gov/vuln/detail/CVE-2022-2862), [CVE-2022-2874](https://nvd.nist.gov/vuln/detail/CVE-2022-2874), [CVE-2022-2889](https://nvd.nist.gov/vuln/detail/CVE-2022-2889), [CVE-2022-2923](https://nvd.nist.gov/vuln/detail/CVE-2022-2923), [CVE-2022-2946](https://nvd.nist.gov/vuln/detail/CVE-2022-2946), [CVE-2022-2980](https://nvd.nist.gov/vuln/detail/CVE-2022-2980), [CVE-2022-2982](https://nvd.nist.gov/vuln/detail/CVE-2022-2982), [CVE-2022-3016](https://nvd.nist.gov/vuln/detail/CVE-2022-3016), [CVE-2022-3099](https://nvd.nist.gov/vuln/detail/CVE-2022-3099), [CVE-2022-3134](https://nvd.nist.gov/vuln/detail/CVE-2022-3134), [CVE-2022-3153](https://nvd.nist.gov/vuln/detail/CVE-2022-3153), [CVE-2022-3234](https://nvd.nist.gov/vuln/detail/CVE-2022-3234), [CVE-2022-3235](https://nvd.nist.gov/vuln/detail/CVE-2022-3235), [CVE-2022-3278](https://nvd.nist.gov/vuln/detail/CVE-2022-3278), [CVE-2022-3256](https://nvd.nist.gov/vuln/detail/CVE-2022-3256), [CVE-2022-3296](https://nvd.nist.gov/vuln/detail/CVE-2022-3296), [CVE-2022-3297](https://nvd.nist.gov/vuln/detail/CVE-2022-3297), [CVE-2022-3324](https://nvd.nist.gov/vuln/detail/CVE-2022-3324), [CVE-2022-3352](https://nvd.nist.gov/vuln/detail/CVE-2022-3352))
- SDK: rust ([CVE-2022-36113](https://nvd.nist.gov/vuln/detail/CVE-2022-36113), [CVE-2022-36114](https://nvd.nist.gov/vuln/detail/CVE-2022-36114))
#### Bug fixes:
- Enabled IOMMU on arm64 kernels, the lack of which prevented some systems from booting ([coreos-overlay#2235](https://github.com/flatcar/coreos-overlay/pull/2235))
#### Changes:
- Added `CONFIG_NF_CONNTRACK_BRIDGE` (for nf_conntrack_bridge) and `CONFIG_NFT_BRIDGE_META` (for nft_meta_bridge) to the kernel config to allow using conntrack rules for bridges in nftables and to match on bridge interface names ([coreos-overlay#2207](https://github.com/flatcar/coreos-overlay/pull/2207))
- Change CONFIG_WIREGUARD kernel option to module to save space on boot partition ([coreos-overlay#2239](https://github.com/flatcar/coreos-overlay/pull/2239))
- Disable several arch specific arm64 kernel config options for unsupported platforms to save space on boot partition ([coreos-overlay#2239](https://github.com/flatcar/coreos-overlay/pull/2239))
- Switched from `--strip-unneeded` to `--strip-debug` when installing kernel modules, which makes kernel stacktraces more accurate and makes debugging issues easier ([coreos-overlay#2196](https://github.com/flatcar/coreos-overlay/pull/2196))
- The flatcar-update tool got two new flags to customize ports used on the host while updating flatcar ([init#81](https://github.com/flatcar/init/pull/81))
- Add qemu-guest-agent to all amd64 images, it will be automatically enabled when qemu-ga virtio-port is detected ([coreos-overlay#2240](https://github.com/flatcar/coreos-overlay/pull/2240), [portage-stable#373](https://github.com/flatcar/portage-stable/pull/373))
#### Updates:
- Linux ([5.15.77](https://lwn.net/Articles/913681) (includes [5.15.76](https://lwn.net/Articles/912997), [5.15.75](https://lwn.net/Articles/912500)))
- Linux Firmware ([20221012](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20221012))
- Docker ([20.10.20](https://docs.docker.com/engine/release-notes/#201020))
- Go ([1.18.7](https://go.dev/doc/devel/release#1.18.7))
- OpenSSL ([3.0.7](https://www.openssl.org/news/openssl-3.0-notes.html))
- bind tools ([9.16.33](https://gitlab.isc.org/isc-projects/bind9/-/raw/v9_16_33/CHANGES))
- bpftool ([5.19.2](https://lwn.net/Articles/904957/))
- curl ([7.85](https://curl.se/mail/archive-2022-08/0012.html))
- dbus ([1.14.4](https://gitlab.freedesktop.org/dbus/dbus/-/raw/dbus-1.14.4/NEWS))
- git ([2.37.3](https://github.com/git/git/blob/v2.37.3/Documentation/RelNotes/2.37.3.txt))
- glibc ([2.34](https://sourceware.org/pipermail/libc-alpha/2021-August/129718.html))
- libxml2 ([2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3))
- logrotate ([3.20.1](https://github.com/logrotate/logrotate/releases/tag/3.20.1))
- nmap ([7.93](https://nmap.org/changelog.html#7.93))
- pahole ([1.23](https://git.kernel.org/pub/scm/devel/pahole/pahole.git/tag/?h=v1.23))
- strace ([5.19](https://github.com/strace/strace/releases/tag/v5.19))
- vim ([9.0.0655](https://github.com/vim/vim/releases/tag/v9.0.0655))
- wireguard-tools ([1.0.20210914](https://github.com/WireGuard/wireguard-tools/releases/tag/v1.0.20210914))
- zlib ([1.2.13](https://github.com/madler/zlib/releases/tag/v1.2.13))
- SDK: catalyst ([3.0.21](https://gitweb.gentoo.org/proj/catalyst.git/log/?h=3.0.21))
- SDK: cmake ([3.23.3](https://cmake.org/cmake/help/v3.23/release/3.23.html))
- SDK: libxslt ([1.1.37](https://gitlab.gnome.org/GNOME/libxslt/-/tags/v1.1.37))
- SDK: meson ([0.62.2](https://mesonbuild.com/Release-notes-for-0-62-0.html))
- SDK: ninja ([1.11.0](https://groups.google.com/g/ninja-build/c/R2oCyDctDf8/m/-U94Y5I8AgAJ?pli=1))
- SDK: Rust ([1.64.0](https://github.com/rust-lang/rust/releases/tag/1.64.0))
_Changes since **Alpha 3402.0.1**_
#### Security fixes:
- Linux ([CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602), [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535), [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542), [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565), [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594))
#### Updates:
- Linux ([5.15.77](https://lwn.net/Articles/913681) (includes [5.15.76](https://lwn.net/Articles/912997), [5.15.75](https://lwn.net/Articles/912500)))
- OpenSSL ([3.0.7](https://www.openssl.org/news/openssl-3.0-notes.html))
Best,
The Flatcar Container Linux Maintainers
---
### Security
**Subject**: Security issues fixed with the Alpha 3417.0.0, Beta 3402.1.0 releases
**Security fix**: With the Alpha 3417.0.0, Beta 3402.1.0 releases we ship fixes for the CVEs listed below.
#### Alpha 3417.0.0
* Linux
* [CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602) CVSSv3 score: n/a
* [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535) CVSSv3 score: n/a
A vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier VDB-211033 was assigned to this vulnerability.
* [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542) CVSSv3 score: 5.5(Medium)
A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211042 is the identifier assigned to this vulnerability.
* [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565) CVSSv3 score: 8(High)
A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.
* [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594) CVSSv3 score: 7.5(High)
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
* git
* [CVE-2022-39253](https://nvd.nist.gov/vuln/detail/CVE-2022-39253) CVSSv3 score: n/a
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.
* [CVE-2022-39260](https://nvd.nist.gov/vuln/detail/CVE-2022-39260) CVSSv3 score: 8.8(High)
Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.
* multipath-tools
* [CVE-2022-41973](https://nvd.nist.gov/vuln/detail/CVE-2022-41973) CVSSv3 score: 7.8(High)
multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
* [CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974) CVSSv3 score: 7.8(High)
multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.
### Beta 3402.1.0
* Linux
* [CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602) CVSSv3 score: n/a
* [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535) CVSSv3 score: n/a
A vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier VDB-211033 was assigned to this vulnerability.
* [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542) CVSSv3 score: 5.5(Medium)
A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211042 is the identifier assigned to this vulnerability.
* [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565) CVSSv3 score: 8(High)
A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.
* [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594) CVSSv3 score: 7.5(High)
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
* SDK: rust
* [CVE-2022-36113](https://nvd.nist.gov/vuln/detail/CVE-2022-36113) CVSSv3 score: 8.1(High)
Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. Mitigations We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.
* [CVE-2022-36114](https://nvd.nist.gov/vuln/detail/CVE-2022-36114) CVSSv3 score: 6.5(Medium)
Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.
* bind tools
* [CVE-2022-2795](https://nvd.nist.gov/vuln/detail/CVE-2022-2795) CVSSv3 score: 7.5(High)
By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
* [CVE-2022-2881](https://nvd.nist.gov/vuln/detail/CVE-2022-2881) CVSSv3 score: 8.2(High)
The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.
* [CVE-2022-2906](https://nvd.nist.gov/vuln/detail/CVE-2022-2906) CVSSv3 score: n/a
An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
* [CVE-2022-3080](https://nvd.nist.gov/vuln/detail/CVE-2022-3080) CVSSv3 score: n/a
By sending specific queries to the resolver, an attacker can cause named to crash.
* [CVE-2022-38177](https://nvd.nist.gov/vuln/detail/CVE-2022-38177) CVSSv3 score: n/a
By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.
* [CVE-2022-38178](https://nvd.nist.gov/vuln/detail/CVE-2022-38178) CVSSv3 score: n/a
By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.
* curl
* [CVE-2022-35252](https://nvd.nist.gov/vuln/detail/CVE-2022-35252) CVSSv3 score: 3.7(Low)
When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.
* dbus
* [CVE-2022-42010](https://nvd.nist.gov/vuln/detail/CVE-2022-42010) CVSSv3 score: 6.5(Medium)
An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.
* [CVE-2022-42011](https://nvd.nist.gov/vuln/detail/CVE-2022-42011) CVSSv3 score: 6.5(Medium)
An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.
* [CVE-2022-42012](https://nvd.nist.gov/vuln/detail/CVE-2022-42012) CVSSv3 score: 6.5(Medium)
An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.
* go
* [CVE-2022-41715](https://nvd.nist.gov/vuln/detail/CVE-2022-41715) CVSSv3 score: 7.5(High)
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
* [CVE-2022-2880](https://nvd.nist.gov/vuln/detail/CVE-2022-2880) CVSSv3 score: 7.5(High)
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
* [CVE-2022-2879](https://nvd.nist.gov/vuln/detail/CVE-2022-2879) CVSSv3 score: 7.5(High)
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
* libxml2
* [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303) CVSSv3 score: n/a
Fix integer overflows with XML_PARSE_HUGE
* [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304) CVSSv3 score: n/a
Fix dict corruption caused by entity reference cycles
* logrotate
* [CVE-2022-1348](https://nvd.nist.gov/vuln/detail/CVE-2022-1348) CVSSv3 score: 6.5(Medium)
A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
* vim
* [CVE-2022-1725](https://nvd.nist.gov/vuln/detail/CVE-2022-1725) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4959.
* [CVE-2022-2042](https://nvd.nist.gov/vuln/detail/CVE-2022-2042) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2124](https://nvd.nist.gov/vuln/detail/CVE-2022-2124) CVSSv3 score: 7.8(High)
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2125](https://nvd.nist.gov/vuln/detail/CVE-2022-2125) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2126](https://nvd.nist.gov/vuln/detail/CVE-2022-2126) CVSSv3 score: 7.8(High)
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2129](https://nvd.nist.gov/vuln/detail/CVE-2022-2129) CVSSv3 score: 7.8(High)
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2175](https://nvd.nist.gov/vuln/detail/CVE-2022-2175) CVSSv3 score: 7.8(High)
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2182](https://nvd.nist.gov/vuln/detail/CVE-2022-2182) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2183](https://nvd.nist.gov/vuln/detail/CVE-2022-2183) CVSSv3 score: 7.8(High)
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2206](https://nvd.nist.gov/vuln/detail/CVE-2022-2206) CVSSv3 score: 7.8(High)
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2207](https://nvd.nist.gov/vuln/detail/CVE-2022-2207) CVSSv3 score: 9.8(Critical)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2208](https://nvd.nist.gov/vuln/detail/CVE-2022-2208) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.
* [CVE-2022-2210](https://nvd.nist.gov/vuln/detail/CVE-2022-2210) CVSSv3 score: 7.8(High)
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2231](https://nvd.nist.gov/vuln/detail/CVE-2022-2231) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2257](https://nvd.nist.gov/vuln/detail/CVE-2022-2257) CVSSv3 score: 7.8(High)
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
* [CVE-2022-2264](https://nvd.nist.gov/vuln/detail/CVE-2022-2264) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
* [CVE-2022-2284](https://nvd.nist.gov/vuln/detail/CVE-2022-2284) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
* [CVE-2022-2285](https://nvd.nist.gov/vuln/detail/CVE-2022-2285) CVSSv3 score: 7.8(High)
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.
* [CVE-2022-2286](https://nvd.nist.gov/vuln/detail/CVE-2022-2286) CVSSv3 score: 7.8(High)
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
* [CVE-2022-2287](https://nvd.nist.gov/vuln/detail/CVE-2022-2287) CVSSv3 score: 7.1(High)
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
* [CVE-2022-2288](https://nvd.nist.gov/vuln/detail/CVE-2022-2288) CVSSv3 score: 7.8(High)
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.
* [CVE-2022-2289](https://nvd.nist.gov/vuln/detail/CVE-2022-2289) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.
* [CVE-2022-2304](https://nvd.nist.gov/vuln/detail/CVE-2022-2304) CVSSv3 score: 7.8(High)
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
* [CVE-2022-2343](https://nvd.nist.gov/vuln/detail/CVE-2022-2343) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.
* [CVE-2022-2344](https://nvd.nist.gov/vuln/detail/CVE-2022-2344) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.
* [CVE-2022-2345](https://nvd.nist.gov/vuln/detail/CVE-2022-2345) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0046.
* [CVE-2022-2522](https://nvd.nist.gov/vuln/detail/CVE-2022-2522) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.
* [CVE-2022-2816](https://nvd.nist.gov/vuln/detail/CVE-2022-2816) CVSSv3 score: 7.8(High)
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.
* [CVE-2022-2817](https://nvd.nist.gov/vuln/detail/CVE-2022-2817) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0213.
* [CVE-2022-2819](https://nvd.nist.gov/vuln/detail/CVE-2022-2819) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211.
* [CVE-2022-2845](https://nvd.nist.gov/vuln/detail/CVE-2022-2845) CVSSv3 score: 7.8(High)
Buffer Over-read in GitHub repository vim/vim prior to 9.0.0218.
* [CVE-2022-2849](https://nvd.nist.gov/vuln/detail/CVE-2022-2849) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220.
* [CVE-2022-2862](https://nvd.nist.gov/vuln/detail/CVE-2022-2862) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0221.
* [CVE-2022-2874](https://nvd.nist.gov/vuln/detail/CVE-2022-2874) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224.
* [CVE-2022-2889](https://nvd.nist.gov/vuln/detail/CVE-2022-2889) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0225.
* [CVE-2022-2923](https://nvd.nist.gov/vuln/detail/CVE-2022-2923) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.
* [CVE-2022-2946](https://nvd.nist.gov/vuln/detail/CVE-2022-2946) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0246.
* [CVE-2022-2980](https://nvd.nist.gov/vuln/detail/CVE-2022-2980) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259.
* [CVE-2022-2982](https://nvd.nist.gov/vuln/detail/CVE-2022-2982) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0260.
* [CVE-2022-3016](https://nvd.nist.gov/vuln/detail/CVE-2022-3016) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0286.
* [CVE-2022-3099](https://nvd.nist.gov/vuln/detail/CVE-2022-3099) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0360.
* [CVE-2022-3134](https://nvd.nist.gov/vuln/detail/CVE-2022-3134) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0389.
* [CVE-2022-3153](https://nvd.nist.gov/vuln/detail/CVE-2022-3153) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.
* [CVE-2022-3234](https://nvd.nist.gov/vuln/detail/CVE-2022-3234) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.
* [CVE-2022-3235](https://nvd.nist.gov/vuln/detail/CVE-2022-3235) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0490.
* [CVE-2022-3278](https://nvd.nist.gov/vuln/detail/CVE-2022-3278) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.
* [CVE-2022-3256](https://nvd.nist.gov/vuln/detail/CVE-2022-3256) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0530.
* [CVE-2022-3296](https://nvd.nist.gov/vuln/detail/CVE-2022-3296) CVSSv3 score: 7.8(High)
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.
* [CVE-2022-3297](https://nvd.nist.gov/vuln/detail/CVE-2022-3297) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0579.
* [CVE-2022-3324](https://nvd.nist.gov/vuln/detail/CVE-2022-3324) CVSSv3 score: 7.8(High)
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.
* [CVE-2022-3352](https://nvd.nist.gov/vuln/detail/CVE-2022-3352) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 9.0.0614.
---
### Communication
#### Go/No-Go message for Matrix/Slack
Go/No-Go Meeting for Alpha 3417.0.0, Beta 3402.1.0
Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/
Tracking issue: https://github.com/flatcar/Flatcar/issues/893
The Go/No-Go document is in our HackMD @flatcar namespace
Link: https://hackmd.io/fQQcKNK0SMedCgC6gQ9nuA?view
Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait.
Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat.
@MAINTAINER @MAINTAINER @MAINTAINER
#### Twitter
_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar Alpha, Beta releases now available!
📦 Many package updates: Linux, glibc, git and others
🔒 CVE fixes & security patches: Linux, git, multipath-tools
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome the new Flatcar releases:
- Alpha 3417.0.0 (new major)
- Beta 3402.1.0 (promotion of major release)
These releases include:
📦 Many package updates: Linux, glibc, git and others
🩹 CVE fixes & security patches: Linux, git, multipath-tools
📜 Release notes in usual spot: https://www.flatcar.org/releases/