# Flatcar Container Linux Release - December 8th, 2022
## Alpha 3446.0.0
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_
## Beta 3432.1.0
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_
## Stable 3374.2.1
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_
## LTS-2022 3033.3.8
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
---
### Announcement Message
Subject: Announcing new releases Alpha 3446.0.0, Beta 3432.1.0, Stable 3374.2.1, LTS-2022 3033.3.8
Hello,
We are pleased to announce new Flatcar Container Linux releases for the Alpha, Beta, Stable and LTS channels.
### New Alpha Release 3446.0.0
_Changes since **Alpha 3432.0.0**_
#### Security fixes:
- Linux ([CVE-2022-3169](https://nvd.nist.gov/vuln/detail/CVE-2022-3169), [CVE-2022-3521](https://nvd.nist.gov/vuln/detail/CVE-2022-3521))
- sudo ([CVE-2022-43995](https://nvd.nist.gov/vuln/detail/CVE-2022-43995))
#### Bug fixes:
- Fix "ext4 deadlock under heavy I/O load" kernel issue. The patch for this is included provisionally while we wait for it to be merged upstream ([Flatcar#847](https://github.com/flatcar/Flatcar/issues/847), [coreos-overlay#2315](https://github.com/flatcar/coreos-overlay/pull/2315))
#### Updates:
- Linux ([5.15.81](https://lwn.net/Articles/916763) (includes [5.15.80](https://lwn.net/Articles/916003)))
- gettext ([0.21.1](https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob;f=NEWS;h=cdbb16746c23555e70bb1e16917f5c349ce92d9e;hb=8b38ee827251cadbb90cb6cb576ae98702566288))
- GnuTLS ([3.7.8](https://lists.gnupg.org/pipermail/gnutls-help/2022-September/004765.html))
- sudo ([1.9.12_p1](https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p1))
- XZ utils ([5.2.8](https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=c244b42a6771a6e8af206318dfc500d78929fd6f;hb=5476089d9c42b9b04e92b80e1800b384a98265cb))
- VMware: open-vm-tools ([12.1.5](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.1.5))
### New Beta Release 3432.1.0
_Changes since **Beta 3417.1.0**_
#### Security fixes:
- Linux ([CVE-2022-3169](https://nvd.nist.gov/vuln/detail/CVE-2022-3169), [CVE-2022-3521](https://nvd.nist.gov/vuln/detail/CVE-2022-3521))
- cpio ([CVE-2021-38185](https://nvd.nist.gov/vuln/detail/CVE-2021-38185))
- curl ([CVE-2022-32221](https://nvd.nist.gov/vuln/detail/CVE-2022-32221), [CVE-2022-35260](https://nvd.nist.gov/vuln/detail/CVE-2022-35260), [CVE-2022-42915](https://nvd.nist.gov/vuln/detail/CVE-2022-42915), [CVE-2022-42916](https://nvd.nist.gov/vuln/detail/CVE-2022-42916))
- expat ([CVE-2022-43680](https://nvd.nist.gov/vuln/detail/CVE-2022-43680))
- libksba ([CVE-2022-3515](https://nvd.nist.gov/vuln/detail/CVE-2022-3515))
- vim ([CVE-2022-3705](https://nvd.nist.gov/vuln/detail/CVE-2022-3705))
#### Bug fixes:
- Added support for hardware security keys in update-ssh-keys ([update-ssh-keys#7](https://github.com/flatcar/update-ssh-keys/pull/7))
- Fix "ext4 deadlock under heavy I/O load" kernel issue. The patch for this is included provisionally while we wait for it to be merged upstream ([Flatcar#847](https://github.com/flatcar/Flatcar/issues/847), [coreos-overlay#2315](https://github.com/flatcar/coreos-overlay/pull/2315))
#### Updates:
- Linux ([5.15.81](https://lwn.net/Articles/916763) (includes [5.15.80](https://lwn.net/Articles/916003)))
- Linux Firmware ([20221109](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20221109))
- OpenSSH ([9.1](http://www.openssh.com/releasenotes.html#9.1))
- containerd ([1.6.10](https://github.com/containerd/containerd/releases/tag/v1.6.10))
- cpio ([2.13](https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html))
- curl ([7.86](https://curl.se/changes.html#7_86_0))
- Expat ([2.5.0](https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes))
- glib ([2.74.1](https://gitlab.gnome.org/GNOME/glib/-/tags/2.74.1))
- libcap ([2.66](https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.d9ygdose5kw))
- libksba ([1.6.2](https://dev.gnupg.org/T6230))
- sqlite ([3.39.4](https://sqlite.org/releaselog/3_39_4.html))
- vim ([9.0.0828](https://github.com/vim/vim/releases/tag/v9.0.0828))
- whois ([5.5.14](https://github.com/rfc1036/whois/commit/ab10466cf2e1ec4887f6a44375c3e29c1720157f))
- XZ utils ([5.2.7](https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=0205423e79ce8297102096b0fc8b030ddf5b2023;hb=d24a57b7fc7e5e9267b84367cb0788d3acf7f569))
- SDK: Rust ([1.65.0](https://github.com/rust-lang/rust/releases/tag/1.65.0))
_Changes since **Alpha 3432.0.0**_
#### Security fixes:
- Linux ([CVE-2022-3169](https://nvd.nist.gov/vuln/detail/CVE-2022-3169), [CVE-2022-3521](https://nvd.nist.gov/vuln/detail/CVE-2022-3521))
#### Bug fixes:
- Fix "ext4 deadlock under heavy I/O load" kernel issue. The patch for this is included provisionally while we wait for it to be merged upstream ([Flatcar#847](https://github.com/flatcar/Flatcar/issues/847), [coreos-overlay#2315](https://github.com/flatcar/coreos-overlay/pull/2315))
#### Updates:
- Linux ([5.15.81](https://lwn.net/Articles/916763) (includes [5.15.80](https://lwn.net/Articles/916003)))
### New Stable Release 3374.2.1
_Changes since **Stable 3374.2.0**_
#### Security fixes:
- Linux ([CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602), [CVE-2022-3524](https://nvd.nist.gov/vuln/detail/CVE-2022-3524), [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535), [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542), [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565), [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594), [CVE-2022-41849](https://nvd.nist.gov/vuln/detail/CVE-2022-41849), [CVE-2022-41850](https://nvd.nist.gov/vuln/detail/CVE-2022-41850), [CVE-2022-43945](https://nvd.nist.gov/vuln/detail/CVE-2022-43945))
#### Updates:
- Linux ([5.15.77](https://lwn.net/Articles/913681) (includes [5.15.76](https://lwn.net/Articles/912997), [5.15.75](https://lwn.net/Articles/912500)))
- ca-certificates ([3.85](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_85.html))
### New LTS Release 3033.3.8
_Changes since **LTS 3033.3.7**_
#### Security fixes:
- Linux ([CVE-2022-3169](https://nvd.nist.gov/vuln/detail/CVE-2022-3169), [CVE-2022-3521](https://nvd.nist.gov/vuln/detail/CVE-2022-3521))
#### Updates:
- Linux ([5.10.157](https://lwn.net/Articles/916764) (includes [5.10.156](https://lwn.net/Articles/915992), [5.10.155](https://lwn.net/Articles/915101)))
Best,
The Flatcar Container Linux Maintainers
---
### Security
**Subject**: Security issues fixed with the latest Alpha 3446.0.0, Beta 3432.1.0, Stable 3374.2.1, LTS-2022 3033.3.8 release(s)
**Security fix**: With the Alpha 3446.0.0, Beta 3432.1.0, Stable 3374.2.1, LTS-2022 3033.3.8 release(s) we ship fixes for the CVEs listed below.
#### Alpha 3446.0.0
* Linux
  * [CVE-2022-3169](https://nvd.nist.gov/vuln/detail/CVE-2022-3169) CVSSv3 score: 5.5(Medium)
    A flaw was found in the Linux kernel. A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect.
  * [CVE-2022-3521](https://nvd.nist.gov/vuln/detail/CVE-2022-3521) CVSSv3 score: 2.5(Low)
    A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability.
* sudo
  * [CVE-2022-43995](https://nvd.nist.gov/vuln/detail/CVE-2022-43995) CVSSv3 score: 7.1(High)
    Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.
#### Beta 3432.1.0
* Linux
  * [CVE-2022-3169](https://nvd.nist.gov/vuln/detail/CVE-2022-3169) CVSSv3 score: 5.5(Medium)
    A flaw was found in the Linux kernel. A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect.
  * [CVE-2022-3521](https://nvd.nist.gov/vuln/detail/CVE-2022-3521) CVSSv3 score: 2.5(Low)
    A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability.
* cpio
  * [CVE-2021-38185](https://nvd.nist.gov/vuln/detail/CVE-2021-38185) CVSSv3 score: 7.8(High)
    GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.
* curl
  * [CVE-2022-32221](https://nvd.nist.gov/vuln/detail/CVE-2022-32221) CVSSv3 score: n/a
    When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
  * [CVE-2022-35260](https://nvd.nist.gov/vuln/detail/CVE-2022-35260) CVSSv3 score: 6.5(Medium)
    curl can be told to parse a `.netrc` file for credentials. If that file ends in a line with 4095 consecutive non-white space letters and no newline, curl would first read past the end of the stack-based buffer, and if the read works, write a zero byte beyond its boundary. This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.
  * [CVE-2022-42915](https://nvd.nist.gov/vuln/detail/CVE-2022-42915) CVSSv3 score: 9.8(Critical)
    curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
  * [CVE-2022-42916](https://nvd.nist.gov/vuln/detail/CVE-2022-42916) CVSSv3 score: 7.5(High)
    In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
* expat
  * [CVE-2022-43680](https://nvd.nist.gov/vuln/detail/CVE-2022-43680) CVSSv3 score: 7.5(High)
    In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
* libksba
  * [CVE-2022-3515](https://nvd.nist.gov/vuln/detail/CVE-2022-3515) CVSSv3 score: n/a
    A severe bug has been found in libksba, the library used by GnuPG for parsing the ASN.1 structures as used by S/MIME. The bug affects all versions of libksba before 1.6.2 and may be used for remote code execution.
* vim
  * [CVE-2022-3705](https://nvd.nist.gov/vuln/detail/CVE-2022-3705) CVSSv3 score: 7.5(High)
    A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.
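The HSTS bypass in CVE-2022-42916 listed above comes down to a policy lookup that is done on a different spelling of the host name than the one the connection code later resolves. The following Python snippet is an added illustration of that class of bug and its fix, not curl's code: a constructed HSTS cache, a naive lookup on the raw host string, and a hardened lookup that canonicalizes the host through the IDNA codec first (which maps U+3002 and the other Unicode label separators to an ASCII dot), so every spelling of the host lands on the same cache entry. The cache contents, the function names and the `choose_scheme` helper are assumptions made for the example.

```python
"""Added illustration of the CVE-2022-42916 root cause (not curl's code):
an HSTS lookup must canonicalize the host name the same way the connection
code does, otherwise an alternative spelling of the host slips past it."""

# Constructed HSTS cache: hosts that must only be reached over HTTPS.
# Keys are canonical, lower-case ASCII host names (an assumption for the example).
HSTS_CACHE = {"example.com"}


def canonical_host(host: str) -> str:
    """Return the lower-case ASCII (IDNA) form of a host name.

    Python's built-in 'idna' codec splits labels on U+002E and also on the
    ideographic / fullwidth stops U+3002, U+FF0E and U+FF61 (RFC 3490
    section 3.1), so 'example\u3002com' canonicalizes to 'example.com'.
    A trailing dot is dropped so 'example.com.' matches the same entry.
    """
    return host.encode("idna").decode("ascii").lower().rstrip(".")


def naive_hsts_applies(host: str) -> bool:
    """Vulnerable pattern: compare the raw host string against the cache.

    The later DNS/connection step converts the name with IDNA, so the two
    code paths disagree about which host they are talking about, and an
    entry that exists in the cache is simply not found.
    """
    return host.lower() in HSTS_CACHE


def hardened_hsts_applies(host: str) -> bool:
    """Hardened pattern: canonicalize first, then look the host up, so the
    policy check and the connection code agree on the host identity."""
    return canonical_host(host) in HSTS_CACHE


def choose_scheme(url_scheme: str, host: str, hsts_applies) -> str:
    """Scheme the client should actually use: upgrade http to https when
    the HSTS policy (as decided by the given lookup function) applies."""
    if url_scheme == "http" and hsts_applies(host):
        return "https"
    return url_scheme


if __name__ == "__main__":
    # Constructed inputs: the plain host, an upper-case spelling with a
    # trailing dot, and the host written with U+3002 IDEOGRAPHIC FULL STOP
    # as the label separator.
    for host in ("example.com", "EXAMPLE.com.", "example\u3002com"):
        naive = choose_scheme("http", host, naive_hsts_applies)
        hardened = choose_scheme("http", host, hardened_hsts_applies)
        print(f"{host!r:24} naive -> {naive}, hardened -> {hardened}")
```

The naive lookup answers `http` for the U+3002 spelling even though the cache holds the host; the hardened lookup answers `https` for all three spellings. The general lesson is the one curl applied: any security decision keyed on a host name has to be made on the canonical form that the rest of the stack will actually use.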
#### Stable 3374.2.1
* Linux
  * [CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602) CVSSv3 score: n/a
  * [CVE-2022-3524](https://nvd.nist.gov/vuln/detail/CVE-2022-3524) CVSSv3 score: 7.5(High)
    A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211021 was assigned to this vulnerability.
  * [CVE-2022-3535](https://nvd.nist.gov/vuln/detail/CVE-2022-3535) CVSSv3 score: n/a
    A vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier VDB-211033 was assigned to this vulnerability.
  * [CVE-2022-3542](https://nvd.nist.gov/vuln/detail/CVE-2022-3542) CVSSv3 score: 5.5(Medium)
    A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211042 is the identifier assigned to this vulnerability.
  * [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565) CVSSv3 score: 8(High)
    A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.
  * [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594) CVSSv3 score: 7.5(High)
    A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
  * [CVE-2022-41849](https://nvd.nist.gov/vuln/detail/CVE-2022-41849) CVSSv3 score: 4.2(Medium)
    drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect.
  * [CVE-2022-41850](https://nvd.nist.gov/vuln/detail/CVE-2022-41850) CVSSv3 score: 4.7(Medium)
    roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress.
  * [CVE-2022-43945](https://nvd.nist.gov/vuln/detail/CVE-2022-43945) CVSSv3 score: 7.5(High)
    The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
#### LTS 3033.3.8
* Linux
  * [CVE-2022-3169](https://nvd.nist.gov/vuln/detail/CVE-2022-3169) CVSSv3 score: 5.5(Medium)
    A flaw was found in the Linux kernel. A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect.
  * [CVE-2022-3521](https://nvd.nist.gov/vuln/detail/CVE-2022-3521) CVSSv3 score: 2.5(Low)
    A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability.
---
### Communication
#### Go/No-Go message for Matrix/Slack
Go/No-Go Meeting for Alpha 3446.0.0, Beta 3432.1.0, Stable 3374.2.1, LTS-2022 3033.3.8
Preview images are available at https://bincache.flatcar-linux.net/images/amd64/$VERSION/
Tracking issue: https://github.com/flatcar/Flatcar/issues/910
The Go/No-Go document is in our HackMD @flatcar namespace
Link: https://hackmd.io/@flatcar/r117O9pvi
Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait.
Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat.
@MAINTAINER @MAINTAINER @MAINTAINER
#### Mastodon
_The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases for all channels.
📦 Package updates for Linux and sudo
⬆️ New major Beta upgrade includes cpio, curl, vim etc
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome Flatcar releases of this month:
- Alpha 3446.0.0 (new major)
- Beta 3432.1.0 (major release)
- Stable 3374.2.1 (maintenance release)
- LTS-2022 3033.3.8 (maintenance release)
These releases include:
New Flatcar releases for all channels.
📦 Package updates for Linux and sudo
⬆️ New major Beta upgrade includes cpio, curl, vim etc
📜 Release notes at the usual spot: https://www.flatcar.org/releases/