# Flatcar Container Linux Release - 2022-08-04
## Flatcar-linux-Alpha-3305.0.1
- AMD64-usr
  - Platforms succeeded: All except for Equinix Metal
  - Platforms failed: Equinix Metal
    - Equinix Metal: flaky failure at cl.internet with s3.xlarge.x86: "machine failed to start: ssh journalctl failed: time limit exceeded: dial tcp 147.75.109.167:22: i/o timeout"
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: *GO*
## Flatcar-linux-Beta-3277.1.1
- AMD64-usr
  - Platforms succeeded: All except for Equinix Metal
  - Platforms failed: Equinix Metal
    - Equinix Metal: flaky failure at cl.internet with s3.xlarge.x86: "machine failed to start: ssh journalctl failed: time limit exceeded: dial tcp 86.109.11.255:22: i/o timeout"
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: *GO*
## Flatcar-linux-Stable-3227.2.1
- AMD64-usr
  - Platforms succeeded: All except for Equinix Metal
  - Platforms failed: Equinix Metal
    - Equinix Metal: flaky failure at cl.internet with s3.xlarge.x86: "machine failed to start: ssh journalctl failed: time limit exceeded: dial tcp 145.40.82.217:22: i/o timeout"
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: *GO*
## Flatcar-linux-LTS-2022-3033.3.4
- AMD64-usr
  - Platforms succeeded: All except for AWS and Equinix Metal
  - Platforms failed: AWS and Equinix Metal
    - AWS: flaky failure at cl.internet with m4.2xlarge: "machine failed to start: ssh journalctl failed: time limit exceeded: dial tcp 35.166.226.223:22: i/o timeout"
    - Equinix Metal: flaky failure at cl.internet with s3.xlarge.x86: "machine failed to start: ssh journalctl failed: time limit exceeded: dial tcp 86.109.11.255:22: i/o timeout"
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: *GO*
## Flatcar-linux-LTS-2021-2605.30.1
- AMD64-usr
  - Platforms succeeded: All except for kubeadm tests
  - Platforms failed: kubeadm tests
    - Failed at kubeadm tests for k8s 1.24, which should not be tested for LTS-2021 anyway.
  - Platforms not tested: None
VERDICT: *GO*
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
- Make sure the LTS is referred to as `LTS-2021`, and not `LTS-2605`
---
### Announcement Message
Subject: Announcing new Alpha 3305.0.1, Beta 3277.1.1, Stable 3227.2.1, LTS-2022 3033.3.4, LTS-2021 2605.30.1 releases.
Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, LTS-2022 and LTS-2021 channels.
They are mainly bug fix releases across all channels.
# New **Alpha** Release **3305.0.1**
Changes since alpha-3305.0.0
## Security fixes:
- Linux ([CVE-2022-23816](https://nvd.nist.gov/vuln/detail/CVE-2022-23816), [CVE-2022-23825](https://nvd.nist.gov/vuln/detail/CVE-2022-23825), [CVE-2022-29900](https://nvd.nist.gov/vuln/detail/CVE-2022-29900), [CVE-2022-29901](https://nvd.nist.gov/vuln/detail/CVE-2022-29901))
## Bug fixes:
- Added support for Openstack for cloud-init activation ([flatcar-linux/init#76](https://github.com/flatcar-linux/init/pull/76))
- Excluded Wireguard interface from `systemd-networkd` default management ([Flatcar#808](https://github.com/flatcar-linux/Flatcar/issues/808))
- Fixed `/etc/resolv.conf` symlink by pointing it at `resolv.conf` instead of `stub-resolv.conf`. This bug was present since the update to systemd v250 ([coreos-overlay#2057](https://github.com/flatcar-linux/coreos-overlay/pull/2057))
- Fixed excluded interface type from default systemd-networkd configuration ([flatcar-linux/init#78](https://github.com/flatcar-linux/init/pull/78))
- Fixed space escaping in the `networkd` Ignition translation ([Flatcar#812](https://github.com/flatcar-linux/Flatcar/issues/812))
## Changes:
## Updates:
- Linux ([5.15.58](https://lwn.net/Articles/902917) (includes [5.15.57](https://lwn.net/Articles/902317), [5.15.56](https://lwn.net/Articles/902101)))
- ca-certificates ([3.81](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_81.html))
# New **Beta** Release **3277.1.1**
Changes since beta-3277.1.0
## Security fixes:
- Linux ([CVE-2022-23816](https://nvd.nist.gov/vuln/detail/CVE-2022-23816), [CVE-2022-23825](https://nvd.nist.gov/vuln/detail/CVE-2022-23825), [CVE-2022-29900](https://nvd.nist.gov/vuln/detail/CVE-2022-29900), [CVE-2022-29901](https://nvd.nist.gov/vuln/detail/CVE-2022-29901))
## Bug fixes:
- Added support for Openstack for cloud-init activation ([flatcar-linux/init#76](https://github.com/flatcar-linux/init/pull/76))
- Excluded Wireguard interface from `systemd-networkd` default management ([Flatcar#808](https://github.com/flatcar-linux/Flatcar/issues/808))
- Fixed `/etc/resolv.conf` symlink by pointing it at `resolv.conf` instead of `stub-resolv.conf`. This bug was present since the update to systemd v250 ([coreos-overlay#2057](https://github.com/flatcar-linux/coreos-overlay/pull/2057))
- Fixed excluded interface type from default systemd-networkd configuration ([flatcar-linux/init#78](https://github.com/flatcar-linux/init/pull/78))
- Fixed space escaping in the `networkd` Ignition translation ([Flatcar#812](https://github.com/flatcar-linux/Flatcar/issues/812))
## Changes:
## Updates:
- Linux ([5.15.58](https://lwn.net/Articles/902917) (includes [5.15.57](https://lwn.net/Articles/902317), [5.15.56](https://lwn.net/Articles/902101)))
- ca-certificates ([3.81](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_81.html))
# New **Stable** Release **3227.2.1**
Changes since stable-3227.2.0
## Security fixes:
- Linux ([CVE-2022-23816](https://nvd.nist.gov/vuln/detail/CVE-2022-23816), [CVE-2022-23825](https://nvd.nist.gov/vuln/detail/CVE-2022-23825), [CVE-2022-29900](https://nvd.nist.gov/vuln/detail/CVE-2022-29900), [CVE-2022-29901](https://nvd.nist.gov/vuln/detail/CVE-2022-29901))
## Bug fixes:
- Added support for Openstack for cloud-init activation ([flatcar-linux/init#76](https://github.com/flatcar-linux/init/pull/76))
- Excluded Wireguard interface from `systemd-networkd` default management ([Flatcar#808](https://github.com/flatcar-linux/Flatcar/issues/808))
- Fixed `/etc/resolv.conf` symlink by pointing it at `resolv.conf` instead of `stub-resolv.conf`. This bug was present since the update to systemd v250 ([coreos-overlay#2057](https://github.com/flatcar-linux/coreos-overlay/pull/2057))
- Fixed excluded interface type from default systemd-networkd configuration ([flatcar-linux/init#78](https://github.com/flatcar-linux/init/pull/78))
- Fixed space escaping in the `networkd` Ignition translation ([Flatcar#812](https://github.com/flatcar-linux/Flatcar/issues/812))
## Changes:
## Updates:
- Linux ([5.15.58](https://lwn.net/Articles/902917) (includes [5.15.57](https://lwn.net/Articles/902317), [5.15.56](https://lwn.net/Articles/902101)))
- ca-certificates ([3.81](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_81.html))
# New **LTS-2022** Release **3033.3.4**
Changes since lts-3033.3.3
## Security fixes:
- Linux ([CVE-2022-23816](https://nvd.nist.gov/vuln/detail/CVE-2022-23816), [CVE-2022-23825](https://nvd.nist.gov/vuln/detail/CVE-2022-23825), [CVE-2022-29900](https://nvd.nist.gov/vuln/detail/CVE-2022-29900), [CVE-2022-29901](https://nvd.nist.gov/vuln/detail/CVE-2022-29901))
## Bug fixes:
## Changes:
## Updates:
- Linux ([5.10.134](https://lwn.net/Articles/902918) (includes [5.10.133](https://lwn.net/Articles/902372), [5.10.132](https://lwn.net/Articles/902102)))
- ca-certificates ([3.81](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_81.html))
# New **LTS-2021** Release **2605.30.1**
Changes since lts-2605.29.1
## Security fixes:
- Linux ([CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655), [CVE-2021-33656](https://nvd.nist.gov/vuln/detail/CVE-2021-33656), [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318), [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365), [CVE-2022-32296](https://nvd.nist.gov/vuln/detail/CVE-2022-32296), [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740), [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741), [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742), [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744))
## Bug fixes:
- Removed outdated LTS channel information printed on login ([init#75](https://github.com/flatcar-linux/init/pull/75))
## Changes:
## Updates:
- Linux ([5.4.206](https://lwn.net/Articles/901382) (includes [5.4.205](https://lwn.net/Articles/900908), [5.4.204](https://lwn.net/Articles/900323), [5.4.203](https://lwn.net/Articles/899790), [5.4.202](https://lwn.net/Articles/899372), [5.4.201](https://lwn.net/Articles/899089), [5.4.200](https://lwn.net/Articles/898624)))
- ca-certificates ([3.80](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html))
Best,
The Flatcar Container Linux Maintainers
---
### Security
**Subject**: Security issues fixed with the latest Alpha 3305.0.1, Beta 3277.1.1, Stable 3227.2.1, LTS-2022 3033.3.4, LTS-2021 2605.30.1 releases
**Security fix**: With the Alpha 3305.0.1, Beta 3277.1.1, Stable 3227.2.1, LTS-2022 3033.3.4, LTS-2021 2605.30.1 releases we ship fixes for the CVEs listed below.
#### Alpha 3305.0.1
* Linux
  * [CVE-2022-23816](https://nvd.nist.gov/vuln/detail/CVE-2022-23816) CVSSv3 score: n/a
    Mis-trained branch predictions for return instructions may cause some AMD processors to allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
  * [CVE-2022-23825](https://nvd.nist.gov/vuln/detail/CVE-2022-23825) CVSSv3 score: 6.5 (Medium)
    Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type, potentially leading to information disclosure.
  * [CVE-2022-29900](https://nvd.nist.gov/vuln/detail/CVE-2022-29900) CVSSv3 score: 6.5 (Medium)
    Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
  * [CVE-2022-29901](https://nvd.nist.gov/vuln/detail/CVE-2022-29901) CVSSv3 score: 6.5 (Medium)
    Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
#### Beta 3277.1.1
* Linux
  * [CVE-2022-23816](https://nvd.nist.gov/vuln/detail/CVE-2022-23816) CVSSv3 score: n/a
    Mis-trained branch predictions for return instructions may cause some AMD processors to allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
  * [CVE-2022-23825](https://nvd.nist.gov/vuln/detail/CVE-2022-23825) CVSSv3 score: 6.5 (Medium)
    Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type, potentially leading to information disclosure.
  * [CVE-2022-29900](https://nvd.nist.gov/vuln/detail/CVE-2022-29900) CVSSv3 score: 6.5 (Medium)
    Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
  * [CVE-2022-29901](https://nvd.nist.gov/vuln/detail/CVE-2022-29901) CVSSv3 score: 6.5 (Medium)
    Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
#### Stable 3227.2.1
* Linux
  * [CVE-2022-23816](https://nvd.nist.gov/vuln/detail/CVE-2022-23816) CVSSv3 score: n/a
    Mis-trained branch predictions for return instructions may cause some AMD processors to allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
  * [CVE-2022-23825](https://nvd.nist.gov/vuln/detail/CVE-2022-23825) CVSSv3 score: 6.5 (Medium)
    Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type, potentially leading to information disclosure.
  * [CVE-2022-29900](https://nvd.nist.gov/vuln/detail/CVE-2022-29900) CVSSv3 score: 6.5 (Medium)
    Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
  * [CVE-2022-29901](https://nvd.nist.gov/vuln/detail/CVE-2022-29901) CVSSv3 score: 6.5 (Medium)
    Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
#### LTS-2022 3033.3.4
* Linux
  * [CVE-2022-23816](https://nvd.nist.gov/vuln/detail/CVE-2022-23816) CVSSv3 score: n/a
    Mis-trained branch predictions for return instructions may cause some AMD processors to allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
  * [CVE-2022-23825](https://nvd.nist.gov/vuln/detail/CVE-2022-23825) CVSSv3 score: 6.5 (Medium)
    Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type, potentially leading to information disclosure.
  * [CVE-2022-29900](https://nvd.nist.gov/vuln/detail/CVE-2022-29900) CVSSv3 score: 6.5 (Medium)
    Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
  * [CVE-2022-29901](https://nvd.nist.gov/vuln/detail/CVE-2022-29901) CVSSv3 score: 6.5 (Medium)
    Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
#### LTS-2021 2605.30.1
* Linux
  * [CVE-2021-33655](https://nvd.nist.gov/vuln/detail/CVE-2021-33655) CVSSv3 score: 7.8 (High)
    When sending malicious data to the kernel by ioctl cmd FBIOPUT_VSCREENINFO, the kernel will write memory out of bounds.
  * [CVE-2021-33656](https://nvd.nist.gov/vuln/detail/CVE-2021-33656) CVSSv3 score: 7.8 (High)
    When setting a font with malicious data by ioctl cmd PIO_FONT, the kernel will write memory out of bounds.
  * [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318) CVSSv3 score: 5.5 (Medium)
    There are use-after-free vulnerabilities caused by the timer handler in net/rose/rose_timer.c of Linux that allow attackers to crash the Linux kernel without any privileges.
  * [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365) CVSSv3 score: 7.1 (High)
    Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
  * [CVE-2022-32296](https://nvd.nist.gov/vuln/detail/CVE-2022-32296) CVSSv3 score: 3.3 (Low)
    The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.
  * [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740) CVSSv3 score: 7.1 (High)
    Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
  * [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741) CVSSv3 score: 7.1 (High)
    Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
  * [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742) CVSSv3 score: 7.1 (High)
    Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
  * [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744) CVSSv3 score: 4.7 (Medium)
    Arm guests can cause Dom0 DoS via PV devices. When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.
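As an added post-release check (not part of the Flatcar release tooling or of this note), the script below decides from a host's Flatcar version whether it already carries this release's fixes, using the minimum versions listed above, and reads the kernel's own Retbleed report from sysfs. It assumes `VERSION_ID` in `/etc/os-release` holds the Flatcar version; the `retbleed` sysfs entry only exists on kernels that carry the mitigation, so a missing entry is itself a signal.

```shell
#!/bin/sh
# Post-release fleet check (added example, not Flatcar's own tooling).
set -eu

# version_ge A B: succeed when dotted version A is >= B (numeric, three fields).
version_ge() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]
    elif [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]
    else [ "$a3" -ge "$b3" ]
    fi
}

# release_fixed VERSION: print fixed/outdated/unknown. The first field of a
# Flatcar version identifies the release stream; minimum versions are those
# announced in this release (LTS-2021 carries a different CVE set, see above).
release_fixed() {
    case ${1%%.*} in
        3305) min=3305.0.1 ;;   # Alpha
        3277) min=3277.1.1 ;;   # Beta
        3227) min=3227.2.1 ;;   # Stable
        3033) min=3033.3.4 ;;   # LTS-2022
        2605) min=2605.30.1 ;;  # LTS-2021
        *) echo unknown; return 0 ;;
    esac
    if version_ge "$1" "$min"; then echo fixed; else echo outdated; fi
}

# retbleed_status [FILE]: classify the kernel's Retbleed sysfs report.
# "unreported" means the entry is absent, i.e. the running kernel predates
# the mitigation and cannot have the fixes listed above.
retbleed_status() {
    f=${1:-/sys/devices/system/cpu/vulnerabilities/retbleed}
    if [ ! -r "$f" ]; then echo unreported; return 0; fi
    line=$(cat "$f")
    case $line in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_host: report both results for the machine this runs on.
# Assumption: VERSION_ID in /etc/os-release is the Flatcar version.
check_host() {
    ver=$(. /etc/os-release && printf '%s' "$VERSION_ID")
    printf 'flatcar %s: %s\n' "$ver" "$(release_fixed "$ver")"
    printf 'retbleed sysfs report: %s\n' "$(retbleed_status)"
}

if [ "${1:-}" = "--check-host" ]; then check_host; fi
```

Run it as `sh check.sh --check-host` on a node; an "outdated" or "unreported" result means the update has not landed yet (or the update client is held back on that host).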
---
### Communication
#### Twitter
_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases now available for all channels!
🩹 Fix bugs in systemd-networkd, /etc/resolv.conf, openstack cloud-init
🔒 Security: Retbleed fixes in Linux Kernel
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome Flatcar releases:
- Alpha 3305.0.1 (maintenance release)
- Beta 3277.1.1 (maintenance release)
- Stable 3227.2.1 (maintenance release)
- LTS-2022 3033.3.4 (maintenance release)
- LTS-2021 2605.30.1 (maintenance release)
These releases include:
🩹 Fix bugs in systemd-networkd, /etc/resolv.conf, openstack cloud-init
🔒 Retbleed fixes in Linux Kernel
📜 Release notes in usual spot: https://www.flatcar.org/releases/