# Flatcar Container Linux Release - February 7th, 2022
## Flatcar-linux-3139.0.0-Alpha
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All (except AWS)
  - Platforms failed: AWS**
    - Test failed on AWS
      - cl.ignition.v1.btrfsroot
  - Platforms not tested: None
VERDICT: _GO_ / _WAIT_ / _NO-GO_
## Flatcar-linux-3066.1.2-Beta
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All (except AWS)
  - Platforms failed: AWS**
    - Test failed on AWS
      - cl.ignition.v1.btrfsroot
      - cl.ignition.v2.btrfsroot
  - Platforms not tested: None
VERDICT: _GO_ / _WAIT_ / _NO-GO_
## Flatcar-linux-3033.2.2-Stable
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_ / _WAIT_ / _NO-GO_
** The failed tests are flaky and a GitHub issue has been created to reproduce and fix the flaky test: https://github.com/flatcar-linux/Flatcar/issues/621
## Communication
---
#### Guidelines
- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
---
### Announcement Message
Subject: Announcing new Alpha release 3139.0.0, Beta release 3066.1.2, Stable release 3033.2.2
Hello,
We are pleased to announce a new Flatcar Container Linux major release for the Alpha channel, and maintenance releases for Beta and Stable.
New **Alpha** Release **3139.0.0**
_Changes since **Alpha 3127.0.0**_
#### Security fixes
- Linux ([CVE-2021-43976](https://nvd.nist.gov/vuln/detail/CVE-2021-43976), [CVE-2022-0330](https://nvd.nist.gov/vuln/detail/CVE-2022-0330), [CVE-2022-22942](https://nvd.nist.gov/vuln/detail/CVE-2022-22942))
- expat ([CVE-2022-23852](https://nvd.nist.gov/vuln/detail/CVE-2022-23852), [CVE-2022-23990](https://nvd.nist.gov/vuln/detail/CVE-2022-23990))
- glibc ([CVE-2021-3998](https://nvd.nist.gov/vuln/detail/CVE-2021-3998), [CVE-2021-3999](https://nvd.nist.gov/vuln/detail/CVE-2021-3999), [CVE-2022-23218](https://nvd.nist.gov/vuln/detail/CVE-2022-23218), [CVE-2022-23219](https://nvd.nist.gov/vuln/detail/CVE-2022-23219))
- polkit ([CVE-2021-4034](https://nvd.nist.gov/vuln/detail/CVE-2021-4034))
- SDK: Rust ([CVE-2022-21658](https://nvd.nist.gov/vuln/detail/CVE-2022-21658))
#### Bug fixes
- network: Accept ICMPv6 Router Advertisements to fix IPv6 address assignment in the default DHCP setting ([flatcar-linux/init#51](https://github.com/flatcar-linux/init/pull/51), [flatcar-linux/cloudinit#12](https://github.com/flatcar-linux/coreos-cloudinit/pull/12), [flatcar-linux/bootengine#30](https://github.com/flatcar-linux/bootengine/pull/30))
- flatcar-update: Stopped checking for the `USER` environment variable which may not be set in all environments, causing the script to fail unless a workaround was used like prepending an additional `sudo` invocation ([flatcar-linux/init#58](https://github.com/flatcar-linux/init/pull/58))
#### Changes
- Enabled FIPS support for the Linux kernel, which users can now choose through a kernel parameter in `grub.cfg` (verify that it has taken effect with `cat /proc/sys/crypto/fips_enabled`) ([flatcar-linux/coreos-overlay#1602](https://github.com/flatcar-linux/coreos-overlay/pull/1602))
#### Updates
- Linux ([5.15.19](https://lwn.net/Articles/883441)) (from 5.15.16)
- expat ([2.4.4](https://github.com/libexpat/libexpat/blob/R_2_4_4/expat/Changes))
- polkit ([0.120](https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.120/NEWS))
- sbsigntools ([0.9.4](https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/tag/?h=v0.9.4))
- SDK: Rust ([1.58.1](https://github.com/rust-lang/rust/releases/tag/1.58.1))
New **Beta** Release **3066.1.2**
_Changes since **Beta 3066.1.1**_
#### Security fixes
- Linux ([CVE-2021-43976](https://nvd.nist.gov/vuln/detail/CVE-2021-43976), [CVE-2022-0330](https://nvd.nist.gov/vuln/detail/CVE-2022-0330), [CVE-2022-22942](https://nvd.nist.gov/vuln/detail/CVE-2022-22942))
- expat ([CVE-2022-23852](https://nvd.nist.gov/vuln/detail/CVE-2022-23852), [CVE-2022-23990](https://nvd.nist.gov/vuln/detail/CVE-2022-23990))
- glibc ([CVE-2021-3998](https://nvd.nist.gov/vuln/detail/CVE-2021-3998), [CVE-2021-3999](https://nvd.nist.gov/vuln/detail/CVE-2021-3999), [CVE-2022-23218](https://nvd.nist.gov/vuln/detail/CVE-2022-23218), [CVE-2022-23219](https://nvd.nist.gov/vuln/detail/CVE-2022-23219))
- polkit ([CVE-2021-4034](https://nvd.nist.gov/vuln/detail/CVE-2021-4034))
#### Bug fixes
- SDK: Fixed build error popping up in the new SDK Container because `policycoreutils` used the wrong ROOT to update the SELinux store ([flatcar-linux/coreos-overlay#1502](https://github.com/flatcar-linux/coreos-overlay/pull/1502))
- Fixed leak of SELinux policy store to the root filesystem top directory due to wrong store path in `policycoreutils` instead of `/var/lib/selinux` ([flatcar-linux/Flatcar#596](https://github.com/flatcar-linux/Flatcar/issues/596))
#### Updates
- Linux ([5.10.96](https://lwn.net/Articles/883442)) (from 5.10.93)
- Linux Firmware ([20211216](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20211216))
- expat ([2.4.4](https://github.com/libexpat/libexpat/blob/R_2_4_4/expat/Changes))
New **Stable** Release **3033.2.2**
_Changes since **Stable 3033.2.1**_
#### Security fixes
- Linux ([CVE-2021-43976](https://nvd.nist.gov/vuln/detail/CVE-2021-43976), [CVE-2022-0330](https://nvd.nist.gov/vuln/detail/CVE-2022-0330), [CVE-2022-22942](https://nvd.nist.gov/vuln/detail/CVE-2022-22942))
- expat ([CVE-2022-23852](https://nvd.nist.gov/vuln/detail/CVE-2022-23852), [CVE-2022-23990](https://nvd.nist.gov/vuln/detail/CVE-2022-23990))
- glibc ([CVE-2021-3998](https://nvd.nist.gov/vuln/detail/CVE-2021-3998), [CVE-2021-3999](https://nvd.nist.gov/vuln/detail/CVE-2021-3999), [CVE-2022-23218](https://nvd.nist.gov/vuln/detail/CVE-2022-23218), [CVE-2022-23219](https://nvd.nist.gov/vuln/detail/CVE-2022-23219))
- polkit ([CVE-2021-4034](https://nvd.nist.gov/vuln/detail/CVE-2021-4034))
#### Bug fixes
- SDK: Fixed build error popping up in the new SDK Container because `policycoreutils` used the wrong ROOT to update the SELinux store ([flatcar-linux/coreos-overlay#1502](https://github.com/flatcar-linux/coreos-overlay/pull/1502))
- Fixed leak of SELinux policy store to the root filesystem top directory due to wrong store path in `policycoreutils` instead of `/var/lib/selinux` ([flatcar-linux/Flatcar#596](https://github.com/flatcar-linux/Flatcar/issues/596))
#### Updates
- Linux ([5.10.96](https://lwn.net/Articles/883442)) (from 5.10.93)
- Linux Firmware ([20211216](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20211216))
- expat ([2.4.4](https://github.com/libexpat/libexpat/blob/R_2_4_4/expat/Changes))
Best,
The Flatcar Container Linux Maintainers
---
### Security
#### Alpha
* Linux
  * [CVE-2021-43976](https://nvd.nist.gov/vuln/detail/CVE-2021-43976) CVSSv3 score: 4.6 (Medium)
    In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
  * [CVE-2022-0330](https://nvd.nist.gov/vuln/detail/CVE-2022-0330) CVSSv3 score: 7.0 (High)
    A random memory access flaw was found in the Linux kernel’s GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.
  * [CVE-2022-22942](https://nvd.nist.gov/vuln/detail/CVE-2022-22942) CVSSv3 score: 7.0 (High)
    A use-after-free flaw was found in the Linux kernel’s vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in vmwgfx. This flaw allows a local attacker with user privileges to cause a privilege escalation problem.
* SDK: Rust
  * [CVE-2022-21658](https://nvd.nist.gov/vuln/detail/CVE-2022-21658) CVSSv3 score: 6.3 (Medium)
    Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
* expat
  * [CVE-2022-23852](https://nvd.nist.gov/vuln/detail/CVE-2022-23852) CVSSv3 score: 9.8 (Critical)
    Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
  * [CVE-2022-23990](https://nvd.nist.gov/vuln/detail/CVE-2022-23990) CVSSv3 score: 9.8 (Critical)
    Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
* glibc
  * [CVE-2021-3998](https://nvd.nist.gov/vuln/detail/CVE-2021-3998) CVSSv3 score: 5.9 (Medium)
    A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.
  * [CVE-2021-3999](https://nvd.nist.gov/vuln/detail/CVE-2021-3999) CVSSv3 score: 7.4 (Medium)
    A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.
  * [CVE-2022-23218](https://nvd.nist.gov/vuln/detail/CVE-2022-23218) CVSSv3 score: 9.8 (Critical)
    The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
  * [CVE-2022-23219](https://nvd.nist.gov/vuln/detail/CVE-2022-23219) CVSSv3 score: 9.8 (Critical)
    The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
* polkit
  * [CVE-2021-4034](https://nvd.nist.gov/vuln/detail/CVE-2021-4034) CVSSv3 score: 7.8 (High)
    A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it'll induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.
#### Beta
* Linux
  * [CVE-2021-43976](https://nvd.nist.gov/vuln/detail/CVE-2021-43976) CVSSv3 score: 4.6 (Medium)
    In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
  * [CVE-2022-0330](https://nvd.nist.gov/vuln/detail/CVE-2022-0330) CVSSv3 score: 7.0 (High)
    A random memory access flaw was found in the Linux kernel’s GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.
  * [CVE-2022-22942](https://nvd.nist.gov/vuln/detail/CVE-2022-22942) CVSSv3 score: 7.0 (High)
    A use-after-free flaw was found in the Linux kernel’s vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in vmwgfx. This flaw allows a local attacker with user privileges to cause a privilege escalation problem.
* expat
  * [CVE-2022-23852](https://nvd.nist.gov/vuln/detail/CVE-2022-23852) CVSSv3 score: 9.8 (Critical)
    Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
  * [CVE-2022-23990](https://nvd.nist.gov/vuln/detail/CVE-2022-23990) CVSSv3 score: 9.8 (Critical)
    Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
* glibc
  * [CVE-2021-3998](https://nvd.nist.gov/vuln/detail/CVE-2021-3998) CVSSv3 score: 5.9 (Medium)
    A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.
  * [CVE-2021-3999](https://nvd.nist.gov/vuln/detail/CVE-2021-3999) CVSSv3 score: 7.4 (Medium)
    A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.
  * [CVE-2022-23218](https://nvd.nist.gov/vuln/detail/CVE-2022-23218) CVSSv3 score: 9.8 (Critical)
    The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
  * [CVE-2022-23219](https://nvd.nist.gov/vuln/detail/CVE-2022-23219) CVSSv3 score: 9.8 (Critical)
    The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
* polkit
  * [CVE-2021-4034](https://nvd.nist.gov/vuln/detail/CVE-2021-4034) CVSSv3 score: 7.8 (High)
    A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it'll induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.
#### Stable
* Linux
  * [CVE-2021-43976](https://nvd.nist.gov/vuln/detail/CVE-2021-43976) CVSSv3 score: 4.6 (Medium)
    In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
  * [CVE-2022-0330](https://nvd.nist.gov/vuln/detail/CVE-2022-0330) CVSSv3 score: 7.0 (High)
    A random memory access flaw was found in the Linux kernel’s GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.
  * [CVE-2022-22942](https://nvd.nist.gov/vuln/detail/CVE-2022-22942) CVSSv3 score: 7.0 (High)
    A use-after-free flaw was found in the Linux kernel’s vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in vmwgfx. This flaw allows a local attacker with user privileges to cause a privilege escalation problem.
* expat
  * [CVE-2022-23852](https://nvd.nist.gov/vuln/detail/CVE-2022-23852) CVSSv3 score: 9.8 (Critical)
    Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
  * [CVE-2022-23990](https://nvd.nist.gov/vuln/detail/CVE-2022-23990) CVSSv3 score: 9.8 (Critical)
    Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
* glibc
  * [CVE-2021-3998](https://nvd.nist.gov/vuln/detail/CVE-2021-3998) CVSSv3 score: 5.9 (Medium)
    A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.
  * [CVE-2021-3999](https://nvd.nist.gov/vuln/detail/CVE-2021-3999) CVSSv3 score: 7.4 (Medium)
    A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.
  * [CVE-2022-23218](https://nvd.nist.gov/vuln/detail/CVE-2022-23218) CVSSv3 score: 9.8 (Critical)
    The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
  * [CVE-2022-23219](https://nvd.nist.gov/vuln/detail/CVE-2022-23219) CVSSv3 score: 9.8 (Critical)
    The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
* polkit
  * [CVE-2021-4034](https://nvd.nist.gov/vuln/detail/CVE-2021-4034) CVSSv3 score: 7.8 (High)
    A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it'll induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.
---
### Twitter
_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases now available for Alpha+Beta+Stable!
📦 Many package updates: polkit, expat, Rust
🔒 CVE fixes & security patches: polkit, glibc, expat
📜 Release notes at the usual spot: https://www.flatcar.org/releases/