# Flatcar Container Linux Release - March 6th
## Alpha 3535.0.0
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_
## Beta 3510.1.0
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_
## Stable 3374.2.5
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_
## LTS-2022 3033.3.10
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
VERDICT: _GO_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
---
### Announcement Message
Subject: Announcing new releases Alpha 3535.0.0, Beta 3510.1.0, Stable 3374.2.5, LTS-2022 3033.3.10
Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable and LTS channels.
#### New Alpha Release 3535.0.0
_Changes since **Alpha 3510.0.0**_
#### Security fixes:
- Linux ([CVE-2022-2196](https://nvd.nist.gov/vuln/detail/CVE-2022-2196), [CVE-2022-27672](https://nvd.nist.gov/vuln/detail/CVE-2022-27672), [CVE-2022-3707](https://nvd.nist.gov/vuln/detail/CVE-2022-3707), [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078), [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545))
- Go ([CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723), [CVE-2022-41724](https://nvd.nist.gov/vuln/detail/CVE-2022-41724), [CVE-2022-41725](https://nvd.nist.gov/vuln/detail/CVE-2022-41725))
- OpenSSH ([CVE-2023-25136](https://nvd.nist.gov/vuln/detail/CVE-2023-25136))
- OpenSSL ([CVE-2022-4203](https://nvd.nist.gov/vuln/detail/CVE-2022-4203), [CVE-2022-4304](https://nvd.nist.gov/vuln/detail/CVE-2022-4304), [CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450), [CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215), [CVE-2023-0216](https://nvd.nist.gov/vuln/detail/CVE-2023-0216), [CVE-2023-0217](https://nvd.nist.gov/vuln/detail/CVE-2023-0217), [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286), [CVE-2023-0401](https://nvd.nist.gov/vuln/detail/CVE-2023-0401))
- containerd ([CVE-2023-25153](https://nvd.nist.gov/vuln/detail/CVE-2023-25153), [CVE-2023-25173](https://nvd.nist.gov/vuln/detail/CVE-2023-25173))
- e2fsprogs ([CVE-2022-1304](https://nvd.nist.gov/vuln/detail/CVE-2022-1304))
- intel-microcode ([CVE-2022-21216](https://nvd.nist.gov/vuln/detail/CVE-2022-21216), [CVE-2022-33196](https://nvd.nist.gov/vuln/detail/CVE-2022-33196), [CVE-2022-38090](https://nvd.nist.gov/vuln/detail/CVE-2022-38090))
- less ([CVE-2022-46663](https://nvd.nist.gov/vuln/detail/CVE-2022-46663))
- torcx ([CVE-2022-32149](https://nvd.nist.gov/vuln/detail/CVE-2022-32149))
- SDK: dnsmasq ([CVE-2022-0934](https://nvd.nist.gov/vuln/detail/CVE-2022-0934))
#### Bug fixes:
- Excluded the special Kubernetes network interfaces `nodelocaldns` and `kube-ipvs0` from management by systemd-networkd, which interfered with their setup ([init#89](https://github.com/flatcar/init/pull/89)).
#### Changes:
- Added a new `flatcar-reset` tool and boot logic for selective OS resets to reconfigure the system with Ignition while avoiding config drift ([bootengine#55](https://github.com/flatcar/bootengine/pull/55), [init#91](https://github.com/flatcar/init/pull/91))
- On boot, any file in `/etc` that is identical to the default provided by the booted `/usr/share/flatcar/etc` (the lower layer of the overlay mount on `/etc`) is deleted, so that future updates to `/usr/share/flatcar/etc` are propagated. To opt out, create `/etc/.no-dup-update`; do this if you want to keep an unmodified config file as is, or if you are concerned that a future Flatcar version may ship the same file content as your copy, at which point your copy would be cleaned up and any later Flatcar changes to that file would take effect ([bootengine#54](https://github.com/flatcar/bootengine/pull/54))
- Switched systemd log reporting to a combined format that shows the unit description, as before, together with the unit name, so that the unit is easier to find ([coreos-overlay#2436](https://github.com/flatcar/coreos-overlay/pull/2436))
- `/etc` is now set up as an overlayfs mount, with the original `/etc` directory serving as the store for changed files and directories and `/usr/share/flatcar/etc` providing the lower default directory tree ([bootengine#53](https://github.com/flatcar/bootengine/pull/53), [scripts#666](https://github.com/flatcar/scripts/pull/666))
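An added illustration, not bootengine's own code, of the cleanup rule described for bootengine#54 above: `pruneDuplicates` removes upper-layer files that are byte-identical to their default in the lower tree, keeps edited and local-only files, and does nothing when `.no-dup-update` exists in the upper layer; `demo` builds constructed `lower`/`upper` directories under a temp dir that stand in for `/usr/share/flatcar/etc` and `/etc`. Comparison by file content and the flat directory layout are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// optOutMarker is the file named in the release note; if it exists in the upper /etc, nothing is removed.
const optOutMarker = ".no-dup-update"

// pruneDuplicates walks upperDir (the writable store behind /etc) and removes every regular
// file whose content is byte-for-byte identical to the file at the same relative path in
// lowerDir (the /usr/share/flatcar/etc defaults). Edited files and files with no default
// counterpart are kept. It returns the relative paths it removed. (Assumed rule, see lead-in.)
func pruneDuplicates(upperDir, lowerDir string) ([]string, error) {
	if _, err := os.Stat(filepath.Join(upperDir, optOutMarker)); err == nil {
		return nil, nil // operator opted out: keep every local copy as is
	}
	var removed []string
	err := filepath.WalkDir(upperDir, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip directories, symlinks, devices
		}
		rel, err := filepath.Rel(upperDir, path)
		if err != nil {
			return err
		}
		upper, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		lower, err := os.ReadFile(filepath.Join(lowerDir, rel))
		if os.IsNotExist(err) || (err == nil && !bytes.Equal(upper, lower)) {
			return nil // local-only file, or locally modified: the copy must survive
		}
		if err != nil {
			return err
		}
		// Identical to the default: drop the copy so the lower layer shows through again.
		if err := os.Remove(path); err != nil {
			return err
		}
		removed = append(removed, rel)
		return nil
	})
	return removed, err
}

// must aborts the demo on a setup error; it is not part of the pruning logic.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

func writeFile(path, content string) {
	must(os.MkdirAll(filepath.Dir(path), 0o755))
	must(os.WriteFile(path, []byte(content), 0o644))
}

// demo builds a constructed lower/upper pair in a temp dir: "motd" is an unchanged copy of
// the default, "hosts" was edited locally and "issue" exists only in the upper layer. It
// returns comma-joined lists of what pruning removed and what remains in the upper layer.
func demo(optOut bool) (removed, remaining string) {
	root, err := os.MkdirTemp("", "etc-overlay-demo")
	must(err)
	defer os.RemoveAll(root)
	lower, upper := filepath.Join(root, "lower"), filepath.Join(root, "upper")
	writeFile(filepath.Join(lower, "motd"), "Welcome to Flatcar\n")
	writeFile(filepath.Join(upper, "motd"), "Welcome to Flatcar\n")
	writeFile(filepath.Join(lower, "hosts"), "127.0.0.1 localhost\n")
	writeFile(filepath.Join(upper, "hosts"), "127.0.0.1 localhost\n10.0.0.5 db\n")
	writeFile(filepath.Join(upper, "issue"), "site banner\n")
	if optOut {
		writeFile(filepath.Join(upper, optOutMarker), "")
	}
	gone, err := pruneDuplicates(upper, lower)
	must(err)
	entries, err := os.ReadDir(upper) // sorted by name
	must(err)
	var left []string
	for _, e := range entries {
		left = append(left, e.Name())
	}
	return strings.Join(gone, ","), strings.Join(left, ",")
}

func main() {
	for _, optOut := range []bool{false, true} {
		removed, remaining := demo(optOut)
		fmt.Printf("opt-out=%v removed=[%s] remaining=[%s]\n", optOut, removed, remaining)
	}
}
```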
#### Updates:
- Linux ([5.15.98](https://lwn.net/Articles/925080) (includes [5.15.97](https://lwn.net/Articles/925064), [5.15.96](https://lwn.net/Articles/924441), [5.15.95](https://lwn.net/Articles/924073), [5.15.94](https://lwn.net/Articles/923308), [5.15.93](https://lwn.net/Articles/922814)))
- Go ([1.19.6](https://go.dev/doc/devel/release#go1.19.6))
- Linux Firmware ([20230210](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20230210))
- OpenSSH ([9.2](http://www.openssh.com/releasenotes.html#9.2))
- OpenSSL ([3.0.8](https://github.com/openssl/openssl/blob/openssl-3.0.8/NEWS.md#major-changes-between-openssl-307-and-openssl-308-7-feb-2023))
- btrfs-progs ([6.0.2](https://btrfs.readthedocs.io/en/latest/CHANGES.html#btrfs-progs-6-0-2-2022-11-24), includes [6.0](https://btrfs.readthedocs.io/en/latest/CHANGES.html#btrfs-progs-6-0-2022-10-11))
- containerd ([1.6.19](https://github.com/containerd/containerd/releases/tag/v1.6.19) (includes [1.6.18](https://github.com/containerd/containerd/releases/tag/v1.6.18)))
- e2fsprogs ([1.46.6](https://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.6))
- findutils ([4.9.0](https://lists.gnu.org/archive/html/info-gnu/2022-02/msg00003.html))
- ignition ([2.15.0](https://coreos.github.io/ignition/release-notes/#ignition-2150-2023-02-21))
- intel-microcode ([20230214](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214))
- iputils ([20221126](https://github.com/iputils/iputils/releases/tag/20221126))
- less ([608](http://www.greenwoodsoftware.com/less/news.608.html))
- libpcre2 ([10.42](https://github.com/PCRE2Project/pcre2/blob/pcre2-10.42/NEWS))
- strace ([6.1](https://github.com/strace/strace/releases/tag/v6.1))
- SDK: cmake ([3.25.2](https://cmake.org/cmake/help/v3.25/release/3.25.html))
- SDK: dnsmasq ([2.89](https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q1/016859.html))
- SDK: python ([3.10.9](https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-9-final) (includes [3.10](https://www.python.org/downloads/release/python-3100/)))
- SDK: Rust ([1.67.1](https://github.com/rust-lang/rust/releases/tag/1.67.1))
#### New Beta Release 3510.1.0
_Changes since **Beta 3493.1.0**_
#### Security fixes:
- Linux ([CVE-2022-2196](https://nvd.nist.gov/vuln/detail/CVE-2022-2196), [CVE-2022-27672](https://nvd.nist.gov/vuln/detail/CVE-2022-27672), [CVE-2022-3707](https://nvd.nist.gov/vuln/detail/CVE-2022-3707), [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078), [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545))
- curl ([CVE-2022-43551](https://nvd.nist.gov/vuln/detail/CVE-2022-43551), [CVE-2022-43552](https://nvd.nist.gov/vuln/detail/CVE-2022-43552))
- sudo ([CVE-2023-22809](https://nvd.nist.gov/vuln/detail/CVE-2023-22809))
- vim ([CVE-2023-0049](https://nvd.nist.gov/vuln/detail/CVE-2023-0049), [CVE-2023-0051](https://nvd.nist.gov/vuln/detail/CVE-2023-0051), [CVE-2023-0054](https://nvd.nist.gov/vuln/detail/CVE-2023-0054))
- SDK: qemu ([CVE-2022-4172](https://nvd.nist.gov/vuln/detail/CVE-2022-4172))
#### Bug fixes:
- Excluded the special Kubernetes network interfaces `nodelocaldns` and `kube-ipvs0` from management by systemd-networkd, which interfered with their setup ([init#89](https://github.com/flatcar/init/pull/89)).
#### Updates:
- Linux ([5.15.98](https://lwn.net/Articles/925080) (includes [5.15.97](https://lwn.net/Articles/925064), [5.15.96](https://lwn.net/Articles/924441), [5.15.95](https://lwn.net/Articles/924073), [5.15.94](https://lwn.net/Articles/923308), [5.15.93](https://lwn.net/Articles/922814)))
- Docker ([20.10.23](https://docs.docker.com/engine/release-notes/#201023))
- bind tools ([9.16.36](https://bind9.readthedocs.io/en/v9_16_36/notes.html#notes-for-bind-9-16-36) (includes [9.16.34](https://bind9.readthedocs.io/en/v9_16_35/notes.html#notes-for-bind-9-16-34) and [9.16.35](https://bind9.readthedocs.io/en/v9_16_34/notes.html#notes-for-bind-9-16-35)))
- bpftool ([5.19.12](https://lwn.net/Articles/909678/))
- ca-certificates ([3.88.1](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_88_1.html))
- containerd ([1.6.16](https://github.com/containerd/containerd/releases/tag/v1.6.16))
- curl ([7.87.0](https://curl.se/changes.html#7_87_0))
- git ([2.39.1](https://github.com/git/git/blob/v2.39.1/Documentation/RelNotes/2.39.1.txt) (includes [2.39.0](https://github.com/git/git/blob/v2.39.0/Documentation/RelNotes/2.39.0.txt)))
- iptables ([1.8.8](https://www.netfilter.org/projects/iptables/files/changes-iptables-1.8.8.txt))
- sudo ([1.9.12_p2](https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p2))
- systemd ([252.5](https://github.com/systemd/systemd-stable/releases/tag/v252.5))
- vim ([9.0.1157](https://github.com/vim/vim/releases/tag/v9.0.1157))
- XZ utils ([5.4.1](https://github.com/tukaani-project/xz/releases/tag/v5.4.1) (includes [5.4.0](https://github.com/tukaani-project/xz/releases/tag/v5.4.0)))
- SDK: boost ([1.81.0](https://www.boost.org/users/history/version_1_81_0.html))
- SDK: file ([5.44](https://github.com/file/file/blob/FILE5_44/ChangeLog))
- SDK: portage ([3.0.43](https://github.com/gentoo/portage/blob/portage-3.0.43/NEWS) (includes [3.0.42](https://github.com/gentoo/portage/blob/portage-3.0.42/NEWS)))
- SDK: qemu ([7.2.0](https://wiki.qemu.org/ChangeLog/7.2))
- SDK: Rust ([1.67.0](https://github.com/rust-lang/rust/releases/tag/1.67.0))
_Changes since **Alpha 3510.0.0**_
#### Security fixes:
- Linux ([CVE-2022-2196](https://nvd.nist.gov/vuln/detail/CVE-2022-2196), [CVE-2022-27672](https://nvd.nist.gov/vuln/detail/CVE-2022-27672), [CVE-2022-3707](https://nvd.nist.gov/vuln/detail/CVE-2022-3707), [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078), [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545))
#### Bug fixes:
- Excluded the special Kubernetes network interfaces `nodelocaldns` and `kube-ipvs0` from management by systemd-networkd, which interfered with their setup ([init#89](https://github.com/flatcar/init/pull/89)).
#### Updates:
- Linux ([5.15.98](https://lwn.net/Articles/925080) (includes [5.15.97](https://lwn.net/Articles/925064), [5.15.96](https://lwn.net/Articles/924441), [5.15.95](https://lwn.net/Articles/924073), [5.15.94](https://lwn.net/Articles/923308), [5.15.93](https://lwn.net/Articles/922814)))
#### New Stable Release 3374.2.5
_Changes since **Stable 3374.2.4**_
#### Security fixes:
- Linux ([CVE-2022-4129](https://nvd.nist.gov/vuln/detail/CVE-2022-4129), [CVE-2022-4382](https://nvd.nist.gov/vuln/detail/CVE-2022-4382), [CVE-2022-4842](https://nvd.nist.gov/vuln/detail/CVE-2022-4842), [CVE-2023-1073](https://nvd.nist.gov/vuln/detail/CVE-2023-1073), [CVE-2023-1074](https://nvd.nist.gov/vuln/detail/CVE-2023-1074), [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559))
#### Bug fixes:
- Excluded the special Kubernetes network interfaces `nodelocaldns` and `kube-ipvs0` from management by systemd-networkd, which interfered with their setup ([init#89](https://github.com/flatcar/init/pull/89)).
#### Updates:
- Linux ([5.15.92](https://lwn.net/Articles/922340) (includes [5.15.91](https://lwn.net/Articles/921851), [5.15.90](https://lwn.net/Articles/921029)))
#### New LTS-2022 Release 3033.3.10
_Changes since **LTS 3033.3.9**_
#### Security fixes:
- Linux ([CVE-2022-2196](https://nvd.nist.gov/vuln/detail/CVE-2022-2196), [CVE-2022-3707](https://nvd.nist.gov/vuln/detail/CVE-2022-3707), [CVE-2022-4129](https://nvd.nist.gov/vuln/detail/CVE-2022-4129), [CVE-2022-4382](https://nvd.nist.gov/vuln/detail/CVE-2022-4382), [CVE-2023-1073](https://nvd.nist.gov/vuln/detail/CVE-2023-1073), [CVE-2023-1074](https://nvd.nist.gov/vuln/detail/CVE-2023-1074), [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078), [CVE-2023-22998](https://nvd.nist.gov/vuln/detail/CVE-2023-22998), [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559), [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545))
#### Updates:
- Linux ([5.10.172](https://lwn.net/Articles/925079) (includes [5.10.171](https://lwn.net/Articles/925065), [5.10.170](https://lwn.net/Articles/924440), [5.10.169](https://lwn.net/Articles/924074), [5.10.168](https://lwn.net/Articles/923395), [5.10.167](https://lwn.net/Articles/922341), [5.10.166](https://lwn.net/Articles/921852), [5.10.165](https://lwn.net/Articles/921030)))
- ca-certificates ([3.88.1](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_88_1.html))
Best,
The Flatcar Container Linux Maintainers
---
### Security
**Subject**: Security issues fixed with the latest Alpha 3535.0.0, Beta 3510.1.0, Stable 3374.2.5, LTS-2022 3033.3.10 releases
**Security fix**: With the Alpha 3535.0.0, Beta 3510.1.0, Stable 3374.2.5, LTS-2022 3033.3.10 releases we ship fixes for the CVEs listed below.
#### Alpha 3535.0.0
* Go
* [CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) CVSSv3 score: n/a
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
* [CVE-2022-41724](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) CVSSv3 score: n/a
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
* [CVE-2022-41725](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) CVSSv3 score: n/a
A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. 
Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.
* Linux
* [CVE-2022-2196](https://nvd.nist.gov/vuln/detail/CVE-2022-2196) CVSSv3 score: 8.8(High)
A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a.
* [CVE-2022-27672](https://nvd.nist.gov/vuln/detail/CVE-2022-27672) CVSSv3 score: n/a
When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.
* [CVE-2022-3707](https://nvd.nist.gov/vuln/detail/CVE-2022-3707) CVSSv3 score: n/a
A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.
* [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078) CVSSv3 score: n/a
* [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545) CVSSv3 score: 7.8(High)
In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
* OpenSSH
* [CVE-2023-25136](https://nvd.nist.gov/vuln/detail/CVE-2023-25136) CVSSv3 score: 9.8(Critical)
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
* OpenSSL
* [CVE-2022-4203](https://nvd.nist.gov/vuln/detail/CVE-2022-4203) CVSSv3 score: 9.1(Critical)
A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. The read buffer overrun might result in a crash which could lead to a denial of service attack. In theory it could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext) although we are not aware of any working exploit leading to memory contents disclosure as of the time of release of this advisory. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
* [CVE-2022-4304](https://nvd.nist.gov/vuln/detail/CVE-2022-4304) CVSSv3 score: 5.9(Medium)
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
* [CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) CVSSv3 score: 7.5(High)
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
* [CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) CVSSv3 score: 7.5(High)
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.
* [CVE-2023-0216](https://nvd.nist.gov/vuln/detail/CVE-2023-0216) CVSSv3 score: 7.5(High)
An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data.
* [CVE-2023-0217](https://nvd.nist.gov/vuln/detail/CVE-2023-0217) CVSSv3 score: 7.5(High)
An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack. The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3.
* [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) CVSSv3 score: 7.4(High)
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
* [CVE-2023-0401](https://nvd.nist.gov/vuln/detail/CVE-2023-0401) CVSSv3 score: 7.5(High)
A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data.
* SDK: dnsmasq
* [CVE-2022-0934](https://nvd.nist.gov/vuln/detail/CVE-2022-0934) CVSSv3 score: 7.5(High)
A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends a crafted packet that is processed by dnsmasq to potentially cause a denial of service.
* containerd
* [CVE-2023-25153](https://nvd.nist.gov/vuln/detail/CVE-2023-25153) CVSSv3 score: 5.5(Medium)
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
* [CVE-2023-25173](https://nvd.nist.gov/vuln/detail/CVE-2023-25173) CVSSv3 score: 7.8(High)
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.
* e2fsprogs
* [CVE-2022-1304](https://nvd.nist.gov/vuln/detail/CVE-2022-1304) CVSSv3 score: 7.8(High)
An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
* intel-microcode
* [CVE-2022-21216](https://nvd.nist.gov/vuln/detail/CVE-2022-21216) CVSSv3 score: 6.8(Medium)
Insufficient granularity of access control in out-of-band management in some Intel(R) Atom and Intel Xeon Scalable Processors may allow a privileged user to potentially enable escalation of privilege via adjacent network access.
* [CVE-2022-33196](https://nvd.nist.gov/vuln/detail/CVE-2022-33196) CVSSv3 score: 6.7(Medium)
Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable escalation of privilege via local access.
* [CVE-2022-38090](https://nvd.nist.gov/vuln/detail/CVE-2022-38090) CVSSv3 score: 4.4(Medium)
Improper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.
* less
* [CVE-2022-46663](https://nvd.nist.gov/vuln/detail/CVE-2022-46663) CVSSv3 score: 7.5(High)
In GNU Less before 609, crafted data can result in "less -R" not filtering ANSI escape sequences sent to the terminal.
* torcx
* [CVE-2022-32149](https://nvd.nist.gov/vuln/detail/CVE-2022-32149) CVSSv3 score: 7.5(High)
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
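The mitigation named for CVE-2022-41725 above, as an added example that is not part of the release note or of Flatcar: a Go upload handler that wraps the request body in `http.MaxBytesReader` before calling `ParseMultipartForm`, so the cap applies to the whole body (and hence to temporary-file use) rather than only to the in-memory portion, plus a constructed in-process driver `postMultipart` that submits a small and an oversized form. The 1 MiB body cap and 64 KiB in-memory limit are values chosen for the demonstration, not Go or Flatcar defaults.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Limits chosen for this example; they are not Flatcar or Go defaults.
const (
	maxBodyBytes   = 1 << 20  // cap on the whole request body, enforced by http.MaxBytesReader
	maxMemoryBytes = 64 << 10 // what ParseMultipartForm may keep in memory; larger parts spill to disk
)

// uploadHandler accepts a multipart form with one "file" part and reports how many bytes
// it consumed. Because the body is wrapped in http.MaxBytesReader before parsing, a crafted
// form cannot drive ReadForm into unbounded memory or temporary-file consumption: the
// reader returns *http.MaxBytesError once the cap is exceeded and parsing stops there.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)

	if err := r.ParseMultipartForm(maxMemoryBytes); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad multipart form", http.StatusBadRequest)
		return
	}
	// Remove any temporary files ReadForm created for parts that spilled to disk.
	defer r.MultipartForm.RemoveAll()

	f, _, err := r.FormFile("file")
	if err != nil {
		http.Error(w, "missing file part", http.StatusBadRequest)
		return
	}
	defer f.Close()
	n, err := io.Copy(io.Discard, f)
	if err != nil {
		http.Error(w, "read failed", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", n)
}

// postMultipart builds a constructed multipart/form-data request carrying one "file" part
// of fileSize bytes, runs it through uploadHandler in-process and returns the status code
// and response body. No network is involved.
func postMultipart(fileSize int) (int, string) {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	part, err := mw.CreateFormFile("file", "blob.bin")
	if err != nil {
		panic(err)
	}
	part.Write(bytes.Repeat([]byte{'A'}, fileSize))
	mw.Close()

	req := httptest.NewRequest(http.MethodPost, "/upload", &body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	code, resp := postMultipart(1000)
	fmt.Printf("1000-byte part: %d %q\n", code, resp)
	code, resp = postMultipart(2 << 20)
	fmt.Printf("2 MiB part:     %d %q\n", code, resp)
}
```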
#### Beta 3510.1.0
* Linux
* [CVE-2022-2196](https://nvd.nist.gov/vuln/detail/CVE-2022-2196) CVSSv3 score: 8.8(High)
A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a.
* [CVE-2022-27672](https://nvd.nist.gov/vuln/detail/CVE-2022-27672) CVSSv3 score: n/a
When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.
* [CVE-2022-3707](https://nvd.nist.gov/vuln/detail/CVE-2022-3707) CVSSv3 score: n/a
A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.
* [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078) CVSSv3 score: n/a
* [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545) CVSSv3 score: 7.8(High)
In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
* SDK: qemu
* [CVE-2022-4172](https://nvd.nist.gov/vuln/detail/CVE-2022-4172) CVSSv3 score: 6.5(Medium)
Integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.
* curl
* [CVE-2022-43551](https://nvd.nist.gov/vuln/detail/CVE-2022-43551) CVSSv3 score: 7.5(High)
A vulnerability exists in the HSTS check of curl <7.87.0 that could be bypassed to trick it into keeping HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is given in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced by their ASCII counterparts as part of the IDN conversion, for example the character U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop U+002E `.`. In a subsequent request curl then does not detect the HSTS state and makes a clear-text transfer, because it stores the information IDN-encoded but looks it up IDN-decoded.
* [CVE-2022-43552](https://nvd.nist.gov/vuln/detail/CVE-2022-43552) CVSSv3 score: 5.9(Medium)
A use-after-free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When the tunnel is denied for the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.
* sudo
* [CVE-2023-22809](https://nvd.nist.gov/vuln/detail/CVE-2023-22809) CVSSv3 score: 7.8(High)
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
* vim
* [CVE-2023-0049](https://nvd.nist.gov/vuln/detail/CVE-2023-0049) CVSSv3 score: 7.8(High)
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.
* [CVE-2023-0051](https://nvd.nist.gov/vuln/detail/CVE-2023-0051) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.
* [CVE-2023-0054](https://nvd.nist.gov/vuln/detail/CVE-2023-0054) CVSSv3 score: 7.8(High)
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.
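The HSTS lookup mismatch described under CVE-2022-43551 above, modelled as an added example (not curl's code): the naive lookup uses the host exactly as written in the URL, while the fixed lookup canonicalises it to its IDNA ASCII form first, so every spelling of a host resolves to the same cache entry. The cache contents and its host-to-expiry layout are constructed for illustration.

```python
import time

# Constructed sample: one HSTS entry learned from an earlier HTTPS response,
# keyed by the ASCII host name (curl's real cache format is not reproduced).
HSTS_CACHE = {"example.com": time.time() + 3600}  # host -> expiry timestamp


def to_ascii_host(host: str) -> str:
    """Canonicalise a host name to its lower-cased IDNA (ASCII) form.

    Python's idna codec treats U+3002, U+FF0E and U+FF61 as label separators,
    so 'example\u3002com' becomes 'example.com' just like the ASCII spelling.
    """
    return host.encode("idna").decode("ascii").lower()


def hsts_applies_naive(host: str) -> bool:
    """Vulnerable pattern: look the host up as written in the URL.

    The entry was stored under the ASCII form, so an IDN spelling of the same
    host misses the cache and the request stays on clear-text HTTP.
    """
    expiry = HSTS_CACHE.get(host)
    return expiry is not None and expiry > time.time()


def hsts_applies_fixed(host: str) -> bool:
    """Hardened pattern: canonicalise before the lookup (and store under the
    same canonical key), so store and lookup can never disagree."""
    expiry = HSTS_CACHE.get(to_ascii_host(host))
    return expiry is not None and expiry > time.time()


def pick_scheme(url_scheme: str, host: str, check) -> str:
    """Upgrade http:// to https:// only when the given HSTS check applies."""
    if url_scheme == "http" and check(host):
        return "https"
    return url_scheme


if __name__ == "__main__":
    idn_host = "example\u3002com"  # constructed: IDEOGRAPHIC FULL STOP as separator
    print("naive:", pick_scheme("http", idn_host, hsts_applies_naive))  # http
    print("fixed:", pick_scheme("http", idn_host, hsts_applies_fixed))  # https
```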
#### Stable 3374.2.5
* Linux
* [CVE-2022-4129](https://nvd.nist.gov/vuln/detail/CVE-2022-4129) CVSSv3 score: 5.5(Medium)
A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.
* [CVE-2022-4382](https://nvd.nist.gov/vuln/detail/CVE-2022-4382) CVSSv3 score: 6.4(Medium)
A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side.
* [CVE-2022-4842](https://nvd.nist.gov/vuln/detail/CVE-2022-4842) CVSSv3 score: 5.5(Medium)
A NULL pointer dereference flaw was found in the Linux kernel NTFS3 driver function attr_punch_hole(). A local user could use this flaw to crash the system.
* [CVE-2023-1073](https://nvd.nist.gov/vuln/detail/CVE-2023-1073) CVSSv3 score: n/a
* [CVE-2023-1074](https://nvd.nist.gov/vuln/detail/CVE-2023-1074) CVSSv3 score: n/a
* [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559) CVSSv3 score: 7.8(High)
In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.
#### LTS-2022 3033.3.10
* Linux
* [CVE-2022-4129](https://nvd.nist.gov/vuln/detail/CVE-2022-4129) CVSSv3 score: 5.5(Medium)
A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.
* [CVE-2022-4382](https://nvd.nist.gov/vuln/detail/CVE-2022-4382) CVSSv3 score: 6.4(Medium)
A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side.
* [CVE-2022-4842](https://nvd.nist.gov/vuln/detail/CVE-2022-4842) CVSSv3 score: 5.5(Medium)
A NULL pointer dereference flaw was found in the Linux kernel NTFS3 driver function attr_punch_hole(). A local user could use this flaw to crash the system.
* [CVE-2023-1073](https://nvd.nist.gov/vuln/detail/CVE-2023-1073) CVSSv3 score: n/a
* [CVE-2023-1074](https://nvd.nist.gov/vuln/detail/CVE-2023-1074) CVSSv3 score: n/a
* [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559) CVSSv3 score: 7.8(High)
In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.
---
### Communication
#### Go/No-Go message for Matrix/Slack
Go/No-Go Meeting for Alpha 3535.0.0, Beta 3510.1.0, Stable 3374.2.5, LTS-2022 3033.3.10
Preview images are available at https://bincache.flatcar-linux.net/images/amd64/$VERSION/
Tracking issue: https://github.com/flatcar/Flatcar/issues/971
The Go/No-Go document is in our HackMD @flatcar namespace
Link: https://hackmd.io/@flatcar/BJBbyAaRo
Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait.
Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat.
@MAINTAINER @MAINTAINER @MAINTAINER
#### Mastodon
_The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases for all channels now available!
📦 Many package updates: Linux, Rust, containerd and many more
🔒 CVE fixes & security patches: Linux, openssh, containerd, openssl
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
#linux #cloudnative #containers #containerlinux #release
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome Flatcar releases of this month:
- Alpha 3535.0.0 (major release)
- Beta 3510.1.0 (major release)
- Stable 3374.2.5 (maintenance release)
- LTS-2022 3033.3.10 (maintenance release)
These releases include:
📦 Many package updates: Linux, Rust, containerd and many more
🔒 CVE fixes & security patches: Linux, openssh, containerd, openssl
📜 Release notes at the usual spot: https://www.flatcar.org/releases/