owned this note
owned this note
Published
Linked with GitHub
# Flatcar Container Linux Release - 2022-08-30
## Flatcar-linux-Alpha-3346.0.0
- AMD64-usr
- Platforms succeeded: All except for AWS, Digital Ocean, Qemu
- Platforms failed: AWS, Digital Ocean, Qemu
- AWS: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Digital Ocean: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Qemu: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_
## Flatcar-linux-Beta-3277.1.2
- AMD64-usr
- Platforms succeeded: All except for Azure, Digital Ocean, Qemu_uefi
- Platforms failed: Azure, Digital Ocean, Qemu_uefi
- Azure: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Digital Ocean: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Qemu_uefi: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All except for AWS, Azure, Equinix Metal, Qemu_uefi
- Platforms failed: AWS, Azure, Equinix Metal, Qemu_uefi
- AWS: `kubeadm.*.calico.base`, `kubeadm.*.cilium.base`, flaky test, already known issue
- Azure: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Equinix Metal: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Qemu_uefi: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Platforms not tested: None
VERDICT: _GO_
## Flatcar-linux-Stable-3227.2.2
- AMD64-usr
- Platforms succeeded: All except for AWS, Azure, Digital Ocean, Equinix Metal, Qemu, Qemu_uefi
- Platforms failed: AWS, Azure, Digital Ocean, Equinix Metal, Qemu, Qemu_uefi
- AWS: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Azure: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Digital Ocean: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Equinix Metal: `kubeadm.v1.24.1.cilium.base`, `cl.internet` for s3.xlarge, already known issue
- Qemu: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Qemu_uefi: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All except for AWS
- Platforms failed: None
- Platforms not tested: AWS
- The whole test could not run due to an unknown corrupted AMI issue.
VERDICT: _GO_
## Flatcar-linux-LTS-2022-3033.3.5
- AMD64-usr
- Platforms succeeded: All except for Equinix Metal, Qemu
- Platforms failed: Equinix Metal, Qemu
- Equinix Metal: `kubeadm.v1.24.1.cilium.base`, `cl.internet` for s3.xlarge already known issue
- Qemu: `kubeadm.v1.24.1.cilium.base`, flaky test, already known issue
- Platforms not tested: None
- ARM64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_
## Flatcar-linux-LTS-2021-2605.31.1
- AMD64-usr
- Platforms succeeded: All
- Platforms failed: None
- Platforms not tested: None
VERDICT: _GO_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar-linux.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
- Make sure the the LTS is referred to as `LTS-2021`, and not `LTS-2605`
---
### Announcement Message
Subject: Announcing new Alpha 3346.0.0, Beta 3277.1.2, Stable 3227.2.2, LTS-2022 3033.3.5, LTS-2021 2605.31.1
Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, LTS-2022, LTS-2021 channels.
The images are signed with a [new image signing subkey](https://www.flatcar.org/security/image-signing-key/). If you verify the images, you need to update it. The new key is also updated in the embedded flatcar-install script and you should use, e.g., the new PXE images to install the latest releases to disk.
**NOTE** LTS-2021 is near the designated end of its 18 month lifespan and will only receive 1 more update by the end of September. If you use a fixed LTS channel please switch to LTS-2022, the new LTS which has been published in May. After the next update by end of September there will be no more releases for the LTS-2021 channel as it will enter EOL. Please check your nodes' `GROUP=` setting in `/etc/flatcar/update.conf` to determine if you need to take action:
- `GROUP=lts` points to the latest LTS release. No need to take action as you are already using LTS-2022, which is the latest release.
- `GROUP=lts-2022` you have pinned your nodes to the LTS-2022 channel. No need to take action as you are already using the latest release (however, you will need to take action in about 12 months to switch to LTS-2023. Check the release notes of upcoming LTS releases to stay up to date).
- `GROUP=lts-2021` you have pinned your nodes to the LTS-2021 channel. Nodes will receive one more update by the end of September; after that, LTS-2021 will be EOL. Please refer to the Flatcar documentation on [switching channels](https://flatcar-linux.org/docs/latest/setup/releases/switching-channels/#freezing-an-lts-stream) to switch to LTS-2022.
# New **Alpha** Release **3346.0.0**
_Changes since **Alpha 3305.0.1**_
#### Security fixes:
- Linux ([CVE-2022-1679](https://nvd.nist.gov/vuln/detail/CVE-2022-1679), [CVE-2022-2585](https://nvd.nist.gov/vuln/detail/CVE-2022-2585), [CVE-2022-2586](https://nvd.nist.gov/vuln/detail/CVE-2022-2586), [CVE-2022-2588](https://nvd.nist.gov/vuln/detail/CVE-2022-2588), [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373), [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946))
- Go ([CVE-2022-32189](https://nvd.nist.gov/vuln/detail/CVE-2022-32189))
- binutils ([CVE-2021-45078](https://nvd.nist.gov/vuln/detail/CVE-2021-45078))
- git ([CVE-2022-29187](https://nvd.nist.gov/vuln/detail/CVE-2022-29187))
- gnutls ([CVE-2022-2509](https://nvd.nist.gov/vuln/detail/CVE-2022-2509))
- libtirpc ([CVE-2021-46828](https://nvd.nist.gov/vuln/detail/CVE-2021-46828))
- oniguruma ([oss-fuzz issues fixed 2022-04-30](https://bugs.gentoo.org/841893))
- shadow ([CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235))
- vim ([CVE-2022-0629](https://nvd.nist.gov/vuln/detail/CVE-2022-0629), [CVE-2022-0685](https://nvd.nist.gov/vuln/detail/CVE-2022-0685), [CVE-2022-0714](https://nvd.nist.gov/vuln/detail/CVE-2022-0714), [CVE-2022-0729](https://nvd.nist.gov/vuln/detail/CVE-2022-0729), [CVE-2022-0943](https://nvd.nist.gov/vuln/detail/CVE-2022-0943), [CVE-2022-1154](https://nvd.nist.gov/vuln/detail/CVE-2022-1154), [CVE-2022-1160](https://nvd.nist.gov/vuln/detail/CVE-2022-1160), [CVE-2022-1381](https://nvd.nist.gov/vuln/detail/CVE-2022-1381), [CVE-2022-1420](https://nvd.nist.gov/vuln/detail/CVE-2022-1420), [CVE-2022-1616](https://nvd.nist.gov/vuln/detail/CVE-2022-1616), [CVE-2022-1619](https://nvd.nist.gov/vuln/detail/CVE-2022-1619), [CVE-2022-1620](https://nvd.nist.gov/vuln/detail/CVE-2022-1620), [CVE-2022-1621](https://nvd.nist.gov/vuln/detail/CVE-2022-1621), [CVE-2022-1629](https://nvd.nist.gov/vuln/detail/CVE-2022-1629), [CVE-2022-1674](https://nvd.nist.gov/vuln/detail/CVE-2022-1674), [CVE-2022-1733](https://nvd.nist.gov/vuln/detail/CVE-2022-1733), [CVE-2022-1735](https://nvd.nist.gov/vuln/detail/CVE-2022-1735), [CVE-2022-1769](https://nvd.nist.gov/vuln/detail/CVE-2022-1769), [CVE-2022-1771](https://nvd.nist.gov/vuln/detail/CVE-2022-1771), [CVE-2022-1785](https://nvd.nist.gov/vuln/detail/CVE-2022-1785), [CVE-2022-1796](https://nvd.nist.gov/vuln/detail/CVE-2022-1796), [CVE-2022-1897](https://nvd.nist.gov/vuln/detail/CVE-2022-1897), [CVE-2022-1898](https://nvd.nist.gov/vuln/detail/CVE-2022-1898), [CVE-2022-1886](https://nvd.nist.gov/vuln/detail/CVE-2022-1886), [CVE-2022-1851](https://nvd.nist.gov/vuln/detail/CVE-2022-1851), [CVE-2022-1927](https://nvd.nist.gov/vuln/detail/CVE-2022-1927), [CVE-2022-1942](https://nvd.nist.gov/vuln/detail/CVE-2022-1942), [CVE-2022-1968](https://nvd.nist.gov/vuln/detail/CVE-2022-1968), [CVE-2022-2000](https://nvd.nist.gov/vuln/detail/CVE-2022-2000))
- VMware: open-vm-tools ([CVE-2022-31676](https://nvd.nist.gov/vuln/detail/CVE-2022-31676))
#### Bug fixes:
- AWS: added EKS support for version 1.22 and 1.23. ([coreos-overlay#2110](https://github.com/flatcar-linux/coreos-overlay/pull/2110), [Flatcar#829](https://github.com/flatcar-linux/Flatcar/issues/829))
- VMWare: excluded `wireguard` (and others) from `systemd-networkd` management. ([init#80](https://github.com/flatcar-linux/init/pull/80))
#### Changes:
- Added symlink from `nc` to `ncat`. `-q` option is [not yet supported](https://github.com/nmap/nmap/issues/2422) ([flatcar#545](https://github.com/flatcar-linux/Flatcar/issues/545))
- The new image signing subkey was added to the public key embedded into `flatcar-install` (the old expired on 10th August 2022), only an updated `flatcar-install` script can verify releases signed with the new key ([init#79](https://github.com/flatcar-linux/init/pull/79))
- AWS: Added AWS IMDSv2 support to coreos-cloudinit ([flatcar-linux/coreos-cloudinit#13](https://github.com/flatcar-linux/coreos-cloudinit/pull/13))
#### Updates:
- Linux ([5.15.63](https://lwn.net/Articles/906061) (includes [5.15.62](https://lwn.net/Articles/905533), [5.15.61](https://lwn.net/Articles/904959), [5.15.60](https://lwn.net/Articles/904461), [5.15.59](https://lwn.net/Articles/903688))
- Linux Firmware ([20220815](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20220815))
- binutils ([2.38](https://lwn.net/Articles/884264/))
- boost ([1.79](https://www.boost.org/users/history/version_1_79_0.html))
- ca-certificates ([3.82](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_82.html))
- containerd ([1.6.8](https://github.com/containerd/containerd/releases/tag/v1.6.8))
- Cyrus SASL ([2.1.28](https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28))
- gcc ([11.3.0](https://gcc.gnu.org/gcc-11/changes.html))
- git ([2.37.1](https://github.com/git/git/blob/v2.37.1/Documentation/RelNotes/2.37.1.txt))
- glib ([2.72.3](https://gitlab.gnome.org/GNOME/glib/-/tags/2.73.3))
- gnutls ([3.7.7](https://gitlab.com/gnutls/gnutls/-/tags/3.7.7))
- oniguruma ([6.9.8](https://github.com/kkos/oniguruma/releases/tag/v6.9.8))
- shadow ([4.12.3](https://github.com/shadow-maint/shadow/releases/tag/4.12.3))
- vim ([8.2.5066](https://github.com/vim/vim/releases/tag/v8.2.5066))
- SDK: automake ([1.16.5](https://savannah.gnu.org/forum/forum.php?forum_id=10055))
- SDK: bison ([3.8.2](https://lists.gnu.org/archive/html/bug-bison/2021-09/msg00056.html))
- SDK: libtool ([2.4.7](https://savannah.gnu.org/forum/forum.php?forum_id=10139))
- SDK: perl ([5.34.1](https://perldoc.perl.org/5.34.1/perldelta))
- SDK: pkgconf ([1.8.0](https://gitea.treehouse.systems/ariadne/pkgconf/src/tag/pkgconf-1.8.0/NEWS))
- SDK: Rust ([1.63.0](https://github.com/rust-lang/rust/releases/tag/1.63.0))
- VMware: open-vm-tools ([12.1.0](https://github.com/vmware/open-vm-tools/releases/tag/stable-12.1.0))
# New **Beta** Release **3277.1.2**
_Changes since **Beta 3277.1.1**_
#### Security fixes:
- Linux ([CVE-2022-1679](https://nvd.nist.gov/vuln/detail/CVE-2022-1679), [CVE-2022-2585](https://nvd.nist.gov/vuln/detail/CVE-2022-2585), [CVE-2022-2586](https://nvd.nist.gov/vuln/detail/CVE-2022-2586), [CVE-2022-2588](https://nvd.nist.gov/vuln/detail/CVE-2022-2588), [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373), [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946))
#### Bug fixes:
- AWS: added EKS support for version 1.22 and 1.23. ([coreos-overlay#2110](https://github.com/flatcar-linux/coreos-overlay/pull/2110), [Flatcar#829](https://github.com/flatcar-linux/Flatcar/issues/829))
- VMWare: excluded `wireguard` (and others) from `systemd-networkd` management. ([init#80](https://github.com/flatcar-linux/init/pull/80))
#### Changes:
- The new image signing subkey was added to the public key embedded into `flatcar-install` (the old expired on 10th August 2022), only an updated `flatcar-install` script can verify releases signed with the new key ([init#79](https://github.com/flatcar-linux/init/pull/79))
- AWS: Added AWS IMDSv2 support to coreos-cloudinit ([flatcar-linux/coreos-cloudinit#13](https://github.com/flatcar-linux/coreos-cloudinit/pull/13))
#### Updates:
- Linux ([5.15.63](https://lwn.net/Articles/906061) (includes [5.15.62](https://lwn.net/Articles/905533), [5.15.61](https://lwn.net/Articles/904959), [5.15.60](https://lwn.net/Articles/904461), [5.15.59](https://lwn.net/Articles/903688))
- ca-certificates ([3.82](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_82.html))
# New **Stable** Release **3227.2.2**
_Note: The ARM64 AWS AMI of the Stable release has an unknown issue of corrupted images which we are still investigating. We will release the AMI as soon as we have resolved the issue. Follow [#840](https://github.com/flatcar-linux/Flatcar/issues/840) for more information_
_Changes since **Stable 3227.2.1**_
#### Security fixes:
- Linux ([CVE-2022-1679](https://nvd.nist.gov/vuln/detail/CVE-2022-1679), [CVE-2022-2585](https://nvd.nist.gov/vuln/detail/CVE-2022-2585), [CVE-2022-2586](https://nvd.nist.gov/vuln/detail/CVE-2022-2586), [CVE-2022-2588](https://nvd.nist.gov/vuln/detail/CVE-2022-2588), [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373), [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946))
#### Bug fixes:
- AWS: added EKS support for version 1.22 and 1.23. ([coreos-overlay#2110](https://github.com/flatcar-linux/coreos-overlay/pull/2110), [Flatcar#829](https://github.com/flatcar-linux/Flatcar/issues/829))
- VMWare: excluded `wireguard` (and others) from `systemd-networkd` management. ([init#80](https://github.com/flatcar-linux/init/pull/80))
#### Changes:
- The new image signing subkey was added to the public key embedded into `flatcar-install` (the old expired on 10th August 2022), only an updated `flatcar-install` script can verify releases signed with the new key ([init#79](https://github.com/flatcar-linux/init/pull/79))
#### Updates:
- Linux ([5.15.63](https://lwn.net/Articles/906061) (includes [5.15.62](https://lwn.net/Articles/905533), [5.15.61](https://lwn.net/Articles/904959), [5.15.60](https://lwn.net/Articles/904461), [5.15.59](https://lwn.net/Articles/903688))
- ca-certificates ([3.82](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_82.html))
# New **LTS-2022** Release **3033.3.5**
_Changes since **LTS 3033.3.4**_
#### Security fixes:
- Linux ([CVE-2022-1679](https://nvd.nist.gov/vuln/detail/CVE-2022-1679), [CVE-2022-2153](https://nvd.nist.gov/vuln/detail/CVE-2022-2153), [CVE-2022-2585](https://nvd.nist.gov/vuln/detail/CVE-2022-2585), [CVE-2022-2586](https://nvd.nist.gov/vuln/detail/CVE-2022-2586), [CVE-2022-2588](https://nvd.nist.gov/vuln/detail/CVE-2022-2588), [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373), [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946))
#### Changes:
- The new image signing subkey was added to the public key embedded into `flatcar-install` (the old expired on 10th August 2022), only an updated `flatcar-install` script can verify releases signed with the new key ([init#79](https://github.com/flatcar-linux/init/pull/79))
#### Updates:
- Linux ([5.10.137](https://lwn.net/Articles/905534) (includes [5.10.136](https://lwn.net/Articles/904462), [5.10.135](https://lwn.net/Articles/903689)))
- ca-certificates ([3.82](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_82.html))
# New **LTS-2021** Release **2605.31.1**
**NOTE** LTS-2021 is near the designated end of its 18 month lifespan and will only receive 1 more update by the end of September. If you use a fixed LTS channel please switch to LTS-2022, the new LTS which has been published in May. After the next update by end of September there will be no more releases for the LTS-2021 channel. Please check your nodes' `GROUP=` setting in `/etc/flatcar/update.conf` to determine if you need to take action. Please refer to the Flatcar documentation on [switching channels](https://flatcar-linux.org/docs/latest/setup/releases/switching-channels/#freezing-an-lts-stream) to switch to LTS-2022.
_Changes since **LTS 2605.30.1**_
#### Security fixes:
- Linux ([CVE-2021-4159](https://nvd.nist.gov/vuln/detail/CVE-2021-4159), [CVE-2022-1462](https://nvd.nist.gov/vuln/detail/CVE-2022-1462), [CVE-2022-20369](https://nvd.nist.gov/vuln/detail/CVE-2022-20369), [CVE-2022-21505](https://nvd.nist.gov/vuln/detail/CVE-2022-21505), [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373), [CVE-2022-36123](https://nvd.nist.gov/vuln/detail/CVE-2022-36123), [CVE-2022-36879](https://nvd.nist.gov/vuln/detail/CVE-2022-36879), [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946))
#### Changes:
- The new image signing subkey was added to the public key embedded into `flatcar-install` (the old expired on 10th August 2022), only an updated `flatcar-install` script can verify releases signed with the new key ([init#79](https://github.com/flatcar-linux/init/pull/79))
#### Updates:
- Linux ([5.4.210](https://lwn.net/Articles/904463) (includes [5.4.209](https://lwn.net/Articles/903690), [5.4.208](https://lwn.net/Articles/902919), [5.4.207](https://lwn.net/Articles/902103)))
- ca-certificates ([3.82](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_82.html))
Note: LTS 2605.32.1 i.e the next release to be release in the month of September would be the last release for LTS-2021. Post that there will be no more releases for the channel. Please upgrade your workloads to LTS-2022 as soon as possible.
Best,
The Flatcar Container Linux Maintainers
---
---
### Security
**Subject**: Security issues fixed with the latest Alpha 3346.0.0, Beta 3277.1.2, Stable 3227.2.2, LTS-2022 3033.3.5, LTS-2021 2605.31.1 releases
**Security fix**: With the Alpha 3346.0.0, Beta 3277.1.2, Stable 3227.2.2, LTS-2022 3033.3.5, LTS-2021 2605.31.1 releases we ship fixes for the CVEs listed below.
#### Alpha 3346.0.0
* Go
* [CVE-2022-32189](https://nvd.nist.gov/vuln/detail/CVE-2022-32189) CVSSv3 score: 7.5(High)
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
* Linux
* [CVE-2022-1679](https://nvd.nist.gov/vuln/detail/CVE-2022-1679) CVSSv3 score: 7.8(High)
A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2022-2585](https://nvd.nist.gov/vuln/detail/CVE-2022-2585)
It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free. An independent security researcher working with SSD Secure Disclosure discovered that this vulnerability could be exploited for Local Privilege Escalation. This bug was introduced by commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task"), which is present since v5.7-rc1.
* [CVE-2022-2586](https://nvd.nist.gov/vuln/detail/CVE-2022-2586)
When doing lookups for chains on the same batch by using its ID, a chain from a different table can be used. If a rule is added to a table but refers to a chain in a different table, it will be linked to the chain in table2, but would have expressions referring to objects in table1. Then, when table1 is removed, the rule will not be removed as its linked to a chain in table2. When expressions in the rule are processed or removed, that will lead to a use-after-free. When looking for chains by ID, use the table that was used for the lookup by name, and only return chains belonging to that same table.
* [CVE-2022-2588](https://nvd.nist.gov/vuln/detail/CVE-2022-2588)
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0. Zhenpeng Lin working with Trend Micro's Zero Day Initiative discovered that this vulnerability could be exploited for Local Privilege Escalation. This bug has been present since the first Linux commit git, v2.6.12-rc2. * [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373) CVSSv3 score: 5.5(Medium)
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
* [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946) CVSSv3 score: 7.5(High)
nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.
* VMware: open-vm-tools
* [CVE-2022-31676](https://nvd.nist.gov/vuln/detail/CVE-2022-31676) CVSSv3 score: 7.8(High)
VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.
* binutils
* [CVE-2021-45078](https://nvd.nist.gov/vuln/detail/CVE-2021-45078) CVSSv3 score: 7.8(High)
stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.
* git
* [CVE-2022-29187](https://nvd.nist.gov/vuln/detail/CVE-2022-29187) CVSSv3 score: n/a
Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.
* gnutls
* [CVE-2022-2509](https://nvd.nist.gov/vuln/detail/CVE-2022-2509) CVSSv3 score: 7.5(High)
A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.
* libtirpc
* [CVE-2021-46828](https://nvd.nist.gov/vuln/detail/CVE-2021-46828) CVSSv3 score: 7.5(High)
In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.
* shadow
* [CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235) CVSSv3 score: 4.7(Medium)
shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees
* vim
* [CVE-2022-0629](https://nvd.nist.gov/vuln/detail/CVE-2022-0629) CVSSv3 score: 7.8(High)
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-0685](https://nvd.nist.gov/vuln/detail/CVE-2022-0685) CVSSv3 score: 7.8(High)
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4418.
* [CVE-2022-0714](https://nvd.nist.gov/vuln/detail/CVE-2022-0714) CVSSv3 score: 5.5(Medium)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.
* [CVE-2022-0729](https://nvd.nist.gov/vuln/detail/CVE-2022-0729) CVSSv3 score: 8.8(High)
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.
* [CVE-2022-0943](https://nvd.nist.gov/vuln/detail/CVE-2022-0943) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow occurs in vim in GitHub repository vim/vim prior to 8.2.4563.
* [CVE-2022-1154](https://nvd.nist.gov/vuln/detail/CVE-2022-1154) CVSSv3 score: 7.8(High)
Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.
* [CVE-2022-1160](https://nvd.nist.gov/vuln/detail/CVE-2022-1160) CVSSv3 score: 7.8(High)
heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.
* [CVE-2022-1381](https://nvd.nist.gov/vuln/detail/CVE-2022-1381) CVSSv3 score: 7.8(High)
global heap buffer overflow in skip_range in GitHub repository vim/vim prior to 8.2.4763. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
* [CVE-2022-1420](https://nvd.nist.gov/vuln/detail/CVE-2022-1420) CVSSv3 score: 5.5(Medium)
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4774.
* [CVE-2022-1616](https://nvd.nist.gov/vuln/detail/CVE-2022-1616) CVSSv3 score: 7.8(High)
Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
* [CVE-2022-1619](https://nvd.nist.gov/vuln/detail/CVE-2022-1619) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution
* [CVE-2022-1620](https://nvd.nist.gov/vuln/detail/CVE-2022-1620) CVSSv3 score: 7.5(High)
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.
* [CVE-2022-1621](https://nvd.nist.gov/vuln/detail/CVE-2022-1621) CVSSv3 score: 7.8(High)
Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
* [CVE-2022-1629](https://nvd.nist.gov/vuln/detail/CVE-2022-1629) CVSSv3 score: 7.8(High)
Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution
* [CVE-2022-1674](https://nvd.nist.gov/vuln/detail/CVE-2022-1674) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.
* [CVE-2022-1733](https://nvd.nist.gov/vuln/detail/CVE-2022-1733) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968.
* [CVE-2022-1735](https://nvd.nist.gov/vuln/detail/CVE-2022-1735) CVSSv3 score: 7.8(High)
Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969.
* [CVE-2022-1769](https://nvd.nist.gov/vuln/detail/CVE-2022-1769) CVSSv3 score: 7.8(High)
Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974.
* [CVE-2022-1771](https://nvd.nist.gov/vuln/detail/CVE-2022-1771) CVSSv3 score: 5.5(Medium)
Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975.
* [CVE-2022-1785](https://nvd.nist.gov/vuln/detail/CVE-2022-1785) CVSSv3 score: 7.8(High)
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.
* [CVE-2022-1796](https://nvd.nist.gov/vuln/detail/CVE-2022-1796) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 8.2.4979.
* [CVE-2022-1897](https://nvd.nist.gov/vuln/detail/CVE-2022-1897) CVSSv3 score: 7.8(High)
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1898](https://nvd.nist.gov/vuln/detail/CVE-2022-1898) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1886](https://nvd.nist.gov/vuln/detail/CVE-2022-1886) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1851](https://nvd.nist.gov/vuln/detail/CVE-2022-1851) CVSSv3 score: 7.8(High)
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1927](https://nvd.nist.gov/vuln/detail/CVE-2022-1927) CVSSv3 score: 9.8(Critical)
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1942](https://nvd.nist.gov/vuln/detail/CVE-2022-1942) CVSSv3 score: 7.8(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-1968](https://nvd.nist.gov/vuln/detail/CVE-2022-1968) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to 8.2.
* [CVE-2022-2000](https://nvd.nist.gov/vuln/detail/CVE-2022-2000) CVSSv3 score: 7.8(High)
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
#### Beta 3277.1.2
* Linux
* [CVE-2022-1679](https://nvd.nist.gov/vuln/detail/CVE-2022-1679) CVSSv3 score: 7.8(High)
A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2022-2585](https://nvd.nist.gov/vuln/detail/CVE-2022-2585)
It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free. An independent security researcher working with SSD Secure Disclosure discovered that this vulnerability could be exploited for Local Privilege Escalation. This bug was introduced by commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task"), which is present since v5.7-rc1.
* [CVE-2022-2586](https://nvd.nist.gov/vuln/detail/CVE-2022-2586)
When doing lookups for chains on the same batch by using its ID, a chain from a different table can be used. If a rule is added to a table but refers to a chain in a different table, it will be linked to the chain in table2, but would have expressions referring to objects in table1. Then, when table1 is removed, the rule will not be removed as its linked to a chain in table2. When expressions in the rule are processed or removed, that will lead to a use-after-free. When looking for chains by ID, use the table that was used for the lookup by name, and only return chains belonging to that same table.
* [CVE-2022-2588](https://nvd.nist.gov/vuln/detail/CVE-2022-2588)
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0. Zhenpeng Lin working with Trend Micro's Zero Day Initiative discovered that this vulnerability could be exploited for Local Privilege Escalation. This bug has been present since the first Linux commit git, v2.6.12-rc2.
* [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373) CVSSv3 score: 5.5(Medium)
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
* [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946) CVSSv3 score: 7.5(High)
nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.
#### Stable 3227.2.2
* Linux
* [CVE-2022-1679](https://nvd.nist.gov/vuln/detail/CVE-2022-1679) CVSSv3 score: 7.8(High)
A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2022-2585](https://nvd.nist.gov/vuln/detail/CVE-2022-2585)
It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free. An independent security researcher working with SSD Secure Disclosure discovered that this vulnerability could be exploited for Local Privilege Escalation. This bug was introduced by commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task"), which is present since v5.7-rc1.
* [CVE-2022-2586](https://nvd.nist.gov/vuln/detail/CVE-2022-2586)
When doing lookups for chains on the same batch by using its ID, a chain from a different table can be used. If a rule is added to a table but refers to a chain in a different table, it will be linked to the chain in table2, but would have expressions referring to objects in table1. Then, when table1 is removed, the rule will not be removed as its linked to a chain in table2. When expressions in the rule are processed or removed, that will lead to a use-after-free. When looking for chains by ID, use the table that was used for the lookup by name, and only return chains belonging to that same table.
* [CVE-2022-2588](https://nvd.nist.gov/vuln/detail/CVE-2022-2588)
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0. Zhenpeng Lin working with Trend Micro's Zero Day Initiative discovered that this vulnerability could be exploited for Local Privilege Escalation. This bug has been present since the first Linux commit git, v2.6.12-rc2.
* [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373) CVSSv3 score: 5.5(Medium)
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
* [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946) CVSSv3 score: 7.5(High)
nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.
#### LTS-2022 3033.3.5
* Linux
* [CVE-2022-1679](https://nvd.nist.gov/vuln/detail/CVE-2022-1679) CVSSv3 score: 7.8(High)
A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2022-2153](https://nvd.nist.gov/vuln/detail/CVE-2022-2153) CVSSv3 score: n/a
A flaw was found in the Linux kernel’s KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.
* [CVE-2022-2585](https://nvd.nist.gov/vuln/detail/CVE-2022-2585)
It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free. An independent security researcher working with SSD Secure Disclosure discovered that this vulnerability could be exploited for Local Privilege Escalation. This bug was introduced by commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task"), which is present since v5.7-rc1.
* [CVE-2022-2586](https://nvd.nist.gov/vuln/detail/CVE-2022-2586)
When doing lookups for chains on the same batch by using its ID, a chain from a different table can be used. If a rule is added to a table but refers to a chain in a different table, it will be linked to the chain in table2, but would have expressions referring to objects in table1. Then, when table1 is removed, the rule will not be removed as its linked to a chain in table2. When expressions in the rule are processed or removed, that will lead to a use-after-free. When looking for chains by ID, use the table that was used for the lookup by name, and only return chains belonging to that same table.
* [CVE-2022-2588](https://nvd.nist.gov/vuln/detail/CVE-2022-2588)
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0. Zhenpeng Lin working with Trend Micro's Zero Day Initiative discovered that this vulnerability could be exploited for Local Privilege Escalation. This bug has been present since the first Linux commit git, v2.6.12-rc2.
* [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373) CVSSv3 score: 5.5(Medium)
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
* [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946) CVSSv3 score: 7.5(High)
nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.
#### LTS-2021 2605.31.1
* Linux
* [CVE-2021-4159](https://nvd.nist.gov/vuln/detail/CVE-2021-4159) CVSSv3 score: 4.4(Medium)
A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.
* [CVE-2022-1462](https://nvd.nist.gov/vuln/detail/CVE-2022-1462) CVSSv3 score: 6.3(Medium)
An out-of-bounds read flaw was found in the Linux kernel’s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory.
* [CVE-2022-20369](https://nvd.nist.gov/vuln/detail/CVE-2022-20369) CVSSv3 score: 6.7(Medium)
In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-223375145References: Upstream kernel
* [CVE-2022-21505](https://nvd.nist.gov/vuln/detail/CVE-2022-21505) CVSSv3 score: n/a
* [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373) CVSSv3 score: 5.5(Medium)
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
* [CVE-2022-36123](https://nvd.nist.gov/vuln/detail/CVE-2022-36123) CVSSv3 score: 7.8(High)
The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.
* [CVE-2022-36879](https://nvd.nist.gov/vuln/detail/CVE-2022-36879) CVSSv3 score: 5.5(Medium)
An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.
* [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946) CVSSv3 score: 7.5(High)
nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.
---
### Communication
#### Twitter
_The tweet (from [@flatcar](https://twitter.com/flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases now available for all channels!
📦 Package updates (with 🔒CVE fixes) for Linux, gnutls, git, vim and others in Alpha
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome Flatcar releases of this month:
- Alpha 3346.0.0 (new major)
- Beta 3277.1.2 (maintenance release)
- Stable 3227.2.2 (maintenance release)
- LTS-2022 3033.3.5 (maintenance release)
- LTS-2021 2605.31.1 (maintenance release)
These releases include:
🚀 new features include AWS IMDSv2 support to coreos-cloudinit, EKS support for version 1.22 and 1.23
📦 Many package updates (with 🔒 CVE fixes) for Linux, gnutls, git, vim and others in Alpha
📜 Release notes in usual spot: https://www.flatcar.org/releases/