## Alpha 3665.0.0
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None

VERDICT: _GO_

## Beta 3602.1.3
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None

VERDICT: _GO_

## Stable 3510.2.5
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None

VERDICT: _GO_

## LTS 3033.3.15
- AMD64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None
- ARM64-usr
  - Platforms succeeded: All
  - Platforms failed: None
  - Platforms not tested: None

VERDICT: _GO_
## Communication
---
#### Guidelines / Things to Remember
- Release notes are used in a PR and will appear on https://www.flatcar.org/releases/
- [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post).
---
### Announcement Message
Subject: Announcing new releases Alpha 3665.0.0, Beta 3602.1.3, Stable 3510.2.5, LTS 3033.3.15
Hello,
We are pleased to announce new Flatcar Container Linux releases for the Alpha, Beta, Stable and LTS channels.
## New Alpha Release 3665.0.0
_Changes since **Alpha 3654.0.0**_
#### Security fixes:
- binutils ([CVE-2022-38533](https://nvd.nist.gov/vuln/detail/CVE-2022-38533), [CVE-2022-4285](https://nvd.nist.gov/vuln/detail/CVE-2022-4285), [CVE-2023-1579](https://nvd.nist.gov/vuln/detail/CVE-2023-1579), [CVE-2023-2222](https://nvd.nist.gov/vuln/detail/CVE-2023-2222))
- ncurses ([CVE-2023-29491](https://nvd.nist.gov/vuln/detail/CVE-2023-29491))
- protobuf ([CVE-2022-1941](https://nvd.nist.gov/vuln/detail/CVE-2022-1941))
#### Changes:
- :warning: Dropped support for niftycloud and interoute. For interoute, images have not been generated for some time already.
#### Updates:
- Linux ([6.1.38](https://lwn.net/Articles/937403))
- Linux Firmware ([20230625](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20230625))
- binutils ([2.40](https://lists.gnu.org/archive/html/info-gnu/2023-01/msg00003.html))
- containerd ([1.7.2](https://github.com/containerd/containerd/releases/tag/v1.7.2))
- elfutils ([0.189](https://sourceware.org/pipermail/elfutils-devel/2023q1/006023.html))
- glib ([2.76.3](https://gitlab.gnome.org/GNOME/glib/-/releases/2.76.3))
- ldb ([2.4.4](https://gitlab.com/samba-team/samba/-/commit/b686ef00da46d4a0c0aba0c61b1866cbc9b462b6) (includes [2.4.3](https://gitlab.com/samba-team/samba/-/commit/604f94704f30e90ef960aa2be62a14d2e614a002), [2.4.2](https://gitlab.com/samba-team/samba/-/commit/d93892d2e8ed69758c15ab18bc03bba09e715bc6)))
- lua ([5.4.4](https://www.lua.org/manual/5.4/readme.html#changes))
- ncurses ([6.4](https://invisible-island.net/ncurses/announce.html#h2-release-notes))
- nettle ([3.9.1](https://git.lysator.liu.se/nettle/nettle/-/blob/nettle_3.9.1_release_20230601/ChangeLog))
- nmap ([7.94](https://nmap.org/changelog.html#7.94))
- pax-utils ([1.3.7](https://gitweb.gentoo.org/proj/pax-utils.git/log/?h=v1.3.7))
- protobuf ([21.9](https://github.com/protocolbuffers/protobuf/releases/tag/v21.9))
- python ([3.11.3](https://www.python.org/downloads/release/python-3113/))
- talloc ([2.4.0](https://gitlab.com/samba-team/samba/-/commit/5224ed98eeba43f22b5f5f87de5947fbb1c1c7c1) (includes [2.3.4](https://gitlab.com/samba-team/samba/-/commit/0189ccf9fc3d2a77cc83cffe180e307bcdccebb4)))
- tdb ([1.4.8](https://gitlab.com/samba-team/samba/-/commit/eab796a4f9172e602dc262f3c99ead35b35929e7) (includes [1.4.7](https://gitlab.com/samba-team/samba/-/commit/27ceb1c3ad786386e746a5e2968780d791393b9e), [1.4.6](https://gitlab.com/samba-team/samba/-/commit/1c776e54cf33b46b2ed73263f093d596a0cdbb2f)))
- tevent ([0.14.1](https://gitlab.com/samba-team/samba/-/commits/tevent-0.14.1?ref_type=tags) (includes [0.14.0](https://gitlab.com/samba-team/samba/-/commits/tevent-0.14.0?ref_type=tags), [0.13.0](https://gitlab.com/samba-team/samba/-/commits/tevent-0.13.0?ref_type=tags), [0.12.1](https://gitlab.com/samba-team/samba/-/commits/tevent-0.12.1?ref_type=tags), [0.12.0](https://gitlab.com/samba-team/samba/-/commits/tevent-0.12.0?ref_type=tags)))
- SDK: perf ([6.3](https://kernelnewbies.org/LinuxChanges#Linux_6.3.Tracing.2C_perf_and_BPF))
- SDK: perl ([5.36.1](https://perldoc.perl.org/perl5361delta))
- SDK: qemu ([7.2.3](https://wiki.qemu.org/ChangeLog/7.2))
## New Beta Release 3602.1.3
_Changes since **Beta 3602.1.2**_
#### Updates:
- Linux ([5.15.120](https://lwn.net/Articles/937404))
## New Stable Release 3510.2.5
_Changes since **Stable 3510.2.4**_
#### Security fixes:
- Linux ([CVE-2023-3338](https://nvd.nist.gov/vuln/detail/CVE-2023-3338), [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390))
#### Bug fixes:
- Resolved the conflicting FD usage of libselinux and systemd, which caused, for example, a systemd crash on certain watchdog interactions during shutdown (patch in systemd 252.11)
#### Updates:
- Linux ([5.15.119](https://lwn.net/Articles/936675) (includes [5.15.118](https://lwn.net/Articles/935584)))
- systemd ([252.11](https://github.com/systemd/systemd-stable/releases/tag/v252.11) (from 252.5))
## New LTS Release 3033.3.15
_Changes since **LTS 3033.3.14**_
#### Security fixes:
- Linux ([CVE-2023-3338](https://nvd.nist.gov/vuln/detail/CVE-2023-3338))
#### Changes:
- Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness ([Flatcar#1082](https://github.com/flatcar/Flatcar/issues/1082))
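The inode-size change above matters because ext4 inodes of 128 bytes have no room for the extended timestamp fields, so file times on such a filesystem wrap in 2038; 256-byte inodes carry them. The following is an added example, not part of the Flatcar release notes or the project's own tooling: it parses `tune2fs -l` style output and reports whether the inode size is 2038-ready. The sample output is constructed, and the device path in the trailing comment is hypothetical.

```shell
#!/bin/sh
# Added example (not Flatcar's own code): check whether an ext4 filesystem
# uses 256-byte inodes, which are needed for timestamps beyond 2038.

# Read `tune2fs -l` style output on stdin and print the inode size in bytes.
# Exits non-zero if no "Inode size:" line is present.
inode_size_from_tune2fs() {
    awk -F: '/^Inode size:/ { gsub(/[[:space:]]/, "", $2); print $2; found = 1 }
             END { exit !found }'
}

# Return 0 if the given inode size (bytes) is at least 256, 1 otherwise.
is_2038_ready_inode_size() {
    [ "$1" -ge 256 ]
}

# Constructed sample output in the format tune2fs -l produces (abridged).
SAMPLE_OLD='Filesystem volume name:   ROOT
Inode count:              524288
Block size:               4096
Inode size:               128'

SAMPLE_NEW='Filesystem volume name:   ROOT
Inode count:              524288
Block size:               4096
Inode size:               256'

# Evaluate one tune2fs listing: 0 = ready, 1 = not ready, 2 = could not parse.
check_sample() {
    size=$(printf '%s\n' "$1" | inode_size_from_tune2fs) || {
        echo "no Inode size line found"
        return 2
    }
    if is_2038_ready_inode_size "$size"; then
        echo "inode size $size bytes: OK for post-2038 timestamps"
    else
        echo "inode size $size bytes: NOT 2038-ready (needs 256)"
        return 1
    fi
}

check_sample "$SAMPLE_OLD"
check_sample "$SAMPLE_NEW"

# On a live host, run the same check against the root partition's device
# (hypothetical device name):
#   sudo tune2fs -l /dev/disk/by-label/ROOT | inode_size_from_tune2fs
```

Note that an existing filesystem's inode size is fixed at `mkfs` time; a host that was provisioned with 128-byte inodes keeps them across updates, so the check is worth running on long-lived LTS installs rather than assuming the new default applies.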
#### Updates:
- Linux ([5.10.186](https://lwn.net/Articles/936676) (includes [5.10.185](https://lwn.net/Articles/935583)))
- ca-certificates ([3.91](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html))
### Detailed Security Report
**Security fix**: With the Alpha 3665.0.0, Beta 3602.1.3, Stable 3510.2.5, LTS 3033.3.15 release(s) we ship fixes for the CVEs listed below.
#### Alpha 3665.0.0
* binutils
  * [CVE-2022-38533](https://nvd.nist.gov/vuln/detail/CVE-2022-38533) CVSSv3 score: 5.5 (Medium)

    In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.
  * [CVE-2022-4285](https://nvd.nist.gov/vuln/detail/CVE-2022-4285) CVSSv3 score: 5.5 (Medium)

    An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.
  * [CVE-2023-1579](https://nvd.nist.gov/vuln/detail/CVE-2023-1579) CVSSv3 score: 7.8 (High)

    Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.
  * [CVE-2023-2222](https://nvd.nist.gov/vuln/detail/CVE-2023-2222) CVSSv3 score: n/a

    A vulnerability was found in binutils where objdump crashes with a SEGV in concat_filename() at dwarf2.c:2060.
* ncurses
  * [CVE-2023-29491](https://nvd.nist.gov/vuln/detail/CVE-2023-29491) CVSSv3 score: 7.8 (High)

    ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
* protobuf
  * [CVE-2022-1941](https://nvd.nist.gov/vuln/detail/CVE-2022-1941) CVSSv3 score: 7.5 (High)

    A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
#### Stable 3510.2.5
* Linux
  * [CVE-2023-3338](https://nvd.nist.gov/vuln/detail/CVE-2023-3338) CVSSv3 score: 7.5 (High)

    A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. A remote user could use this flaw to crash the system.
  * [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390) CVSSv3 score: n/a

    A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.
    Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction, causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.
    We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.
#### LTS 3033.3.15
* Linux
  * [CVE-2023-3338](https://nvd.nist.gov/vuln/detail/CVE-2023-3338) CVSSv3 score: 7.5 (High)

    A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. A remote user could use this flaw to crash the system.
Best,
The Flatcar Container Linux Maintainers
---
### Communication
#### Go/No-Go message for Matrix/Slack
Go/No-Go Meeting for Alpha 3665.0.0, Beta 3602.1.3, Stable 3510.2.5, LTS 3033.3.15
Preview images are available at https://bincache.flatcar-linux.net/images/amd64/$VERSION/
Tracking issue: https://github.com/flatcar/Flatcar/issues/1113
The Go/No-Go document is in our HackMD @flatcar namespace
Link: https://hackmd.io/t2_LFF3ZSNaDYMPcvBGoJA
Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait.
Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat.
@MAINTAINER @MAINTAINER @MAINTAINER
#### Mastodon
_The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._
New Flatcar releases for all channels
📦 Many package updates: Linux, containerd, binutils and more.
🔒 CVE fixes & security patches: Linux, binutils, etc
📜 Release notes at the usual spot: https://www.flatcar.org/releases/
#linux #cloudnative #containers #updates
#### Kubernetes Slack
_This goes in the #flatcar channel_
Please welcome Flatcar releases of this month:
- Alpha 3665.0.0 (new major)
- Beta 3602.1.3 (maintenance release)
- Stable 3510.2.5 (maintenance release)
- LTS 3033.3.15 (maintenance release)
These releases include:
New Flatcar releases for all channels
📦 Many package updates: Linux, containerd, binutils and more.
🔒 CVE fixes & security patches: Linux, binutils, etc
📜 Release notes at the usual spot: https://www.flatcar.org/releases/