## Alpha 3654.0.0 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Beta 3602.1.2 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Stable 3510.2.4 - AMD64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None - ARM64-usr - Platforms succeeded: All - Platforms failed: None - Platforms not tested: None VERDICT: _GO_ ## Communication --- #### Guidelines / Things to Remember - Release notes are used in a PR and will appear on https://www.flatcar.org/releases/ - [Announcement Message](#Announcement-Message) is posted in [Flatcar-Linux-user](https://groups.google.com/g/flatcar-linux-user). Make sure to post as “Flatcar Container Linux User”, not with your personal user (this can be selected when drafting the post). --- ### Announcement Message Subject: Announcing new releases Alpha 3654.0.0, Beta 3602.1.2, Stable 3510.2.4 Hello, We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable channel. ### New Alpha Release 3654.0.0 _Changes since **Alpha 3637.0.0**_ #### Security fixes: - Linux ([CVE-2023-3269](https://nvd.nist.gov/vuln/detail/CVE-2023-3269), [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390)) - OpenSSL ([CVE-2023-2650](https://nvd.nist.gov/vuln/detail/CVE-2023-2650)) - libmicrohttpd ([CVE-2023-27371](https://nvd.nist.gov/vuln/detail/CVE-2023-27371)) - vim ([CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426)) #### Bug fixes: - Ensured that the folder `/var/log/sssd` is created if it doesn't exist, required for `sssd.service` ([Flatcar#1096](https://github.com/flatcar/Flatcar/issues/1096)) - Worked around a bash regression in `flatcar-install` and added error reporting for disk write failures ([Flatcar#1059](https://github.com/flatcar/Flatcar/issues/1059)) #### Changes: - Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness ([Flatcar#1082](https://github.com/flatcar/Flatcar/issues/1082)) - Updated locksmith to use non-deprecated resource control options in the systemd unit ([Locksmith#20](https://github.com/flatcar/locksmith/pull/20)) - SDK: Added the `build_sysext` script to ease building systemd-sysext images for Flatcar ([Flatcar#1052](https://github.com/flatcar/Flatcar/issues/1052), [scripts#920](https://github.com/flatcar/scripts/pull/920)) #### Updates: - Linux ([6.1.37](https://lwn.net/Articles/937082) (includes [6.1.36](https://lwn.net/Articles/936674), [6.1.35](https://lwn.net/Articles/935588))) - OpenSSL ([3.0.9](https://github.com/openssl/openssl/blob/openssl-3.0.9/NEWS.md#major-changes-between-openssl-308-and-openssl-309-30-may-2023)) - XZ utils ([5.4.3](https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=2f4d35adca6198671434d2988803cc9316ad1ec8;hb=dbb3a536ed9873ffa0870321f6873e564c6a9da8)) - bind tools ([9.16.41](https://bind9.readthedocs.io/en/v9.16.41/notes.html#notes-for-bind-9-16-41)) - bpftool ([6.3](https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/log/tools/bpf/bpftool?h=v6.3)) - ca-certificates ([3.91](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html)) - coreutils ([9.3](https://lists.gnu.org/archive/html/info-gnu/2023-04/msg00006.html)) - curl ([8.1.2](https://curl.se/changes.html#8_1_2)) - diffutils ([3.10](https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00009.html)) - ethtool ([6.3](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/commit/?id=7bdf78f0d2a9ae1571fe9444e552490130e573fd)) - gawk ([5.2.2](https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00008.html)) - gdb ([13.2](https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00011.html)) - grep ([3.11](https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00004.html)) - hwdata ([0.371](https://github.com/vcrhonek/hwdata/commits/v0.371)) - intel-microcode ([20230512](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230512)) - iproute ([6.3.0](https://lwn.net/Articles/930473/)) - less ([633](http://www.greenwoodsoftware.com/less/news.633.html)) - libgpg-error ([1.47](https://dev.gnupg.org/T6231)) - libmicrohttpd ([0.9.76](https://lists.gnu.org/archive/html/libmicrohttpd/2023-02/msg00000.html)) - libpcap ([1.10.4](https://github.com/the-tcpdump-group/libpcap/blob/24832dd2728bd95ed9b9464ef27b47a943c38003/CHANGES#L51)) - multipath-tools ([0.9.5](https://github.com/opensvc/multipath-tools/commits/0.9.5)) - pciutils ([3.10.0](https://github.com/pciutils/pciutils/blob/v3.10.0/ChangeLog)) - sqlite ([3.42.0](https://sqlite.org/releaselog/3_42_0.html)) - strace ([6.3](https://github.com/strace/strace/releases/tag/v6.3)) - vim ([9.0.1503](https://github.com/vim/vim/commits/v9.0.1503)) - wget ([1.21.4](https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00003.html)) - whois ([5.5.17](https://github.com/rfc1036/whois/commit/bac7108b01cfd54c517444efa1239e10e6edd5a4)) - SDK: portage ([3.0.46](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.46)) - SDK: python ([3.10.12](https://www.python.org/downloads/release/python-31012/)) ### New Beta Release 3602.1.2 _Changes since **Beta 3602.1.1**_ #### Security fixes: - Linux ([CVE-2023-3338](https://nvd.nist.gov/vuln/detail/CVE-2023-3338), [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390)) #### Bug fixes: - Ensured that the folder `/var/log/sssd` is created if it doesn't exist, required for `sssd.service` ([Flatcar#1096](https://github.com/flatcar/Flatcar/issues/1096)) - Worked around a bash regression in `flatcar-install` and added error reporting for disk write failures ([Flatcar#1059](https://github.com/flatcar/Flatcar/issues/1059)) #### Changes: - Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness ([Flatcar#1082](https://github.com/flatcar/Flatcar/issues/1082)) #### Updates: - Linux ([5.15.119](https://lwn.net/Articles/936675) (includes [5.15.118](https://lwn.net/Articles/935584))) - ca-certificates ([3.91](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html)) ### New Stable Release 3510.2.4 _Changes since **Stable 3510.2.3**_ #### Security fixes: - Linux ([CVE-2023-2124](https://nvd.nist.gov/vuln/detail/CVE-2023-2124), [CVE-2023-3212](https://nvd.nist.gov/vuln/detail/CVE-2023-3212), [CVE-2023-35788](https://nvd.nist.gov/vuln/detail/CVE-2023-35788)) #### Bug fixes: #### Changes: - Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness ([Flatcar#1082](https://github.com/flatcar/Flatcar/issues/1082)) #### Updates: - Linux ([5.15.117](https://lwn.net/Articles/934622) (includes [5.15.116](https://lwn.net/Articles/934320), [5.15.115](https://lwn.net/Articles/933909), [5.15.114](https://lwn.net/Articles/933280))) - ca-certificates ([3.91](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html)) ### Detailed Security Report **Security fix**: With the Alpha 3654.0.0, Beta 3602.1.2, Stable 3510.2.4 release(s) we ship fixes for the CVEs listed below. #### Alpha 3654.0.0 * Linux * [CVE-2023-3269](https://nvd.nist.gov/vuln/detail/CVE-2023-3269) CVSSv3 score: n/a A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges. As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging. * [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390) CVSSv3 score: n/a A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97. * OpenSSL * [CVE-2023-2650](https://nvd.nist.gov/vuln/detail/CVE-2023-2650) CVSSv3 score: 7.5(High) Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low. * libmicrohttpd * [CVE-2023-27371](https://nvd.nist.gov/vuln/detail/CVE-2023-27371) CVSSv3 score: 5.9(Medium) GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function. * vim * [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) CVSSv3 score: 5.5(Medium) Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499. #### Beta 3602.1.2 * Linux * [CVE-2023-3338](https://nvd.nist.gov/vuln/detail/CVE-2023-3338) CVSSv3 score: n/a A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system. * [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390) CVSSv3 score: n/a A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97. #### Stable 3510.2.4 * Linux * [CVE-2023-2124](https://nvd.nist.gov/vuln/detail/CVE-2023-2124) CVSSv3 score: 7.8(High) An out-of-bounds memory access flaw was found in the Linux kernel’s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system. * [CVE-2023-3212](https://nvd.nist.gov/vuln/detail/CVE-2023-3212) CVSSv3 score: 4.4(Medium) A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic. * [CVE-2023-35788](https://nvd.nist.gov/vuln/detail/CVE-2023-35788) CVSSv3 score: 7.8(High) An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation. Best, The Flatcar Container Linux Maintainers --- ### Communication #### Go/No-Go message for Matrix/Slack Go/No-Go Meeting for Alpha 3654.0.0, Beta 3602.1.2, Stable 3510.2.4 Pre-view images are available in https://bincache.flatcar-linux.net/images/amd64/$VERSION/ Tracking issue: https://github.com/flatcar/Flatcar/issues/1106 The Go/No-Go document is in our HackMD @flatcar namespace Link: https://hackmd.io/thYlqweJSsOEhpjLvlv48Q?view Please give your Go/No-Go vote with 💚 for Go, ❌ for No-Go, and ✋ for Wait. Contributors & community feel free to put your suggestions, thoughts or comments on the document or here in the chat. @MAINTAINER @MAINTAINER @MAINTAINER #### Mastodon _The toot (from [@flatcar](https://hachyderm.io/@flatcar)) goes out after the changelog update has been published; it includes a link to the web changelog._ New Flatcar Alpha 3654.0.0, Beta 3602.1.2, Stable 3510.2.4 releases now available! 📦 Many package updates: Linux, bpftool, coreutils and more 🔒 CVE fixes & security patches: Linux, OpenSSL 📜 Release notes at the usual spot: https://www.flatcar.org/releases/ #linux #containers #cloudnative #containerlinux #### Kubernetes Slack _This goes in the #flatcar channel_ Please welcome Flatcar releases of this month: - Alpha 3654.0.0 (new major) - Beta 3602.1.2 (maintenance release) - Stable 3510.2.4 (maintenance release) These releases include: 📦 Many package updates: Linux, bpftool, coreutils and more 🔒 CVE fixes & security patches: Linux, OpenSSL 📜 Release notes at the usual spot: https://www.flatcar.org/releases/