Announcing new release Alpha 3549.0.0


Flatcar Container Linux User

Mar 21, 2023, 9:05:13 AM
to Flatcar Container Linux User

Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha channel.

New Alpha Release 3549.0.0

Changes since Alpha 3535.0.0

Security fixes: see the Security section below.
Bug fixes:
  • Restored support for specifying OEM partition files in Ignition when /usr/share/oem is given as the initrd mount point (bootengine#58)
Changes:
  • Added pigz to the image, a parallel gzip implementation, which is useful to speed up the (de)compression for large container image imports/exports (coreos-overlay#2504)
  • Added a new image signing public key to flatcar-install, needed for download verification of releases built from July 2023 onwards. If you keep your own copies of flatcar-install or of the image signing public key, you need to update them as well (init#92)
  • Enabled elfutils support in systemd-coredump. A backtrace will now appear in the journal for any program that dumps core (coreos-overlay#2489)
  • Specifying the OEM filesystem in Ignition to write files to /usr/share/oem is not needed anymore (bootengine#58)
Updates:
Security

With the Alpha 3549.0.0 release we ship fixes for the CVEs listed below.

Alpha 3549.0.0
  • GnuTLS

    • CVE-2023-0361 CVSSv3 score: 7.5(High)
      A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
  • Go

    • CVE-2023-24532 CVSSv3 score: 5.3(Medium)
      The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.
  • curl

    • CVE-2023-23914 CVSSv3 score: 9.1(Critical)
      A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.
    • CVE-2023-23915 CVSSv3 score: 6.5(Medium)
      A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.
    • CVE-2023-23916 CVSSv3 score: 7.5(High)
      An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
  • git

    • CVE-2023-22490 CVSSv3 score: n/a
      Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links, the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with --recurse-submodules. Instead, consider cloning repositories without recursively cloning their submodules, and instead run git submodule update at each layer. Before doing so, inspect each new .gitmodules file to ensure that it does not contain suspicious module URLs.
    • CVE-2023-23946 CVSSv3 score: 7.5(High)
      Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
  • pkgconf

    • CVE-2023-24056 CVSSv3 score: 5.5(Medium)
      In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes.
  • python

    • CVE-2023-24329 CVSSv3 score: 7.5(High)
      An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
  • vim

    • CVE-2023-0288 CVSSv3 score: 7.8(High)
      Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.
    • CVE-2023-0433 CVSSv3 score: 7.8(High)
      Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.
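The CVE-2023-24329 entry above describes a blocklist bypass via URLs that begin with blank characters. The following is an added example, not part of the release notes or of any Flatcar component: a naive host blocklist check that trusts urllib.parse on the raw string, beside a hardened check that rejects leading C0 control characters or spaces before parsing, so its result does not depend on whether the interpreter's urlsplit() is patched. The blocklist hosts are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# WHATWG "C0 control or space" range, U+0000..U+0020. A URL starting with any
# of these is what the CVE-2023-24329 description calls "blank characters".
_C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))

# Constructed blocklist for this example (hypothetical hosts).
BLOCKED_HOSTS = {"blocked.example"}


def is_blocked_naive(url: str) -> bool:
    """Pre-fix style check: trust urlsplit() on the raw string.

    On an unpatched interpreter, urlsplit(" https://blocked.example/") yields
    scheme="" and netloc="", so hostname is None and the lookup below misses,
    even though an HTTP client handed the same string may still reach the host.
    """
    parts = urlsplit(url)
    return parts.hostname in BLOCKED_HOSTS


def is_blocked_hardened(url: str) -> bool:
    """Defensive check that does not rely on urlsplit() stripping blanks.

    1. Reject (rather than silently strip) a URL whose first character is a
       C0 control character or space; a validator should not repair input.
    2. Require an explicit http/https scheme and a hostname; anything that
       fails to parse as such is treated as blocked, not as allowed.
    3. Compare the hostname case-insensitively against the blocklist.
    """
    if not url or url[0] in _C0_CONTROL_OR_SPACE:
        return True
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return True
    return parts.hostname.lower() in BLOCKED_HOSTS


if __name__ == "__main__":
    for candidate in ("https://blocked.example/", " https://blocked.example/",
                      "\thttps://blocked.example/", "https://allowed.example/"):
        print(repr(candidate), "naive:", is_blocked_naive(candidate),
              "hardened:", is_blocked_hardened(candidate))
```

On an unpatched interpreter the naive check reports the space- and tab-prefixed URLs as not blocked; the hardened check rejects them on every version.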

Best,
The Flatcar Container Linux Maintainers
