Announcing new releases Alpha 3732.0.0, Beta 3602.1.6, Stable 3510.2.8

17 views
Skip to first unread message

Flatcar Container Linux User

unread,
Sep 21, 2023, 11:34:28 AM9/21/23
to Flatcar Container Linux User

Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable channel.

New Alpha Release 3732.0.0

Changes since Alpha 3717.0.0

Known issues:
  • Regression in Kernel 6.1.54, so that a specific cgroupv1 sysfs entry for reading Kernel memory limit disappeared. Container runtimes like runc are mainly affected. The issue was already reported to the upstream Kernel community.
Security fixes:Bug fixes:
  • Fix the RemainAfterExit clause in nvidia.service (Flatcar#1169)
  • Fixed bug in handling renamed network interfaces when generating login issue (init#102)
Changes:
  • OEM vendor tools are now A/B updated if they are shipped as systemd-sysext images, the migration happens when both partitions require a systemd-sysext OEM image - note that this will delete the nvidia.service from /etc on Azure because it’s now part of /usr (Flatcar#60)
  • Azure: Add support for Microsoft Azure Network Adapter (MANA) NICs on Azure (scripts#1131)
Updates:New Beta Release 3602.1.6

Changes since Beta 3602.1.5

Changes:
  • Azure: Add support for Microsoft Azure Network Adapter (MANA) NICs on Azure (scripts#1131)
Updates:New Stable Release 3510.2.8

Changes since Stable 3510.2.7

Security fixes:Changes:
  • Azure: Add support for Microsoft Azure Network Adapter (MANA) NICs on Azure (scripts#1131)
Updates:
Detailed Security Report

Security fix: With the Alpha 3732.0.0, Beta 3602.1.6, Stable 3510.2.8 releases we ship fixes for the CVEs listed below.

Alpha 3732.0.0

  • Go

    • CVE-2023-39318 CVSSv3 score: 6.1(Medium)
      The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
    • CVE-2023-39319 CVSSv3 score: 6.1(Medium)
      The html/template package does not apply the proper rules for handling occurrences of "<script", "<!–", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
    • CVE-2023-39320 CVSSv3 score: 9.8(Critical)
      The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
    • CVE-2023-39321 CVSSv3 score: 7.5(High)
      Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
    • CVE-2023-39322 CVSSv3 score: 7.5(High)
      QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.

  • Linux

    • CVE-2023-25775 CVSSv3 score: 9.8(Critical)
      Improper access control in the Intel® Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
    • CVE-2023-4623 CVSSv3 score: n/a
      A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.
      We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.

  • SDK: Python

    • CVE-2023-40217 CVSSv3 score: 5.3(Medium)
      An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
    • CVE-2023-41105 CVSSv3 score: 7.5(High)
      An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

  • nvidia-drivers

    • CVE-2023-25515 CVSSv3 score: 7.6(High)
      NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability where unexpected untrusted data is parsed, which may lead to code execution, denial of service, escalation of privileges, data tampering, or information disclosure.

    • CVE-2023-25516 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause an integer overflow, which may lead to information disclosure and denial of service.

  • torcx

    • CVE-2022-28948 CVSSv3 score: 7.5(High)
      An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
Stable 3510.2.8
  • Linux

    • CVE-2023-20588 CVSSv3 score: 5.5(Medium)
      A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.

    • CVE-2023-3772 CVSSv3 score: 4.4(Medium)
      A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.

    • CVE-2023-40283 CVSSv3 score: 7.8(High)
      An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.

    • CVE-2023-4128 CVSSv3 score: n/a
      A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.

    • CVE-2023-4206 CVSSv3 score: n/a
      A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
      We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.

    • CVE-2023-4207 CVSSv3 score: n/a
      A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
      We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.

    • CVE-2023-4208 CVSSv3 score: n/a
      A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
      We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.

    • CVE-2023-4273 CVSSv3 score: 6.7(Medium)
      A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.

    • CVE-2023-4569 CVSSv3 score: 5.5(Medium)
      A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which results in a memory leak.

Best,
The Flatcar Container Linux Maintainers
Reply all
Reply to author
Forward
This conversation is locked
You cannot reply and perform actions on locked conversations.
0 new messages