Announcing new releases Alpha 3815.0.0, Beta 3760.1.1, Stable 3602.2.3


Flatcar Container Linux User

Dec 13, 2023, 11:38:25 AM12/13/23
to Flatcar Container Linux User

Hello,
We are pleased to announce new Flatcar Container Linux releases for the Alpha, Beta and Stable channels.


Alpha 3815.0.0

Changes since Alpha 3794.0.0

Security fixes:
  • Go (CVE-2023-39326, CVE-2023-45285)
  • Linux (CVE-2023-6121)
Bug fixes:
  • Files deleted from /etc that have a tmpfiles rule which would normally recreate them now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)
  • Fixed the missing /etc/extensions/ symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 (update_engine#32)
  • GCP: Fixed OS Login enabling (scripts#1445)
Changes:
  • GCP OEM images now use a systemd-sysext image for layering additional platform-specific software on top of /usr, so that this software is part of the OEM A/B updates (flatcar#1146)
Updates:

Beta 3760.1.1

Changes since Beta 3760.1.0

Security fixes:
  • Linux (CVE-2023-6121)
Bug fixes:
  • Files deleted from /etc that have a tmpfiles rule which would normally recreate them now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)
  • Fixed the missing /etc/extensions/ symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 (update_engine#32)
  • GCP: Fixed OS Login enabling (scripts#1445)
Changes:
  • linux kernel: added zstd support for the squashfs kernel module (scripts#1297)
Updates:

Stable 3602.2.3

Changes since Stable 3602.2.2

Security fixes:
  • Linux (CVE-2023-46862, CVE-2023-6121)
Bug fixes:
  • Files deleted from /etc that have a tmpfiles rule which would normally recreate them now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)
Updates:

Detailed Security Report

Security fix: With the Alpha 3815.0.0, Beta 3760.1.1, Stable 3602.2.3 releases we ship fixes for the CVEs listed below.

Alpha 3815.0.0
  • Go

    • CVE-2023-39326 CVSSv3 score: 5.3(Medium)
      A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
    • CVE-2023-45285 CVSSv3 score: 7.5(High)
      Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
  • Linux

    • CVE-2023-6121 CVSSv3 score: n/a
      An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed (and potentially leaked) to the kernel ring buffer (dmesg).
Beta 3760.1.1
  • Linux
    • CVE-2023-6121 CVSSv3 score: n/a
      An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed (and potentially leaked) to the kernel ring buffer (dmesg).
Stable 3602.2.3
  • Linux
    • CVE-2023-46862 CVSSv3 score: 4.7(Medium)
      An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.
    • CVE-2023-6121 CVSSv3 score: n/a
      An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed (and potentially leaked) to the kernel ring buffer (dmesg).

Best,
The Flatcar Container Linux Maintainers
