Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, and Stable channels.
Alpha 3815.0.0
Changes since Alpha 3794.0.0

Security fixes:
Bug fixes:
- Deleted files in /etc that have a tmpfiles rule that normally would recreate them will now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)
- Fixed the missing /etc/extensions/ symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 (update_engine#32)
- GCP: Fixed OS Login enabling (scripts#1445)
Changes:
- GCP OEM images now use a systemd-sysext image for layering additional platform-specific software on top of /usr and being part of the OEM A/B updates (flatcar#1146)
Updates:

Beta 3760.1.1
Changes since Beta 3760.1.0

Security fixes:
Bug fixes:
- Deleted files in /etc that have a tmpfiles rule that normally would recreate them will now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)
- Fixed the missing /etc/extensions/ symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 (update_engine#32)
- GCP: Fixed OS Login enabling (scripts#1445)
Changes:
- linux kernel: added zstd support for squashfs kernel module (scripts#1297)
Updates:

Stable 3602.2.3
Changes since Stable 3602.2.2

Security fixes:
Bug fixes:
- Deleted files in /etc that have a tmpfiles rule that normally would recreate them will now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)
Updates:

Detailed Security Report
Security fix: With the Alpha 3815.0.0, Beta 3760.1.1, Stable 3602.2.3 releases we ship fixes for the CVEs listed below.
Alpha 3815.0.0
- Go
  - CVE-2023-39326 CVSSv3 score: 5.3 (Medium)
    A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
  - CVE-2023-45285 CVSSv3 score: 7.5 (High)
    Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
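To make the CVE-2023-39326 mitigation concrete, the following is an added example (not Go's net/http code, and not part of this announcement) of a chunked-body decoder that applies the kind of guard described above: it counts every wire byte that is not body data as "excess", credits the data bytes against it, and refuses the body once the excess passes a budget. The 16 KiB budget, the function names and the constructed sample bodies are assumptions of this example, not values from the Go fix.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrTooMuchOverhead is returned when chunk framing (size lines, extensions,
// CRLFs) outgrows the delivered body data by more than the caller's budget.
var ErrTooMuchOverhead = errors.New("chunked encoding contains too much non-data")

// ReadChunkedBody decodes a chunked transfer-encoded body from r. Every wire
// byte that is not body data adds to "excess"; every announced data byte
// subtracts from it (floored at zero). Exceeding maxExcess rejects the body,
// so a sender cannot make the receiver consume unbounded framing per data byte.
func ReadChunkedBody(r io.Reader, maxExcess int64) ([]byte, error) {
	br := bufio.NewReader(r)
	var body bytes.Buffer
	var excess int64
	for {
		line, err := br.ReadString('\n')
		if err != nil {
			return nil, fmt.Errorf("reading chunk-size line: %w", err)
		}
		excess += int64(len(line)) // size digits, extension and CRLF are overhead

		header := strings.TrimRight(line, "\r\n")
		// Chunk extensions (";name=value") are metadata the receiver never
		// uses, so they are discarded here just as net/http discards them.
		if i := strings.IndexByte(header, ';'); i >= 0 {
			header = header[:i]
		}
		size, err := strconv.ParseInt(strings.TrimSpace(header), 16, 64)
		if err != nil || size < 0 {
			return nil, fmt.Errorf("bad chunk size %q", header)
		}

		// Credit the announced data bytes against the overhead seen so far.
		excess -= size
		if excess < 0 {
			excess = 0
		}
		if excess > maxExcess {
			return nil, ErrTooMuchOverhead
		}

		if size == 0 {
			// Last chunk: skip optional trailer lines up to the empty line.
			for {
				t, err := br.ReadString('\n')
				if err != nil {
					return nil, fmt.Errorf("reading trailer: %w", err)
				}
				if t == "\r\n" || t == "\n" {
					return body.Bytes(), nil
				}
			}
		}

		if _, err := io.CopyN(&body, br, size); err != nil {
			return nil, fmt.Errorf("reading chunk data: %w", err)
		}
		// The CRLF terminating the chunk data is overhead too.
		crlf, err := br.ReadString('\n')
		if err != nil {
			return nil, fmt.Errorf("reading chunk terminator: %w", err)
		}
		excess += int64(len(crlf))
	}
}

// BuildPaddedBody constructs a sample body of n one-byte chunks, each carrying
// an extension of extLen bytes, to show the guard tripping on such input.
func BuildPaddedBody(n, extLen int) string {
	var sb strings.Builder
	for i := 0; i < n; i++ {
		sb.WriteString("1;pad=" + strings.Repeat("a", extLen) + "\r\nx\r\n")
	}
	sb.WriteString("0\r\n\r\n")
	return sb.String()
}

func main() {
	const budget = 16 * 1024 // assumed overhead budget for this example

	// Constructed, well-formed body: framing is tiny relative to the data.
	good := "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
	b, err := ReadChunkedBody(strings.NewReader(good), budget)
	fmt.Printf("normal body: %q err=%v\n", b, err)

	// Constructed body with 4 KiB of extension per data byte: the decoder
	// stops well before consuming the whole stream.
	padded := BuildPaddedBody(8, 4096)
	_, err = ReadChunkedBody(strings.NewReader(padded), budget)
	fmt.Printf("padded body (%d wire bytes): err=%v\n", len(padded), err)
}
```

The point of the counter is that a legitimate body with occasional small extensions still decodes unchanged, while a stream whose framing dwarfs its payload is cut off early instead of being read to completion; a server that drains request bodies on behalf of handlers is protected by the same budget.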
- Linux
  - CVE-2023-6121 CVSSv3 score: n/a
    An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed (and potentially leaked) to the kernel ring buffer (dmesg).
Beta 3760.1.1
- Linux
  - CVE-2023-6121 CVSSv3 score: n/a
    An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed (and potentially leaked) to the kernel ring buffer (dmesg).

Stable 3602.2.3
- Linux
  - CVE-2023-46862 CVSSv3 score: 4.7 (Medium)
    An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.
  - CVE-2023-6121 CVSSv3 score: n/a
    An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed (and potentially leaked) to the kernel ring buffer (dmesg).
Best,
The Flatcar Container Linux Maintainers