Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, and LTS channels.
New Alpha Release 3637.0.0
Changes since Alpha 3619.0.0
Security fixes:
Bug fixes:
- Resolved the conflicting FD usage of libselinux and systemd which caused, e.g., a systemd crash on certain watchdog interactions during shutdown (patch in systemd 252.11)
Changes:
- Added the TLS kernel module (scripts#865)
- Added support for multipart MIME userdata in coreos-cloudinit. Ignition now detects multipart userdata and delegates execution to coreos-cloudinit. (scripts#873)
- Enabled the virtio GPU driver (scripts#830)
- Migrated containerd.service to Type=notify, using containerd's existing sd_notify call, which is issued after its socket is set up (scripts#866)
- Migrated the NVIDIA installer from the Azure/AWS OEM partition to /usr to make it available on all platforms (scripts#932, Flatcar#1077)
- Azure and QEMU OEM images now use systemd-sysext images for layering additional platform-specific software on top of /usr. For Azure images this also means that the image has a normal Python installation available through the sysext image. The OEM software is still not updated but this will be added soon.
- Moved the mountpoint of the OEM partition from /usr/share/oem to /oem. /usr/share/oem became a symlink to /oem for backward compatibility. Despite the move, initrd images that provide files through /usr/share/oem should keep using /usr/share/oem. The move was done to enable activating the OEM sysext images that are placed in the OEM partition.
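As an added illustration of the multipart userdata handling described above (example code written for this note, not Ignition's or coreos-cloudinit's own implementation), the following Go program decides whether a userdata blob is MIME multipart, splits it into parts and labels each part by its Content-Type, while a JSON Ignition config or a bare cloud-config file falls through as "not multipart". The sample userdata and the Part type are constructed for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/textproto"
	"strings"
)

// Constructed sample userdata (not a real Flatcar payload): a MIME multipart
// message carrying one cloud-config part and one shell-script part.
const sampleUserdata = "Content-Type: multipart/mixed; boundary=\"==BOUNDARY==\"\r\n" +
	"MIME-Version: 1.0\r\n" +
	"\r\n" +
	"--==BOUNDARY==\r\n" +
	"Content-Type: text/cloud-config; charset=\"us-ascii\"\r\n" +
	"\r\n" +
	"#cloud-config\r\nhostname: node1\r\n" +
	"--==BOUNDARY==\r\n" +
	"Content-Type: text/x-shellscript; charset=\"us-ascii\"\r\n" +
	"\r\n" +
	"#!/bin/sh\necho hello\r\n" +
	"--==BOUNDARY==--\r\n"

// Part is one body part of the multipart userdata (hypothetical type).
type Part struct {
	ContentType string
	Body        string
}

// ParseMultipartUserdata splits a multipart MIME userdata blob into its parts.
// ok=false with a nil error means "not multipart": the caller should fall
// through to its ordinary JSON or cloud-config handling. An error is only
// returned for a payload that claims to be multipart but is malformed.
func ParseMultipartUserdata(data []byte) (parts []Part, ok bool, err error) {
	br := bufio.NewReader(bytes.NewReader(data))
	hdr, err := textproto.NewReader(br).ReadMIMEHeader()
	if err != nil {
		// No well-formed header block (JSON starts with '{', cloud-config
		// with '#'): this is not a MIME message.
		return nil, false, nil
	}
	mediaType, params, err := mime.ParseMediaType(hdr.Get("Content-Type"))
	if err != nil || !strings.HasPrefix(mediaType, "multipart/") {
		return nil, false, nil
	}
	boundary := params["boundary"]
	if boundary == "" {
		return nil, true, fmt.Errorf("multipart userdata without boundary parameter")
	}
	// br now points just past the blank line that ends the headers.
	mr := multipart.NewReader(br, boundary)
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			return parts, true, nil
		}
		if err != nil {
			return nil, true, err
		}
		body, err := io.ReadAll(p)
		if err != nil {
			return nil, true, err
		}
		ct, _, err := mime.ParseMediaType(p.Header.Get("Content-Type"))
		if err != nil {
			ct = "text/plain" // RFC 2046 default for a part with no usable type
		}
		parts = append(parts, Part{ContentType: ct, Body: string(body)})
	}
}

func main() {
	parts, ok, err := ParseMultipartUserdata([]byte(sampleUserdata))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("multipart:", ok)
	for i, p := range parts {
		fmt.Printf("part %d: %s (%d bytes)\n", i, p.ContentType, len(p.Body))
	}
}
```

The dispatch rule is deliberately narrow: only a payload that begins with a well-formed MIME header block whose Content-Type is multipart/* is handed to the part parser, so a boundary-looking string inside a JSON config or a script body cannot cause the blob to be misclassified and executed by the wrong handler.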
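The Type=notify change above relies on the sd_notify(3) protocol: the service sends READY=1 to the datagram socket systemd names in NOTIFY_SOCKET, and only then does systemd consider the unit started. As an added example written for this note (not containerd's or systemd's own code), the following Go program implements that handshake and binds its own listening socket before reporting readiness, so a unit ordered After= it cannot observe a missing socket. The socket path and the hypothetical helper names are assumptions of the example.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// sdNotify sends one state message over the socket systemd passes in
// NOTIFY_SOCKET (the sd_notify(3) wire format: a datagram of
// newline-separated KEY=VALUE lines). It reports whether anything was sent;
// without NOTIFY_SOCKET the process is not supervised with Type=notify and
// the call is a no-op, mirroring sd_notify's own behaviour. A leading '@'
// (abstract socket) is understood by Go's unix socket support on Linux.
func sdNotify(state string) (bool, error) {
	path := os.Getenv("NOTIFY_SOCKET")
	if path == "" {
		return false, nil
	}
	conn, err := net.DialUnix("unixgram", nil, &net.UnixAddr{Name: path, Net: "unixgram"})
	if err != nil {
		return false, fmt.Errorf("dial %s: %w", path, err)
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(state)); err != nil {
		return false, fmt.Errorf("notify: %w", err)
	}
	return true, nil
}

// serveAndNotify binds the service's own API socket first and only then
// reports READY=1, which is the ordering Type=notify exists to enforce.
// The returned listener is the caller's to close.
func serveAndNotify(sockPath string) (net.Listener, error) {
	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return nil, err
	}
	if _, err := sdNotify("READY=1\nSTATUS=listening on " + sockPath + "\n"); err != nil {
		ln.Close()
		return nil, err
	}
	return ln, nil
}

func main() {
	// Hypothetical socket path for the example.
	ln, err := serveAndNotify("/tmp/example-svc.sock")
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	defer ln.Close()
	fmt.Println("listening on", ln.Addr())
}
```

Sending READY=1 before the socket is bound would reintroduce the race the change removes: systemd would start dependents against a socket that does not exist yet.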
Updates:
New Beta Release 3602.1.1
Changes since Beta 3602.1.0
Bug fixes:
- Resolved the conflicting FD usage of libselinux and systemd which caused, e.g., a systemd crash on certain watchdog interactions during shutdown (patch in systemd 252.11)
Updates:
New Stable Release 3510.2.3
Changes since Stable 3510.2.2
Security fixes:
Updates:
New LTS Release 3033.3.14
Changes since LTS 3033.3.13
Security fixes:
Updates:
Detailed Security Report
Security fix: With the Alpha 3637.0.0, Beta 3602.1.1, Stable 3510.2.3, and LTS 3033.3.14 releases we ship fixes for the CVEs listed below.
Alpha 3637.0.0
Go
- CVE-2023-29402 CVSSv3 score: 9.8(Critical)
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
- CVE-2023-29403 CVSSv3 score: 7.8(High)
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
- CVE-2023-29404 CVSSv3 score: 9.8(Critical)
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
- CVE-2023-29405 CVSSv3 score: 9.8(Critical)
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
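The closed-stdio case in CVE-2023-29403 comes from a plain POSIX rule: open(2) returns the lowest free descriptor, so a privileged program started with stdin closed gets its next file on fd 0, where any later code that writes to "standard input/output" touches that file instead. The following Go program, an added example written for this note and not the Go runtime's own fix, shows the leak happening in an ordinary unprivileged process and the startup check a program can do on its own behalf regardless of runtime version. The temporary "secret" file is constructed for the demonstration; setuid is not needed to observe the mechanism.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// ensureStdioOpen checks file descriptors 0, 1 and 2 and points each closed
// one at /dev/null. It returns the descriptors it repaired. A privileged
// program should call it before opening anything else, so that a caller who
// execs it with stdin/stdout/stderr closed cannot make the program's next
// open() land on a descriptor that other code treats as a terminal or log.
func ensureStdioOpen() ([]int, error) {
	var repaired []int
	for fd := 0; fd <= 2; fd++ {
		var st syscall.Stat_t
		err := syscall.Fstat(fd, &st)
		if err == nil {
			continue // already open, leave it alone
		}
		if err != syscall.EBADF {
			return repaired, fmt.Errorf("fstat fd %d: %w", fd, err)
		}
		// open(2) hands out the lowest free descriptor; 0..fd-1 are known
		// to be open by now, so /dev/null must land exactly on fd.
		nfd, err := syscall.Open("/dev/null", syscall.O_RDWR, 0)
		if err != nil {
			return repaired, fmt.Errorf("open /dev/null: %w", err)
		}
		if nfd != fd {
			syscall.Close(nfd)
			return repaired, fmt.Errorf("expected /dev/null on fd %d, got %d", fd, nfd)
		}
		repaired = append(repaired, fd)
	}
	return repaired, nil
}

// demonstrate simulates a parent that closed stdin before exec, then shows
// the unrelated file silently becoming fd 0, and finally the repair.
// It returns the descriptor the "secret" file landed on before the repair,
// the descriptors ensureStdioOpen repaired, and the descriptor a file opened
// after the repair received.
func demonstrate() (leakedFD int, repaired []int, safeFD int, err error) {
	syscall.Close(0) // error ignored: fd 0 may already be closed by the caller

	// Constructed stand-in for a sensitive file the program opens for itself.
	secret, err := os.CreateTemp("", "secret-*")
	if err != nil {
		return 0, nil, 0, err
	}
	defer os.Remove(secret.Name())
	leakedFD = int(secret.Fd()) // 0: the secret is now the program's "stdin"
	secret.Close()              // fd 0 is free again

	repaired, err = ensureStdioOpen()
	if err != nil {
		return leakedFD, repaired, 0, err
	}

	after, err := os.CreateTemp("", "secret-*")
	if err != nil {
		return leakedFD, repaired, 0, err
	}
	defer os.Remove(after.Name())
	defer after.Close()
	return leakedFD, repaired, int(after.Fd()), nil
}

func main() {
	leaked, repaired, safe, err := demonstrate()
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("secret file landed on fd %d before the check\n", leaked)
	fmt.Printf("ensureStdioOpen repaired fds %v\n", repaired)
	fmt.Printf("file opened after the check landed on fd %d\n", safe)
}
```

The check costs three fstat calls and is harmless when stdio is intact; the point is that a setuid/setgid program must not assume anything about descriptors 0 to 2 that its unprivileged caller controls.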
VMware: open-vm-tools
- CVE-2023-20867 CVSSv3 score: n/a
A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.
c-ares
- CVE-2023-31124 CVSSv3 score: n/a
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
- CVE-2023-31130 CVSSv3 score: 6.4(Medium)
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
- CVE-2023-31147 CVSSv3 score: 6.5(Medium)
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
- CVE-2023-32067 CVSSv3 score: n/a
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
sudo
- CVE-2023-27320 CVSSv3 score: 7.2(High)
Sudo before 1.9.13p2 has a double free in the per-command chroot feature.
- CVE-2023-28486 CVSSv3 score: 5.3(Medium)
Sudo before 1.9.13 does not escape control characters in log messages.
- CVE-2023-28487 CVSSv3 score: 5.3(Medium)
Sudo before 1.9.13 does not escape control characters in sudoreplay output.
Stable 3510.2.3
Linux
- CVE-2022-48425 CVSSv3 score: 7.8(High)
In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.
LTS 3033.3.14
Linux
- CVE-2022-4269 CVSSv3 score: 5.5(Medium)
A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.
Best,
The Flatcar Container Linux Maintainers