Announcing new releases Alpha 3654.0.0, Beta 3602.1.2, Stable 3510.2.4


Flatcar Container Linux User

Jul 6, 2023, 10:50:57 AM
to Flatcar Container Linux User

Hello,
We are pleased to announce new Flatcar Container Linux releases for the Alpha, Beta and Stable channels.

New Alpha Release 3654.0.0

Changes since Alpha 3637.0.0

Security fixes: (see the Detailed Security Report below)
Bug fixes:
  • Ensured that the folder /var/log/sssd is created if it doesn’t exist, required for sssd.service (Flatcar#1096)
  • Worked around a bash regression in flatcar-install and added error reporting for disk write failures (Flatcar#1059)
Changes:
  • Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness (Flatcar#1082)
  • Updated locksmith to use non-deprecated resource control options in the systemd unit (Locksmith#20)
  • SDK: Added the build_sysext script to ease building systemd-sysext images for Flatcar (Flatcar#1052, scripts#920)
Updates:

New Beta Release 3602.1.2

Changes since Beta 3602.1.1

Security fixes: (see the Detailed Security Report below)
Bug fixes:
  • Ensured that the folder /var/log/sssd is created if it doesn’t exist, required for sssd.service (Flatcar#1096)
  • Worked around a bash regression in flatcar-install and added error reporting for disk write failures (Flatcar#1059)
Changes:
  • Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness (Flatcar#1082)
Updates:

New Stable Release 3510.2.4

Changes since Stable 3510.2.3

Security fixes: (see the Detailed Security Report below)
Bug fixes:
Changes:
  • Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness (Flatcar#1082)
Updates:

Detailed Security Report

Security fix: With the Alpha 3654.0.0, Beta 3602.1.2, Stable 3510.2.4 release(s) we ship fixes for the CVEs listed below.

Alpha 3654.0.0
  • Linux

    • CVE-2023-3269 CVSSv3 score: n/a
      A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka “Stack Rot”. The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges. As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging.

    • CVE-2023-3390 CVSSv3 score: n/a
      A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.

  • OpenSSL

    • CVE-2023-2650 CVSSv3 score: 7.5(High)
      Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.
      An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods.
      When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*).
      With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms.
      Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data.
      Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low.
      In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature.
      The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication.
      In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.
  • libmicrohttpd

    • CVE-2023-27371 CVSSv3 score: 5.9(Medium)
      GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.
  • vim

    • CVE-2023-2426 CVSSv3 score: 5.5(Medium)
      Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
Beta 3602.1.2
  • Linux
    • CVE-2023-3338 CVSSv3 score: n/a
      A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. A remote user could use this flaw to crash the system.
    • CVE-2023-3390 CVSSv3 score: n/a
      A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.
Stable 3510.2.4
  • Linux
    • CVE-2023-2124 CVSSv3 score: 7.8(High)
      An out-of-bounds memory access flaw was found in the Linux kernel’s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.
    • CVE-2023-3212 CVSSv3 score: 4.4(Medium)
      A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
    • CVE-2023-35788 CVSSv3 score: 7.8(High)
      An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.

Best,
The Flatcar Container Linux Maintainers
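As an added example (not code from this announcement or from the Flatcar project), the following parses the layout of the Detailed Security Report above into a per-channel list of fixed CVEs and tells a fleet operator which fixes a node at a given version still lacks. The report excerpt is constructed from the text above with shortened descriptions; the node version is assumed to be passed in as the VERSION value Flatcar writes to /etc/os-release rather than read from a live system.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed excerpt in the layout this announcement uses (descriptions shortened).
REPORT = """\
Alpha 3654.0.0
  • Linux
    • CVE-2023-3269 CVSSv3 score: n/a
      A flaw was found in the handling of stack expansion in the Linux kernel.
    • CVE-2023-3390 CVSSv3 score: n/a
  • OpenSSL
    • CVE-2023-2650 CVSSv3 score: 7.5(High)
Stable 3510.2.4
  • Linux
    • CVE-2023-2124 CVSSv3 score: 7.8(High)
    • CVE-2023-35788 CVSSv3 score: 7.8(High)
"""
class Fix(NamedTuple):
    package: str
    cve: str
    score: Optional[float]  # None where the report prints "n/a"
CHANNEL_RE = re.compile(r"^(Alpha|Beta|Stable) (\d+\.\d+\.\d+)$")
PACKAGE_RE = re.compile(r"^  • (\S+)$")  # two-space bullet: package name
CVE_RE = re.compile(r"^    • (CVE-\d{4}-\d+) CVSSv3 score: (n/a|\d+(?:\.\d+)?)")

def parse_report(text: str) -> Dict[str, dict]:
    """Map each channel to the version shipping the fixes and the CVEs it closes."""
    report: Dict[str, dict] = {}
    channel = package = None
    for line in text.splitlines():
        if m := CHANNEL_RE.match(line):
            channel = m.group(1)
            report[channel] = {"version": m.group(2), "fixes": []}
        elif m := PACKAGE_RE.match(line):
            package = m.group(1)
        elif channel and (m := CVE_RE.match(line)):
            # Description lines (six-space indent) match none of the patterns and are skipped.
            score = None if m.group(2) == "n/a" else float(m.group(2))
            report[channel]["fixes"].append(Fix(package, m.group(1), score))
    return report

def version_tuple(version: str):
    return tuple(int(part) for part in version.split("."))

def missing_fixes(report: Dict[str, dict], channel: str, node_version: str) -> List[Fix]:
    """Fixes a node at node_version (assumed caller-supplied VERSION from /etc/os-release) lacks."""
    entry = report[channel]
    if version_tuple(node_version) >= version_tuple(entry["version"]):
        return []
    return list(entry["fixes"])
```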
