Bug 791256 (CVE-2021-25737)

Summary:	<sys-cluster/kube-apiserver-{1.18.19,1.19.11,1.20.7,1.21.1}: host network hijack (CVE-2021-25737)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	williamh
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/kubernetes/kubernetes/issues/102106
Whiteboard:	B4 [noglsa]
Package list:	sys-cluster/kube-apiserver-1.18.19 * sys-cluster/kube-apiserver-1.19.11 * sys-cluster/kube-apiserver-1.20.7 *	Runtime testing required:	---

Description John Helmert III archtester

2021-05-21 03:17:53 UTC

From URL:

"A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
This issue has been rated Low (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N), and assigned CVE-2021-25737.
Affected Component
kube-apiserver"

Please stabilize the fixed versions - 1.18.19, 1.19.11, and 1.20.7.

Comment 1 NATTkA bot gentoo-dev

2021-06-07 20:12:21 UTC Comment hidden (obsolete)

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 2 John Helmert III archtester

2021-06-09 04:24:52 UTC

Well, stabilization already done. Please cleanup <1.18.19, <1.19.11, and <1.20.7.

Comment 3 Larry the Git Cow gentoo-dev

2021-06-09 05:03:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edd1a9504da1e0757ee90dc65da6e5491616f71a

commit edd1a9504da1e0757ee90dc65da6e5491616f71a
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-06-09 05:03:16 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-06-09 05:03:16 +0000

    sys-cluster/kube-apiserver: remove old versions
    
    Bug: https://bugs.gentoo.org/791256
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 sys-cluster/kube-apiserver/Manifest                |  4 ---
 .../kube-apiserver/kube-apiserver-1.18.18.ebuild   | 39 ---------------------
 .../kube-apiserver/kube-apiserver-1.19.10.ebuild   | 40 ----------------------
 .../kube-apiserver/kube-apiserver-1.20.6.ebuild    | 40 ----------------------
 .../kube-apiserver/kube-apiserver-1.21.0.ebuild    | 40 ----------------------
 5 files changed, 163 deletions(-)

Comment 4 NATTkA bot gentoo-dev

2021-08-31 21:36:43 UTC

Unable to check for sanity:

> no match for package: sys-cluster/kube-apiserver-1.18.19