With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.

@maintainer(s): Please consider dropping vulnerable versions <1.10.11

Gentoo Security Padawan
(domhnall)
(In reply to D'juan McDonald (domhnall) from comment #0)
> With a specially crafted request, users that are authorized to establish a
> connection through the Kubernetes API server to a backend server can then
> send arbitrary requests over the same connection directly to that backend,
> authenticated with the Kubernetes API server’s TLS credentials used to
> establish the backend connection.
>
> @maintainer(s): Please consider dropping vulnerable versions <1.10.11
>
> Gentoo Security Padawan
> (domhnall)

Please re-read the upstream report regarding the versions which are fixed, then take another look at the versions in the tree. After that, fix this bug report.
Thanks to Darren Shepherd for reporting this problem.

CVE-2018-1002105 is fixed in the following Kubernetes releases:
  v1.10.11
  v1.11.5
  v1.12.3
  v1.13.0-rc.1

Affected components:
  Kubernetes API server

Affected versions:
  Kubernetes v1.0.x-1.9.x
  Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
  Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
  Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)
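The confusion in this bug is about which version lines are fixed, so here is a small checker that encodes the affected ranges exactly as the upstream advisory above lists them. It is an added example written for this thread, not code from the Kubernetes project or from Gentoo; the function name is made up, and two assumptions are mine: a pre-release tag of the first fixed patch release (e.g. v1.10.11-beta.0) is treated as still affected because it precedes the fix, and 1.13 is treated as fixed because the advisory names v1.13.0-rc.1 as a fixed release and lists no 1.13 range as affected.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// versionRe accepts kube-apiserver GitVersion strings such as "v1.10.11",
// "1.12.2" or "v1.13.0-rc.1", with optional build metadata ("+...").
var versionRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$`)

// firstFixed maps a 1.x minor line to the first patch release that carries
// the fix, taken from the advisory quoted in this bug.
var firstFixed = map[int]int{10: 11, 11: 5, 12: 3}

// AffectedByCVE20181002105 (hypothetical name) reports whether a Kubernetes
// API server version falls inside one of the affected ranges named by the
// advisory. It returns an error for strings it cannot parse rather than
// guessing.
func AffectedByCVE20181002105(version string) (bool, error) {
	m := versionRe.FindStringSubmatch(version)
	if m == nil {
		return false, fmt.Errorf("unrecognised version string %q", version)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	prerelease := m[4]

	if major != 1 {
		// Only 1.x lines are named by the advisory.
		return false, nil
	}
	switch {
	case minor <= 9:
		// v1.0.x-1.9.x: affected, and no fixed release exists in these lines.
		return true, nil
	case minor >= 13:
		// Assumption: v1.13.0-rc.1 is listed as fixed and no 1.13 range is
		// listed as affected, so 1.13 and later are treated as fixed.
		return false, nil
	}

	fixed := firstFixed[minor]
	if patch < fixed {
		return true, nil
	}
	if patch == fixed && prerelease != "" {
		// Assumption: a pre-release of the fixed patch (v1.10.11-beta.0 etc.)
		// sorts before the fix itself, so it is conservatively reported as affected.
		return true, nil
	}
	return false, nil
}

func main() {
	// Constructed sample inputs, one per advisory range plus a build-metadata case.
	for _, v := range []string{"v1.9.11", "v1.10.10", "v1.10.11", "v1.11.4",
		"v1.11.5", "v1.12.2", "v1.12.3", "v1.13.0-rc.1", "1.10.11+gentoo"} {
		affected, err := AffectedByCVE20181002105(v)
		if err != nil {
			fmt.Println(v, "->", err)
			continue
		}
		fmt.Printf("%-16s affected=%v\n", v, affected)
	}
}
```

Feed it the GitVersion from `kubectl version` (server side) or the package version in the tree; anything outside the listed ranges is reported as not affected, which is what the advisory supports, no more.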
@maintainer, please clean up the vulnerable versions.
Arches and Maintainer(s), Thank you for your work.