CVE-2019-11252: The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes. Maintainer, it's unclear from $URL whether our versions have a cherry-picked fix so please advise on this.
We now have 1.16.13. I don't know whether the 1.16 and 1.17 versions in the tree are vulnerable or not, so I'll wait for a comment from the security team.
I meant to list the other versions we have. We currently have versions 1.16.13, 1.17.9 and 1.18.6.
It looks like this will not be backported to 1.16 or even 1.17 (see https://github.com/kubernetes/kubernetes/pull/89494#issuecomment-619260906, https://github.com/kubernetes/kubernetes/pull/88684#issuecomment-673731833). All versions of 1.18 and later appear to have the fix. William, is it possible at this point to drop the 1.17 branch from Gentoo?
Cleanup is done, trivial severity so no GLSA, all done!