Description: The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

Affected Versions
kubelet v1.18.0-1.18.5
kubelet v1.17.0-1.17.8
kubelet < v1.16.13

Fixed Versions
kubelet master - fixed by #92916
kubelet v1.18.6 - fixed by #92921
kubelet v1.17.9 - fixed by #92923
kubelet v1.16.13 - fixed by #92924
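Added example (not from the advisory or from Kubernetes itself): a node-side check an operator can run while kubelets in the affected ranges are still deployed. It assumes the default kubelet pod directory layout, where the managed hosts file lives at /var/lib/kubelet/pods/<pod-uid>/etc-hosts, and reports pods whose file has grown past a limit, since the unpatched eviction manager does not count that growth.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ScanEtcHosts walks podsDir (normally /var/lib/kubelet/pods on a node) and returns
// the size of every <pod-uid>/etc-hosts file, keyed by pod UID; pods without one are skipped.
func ScanEtcHosts(podsDir string) (map[string]int64, error) {
	entries, err := os.ReadDir(podsDir)
	if err != nil {
		return nil, err
	}
	sizes := make(map[string]int64)
	for _, e := range entries {
		if !e.IsDir() {
			continue
		}
		info, err := os.Stat(filepath.Join(podsDir, e.Name(), "etc-hosts"))
		if err != nil {
			continue // no kubelet-managed hosts file in this pod dir
		}
		sizes[e.Name()] = info.Size()
	}
	return sizes, nil
}

// OverLimit returns the UIDs of pods whose etc-hosts exceeds limit bytes: on an
// unpatched kubelet this growth is invisible to the eviction manager's accounting.
func OverLimit(sizes map[string]int64, limit int64) []string {
	var hits []string
	for uid, n := range sizes {
		if n > limit {
			hits = append(hits, uid)
		}
	}
	return hits
}

func main() {
	sizes, err := ScanEtcHosts("/var/lib/kubelet/pods")
	if err != nil {
		panic(err)
	}
	for _, uid := range OverLimit(sizes, 1<<20) { // report anything over 1 MiB
		fmt.Printf("pod %s: etc-hosts is %d bytes\n", uid, sizes[uid])
	}
}
```

The 1 MiB threshold is an arbitrary assumption; a sane managed hosts file is a few hundred bytes, so anything far above that is worth a look on an unpatched node.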
Maintainer, please bump.
Oops, another one. My previous comment refers to CVE-2020-8557.

CVE-2020-8559: If an attacker is able to intercept certain requests to the Kubelet, they can send a redirect response that may be followed by a client using the credentials from the original request. This can lead to compromise of other nodes.

If multiple clusters share the same certificate authority trusted by the client, and the same authentication credentials, this vulnerability may allow an attacker to redirect the client to another cluster. In this configuration, this vulnerability should be considered High severity.

Affected Versions
kube-apiserver v1.18.0-1.18.5
kube-apiserver v1.17.0-1.17.8
kube-apiserver v1.16.0-1.16.12
all kube-apiserver versions prior to v1.16.0

Fixed Versions
kube-apiserver master - fixed by #92941
kube-apiserver v1.18.6 - fixed by #92969
kube-apiserver v1.17.9 - fixed by #92970
kube-apiserver v1.16.13 - fixed by #92971
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ecb23129160a5563652f7133ceef6af7fede5ca

commit 1ecb23129160a5563652f7133ceef6af7fede5ca
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-07-24 18:12:00 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-07-24 18:16:39 +0000

    sys-cluster/kubernetes: 1.16.13 1.17.9 1.18.6 security bump

    Bug: https://bugs.gentoo.org/732762
    Closes: https://github.com/gentoo/gentoo/pull/9963
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 sys-cluster/kubernetes/Manifest                  |  3 +
 sys-cluster/kubernetes/kubernetes-1.16.13.ebuild | 90 ++++++++++++++++++++++++
 sys-cluster/kubernetes/kubernetes-1.17.9.ebuild  | 90 ++++++++++++++++++++++++
 sys-cluster/kubernetes/kubernetes-1.18.6.ebuild  | 90 ++++++++++++++++++++++++
 4 files changed, 273 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d5c81e3a09631096b050b94aafb25d0bbf0bfa0

commit 1d5c81e3a09631096b050b94aafb25d0bbf0bfa0
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-07-24 18:34:45 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-07-24 18:35:51 +0000

    sys-cluster/kubernetes: security cleanup

    Bug: https://bugs.gentoo.org/732762
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 sys-cluster/kubernetes/Manifest                    |  6 --
 .../kubernetes/kubernetes-1.16.11-r1.ebuild        | 90 ----------------------
 sys-cluster/kubernetes/kubernetes-1.16.11.ebuild   | 90 ----------------------
 .../kubernetes/kubernetes-1.16.12-r1.ebuild        | 90 ----------------------
 sys-cluster/kubernetes/kubernetes-1.16.12.ebuild   | 90 ----------------------
 sys-cluster/kubernetes/kubernetes-1.17.7-r1.ebuild | 90 ----------------------
 sys-cluster/kubernetes/kubernetes-1.17.7.ebuild    | 90 ----------------------
 sys-cluster/kubernetes/kubernetes-1.17.8-r1.ebuild | 90 ----------------------
 sys-cluster/kubernetes/kubernetes-1.17.8.ebuild    | 90 ----------------------
 sys-cluster/kubernetes/kubernetes-1.18.4-r1.ebuild | 90 ----------------------
 sys-cluster/kubernetes/kubernetes-1.18.4.ebuild    | 90 ----------------------
 sys-cluster/kubernetes/kubernetes-1.18.5-r1.ebuild | 90 ----------------------
 sys-cluster/kubernetes/kubernetes-1.18.5.ebuild    | 90 ----------------------
 13 files changed, 1086 deletions(-)
Thanks William.
If we can't move kubernetes into split packages, we will actually need cleanup for kubelet <1.17.9.
Cleanup done, all done!