From: vanusuri@mvista.com
To: meta-virtualization@lists.yoctoproject.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566
Date: Tue, 22 Aug 2023 13:57:52 +0530 [thread overview]
Message-ID: <20230822082752.121479-1-vanusuri@mvista.com> (raw)
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-commit:https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b
& https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../kubernetes/kubernetes/CVE-2020-8565.patch | 24 +++++++
.../kubernetes/kubernetes/CVE-2020-8566.patch | 67 +++++++++++++++++++
.../kubernetes/kubernetes_git.bb | 2 +
3 files changed, 93 insertions(+)
create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
new file mode 100644
index 0000000..c3772e9
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
@@ -0,0 +1,24 @@
+From f0f52255412cbc6834bd225a59608ebb4a0d399b Mon Sep 17 00:00:00 2001
+From: Sam Fowler <sfowler@redhat.com>
+Date: Tue, 6 Oct 2020 11:10:38 +1000
+Subject: [PATCH] Mask bearer token in logs when logLevel >= 9
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b]
+CVE: CVE-2020-8565
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ staging/src/k8s.io/client-go/transport/round_trippers.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/staging/src/k8s.io/client-go/transport/round_trippers.go b/staging/src/k8s.io/client-go/transport/round_trippers.go
+index a05208d924d3b..f4cfadbd3da8e 100644
+--- a/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
++++ b/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
+@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string {
+ headers := ""
+ for key, values := range r.RequestHeaders {
+ for _, value := range values {
++ value = maskValue(key, value)
+ headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
+ }
+ }
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
new file mode 100644
index 0000000..7ed812d
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
@@ -0,0 +1,67 @@
+From e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea Mon Sep 17 00:00:00 2001
+From: Sam Fowler <sfowler@redhat.com>
+Date: Fri, 2 Oct 2020 10:48:11 +1000
+Subject: [PATCH] Mask Ceph RBD adminSecrets in logs when logLevel >= 4
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea]
+CVE: CVE-2020-8566
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/volume/rbd/rbd_util.go | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/pkg/volume/rbd/rbd_util.go b/pkg/volume/rbd/rbd_util.go
+index 85044e85fde..9593348de37 100644
+--- a/src/import/pkg/volume/rbd/rbd_util.go
++++ b/src/import/pkg/volume/rbd/rbd_util.go
+@@ -592,9 +592,9 @@ func (util *RBDUtil) CreateImage(p *rbdVolumeProvisioner) (r *v1.RBDPersistentVo
+ volSz := fmt.Sprintf("%d", sz)
+ mon := util.kernelRBDMonitorsOpt(p.Mon)
+ if p.rbdMounter.imageFormat == rbdImageFormat2 {
+- klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
++ klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
+ } else {
+- klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
++ klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
+ }
+ args := []string{"create", p.rbdMounter.Image, "--size", volSz, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key=" + p.rbdMounter.adminSecret, "--image-format", p.rbdMounter.imageFormat}
+ if p.rbdMounter.imageFormat == rbdImageFormat2 {
+@@ -629,7 +629,7 @@ func (util *RBDUtil) DeleteImage(p *rbdVolumeDeleter) error {
+ }
+ // rbd rm.
+ mon := util.kernelRBDMonitorsOpt(p.rbdMounter.Mon)
+- klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
++ klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
+ output, err = p.exec.Command("rbd",
+ "rm", p.rbdMounter.Image, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key="+p.rbdMounter.adminSecret).CombinedOutput()
+ if err == nil {
+@@ -661,7 +661,7 @@ func (util *RBDUtil) ExpandImage(rbdExpander *rbdVolumeExpander, oldSize resourc
+
+ // rbd resize.
+ mon := util.kernelRBDMonitorsOpt(rbdExpander.rbdMounter.Mon)
+- klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key %s", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId, rbdExpander.rbdMounter.adminSecret)
++ klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key <masked>", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId)
+ output, err = rbdExpander.exec.Command("rbd",
+ "resize", rbdExpander.rbdMounter.Image, "--size", newVolSz, "--pool", rbdExpander.rbdMounter.Pool, "--id", rbdExpander.rbdMounter.adminId, "-m", mon, "--key="+rbdExpander.rbdMounter.adminSecret).CombinedOutput()
+ if err == nil {
+@@ -703,7 +703,7 @@ func (util *RBDUtil) rbdInfo(b *rbdMounter) (int, error) {
+ // # image does not exist (exit=2)
+ // rbd: error opening image 1234: (2) No such file or directory
+ //
+- klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
++ klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
+ output, err = b.exec.Command("rbd",
+ "info", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret, "-k=/dev/null", "--format=json").CombinedOutput()
+
+@@ -766,7 +766,7 @@ func (util *RBDUtil) rbdStatus(b *rbdMounter) (bool, string, error) {
+ // # image does not exist (exit=2)
+ // rbd: error opening image kubernetes-dynamic-pvc-<UUID>: (2) No such file or directory
+ //
+- klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
++ klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
+ cmd, err = b.exec.Command("rbd",
+ "status", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret).CombinedOutput()
+ output = string(cmd)
+--
+2.25.1
+
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index c73f988..2b0bfb7 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -12,6 +12,8 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=k
file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
file://0001-cross-don-t-build-tests-by-default.patch \
file://CVE-2020-8564.patch \
+ file://CVE-2020-8565.patch \
+ file://CVE-2020-8566.patch \
"
DEPENDS += "rsync-native \
--
2.25.1
next reply other threads:[~2023-08-22 8:28 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-22 8:27 vanusuri [this message]
2023-08-27 13:32 ` [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566 Bruce Ashfield
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230822082752.121479-1-vanusuri@mvista.com \
--to=vanusuri@mvista.com \
--cc=meta-virtualization@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).