meta-virtualization.lists.yoctoproject.org archive mirror
From: "Sambu, Soumya" <Soumya.Sambu@windriver.com>
To: "meta-virtualization@lists.yoctoproject.org"
	<meta-virtualization@lists.yoctoproject.org>,
	"Sambu, Soumya" <Soumya.Sambu@windriver.com>,
	"bruce.ashfield@gmail.com" <bruce.ashfield@gmail.com>
Subject: Re: [meta-virtualization][mickledore][PATCH v3 1/1] kubernetes: Upgrade v1.27.1 -> v1.27.5
Date: Thu, 26 Oct 2023 11:18:05 +0000
Message-ID: <BYAPR11MB339736CD2663FA3421CD6FC681DDA@BYAPR11MB3397.namprd11.prod.outlook.com>
In-Reply-To: <1791A3F91AFAC571.20272@lists.yoctoproject.org>


Hi Bruce,

Below are the CVEs which are resolved with this upgrade in the mickledore branch, with vulnerable version details:

CVE-2023-2431:
Affected Versions
v1.27.0 - v1.27.1
v1.26.0 - v1.26.4
v1.25.0 - v1.25.9
<= v1.24.13

CVE-2023-2727, CVE-2023-2728:
Affected Versions
v1.27.0 - v1.27.2
v1.26.0 - v1.26.5
v1.25.0 - v1.25.10
<= v1.24.14

CVE-2023-3676, CVE-2023-3955:
Affected Versions
<= v1.28.0
<= v1.27.4
<= v1.26.7
<= v1.25.12
<= v1.24.16

The master-next branch has kubernetes 1.28.2 [https://git.yoctoproject.org/meta-virtualization/commit/?h=master-next&id=cfa0c956138814c1dcef26879cf240159bb7f097], which is not impacted by the above-mentioned CVEs.

The kirkstone branch has kubernetes v1.23.17, which is impacted by the above CVEs. I am planning to backport fixes for these CVEs on the kirkstone branch.

Regards,
Soumya
________________________________
From: meta-virtualization@lists.yoctoproject.org <meta-virtualization@lists.yoctoproject.org> on behalf of Soumya via lists.yoctoproject.org <soumya.sambu=windriver.com@lists.yoctoproject.org>
Sent: Thursday, October 26, 2023 4:43 PM
To: meta-virtualization@lists.yoctoproject.org <meta-virtualization@lists.yoctoproject.org>
Subject: [meta-virtualization][mickledore][PATCH v3 1/1] kubernetes: Upgrade v1.27.1 -> v1.27.5

From: Soumya Sambu <soumya.sambu@windriver.com>

Addresses CVE-2023-2431, CVE-2023-2727, CVE-2023-2728, CVE-2023-3676, CVE-2023-3955 and a few other bugs.

Bumping kubernetes to version v1.27.5, which comprises the following commits:

    38c97fa67ed Merge pull request #120135 from ritazh/cherry-pick-cve-2023-3955-1.27
    89048339422 Merge pull request #120130 from ritazh/cherry-pick-cve-2023-3676-1.27
    acc29048e6d Use environment varaibles for parameters in Powershell
    172644fb55d Use env varaibles for passing path
    00dfa0634be Merge pull request #119868 from liggitt/automated-cherry-pick-of-#119835-upstream-release-1.27
    3b6bcaa0b96 Avoid returning nil responseKind in v1beta1 aggregated discovery
    bd722aa3ff5 Merge pull request #119828 from jeremyrickard/go1207-1.27
    94b3e00eef0 [release-1.27] releng/go: Bump images, versions and deps to use Go 1.20.7
    de56018f04a Merge pull request #117269 from tnqn/automated-cherry-pick-of-#117245-#117249-upstream-release-1.27
    521580378aa Merge pull request #119363 from jsafrane/automated-cherry-pick-of-#117804-upstream-release-1.27
    d35a1c8a7a7 Merge pull request #119620 from liggitt/automated-cherry-pick-of-#117710-upstream-release-1.27
    579208d9616 Merge pull request #117486 from TommyStarK/automated-cherry-pick-of-#117449-upstream-release-1.27
    2ac615ccde3 Merge pull request #117235 from cvvz/automated-cherry-pick-of-#116134-origin-release-1.27
    559f43d49c6 Merge pull request #119466 from mimowo/automated-cherry-pick-of-#119434-upstream-release-1.27
    382c283f339 Merge pull request #119113 from champtar/automated-cherry-pick-of-#118922-upstream-release-1.27
    05b64c6b5e1 Merge pull request #119604 from a7i/automated-cherry-pick-of-#118549-upstream-release-1.27
    ecd45047e45 Merge pull request #119572 from andrewsykim/automated-cherry-pick-of-#118601-origin-release-1.27
    927dba2589a e2e_node: move getSampleDevicePluginPod to device_plugin_test.go
    db832fdfa67 fix 'pod' in kubelet prober metrics
    4c67c5d5e76 priority & fairness: support dynamically configuring work estimator max seats
    6d31f4b31ba Merge pull request #119519 from jingxu97/automated-cherry-pick-of-#118451-upstream-release-1.27
    17c98720e84 Add mininumKubelet tag into ReadWriteOncePod test
    ed0cdc9e0b2 Include ignored pods when computing backoff delay for Job pod failures
    ae24a5cf74b Remarks
    9e1050b4d90 Adjust the algorithm for computing the pod finish time
    fa950050cc9 Update CHANGELOG/CHANGELOG-1.27.md for v1.27.4
    fa3d7990104 Release commit for Kubernetes v1.27.4
    d794e0e5cf8 Merge pull request #119366 from xmudrii/go1206-1.27
    a1b127ca7a1 [release-1.27] releng/go: Bump images, versions and deps to use Go 1.20.6
    aefc4d0392a Rename updateReconstructedFromAPIServer
    eeba02fc625 Rename volumesNeedDevicePath
    5eb3b748e8e Update volumesInUse after attachability is confirmed
    f8bb161ab55 Add uncertain state of volume attach-ability
    08b7937d256 Refactor FindAttachablePluginBySpec out of CSI code path
    16fc1c954ce Merge pull request #119262 from HirazawaUi/automated-cherry-pick-of-#119229-upstream-release-1.27
    3ca3e0ad484 Merge pull request #118947 from Evan-Reilly/automated-cherry-pick-of-#118237-upstream-release-1.27
    5ee5d7346e1 Merge pull request #119096 from aleksandra-malinowska/automated-cherry-pick-of-#117865-upstream-release-1.27
    1484a5c32f0 Fix the converts an empty string to nil.
    b5c876a05b7 Merge pull request #117226 from princepereira/automated-cherry-pick-of-#116749-upstream-release-1.27
    d98c5b8a026 Merge pull request #119160 from alculquicondor/automated-cherry-pick-of-#119159-upstream-release-1.27
    28c79be6747 Add unit tests for parallel StatefulSet create & delete
    66f980be120 Parallel StatefulSet pod create & delete
    288504fbf8d Refactor StatefulSet controller update logic
    92a0f58e2bf Only declare job as finished after removing all finalizers
    c655001fa48 Automated cherry pick of #118716 upstream release 1.27 (#118911)
    052ac3eb1bf Merge pull request #119065 from xmudrii/automated-cherry-pick-of-#118899-upstream-release-1.27
    b667da8e08a Merge pull request #118683 from serathius/automated-cherry-pick-of-#118460-origin-release-1.27
    f8c1cc33cb6 Merge pull request #119139 from kmala/1.27
    5bbacb11989 Merge pull request #118290 from HirazawaUi/automated-cherry-pick-of-#118177-upstream-release-1.27
    b383755e462 Hide numberOfMissedSchedules as an algorithm internal number
    26db84e04c7 Update schedule logic to properly calculate missed schedules
    fe4e288bcdd Merge pull request #118855 from aojea/automated-cherry-pick-of-#118686-upstream-release-1.27
    a54590f218d Merge pull request #117936 from jsafrane/automated-cherry-pick-of-#117243-upstream-release-1.27
    ad569aec159 kubeadm: backdate generated CAs by 5 minutes
    0fc5c972129 client-go: allow to set NotBefore in NewSelfSignedCACert()
    0ed276fb568 Merge pull request #118199 from aleskandro/automated-cherry-pick-of-#118053-origin-release-1.27
    04e86095d38 Merge pull request #118930 from atiratree/automated-cherry-pick-of-#118876-upstream-release-1.27
    3c115eec0b9 Automated cherry pick of #118805: test comment should match the code in podgc (#118913)
    db247e1df34 Merge pull request #118969 from champtar/automated-cherry-pick-of-#117791-upstream-release-1.27
    55872a8eb12 Merge pull request #119086 from neolit123/automated-cherry-pick-of-#118150-origin-release-1.27
    39a4cd1a083 call ./hack/update-vendor.sh
    33af2a45f53 kubeadm: remove function pointer comparison in phase test
    3f4643682e3 CHANGELOG-1.27: Add note for AWS in-tree provider removal
    703edddae4e Updating the nodeAffinity of gated pods having nil affinity should be allowed
    3b874af3878 Merge pull request #118662 from mkowalski/automated-cherry-pick-of-#118329-upstream-release-1.27
    d936e6669bb Merge pull request #118841 from bobbypage/automated-cherry-pick-of-#118497-upstream-release-1.27
    3aa21cec0ec fix the existing problem (0 SerialNumber in all certificate) as part of this PR in a separate commit
    cd08820ba9a update serial number to a valid non-zero number in ca certificate
    5253d8e02c7 Merge pull request #118664 from pohly/automated-cherry-pick-of-#118524-origin-release-1.27
    76b9400cea3 Merge pull request #118283 from pohly/automated-cherry-pick-of-#118257-origin-release-1.27
    1260b845752 Delete CRDs created during field validation tests.
    f689046fb6b kubectl explain should work for both cluster and namespace resources and without a GET method
    f7d82bfdffe Merge pull request #118797 from harche/1.27_cadvisor_bump
    59cd1d0b3bb always execute condition for wait.PollUntilContextTimeout with immediate=true
    5423fffca9d Review remarks to improve HandlePodCleanups in kubelet
    24c67c15240 Fix the deletion of rejected pods
    0539a6a194a Merge pull request #118821 from helayoty/automated-cherry-pick-of-#118049-upstream-release-1.27
    62cf5ee1cdb Unset gated pod info timestamp in addToActiveQ
    027b4632bbb deps: Bump to cAdvisor v0.47.2
    ea2af58b5bd Make etcd component status consistent with health probes
    f2548642c4e e2e storage: terminate worker quietly on test completion
    9a001cea215 Fix flaky persistent volumes e2e test
    eb5825b3a3c Set the node-ips annotation correctly with CloudDualStackNodeIPs
    a2ba2626e85 Update CHANGELOG/CHANGELOG-1.27.md for v1.27.3
    25b4e43193b Release commit for Kubernetes v1.27.3
    aae883e5fa7 Merge pull request #118553 from puerco/bump-1.27-go1.20.5
    e13e5915a78 Merge pull request #118307 from SataQiu/automated-cherry-pick-of-#117169-upstream-release-1.27
    e0a2a6efdd1 update-vendor: update vendored go.sums
    82b2c5aefa3 releng/go: Update images, dependencies and version to Go 1.20.5
    e2cc1a3b21b Merge pull request #118515 from aojea/automated-cherry-pick-of-#118499-upstream-release-1.27
    3a77d5a59f0 Merge pull request #118471 from ritazh/automated-cherry-pick-of-#118356-upstream-release-1.27
    b30e94b1253 kube-proxy avoid race condition using LocalModeNodeCIDR
    5e00018fccf Merge pull request #117948 from dlipovetsky/automated-cherry-pick-of-#117792-#117724-upstream-release-1.27
    76f14499624 Merge pull request #118281 from aojea/automated-cherry-pick-of-#118256-upstream-release-1.27
    d59b91d97b4 Add ephemeralcontainer to imagepolicy securityaccount admission plugin
    d71d96a5d24 Merge pull request #118219 from mimowo/automated-cherry-pick-of-#117586-upstream-release-1.27
    c48bdec2ced Merge pull request #118279 from aojea/automated-cherry-pick-of-#118200-upstream-release-1.27
    c345ce91a03 supported version of etcd 3.5.7-0 for Kubernetes v1.27.0-rc.0
    22e8a99ec6e Fix the git-repo test error caused by the correct use of loop variables
    009a7a6fb9f dra scheduler plugin test: fix loopvar bug and "reserve" expected data
    7888798873e e2e framework retry on Service unavailable errors
    f41a169a354 e2e: apply timeout for CSI Storage Capacity test only to node
    916bc55a7bf Merge pull request #118178 from HirazawaUi/automated-cherry-pick-of-#118156-upstream-release-1.27
    e407c2b4b02 Add DisruptionTarget condition when preempting for critical pod
    d2bd738e274 update webhook test to go 1.21
    4025005877a Merge pull request #118105 from SataQiu/automated-cherry-pick-of-#118069-upstream-release-1.27
    af024b2a086 Merge pull request #118111 from liggitt/automated-cherry-pick-of-#118104-upstream-release-1.27
    9107eee6583 Test APIService safe handling at startup
    0bff4e35669 Fix waiting for CRD sync at server start
    1ae728f4344 kubeadm: fix a bug where the static pod changes detection logic is inconsistent with kubelet
    f404d1c4d3c Update CHANGELOG/CHANGELOG-1.27.md for v1.27.2
    7f6f68fdabc Release commit for Kubernetes v1.27.2

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 recipes-containers/kubernetes/kubernetes_git.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 3a6e7119..560fd8b7 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -5,8 +5,8 @@ applications across multiple hosts, providing basic mechanisms for deployment, \
 maintenance, and scaling of applications. \
 "

-PV = "v1.27.1+git${SRCREV_kubernetes}"
-SRCREV_kubernetes = "2555e0f90e80a13628f47eca5cde34decc89babb"
+PV = "v1.27.5+git${SRCREV_kubernetes}"
+SRCREV_kubernetes = "93e0d7146fb9c3e9f68aa41b2b4265b2fcdb0a4c"
 SRCREV_kubernetes-release = "21382abdbfa8e6a43fd417306fa649cb651cc06e"
 PE = "1"

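Review bot: SRCREV_kubernetes moves to 93e0d7146fb9c3e9f68aa41b2b4265b2fcdb0a4c while SRCREV_kubernetes-release stays at 21382abdbfa8e6a43fd417306fa649cb651cc06e; say in the commit message that the kubernetes-release pin was checked against what v1.27.5 needs (or bump it in the same patch), so a reader of the recipe is not left guessing whether the two pins come from the same point in time. Since PV now claims v1.27.5, it is also worth confirming that the new SRCREV is the commit the signed upstream v1.27.5 tag resolves to (git verify-tag v1.27.5 && git rev-parse v1.27.5^{commit}) rather than a later release-1.27 commit, because the CVE claims in the message rest on the build matching that tag.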
--
2.40.0


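The affected-version table in the reply above, turned into a check that reports which of the five CVEs cover a given Kubernetes release. This is an added example, not code from the thread, from meta-virtualization or from Kubernetes; it embeds the ranges as written in the mail and adds one reading of them: a "<= vX.Y.Z" line applies to the X.Y series only, except the last line of a block, which also covers every older release (otherwise a literal "<= v1.28.0" would wrongly flag v1.27.5 as affected). The function and variable names are mine.

```python
"""Which of the CVEs listed in the mail apply to a given Kubernetes version.

Added example, not part of the meta-virtualization patch or of Kubernetes.
The ranges are copied verbatim from the mail; the only interpretation added
is that a "<= vX.Y.Z" line applies to the X.Y series only, unless it is the
last line of its block, in which case it also covers every older release.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
# (inclusive floor or None for "everything older", inclusive ceiling)
Range = Tuple[Optional[Version], Version]

# Affected-version table exactly as written in the mail (constructed input).
ADVISORY = """\
CVE-2023-2431 :
v1.27.0 - v1.27.1
v1.26.0 - v1.26.4
v1.25.0 - v1.25.9
<= v1.24.13

CVE-2023-2727, CVE-2023-2728:
v1.27.0 - v1.27.2
v1.26.0 - v1.26.5
v1.25.0 - v1.25.10
<= v1.24.14

CVE-2023-3676, CVE-2023-3955:
<= v1.28.0
<= v1.27.4
<= v1.26.7
<= v1.25.12
<= v1.24.16
"""

_VER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """'v1.27.5' or '1.27.5' -> (1, 27, 5); pre-release suffixes are rejected."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"not a release version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_advisory(text: str) -> Dict[str, List[Range]]:
    """Turn the mail's blocks into {cve_id: [(floor, ceiling), ...]}."""
    table: Dict[str, List[Range]] = {}
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        header, body = lines[0], lines[1:]
        cves = re.findall(r"CVE-\d{4}-\d{4,}", header)
        ranges: List[Range] = []
        for i, line in enumerate(body):
            if line.startswith("<="):
                hi = parse_version(line[2:])
                # Per-series ceiling, except the last line of the block, which
                # is open-ended downwards (so v1.23.x is covered by "<= v1.24.16").
                lo: Optional[Version] = None if i == len(body) - 1 else (hi[0], hi[1], 0)
            else:
                lo_s, _, hi_s = line.partition("-")
                lo, hi = parse_version(lo_s), parse_version(hi_s)
            ranges.append((lo, hi))
        for cve in cves:
            table[cve] = ranges
    return table


def is_affected(version: Version, ranges: List[Range]) -> bool:
    """True if the version falls inside any inclusive (floor, ceiling) range."""
    return any((lo is None or lo <= version) and version <= hi for lo, hi in ranges)


def affected_cves(version_text: str, advisory: str = ADVISORY) -> List[str]:
    """Sorted CVE ids from the advisory whose ranges cover the given version."""
    v = parse_version(version_text)
    table = parse_advisory(advisory)
    return sorted(cve for cve, ranges in table.items() if is_affected(v, ranges))


if __name__ == "__main__":
    # The four versions named in the thread: the old and new mickledore pins,
    # master-next, and kirkstone.
    for tag in ("v1.27.1", "v1.27.5", "v1.28.2", "v1.23.17"):
        hits = affected_cves(tag)
        print(f"{tag:9} {'clean' if not hits else ', '.join(hits)}")
```

Running it prints the four versions named in the thread with the CVEs that still apply: v1.27.1 and v1.23.17 are hit by all five, v1.27.5 and v1.28.2 by none. The per-series floor is the part worth keeping in mind when reading advisories written in this shape; without it the kirkstone result would be right but the mickledore result would be wrong.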

Thread overview: 4+ messages
     [not found] <1791A3F91AFAC571.20272@lists.yoctoproject.org>
2023-10-26 11:18 ` Sambu, Soumya [this message]
2023-10-26 12:58   ` [meta-virtualization][mickledore][PATCH v3 1/1] kubernetes: Upgrade v1.27.1 -> v1.27.5 Bruce Ashfield
2023-10-26 11:13 ssambu
2023-10-27  3:22 ` Bruce Ashfield
