From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Vijay Anusuri <vanusuri@mvista.com>
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566
Date: Sun, 27 Aug 2023 13:32:59 +0000 [thread overview]
Message-ID: <ZOtQi1eu9VMlMrzX@gmail.com> (raw)
In-Reply-To: <20230822082752.121479-1-vanusuri@mvista.com>
merged to dunfell.
Bruce
In message: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566
on 22/08/2023 Vijay Anusuri wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-commit:https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b
> & https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../kubernetes/kubernetes/CVE-2020-8565.patch | 24 +++++++
> .../kubernetes/kubernetes/CVE-2020-8566.patch | 67 +++++++++++++++++++
> .../kubernetes/kubernetes_git.bb | 2 +
> 3 files changed, 93 insertions(+)
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
>
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
> new file mode 100644
> index 0000000..c3772e9
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
> @@ -0,0 +1,24 @@
> +From f0f52255412cbc6834bd225a59608ebb4a0d399b Mon Sep 17 00:00:00 2001
> +From: Sam Fowler <sfowler@redhat.com>
> +Date: Tue, 6 Oct 2020 11:10:38 +1000
> +Subject: [PATCH] Mask bearer token in logs when logLevel >= 9
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b]
> +CVE: CVE-2020-8565
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + staging/src/k8s.io/client-go/transport/round_trippers.go | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/staging/src/k8s.io/client-go/transport/round_trippers.go b/staging/src/k8s.io/client-go/transport/round_trippers.go
> +index a05208d924d3b..f4cfadbd3da8e 100644
> +--- a/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
> ++++ b/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
> +@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string {
> + headers := ""
> + for key, values := range r.RequestHeaders {
> + for _, value := range values {
> ++ value = maskValue(key, value)
> + headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
> + }
> + }
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
> new file mode 100644
> index 0000000..7ed812d
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
> @@ -0,0 +1,67 @@
> +From e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea Mon Sep 17 00:00:00 2001
> +From: Sam Fowler <sfowler@redhat.com>
> +Date: Fri, 2 Oct 2020 10:48:11 +1000
> +Subject: [PATCH] Mask Ceph RBD adminSecrets in logs when logLevel >= 4
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea]
> +CVE: CVE-2020-8566
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/volume/rbd/rbd_util.go | 12 ++++++------
> + 1 file changed, 6 insertions(+), 6 deletions(-)
> +
> +diff --git a/pkg/volume/rbd/rbd_util.go b/pkg/volume/rbd/rbd_util.go
> +index 85044e85fde..9593348de37 100644
> +--- a/src/import/pkg/volume/rbd/rbd_util.go
> ++++ b/src/import/pkg/volume/rbd/rbd_util.go
> +@@ -592,9 +592,9 @@ func (util *RBDUtil) CreateImage(p *rbdVolumeProvisioner) (r *v1.RBDPersistentVo
> + volSz := fmt.Sprintf("%d", sz)
> + mon := util.kernelRBDMonitorsOpt(p.Mon)
> + if p.rbdMounter.imageFormat == rbdImageFormat2 {
> +- klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
> + } else {
> +- klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
> + }
> + args := []string{"create", p.rbdMounter.Image, "--size", volSz, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key=" + p.rbdMounter.adminSecret, "--image-format", p.rbdMounter.imageFormat}
> + if p.rbdMounter.imageFormat == rbdImageFormat2 {
> +@@ -629,7 +629,7 @@ func (util *RBDUtil) DeleteImage(p *rbdVolumeDeleter) error {
> + }
> + // rbd rm.
> + mon := util.kernelRBDMonitorsOpt(p.rbdMounter.Mon)
> +- klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
> + output, err = p.exec.Command("rbd",
> + "rm", p.rbdMounter.Image, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key="+p.rbdMounter.adminSecret).CombinedOutput()
> + if err == nil {
> +@@ -661,7 +661,7 @@ func (util *RBDUtil) ExpandImage(rbdExpander *rbdVolumeExpander, oldSize resourc
> +
> + // rbd resize.
> + mon := util.kernelRBDMonitorsOpt(rbdExpander.rbdMounter.Mon)
> +- klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key %s", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId, rbdExpander.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key <masked>", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId)
> + output, err = rbdExpander.exec.Command("rbd",
> + "resize", rbdExpander.rbdMounter.Image, "--size", newVolSz, "--pool", rbdExpander.rbdMounter.Pool, "--id", rbdExpander.rbdMounter.adminId, "-m", mon, "--key="+rbdExpander.rbdMounter.adminSecret).CombinedOutput()
> + if err == nil {
> +@@ -703,7 +703,7 @@ func (util *RBDUtil) rbdInfo(b *rbdMounter) (int, error) {
> + // # image does not exist (exit=2)
> + // rbd: error opening image 1234: (2) No such file or directory
> + //
> +- klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
> ++ klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
> + output, err = b.exec.Command("rbd",
> + "info", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret, "-k=/dev/null", "--format=json").CombinedOutput()
> +
> +@@ -766,7 +766,7 @@ func (util *RBDUtil) rbdStatus(b *rbdMounter) (bool, string, error) {
> + // # image does not exist (exit=2)
> + // rbd: error opening image kubernetes-dynamic-pvc-<UUID>: (2) No such file or directory
> + //
> +- klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
> ++ klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
> + cmd, err = b.exec.Command("rbd",
> + "status", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret).CombinedOutput()
> + output = string(cmd)
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index c73f988..2b0bfb7 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -12,6 +12,8 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=k
> file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
> file://0001-cross-don-t-build-tests-by-default.patch \
> file://CVE-2020-8564.patch \
> + file://CVE-2020-8565.patch \
> + file://CVE-2020-8566.patch \
> "
>
> DEPENDS += "rsync-native \
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#8218): https://lists.yoctoproject.org/g/meta-virtualization/message/8218
> Mute This Topic: https://lists.yoctoproject.org/mt/100890412/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
prev parent reply other threads:[~2023-08-27 13:33 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-22 8:27 [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566 vanusuri
2023-08-27 13:32 ` Bruce Ashfield [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZOtQi1eu9VMlMrzX@gmail.com \
--to=bruce.ashfield@gmail.com \
--cc=meta-virtualization@lists.yoctoproject.org \
--cc=vanusuri@mvista.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).