kubernetes: CVE-2020-8554 CVE-2020-8562 CVE-2021-25735 CVE-2021-25737


Debian Bug report logs - #990793
kubernetes: CVE-2020-8554 CVE-2020-8562 CVE-2021-25735 CVE-2021-25737

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 7 Jul 2021 15:48:02 UTC

Severity: important

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Janos Lenart <ocsi@debian.org>:
Bug#990793; Package src:kubernetes. (Wed, 07 Jul 2021 15:48:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Janos Lenart <ocsi@debian.org>. (Wed, 07 Jul 2021 15:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: kubernetes: CVE-2020-8554 CVE-2020-8562 CVE-2021-25735 CVE-2021-25737
Date: Wed, 7 Jul 2021 17:45:39 +0200
Source: kubernetes
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for kubernetes.

These are not relevant for bullseye, as it only includes the client
package, but relevant for updates via fasttrack after the release:

CVE-2020-8554[0]:
| Kubernetes API server in all versions allow an attacker who is able to
| create a ClusterIP service and set the spec.externalIPs field, to
| intercept traffic to that IP address. Additionally, an attacker who is
| able to patch the status (which is considered a privileged operation
| and should not typically be granted to users) of a LoadBalancer
| service can set the status.loadBalancer.ingress.ip to similar effect.

https://www.openwall.com/lists/oss-security/2020/12/07/5
https://github.com/kubernetes/kubernetes/issues/97076

CVE-2020-8562[1]:
https://www.openwall.com/lists/oss-security/2021/05/04/8

CVE-2021-25735[2]:
Validating Admission Webhook does not observe some previous fields
https://www.openwall.com/lists/oss-security/2021/04/14/1
https://github.com/kubernetes/kubernetes/issues/100096

CVE-2021-25737[3]:
https://www.openwall.com/lists/oss-security/2021/05/18/4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8554
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8554
[1] https://security-tracker.debian.org/tracker/CVE-2020-8562
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8562
[2] https://security-tracker.debian.org/tracker/CVE-2021-25735
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25735
[3] https://security-tracker.debian.org/tracker/CVE-2021-25737
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25737

Please adjust the affected versions in the BTS as needed.

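Upstream's guidance for CVE-2020-8554 (issue 97076, linked above) is to restrict who may set spec.externalIPs, for example with an admission webhook, and to audit existing Services. As an added example that is not part of this bug report or of the kubernetes package, the following Python script audits the JSON printed by `kubectl get services -A -o json` for the two patterns the advisory text names: Services with spec.externalIPs outside an operator-supplied allow-list, and non-LoadBalancer Services whose status.loadBalancer.ingress carries an IP (a status only the cloud controller should write). The embedded SERVICE_LIST_JSON is constructed sample data; the namespaces, Service names, addresses and the allow-list CIDR are assumptions.

```python
"""Audit Service objects for the CVE-2020-8554 traffic-interception pattern.

Added example, not part of the Debian bug report or of kubernetes itself.
Input is the JSON printed by `kubectl get services -A -o json`; the
SERVICE_LIST_JSON below is a constructed sample so the script runs offline.
"""
import ipaddress
import json
import sys
from typing import Iterable, List, Tuple

# Constructed sample in the shape of `kubectl get services -A -o json`.
# Namespaces, names and addresses are invented for illustration.
SERVICE_LIST_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # ordinary ClusterIP Service: nothing to report
            "metadata": {"name": "web", "namespace": "shop"},
            "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.10",
                     "ports": [{"port": 80}]},
            "status": {"loadBalancer": {}},
        },
        {   # externalIPs pointing at another tenant's ClusterIP and a public IP
            "metadata": {"name": "sneaky", "namespace": "tenant-b"},
            "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.42",
                     "externalIPs": ["10.96.0.10", "203.0.113.7"],
                     "ports": [{"port": 80}]},
            "status": {"loadBalancer": {}},
        },
        {   # non-LoadBalancer Service whose status claims an ingress IP
            "metadata": {"name": "odd-status", "namespace": "tenant-c"},
            "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.43",
                     "ports": [{"port": 8080}]},
            "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.9"}]}},
        },
        {   # legitimate LoadBalancer Service with a provider-assigned ingress IP
            "metadata": {"name": "public-api", "namespace": "prod"},
            "spec": {"type": "LoadBalancer", "clusterIP": "10.96.0.44",
                     "ports": [{"port": 443}]},
            "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.20"}]}},
        },
    ],
})

Finding = Tuple[str, str, str]  # (namespace/name, reason, address)


def find_externalip_abuse(service_list: dict,
                          allowed_external_cidrs: Iterable[str] = ()) -> List[Finding]:
    """Flag spec.externalIPs outside the allow-list and loadBalancer ingress
    addresses on Services that are not of type LoadBalancer."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_external_cidrs]
    findings: List[Finding] = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        spec = svc.get("spec", {})
        # Any user allowed to create a ClusterIP Service may set externalIPs,
        # so every address not explicitly allow-listed is a finding.
        for raw in spec.get("externalIPs") or []:
            ip = ipaddress.ip_address(raw)
            if not any(ip in net for net in allowed):
                findings.append((key, "externalIPs outside allow-list", raw))
        # status.loadBalancer.ingress is written by the cloud controller for
        # LoadBalancer Services; on any other type someone patched status.
        ingress = (svc.get("status", {}).get("loadBalancer") or {}).get("ingress") or []
        if spec.get("type") != "LoadBalancer":
            for entry in ingress:
                if entry.get("ip"):
                    findings.append((key, "loadBalancer ingress on non-LoadBalancer Service",
                                     entry["ip"]))
    return findings


def audit(service_list_json: str, allowed_external_cidrs: Iterable[str] = ()) -> List[Finding]:
    """Parse kubectl's JSON output and run the check."""
    return find_externalip_abuse(json.loads(service_list_json), allowed_external_cidrs)


if __name__ == "__main__":
    # Usage: kubectl get services -A -o json | python3 audit_externalips.py 203.0.113.0/24
    # With nothing piped in, the constructed sample is audited instead.
    text = SERVICE_LIST_JSON if sys.stdin.isatty() else sys.stdin.read()
    for key, reason, address in audit(text, sys.argv[1:]):
        print(f"{key}: {reason}: {address}")
```

Run with the CIDRs your cluster legitimately exposes as arguments; an empty allow-list reports every externalIP, which is the right default for clusters that never use the field. A hit on the second rule means someone with status-patch rights wrote status.loadBalancer.ingress by hand, which the advisory notes is the privileged variant of the same interception.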


Information forwarded to debian-bugs-dist@lists.debian.org, Janos Lenart <ocsi@debian.org>:
Bug#990793; Package src:kubernetes. (Wed, 07 Jul 2021 16:30:02 GMT)


Acknowledgement sent to Shengjing Zhu <zhsj@debian.org>:
Extra info received and forwarded to list. Copy sent to Janos Lenart <ocsi@debian.org>. (Wed, 07 Jul 2021 16:30:02 GMT)


Message #10 received at 990793@bugs.debian.org:

From: Shengjing Zhu <zhsj@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 990793@bugs.debian.org
Subject: Re: Bug#990793: kubernetes: CVE-2020-8554 CVE-2020-8562 CVE-2021-25735 CVE-2021-25737
Date: Thu, 8 Jul 2021 00:27:08 +0800
On Wed, Jul 7, 2021 at 11:48 PM Moritz Mühlenhoff <jmm@inutil.org> wrote:
>
> Source: kubernetes
> X-Debbugs-CC: team@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for kubernetes.
>
> These are not relevant for bullseye, as it only includes the client
> package, but relevant for updates via fasttrack after the release:

Bullseye still includes the server package.

$ rmadison -S kubernetes
kubernetes        | 1.20.2-1              | testing    | source
kubernetes        | 1.20.5+really1.20.2-1 | unstable   | source
kubernetes-client | 1.20.2-1              | testing    | amd64, arm64, armel, armhf, i386, s390x
kubernetes-client | 1.20.5+really1.20.2-1 | unstable   | amd64, arm64, armel, armhf, i386, s390x
kubernetes-master | 1.20.2-1              | testing    | amd64, arm64, armel, armhf, i386, s390x
kubernetes-node   | 1.20.2-1              | testing    | amd64, arm64, armel, armhf, i386, s390x

-- 
Shengjing Zhu



Information forwarded to debian-bugs-dist@lists.debian.org, Janos Lenart <ocsi@debian.org>:
Bug#990793; Package src:kubernetes. (Wed, 07 Jul 2021 16:36:03 GMT)


Acknowledgement sent to Janos LENART <lenartj@gmail.com>:
Extra info received and forwarded to list. Copy sent to Janos Lenart <ocsi@debian.org>. (Wed, 07 Jul 2021 16:36:04 GMT)


Message #15 received at 990793@bugs.debian.org:

From: Janos LENART <lenartj@gmail.com>
To: Shengjing Zhu <zhsj@debian.org>, 990793@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#990793: kubernetes: CVE-2020-8554 CVE-2020-8562 CVE-2021-25735 CVE-2021-25737
Date: Wed, 7 Jul 2021 17:33:21 +0100
Thanks for the report Moritz.

As zhsj@ wrote, bullseye atm has 1.20.2-1, which has the server packages,
instead of 1.20.5+really1.20.2-1, which only includes the client; it
was of course uploaded for exactly this reason. I will file a bug so the
correct version gets included in bullseye.

On Wed, 7 Jul 2021 at 17:30, Shengjing Zhu <zhsj@debian.org> wrote:

> On Wed, Jul 7, 2021 at 11:48 PM Moritz Mühlenhoff <jmm@inutil.org> wrote:
> >
> > Source: kubernetes
> > X-Debbugs-CC: team@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerabilities were published for kubernetes.
> >
> > These are not relevant for bullseye, as it only includes the client
> > package, but relevant for updates via fasttrack after the release:
>
> Bullseye still includes the server package.
>
> $ rmadison -S kubernetes
> kubernetes        | 1.20.2-1              | testing    | source
> kubernetes        | 1.20.5+really1.20.2-1 | unstable   | source
> kubernetes-client | 1.20.2-1              | testing    | amd64, arm64, armel, armhf, i386, s390x
> kubernetes-client | 1.20.5+really1.20.2-1 | unstable   | amd64, arm64, armel, armhf, i386, s390x
> kubernetes-master | 1.20.2-1              | testing    | amd64, arm64, armel, armhf, i386, s390x
> kubernetes-node   | 1.20.2-1              | testing    | amd64, arm64, armel, armhf, i386, s390x
>
> --
> Shengjing Zhu
>


-- 
LÉNÁRT, János
<lenartj@gmail.com>

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Jul 2021 17:33:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Janos Lenart <ocsi@debian.org>:
Bug#990793; Package src:kubernetes. (Wed, 07 Jul 2021 18:03:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Janos Lenart <ocsi@debian.org>. (Wed, 07 Jul 2021 18:03:03 GMT)


Message #22 received at 990793@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Shengjing Zhu <zhsj@debian.org>, ocsi@debian.org
Cc: 990793@bugs.debian.org
Subject: Re: Bug#990793: kubernetes: CVE-2020-8554 CVE-2020-8562 CVE-2021-25735 CVE-2021-25737
Date: Wed, 7 Jul 2021 19:58:49 +0200
On Thu, Jul 08, 2021 at 12:27:08AM +0800, Shengjing Zhu wrote:
> On Wed, Jul 7, 2021 at 11:48 PM Moritz Mühlenhoff <jmm@inutil.org> wrote:
> >
> > Source: kubernetes
> > X-Debbugs-CC: team@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerabilities were published for kubernetes.
> >
> > These are not relevant for bullseye, as it only includes the client
> > package, but relevant for updates via fasttrack after the release:
> 
> Bullseye still includes the server package.

Oh indeed. Janos, can you please file an unblock request?

Cheers,
        Moritz





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jul 8 16:16:14 2021; Machine Name: bembo
