kubernetes: CVE-2017-1002102

Related Vulnerabilities: CVE-2017-1002102   CVE-2017-1002101  

Debian Bug report logs - #894051


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 25 Mar 2018 20:21:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version kubernetes/1.7.7+dfsg-3

Fixed in version kubernetes/1.7.16+dfsg-1

Done: Dmitry Smirnov <onlyjob@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/kubernetes/kubernetes/issues/60814



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#894051; Package src:kubernetes. (Sun, 25 Mar 2018 20:21:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>. (Sun, 25 Mar 2018 20:21:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kubernetes: CVE-2017-1002102
Date: Sun, 25 Mar 2018 22:19:08 +0200
Source: kubernetes
Version: 1.7.7+dfsg-3
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/kubernetes/kubernetes/issues/60814

Hi,

the following vulnerability was published for kubernetes.

CVE-2017-1002102[0]:
| In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to
| versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap,
| projected or downwardAPI volume can trigger deletion of arbitrary
| files/directories from the nodes where they are running.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1002102
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002102
[1] https://github.com/kubernetes/kubernetes/issues/60814

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 29 Mar 2018 18:00:29 GMT).


Reply sent to Dmitry Smirnov <onlyjob@debian.org>:
You have taken responsibility. (Sun, 06 May 2018 09:03:11 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 06 May 2018 09:03:11 GMT).


Message #12 received at 894051-close@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@debian.org>
To: 894051-close@bugs.debian.org
Subject: Bug#894051: fixed in kubernetes 1.7.16+dfsg-1
Date: Sun, 06 May 2018 09:01:55 +0000
Source: kubernetes
Source-Version: 1.7.16+dfsg-1

We believe that the bug you reported is fixed in the latest version of
kubernetes, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894051@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <onlyjob@debian.org> (supplier of updated kubernetes package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 06 May 2018 16:20:21 +1000
Source: kubernetes
Binary: kubernetes-client kubernetes-master kubernetes-node
Architecture: source amd64
Version: 1.7.16+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Dmitry Smirnov <onlyjob@debian.org>
Changed-By: Dmitry Smirnov <onlyjob@debian.org>
Description:
 kubernetes-client - Kubernetes client tools
 kubernetes-master - Kubernetes services for master host
 kubernetes-node - Kubernetes services for node host
Closes: 878254 892801 894051
Changes:
 kubernetes (1.7.16+dfsg-1) unstable; urgency=medium
 .
   [ Michael Stapelberg ]
   * Switch to XS-Go-Import-Path
 .
   [ Dmitry Smirnov ]
   * Resurrected "mergo.patch" that has been mistakenly removed
     (Closes: #878254).
   * Re-enabled safeguard test for the above problem.
   * New upstream release:
     + CVE-2017-1002101 (Closes: #892801)
     + CVE-2017-1002102 (Closes: #894051)
   * Updated Vcs URLs for Salsa.
   * Standards-Version: 4.1.4
   * Build-Depends:
     - golang-go
     + golang-any
     + golang-github-appc-cni-dev
     + golang-github-armon-circbuf-dev
     + golang-github-azure-azure-sdk-for-go-dev
     + golang-github-dgrijalva-jwt-go-v3-dev
     + golang-github-docker-distribution-dev
     + golang-github-docker-docker-dev
     + golang-github-emicklei-go-restful-swagger12-dev
     + golang-github-gogo-protobuf-dev
     + golang-github-gorilla-websocket-dev
     + golang-github-grpc-ecosystem-go-grpc-prometheus-dev
     + golang-github-karlseguin-ccache-dev
     - golang-github-opencontainers-runc-dev
     + golang-github-opencontainers-docker-runc-dev
     + golang-github-pmezard-go-difflib-dev
     + golang-golang-x-time-dev
     + golang-golang-x-tools-dev
     + golang-google-grpc-dev
     + golang-gopkg-warnings.v0-dev
     + golang-goprotobuf-dev

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Jun 2018 07:27:35 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:21:14 2019; Machine Name: buxtehude
