Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

kubernetes: CVE-2018-1002105

Related Vulnerabilities: CVE-2018-1002105  

Source

Debian Bug report logs - #915828
kubernetes: CVE-2018-1002105

version graph

Package: src:kubernetes; Maintainer for src:kubernetes is Dmitry Smirnov <onlyjob@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 7 Dec 2018 08:15:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version kubernetes/1.7.16+dfsg-1

Forwarded to https://github.com/kubernetes/kubernetes/issues/71411

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#915828; Package src:kubernetes. (Fri, 07 Dec 2018 08:15:05 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>. (Fri, 07 Dec 2018 08:15:05 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kubernetes: CVE-2018-1002105
Date: Fri, 07 Dec 2018 09:10:15 +0100
Source: kubernetes
Version: 1.7.16+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/kubernetes/kubernetes/issues/71411

Hi,

The following vulnerability was published for kubernetes.

CVE-2018-1002105[0]:
| In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3,
| incorrect handling of error responses to proxied upgrade requests in
| the kube-apiserver allowed specially crafted requests to establish a
| connection through the Kubernetes API server to backend servers, then
| send arbitrary requests over the same connection directly to the
| backend, authenticated with the Kubernetes API server's TLS
| credentials used to establish the backend connection.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1002105
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002105
[1] https://groups.google.com/forum/#!topic/kubernetes-announce/GVllWCg6L88
[2] https://github.com/kubernetes/kubernetes/issues/71411

Regards,
Salvatore

Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 13 Dec 2018 17:45:02 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:38:10 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started