From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: "Sambu, Soumya" <Soumya.Sambu@windriver.com>
Cc: "meta-virtualization@lists.yoctoproject.org" <meta-virtualization@lists.yoctoproject.org>
Subject: Re: [meta-virtualization][mickledore][PATCH v3 1/1] kubernetes: Upgrade v1.27.1 -> v1.27.5
Date: Thu, 26 Oct 2023 08:58:10 -0400
Message-ID: <CADkTA4N6CMOYydECzfx1ud2v1+FD6G=MOMZMzuzrN3Dg-GREQg@mail.gmail.com>
In-Reply-To: <BYAPR11MB339736CD2663FA3421CD6FC681DDA@BYAPR11MB3397.namprd11.prod.outlook.com>
Thanks! This is the summary I was looking for, it is very helpful.
Bruce
On Thu, Oct 26, 2023 at 7:18 AM Sambu, Soumya
<Soumya.Sambu@windriver.com> wrote:
>
> Hi Bruce,
>
> Below are the CVEs which are resolved with this upgrade in the mickledore branch, with vulnerable version details:
>
> CVE-2023-2431 :
> Affected Versions
> v1.27.0 - v1.27.1
> v1.26.0 - v1.26.4
> v1.25.0 - v1.25.9
> <= v1.24.13
>
> CVE-2023-2727, CVE-2023-2728:
> Affected Versions
> v1.27.0 - v1.27.2
> v1.26.0 - v1.26.5
> v1.25.0 - v1.25.10
> <= v1.24.14
>
> CVE-2023-3676, CVE-2023-3955:
> Affected Versions
> <= v1.28.0
> <= v1.27.4
> <= v1.26.7
> <= v1.25.12
> <= v1.24.16
>
> The master-next branch has kubernetes version 1.28.2 [https://git.yoctoproject.org/meta-virtualization/commit/?h=master-next&id=cfa0c956138814c1dcef26879cf240159bb7f097], which is not impacted by the above-mentioned CVEs.
>
> The kirkstone branch has kubernetes version v1.23.17, which is impacted by the above CVEs. I am planning to backport fixes for these CVEs on the kirkstone branch.
>
> Regards,
> Soumya
> ________________________________
> From: meta-virtualization@lists.yoctoproject.org <meta-virtualization@lists.yoctoproject.org> on behalf of Soumya via lists.yoctoproject.org <soumya.sambu=windriver.com@lists.yoctoproject.org>
> Sent: Thursday, October 26, 2023 4:43 PM
> To: meta-virtualization@lists.yoctoproject.org <meta-virtualization@lists.yoctoproject.org>
> Subject: [meta-virtualization][mickledore][PATCH v3 1/1] kubernetes: Upgrade v1.27.1 -> v1.27.5
>
> From: Soumya Sambu <soumya.sambu@windriver.com>
>
> Addresses CVE-2023-2431, CVE-2023-2727, CVE-2023-2728, CVE-2023-3676, CVE-2023-3955 and a few other bugs.
>
> Bumping kubernetes to version v1.27.5, which comprises the following commits:
>
> 38c97fa67ed Merge pull request #120135 from ritazh/cherry-pick-cve-2023-3955-1.27
> 89048339422 Merge pull request #120130 from ritazh/cherry-pick-cve-2023-3676-1.27
> acc29048e6d Use environment varaibles for parameters in Powershell
> 172644fb55d Use env varaibles for passing path
> 00dfa0634be Merge pull request #119868 from liggitt/automated-cherry-pick-of-#119835-upstream-release-1.27
> 3b6bcaa0b96 Avoid returning nil responseKind in v1beta1 aggregated discovery
> bd722aa3ff5 Merge pull request #119828 from jeremyrickard/go1207-1.27
> 94b3e00eef0 [release-1.27] releng/go: Bump images, versions and deps to use Go 1.20.7
> de56018f04a Merge pull request #117269 from tnqn/automated-cherry-pick-of-#117245-#117249-upstream-release-1.27
> 521580378aa Merge pull request #119363 from jsafrane/automated-cherry-pick-of-#117804-upstream-release-1.27
> d35a1c8a7a7 Merge pull request #119620 from liggitt/automated-cherry-pick-of-#117710-upstream-release-1.27
> 579208d9616 Merge pull request #117486 from TommyStarK/automated-cherry-pick-of-#117449-upstream-release-1.27
> 2ac615ccde3 Merge pull request #117235 from cvvz/automated-cherry-pick-of-#116134-origin-release-1.27
> 559f43d49c6 Merge pull request #119466 from mimowo/automated-cherry-pick-of-#119434-upstream-release-1.27
> 382c283f339 Merge pull request #119113 from champtar/automated-cherry-pick-of-#118922-upstream-release-1.27
> 05b64c6b5e1 Merge pull request #119604 from a7i/automated-cherry-pick-of-#118549-upstream-release-1.27
> ecd45047e45 Merge pull request #119572 from andrewsykim/automated-cherry-pick-of-#118601-origin-release-1.27
> 927dba2589a e2e_node: move getSampleDevicePluginPod to device_plugin_test.go
> db832fdfa67 fix 'pod' in kubelet prober metrics
> 4c67c5d5e76 priority & fairness: support dynamically configuring work estimator max seats
> 6d31f4b31ba Merge pull request #119519 from jingxu97/automated-cherry-pick-of-#118451-upstream-release-1.27
> 17c98720e84 Add mininumKubelet tag into ReadWriteOncePod test
> ed0cdc9e0b2 Include ignored pods when computing backoff delay for Job pod failures
> ae24a5cf74b Remarks
> 9e1050b4d90 Adjust the algorithm for computing the pod finish time
> fa950050cc9 Update CHANGELOG/CHANGELOG-1.27.md for v1.27.4
> fa3d7990104 Release commit for Kubernetes v1.27.4
> d794e0e5cf8 Merge pull request #119366 from xmudrii/go1206-1.27
> a1b127ca7a1 [release-1.27] releng/go: Bump images, versions and deps to use Go 1.20.6
> aefc4d0392a Rename updateReconstructedFromAPIServer
> eeba02fc625 Rename volumesNeedDevicePath
> 5eb3b748e8e Update volumesInUse after attachability is confirmed
> f8bb161ab55 Add uncertain state of volume attach-ability
> 08b7937d256 Refactor FindAttachablePluginBySpec out of CSI code path
> 16fc1c954ce Merge pull request #119262 from HirazawaUi/automated-cherry-pick-of-#119229-upstream-release-1.27
> 3ca3e0ad484 Merge pull request #118947 from Evan-Reilly/automated-cherry-pick-of-#118237-upstream-release-1.27
> 5ee5d7346e1 Merge pull request #119096 from aleksandra-malinowska/automated-cherry-pick-of-#117865-upstream-release-1.27
> 1484a5c32f0 Fix the converts an empty string to nil.
> b5c876a05b7 Merge pull request #117226 from princepereira/automated-cherry-pick-of-#116749-upstream-release-1.27
> d98c5b8a026 Merge pull request #119160 from alculquicondor/automated-cherry-pick-of-#119159-upstream-release-1.27
> 28c79be6747 Add unit tests for parallel StatefulSet create & delete
> 66f980be120 Parallel StatefulSet pod create & delete
> 288504fbf8d Refactor StatefulSet controller update logic
> 92a0f58e2bf Only declare job as finished after removing all finalizers
> c655001fa48 Automated cherry pick of #118716 upstream release 1.27 (#118911)
> 052ac3eb1bf Merge pull request #119065 from xmudrii/automated-cherry-pick-of-#118899-upstream-release-1.27
> b667da8e08a Merge pull request #118683 from serathius/automated-cherry-pick-of-#118460-origin-release-1.27
> f8c1cc33cb6 Merge pull request #119139 from kmala/1.27
> 5bbacb11989 Merge pull request #118290 from HirazawaUi/automated-cherry-pick-of-#118177-upstream-release-1.27
> b383755e462 Hide numberOfMissedSchedules as an algorithm internal number
> 26db84e04c7 Update schedule logic to properly calculate missed schedules
> fe4e288bcdd Merge pull request #118855 from aojea/automated-cherry-pick-of-#118686-upstream-release-1.27
> a54590f218d Merge pull request #117936 from jsafrane/automated-cherry-pick-of-#117243-upstream-release-1.27
> ad569aec159 kubeadm: backdate generated CAs by 5 minutes
> 0fc5c972129 client-go: allow to set NotBefore in NewSelfSignedCACert()
> 0ed276fb568 Merge pull request #118199 from aleskandro/automated-cherry-pick-of-#118053-origin-release-1.27
> 04e86095d38 Merge pull request #118930 from atiratree/automated-cherry-pick-of-#118876-upstream-release-1.27
> 3c115eec0b9 Automated cherry pick of #118805: test comment should match the code in podgc (#118913)
> db247e1df34 Merge pull request #118969 from champtar/automated-cherry-pick-of-#117791-upstream-release-1.27
> 55872a8eb12 Merge pull request #119086 from neolit123/automated-cherry-pick-of-#118150-origin-release-1.27
> 39a4cd1a083 call ./hack/update-vendor.sh
> 33af2a45f53 kubeadm: remove function pointer comparison in phase test
> 3f4643682e3 CHANGELOG-1.27: Add note for AWS in-tree provider removal
> 703edddae4e Updating the nodeAffinity of gated pods having nil affinity should be allowed
> 3b874af3878 Merge pull request #118662 from mkowalski/automated-cherry-pick-of-#118329-upstream-release-1.27
> d936e6669bb Merge pull request #118841 from bobbypage/automated-cherry-pick-of-#118497-upstream-release-1.27
> 3aa21cec0ec fix the existing problem (0 SerialNumber in all certificate) as part of this PR in a separate commit
> cd08820ba9a update serial number to a valid non-zero number in ca certificate
> 5253d8e02c7 Merge pull request #118664 from pohly/automated-cherry-pick-of-#118524-origin-release-1.27
> 76b9400cea3 Merge pull request #118283 from pohly/automated-cherry-pick-of-#118257-origin-release-1.27
> 1260b845752 Delete CRDs created during field validation tests.
> f689046fb6b kubectl explain should work for both cluster and namespace resources and without a GET method
> f7d82bfdffe Merge pull request #118797 from harche/1.27_cadvisor_bump
> 59cd1d0b3bb always execute condition for wait.PollUntilContextTimeout with immediate=true
> 5423fffca9d Review remarks to improve HandlePodCleanups in kubelet
> 24c67c15240 Fix the deletion of rejected pods
> 0539a6a194a Merge pull request #118821 from helayoty/automated-cherry-pick-of-#118049-upstream-release-1.27
> 62cf5ee1cdb Unset gated pod info timestamp in addToActiveQ
> 027b4632bbb deps: Bump to cAdvisor v0.47.2
> ea2af58b5bd Make etcd component status consistent with health probes
> f2548642c4e e2e storage: terminate worker quietly on test completion
> 9a001cea215 Fix flaky persistent volumes e2e test
> eb5825b3a3c Set the node-ips annotation correctly with CloudDualStackNodeIPs
> a2ba2626e85 Update CHANGELOG/CHANGELOG-1.27.md for v1.27.3
> 25b4e43193b Release commit for Kubernetes v1.27.3
> aae883e5fa7 Merge pull request #118553 from puerco/bump-1.27-go1.20.5
> e13e5915a78 Merge pull request #118307 from SataQiu/automated-cherry-pick-of-#117169-upstream-release-1.27
> e0a2a6efdd1 update-vendor: update vendored go.sums
> 82b2c5aefa3 releng/go: Update images, dependencies and version to Go 1.20.5
> e2cc1a3b21b Merge pull request #118515 from aojea/automated-cherry-pick-of-#118499-upstream-release-1.27
> 3a77d5a59f0 Merge pull request #118471 from ritazh/automated-cherry-pick-of-#118356-upstream-release-1.27
> b30e94b1253 kube-proxy avoid race condition using LocalModeNodeCIDR
> 5e00018fccf Merge pull request #117948 from dlipovetsky/automated-cherry-pick-of-#117792-#117724-upstream-release-1.27
> 76f14499624 Merge pull request #118281 from aojea/automated-cherry-pick-of-#118256-upstream-release-1.27
> d59b91d97b4 Add ephemeralcontainer to imagepolicy securityaccount admission plugin
> d71d96a5d24 Merge pull request #118219 from mimowo/automated-cherry-pick-of-#117586-upstream-release-1.27
> c48bdec2ced Merge pull request #118279 from aojea/automated-cherry-pick-of-#118200-upstream-release-1.27
> c345ce91a03 supported version of etcd 3.5.7-0 for Kubernetes v1.27.0-rc.0
> 22e8a99ec6e Fix the git-repo test error caused by the correct use of loop variables
> 009a7a6fb9f dra scheduler plugin test: fix loopvar bug and "reserve" expected data
> 7888798873e e2e framework retry on Service unavailable errors
> f41a169a354 e2e: apply timeout for CSI Storage Capacity test only to node
> 916bc55a7bf Merge pull request #118178 from HirazawaUi/automated-cherry-pick-of-#118156-upstream-release-1.27
> e407c2b4b02 Add DisruptionTarget condition when preempting for critical pod
> d2bd738e274 update webhook test to go 1.21
> 4025005877a Merge pull request #118105 from SataQiu/automated-cherry-pick-of-#118069-upstream-release-1.27
> af024b2a086 Merge pull request #118111 from liggitt/automated-cherry-pick-of-#118104-upstream-release-1.27
> 9107eee6583 Test APIService safe handling at startup
> 0bff4e35669 Fix waiting for CRD sync at server start
> 1ae728f4344 kubeadm: fix a bug where the static pod changes detection logic is inconsistent with kubelet
> f404d1c4d3c Update CHANGELOG/CHANGELOG-1.27.md for v1.27.2
> 7f6f68fdabc Release commit for Kubernetes v1.27.2
>
> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> ---
> recipes-containers/kubernetes/kubernetes_git.bb | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index 3a6e7119..560fd8b7 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -5,8 +5,8 @@ applications across multiple hosts, providing basic mechanisms for deployment, \
> maintenance, and scaling of applications. \
> "
>
> -PV = "v1.27.1+git${SRCREV_kubernetes}"
> -SRCREV_kubernetes = "2555e0f90e80a13628f47eca5cde34decc89babb"
> +PV = "v1.27.5+git${SRCREV_kubernetes}"
> +SRCREV_kubernetes = "93e0d7146fb9c3e9f68aa41b2b4265b2fcdb0a4c"
> SRCREV_kubernetes-release = "21382abdbfa8e6a43fd417306fa649cb651cc06e"
> PE = "1"
>
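Review bot: SRCREV_kubernetes-release stays at 21382abdbfa8e6a43fd417306fa649cb651cc06e while SRCREV_kubernetes moves to 93e0d7146fb9c3e9f68aa41b2b4265b2fcdb0a4c, so the two pins in this hunk no longer come from the same bump; please confirm that the kubernetes-release revision is still the one v1.27.5 expects, and that 93e0d7146fb9c3e9f68aa41b2b4265b2fcdb0a4c is the commit behind the signed v1.27.5 tag (for example `git rev-parse v1.27.5^{commit}` and `git verify-tag v1.27.5` in a kubernetes checkout), since PV now advertises v1.27.5 and the CVE claims in the commit message rest on the pinned revision actually containing the release-1.27 cherry-picks listed above.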
> --
> 2.40.0
>
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
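As an added example (it is not part of the thread and not meta-virtualization or Kubernetes code), the affected-version table Soumya posted above turned into a small checker: it parses a Kubernetes version, or the PV line of a kubernetes_git.bb recipe, and reports which of the five CVEs apply. Two assumptions go beyond the table as written: an entry of the form "<= vX.Y.Z" is taken to cover every older release line as well, and a release line newer than any listed one is taken as unaffected (fixed before it branched). The recipe snippets are constructed from the PV/SRCREV lines in the diff above.

```python
"""Added example: check a Kubernetes version, or the PV of a kubernetes_git.bb
recipe, against the affected-version ranges listed in the thread above."""

import re

# Affected ranges as given in the e-mail, one (major, minor, last_affected_patch)
# per release line.  Assumption: the entry with the lowest minor is written as
# "<= vX.Y.Z" in the advisory, so it also covers every older release line, and a
# line newer than any listed one is taken as unaffected (fixed before it branched).
AFFECTED = {
    "CVE-2023-2431": [(1, 27, 1), (1, 26, 4), (1, 25, 9), (1, 24, 13)],
    "CVE-2023-2727": [(1, 27, 2), (1, 26, 5), (1, 25, 10), (1, 24, 14)],
    "CVE-2023-2728": [(1, 27, 2), (1, 26, 5), (1, 25, 10), (1, 24, 14)],
    "CVE-2023-3676": [(1, 28, 0), (1, 27, 4), (1, 26, 7), (1, 25, 12), (1, 24, 16)],
    "CVE-2023-3955": [(1, 28, 0), (1, 27, 4), (1, 26, 7), (1, 25, 12), (1, 24, 16)],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
_PV_RE = re.compile(r'^\s*PV\s*=\s*"([^"]*)"', re.MULTILINE)


def parse_version(text):
    """'v1.27.5', '1.27.5' or 'v1.27.5+git${SRCREV_kubernetes}' -> (1, 27, 5)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a kubernetes version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version, ranges):
    """True if (major, minor, patch) falls inside one of the advisory ranges."""
    major, minor, patch = version
    oldest_line = min(r[:2] for r in ranges)
    if (major, minor) < oldest_line:
        return True          # covered by the "<= vX.Y.Z" catch-all entry
    for r_major, r_minor, last_bad in ranges:
        if (major, minor) == (r_major, r_minor):
            return patch <= last_bad
    return False             # newer line than any listed: never vulnerable


def affecting_cves(version):
    """Sorted CVE IDs from AFFECTED that apply to a version string or tuple."""
    if isinstance(version, str):
        version = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items() if is_affected(version, ranges))


def recipe_version(recipe_text):
    """Pull the version out of a bitbake line like PV = "v1.27.5+git${SRCREV_kubernetes}"."""
    m = _PV_RE.search(recipe_text)
    if not m:
        raise ValueError("no PV assignment in recipe text")
    return parse_version(m.group(1))


# Constructed sample: the PV/SRCREV lines of kubernetes_git.bb before and after the patch.
RECIPE_BEFORE = '''PV = "v1.27.1+git${SRCREV_kubernetes}"
SRCREV_kubernetes = "2555e0f90e80a13628f47eca5cde34decc89babb"
'''
RECIPE_AFTER = '''PV = "v1.27.5+git${SRCREV_kubernetes}"
SRCREV_kubernetes = "93e0d7146fb9c3e9f68aa41b2b4265b2fcdb0a4c"
'''


if __name__ == "__main__":
    for branch, version in [("kirkstone", "v1.23.17"), ("mickledore (before)", "v1.27.1"),
                            ("mickledore (after)", "v1.27.5"), ("master-next", "v1.28.2")]:
        print(f"{branch:20} {version:9} {affecting_cves(version) or 'not affected'}")
    for label, text in [("recipe before", RECIPE_BEFORE), ("recipe after", RECIPE_AFTER)]:
        print(f"{label:20} {affecting_cves(recipe_version(text)) or 'not affected'}")
```

This is a version-only check, which is also all that Yocto's cve-check can do from PV. It will keep flagging a branch like kirkstone after the fixes are backported as patches rather than as a version bump, so backports there still need to be made visible to cve-check (for example through the CVE ID in the patch file name or the recipe's CVE status metadata) before the report goes quiet.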
Thread overview: 4+ messages
[not found] <1791A3F91AFAC571.20272@lists.yoctoproject.org>
2023-10-26 11:18 ` [meta-virtualization][mickledore][PATCH v3 1/1] kubernetes: Upgrade v1.27.1 -> v1.27.5 Sambu, Soumya
2023-10-26 12:58 ` Bruce Ashfield [this message]
2023-10-26 11:13 ssambu
2023-10-27 3:22 ` Bruce Ashfield