Security update for cri-o and kubernetes packages

Announcement ID: SUSE-SU-2018:4020-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2016-8859 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-1002105 ( SUSE ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-1002105 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE CaaS Platform 3.0

An update that solves two vulnerabilities and has seven security fixes can now be installed.

Description:

This update provides fixes for kubernetes, kubernetes-salt, cri-o, and caasp-container-manifests:

  • VUL-0: kubernetes: proxy request handling in kube-apiserver can leave vulnerable TCP connections (bsc#1118198)
  • Error in Velum when applying the k8s 1.10.8 on CRI-O cluster (bsc#1116933)
  • Update regexp for SUSE images (bsc#1111341)
  • Require kubernetes-kubelet for kubeadm (bsc#1084765)
  • Move deprecated flags to kubelet config.yaml (bsc#1114645)
  • Update to k8s 1.10.x (bsc#1114645)
  • Fix kubelet failing to get device for dir "/var/lib/kubelet" (bsc#1095131)
  • Set NOFILE and NPROC limit to 1048576 to align with Docker/containerd and the upstream unit file. (bsc#1112980)
  • Update cluster-proportional-autoscaler-amd64 in typha addon to w/ fix for (CVE-2016-8859)
  • Add a whitelist for returned events so we only save events that we care about (bsc#1112967)
  • Aggregation layer needs configuration (bsc#1108195)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE CaaS Platform 3.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and then let you trigger an update of the complete cluster in a controlled way.

Package List:

  • SUSE CaaS Platform 3.0 (noarch)
    • caasp-container-manifests-3.0.0+git_r291_33f7b2d-3.6.3
    • kubernetes-salt-3.0.0+git_r888_7af7095-3.33.2
  • SUSE CaaS Platform 3.0 (x86_64)
    • cri-o-1.10.6-4.8.5
    • kubernetes-master-1.10.11-4.8.2
    • cri-tools-1.0.0beta2-3.3.3
    • kubernetes-client-1.10.11-4.8.2
    • kubernetes-node-1.10.11-4.8.2
    • kubernetes-common-1.10.11-4.8.2
    • kubernetes-kubelet-1.10.11-4.8.2
