
SUSE CaaS Platform 4.5.1 Release Notes

Publication Date: 2020-10-02

SUSE CaaS Platform is an enterprise-ready Kubernetes-based container management solution.

1 About the Release Notes

The most recent version of the Release Notes is available online at https://susedoc.github.io/r/caasp-45-rn

Entries can be listed multiple times if they are important and belong to multiple sections.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes documents of previous product versions may be repeated. To make such entries easier to identify, they contain a note to that effect.

2 SUSE CaaS Platform

SUSE CaaS Platform is an enterprise-ready Kubernetes-based container management solution used by application development and DevOps teams to more easily and efficiently deploy and manage containerized applications and services. Enterprises use SUSE CaaS Platform to reduce application delivery cycle times and improve business agility.

3 Supported Platforms

This release supports deployment on:

  • SUSE OpenStack Cloud 8

  • VMware ESXi 6.7

  • KVM

  • Bare Metal x86_64

  • Amazon Web Services (technological preview)

(SUSE CaaS Platform 4.5.1 supports hardware that is certified for SLES through the YES certification program. You will find a database of certified hardware at https://www.suse.com/yessearch/.)

4 Changes in 4.5.1

4.1 Deprecations in 4.5.1

None

4.2 Required Actions

  • Run skuba addons upgrade apply to update the Cilium images to rev3, which contains the bug fixes.

  • In order to use the latest skuba fixes, you need to update the admin workstation. For detailed instructions, see the Administration Guide.

  • Envoy security fixes are applied with skuba addons upgrade apply. The bugs and security fixes applied are listed in the following sections.

4.3 Bugs Fixed in 4.5.1 since 4.5.0

  • bsc#1173559 [envoy] - CVE-2020-12605,CVE-2020-8663,CVE-2020-12603,CVE-2020-12604: envoy-proxy, cilium-proxy: multiple resource exhaustion issues

  • bsc#1176755 [helm3] - CVE-2020-15184: helm3: alias field on a Chart.yaml is not properly sanitized

  • bsc#1176754 [helm] - CVE-2020-15185: helm3: Helm repository can contain duplicates of the same chart

  • bsc#1176752 [helm3] - CVE-2020-15187: helm3: plugin can contain duplicates of the same entry

  • bsc#1174075 [kubernetes] - Changing %{_libexecdir} breaks some packages which are misusing the macro

  • bsc#1167073 [envoy] - CaaSPv5: envoy-proxy doesn’t build on SLE15SP2

  • bsc#1176753 [helm3] - CVE-2020-15186: helm3: plugin names are not sanitized properly

4.4 Security issues fixed in 4.5.1 since 4.5.0

  • CVE-2020-12603: "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (i.e. 1 byte) data frames."

  • CVE-2020-12604: "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream."

  • CVE-2020-12605: "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs."

  • CVE-2020-8663: "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections."

  • CVE-2020-15187: "In Helm before version 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin’s install hooks, causing a local execution attack."

  • CVE-2020-15185: "In Helm before version 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository."

  • CVE-2020-15184: "In Helm before version 3.3.2 there is a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart."

  • CVE-2020-15186: "In Helm before version 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to helm --help."

4.5 Documentation Changes

  • None

4.6 Known Issues

  • https://bugzilla.suse.com/show_bug.cgi?id=1176225 - Upgraded v4.5 cluster is running etcd from v4 namespace

  • https://bugzilla.suse.com/show_bug.cgi?id=1172270 - cilium-init:1.6.6 does not exist in registry

  • Kubeproxy is not fully deprecated since envoyproxy requires support of Linux Kernel 5.3 and upwards.

  • If a cluster node was bootstrapped or joined before Kubernetes version 1.17, you must manually edit /etc/kubernetes/kubelet.conf so that it points to the automatically rotated kubelet client certificates. Replace client-certificate-data and client-key-data with:

    client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
    client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
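
The manual edit above can be scripted so that it is applied consistently and only to nodes that still embed their client credentials. This is an added example, not part of the SUSE release notes or of skuba; the function names and the sample file are constructed for illustration, and GNU sed is assumed.

```shell
#!/usr/bin/env bash
# Added example: rewrite a kubelet kubeconfig that still embeds client
# credentials so that it references the rotated certificate file instead.
set -eu

# Path given in the release notes for both the certificate and the key.
ROTATED_PEM=/var/lib/kubelet/pki/kubelet-client-current.pem

# Exit 0 if the file still embeds client-certificate-data or client-key-data.
needs_fix() {
    grep -Eq '^[[:space:]]*client-(certificate|key)-data:' "$1"
}

# Replace the embedded fields in place, preserving indentation.
# A copy of the original is kept next to the file as <name>.bak.
fix_kubelet_conf() {
    conf=$1
    needs_fix "$conf" || return 0   # already file-based, nothing to do
    cp -p "$conf" "$conf.bak"
    sed -E -i \
        -e "s|^([[:space:]]*)client-certificate-data:.*|\1client-certificate: $ROTATED_PEM|" \
        -e "s|^([[:space:]]*)client-key-data:.*|\1client-key: $ROTATED_PEM|" \
        "$conf"
}

# Constructed sample resembling the users section of an older kubelet.conf.
make_sample() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
users:
- name: system:node:worker-0
  user:
    client-certificate-data: Q09OU1RSVUNURUQ=
    client-key-data: Q09OU1RSVUNURUQ=
EOF
}

# Demonstration on the constructed sample, not on a live node.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/kubelet.conf"
fix_kubelet_conf "$demo_dir/kubelet.conf"
cat "$demo_dir/kubelet.conf"
```

On a real node, call fix_kubelet_conf /etc/kubernetes/kubelet.conf as root; the .bak copy still contains the embedded key material and should be removed once the node is confirmed healthy.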

5 Legal Notices

SUSE makes no representations or warranties with regard to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, SUSE reserves the right to revise this publication and to make changes to its content, at any time, without the obligation to notify any person or entity of such revisions or changes.

Further, SUSE makes no representations or warranties with regard to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, SUSE reserves the right to make changes to any and all parts of SUSE software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classifications to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical/biological weaponry end uses. Refer to https://www.suse.com/company/legal/ for more information on exporting SUSE software. SUSE assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2010-2020 SUSE LLC.

This release notes document is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License (CC-BY-SA-4.0). You should have received a copy of the license along with this document. If not, see https://creativecommons.org/licenses/by-sa/4.0/.

SUSE has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at https://www.suse.com/company/legal/ and one or more additional patents or pending patent applications in the U.S. and other countries.

For SUSE trademarks, see SUSE Trademark and Service Mark list (https://www.suse.com/company/legal/). All third-party trademarks are the property of their respective owners.
