Security update for kubernetes

Announcement ID: SUSE-SU-2018:1982-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2018-1002100 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
  • CVE-2018-1002100 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products:
  • SUSE Container as a Service Platform 1.0
  • SUSE Container as a Service Platform 2.0

An update that solves one vulnerability and has two security fixes can now be installed.

Description:

This update for kubernetes to version 1.8.10+044cd262c40234014f01b40ed7b9d09adbafe9b1 fixes the following issues:

This security issue was fixed:

  • CVE-2018-1002100: The kubectl cp command insecurely handled tar data returned from the container. This could have been used to overwrite arbitrary local files (bsc#1089654).
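
An added example, not part of the advisory and not code from Kubernetes or SUSE: a Go pre-extraction check for the class of issue described above, which confirms that every entry in an untrusted tar stream stays under the chosen destination directory. The helper names (CheckArchive, within, sampleArchive), the destination /tmp/out and the archive entries are constructed for illustration; the symlink-target check goes beyond what the advisory states and is an assumed hardening policy.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)
// within reports whether target is destDir itself or a path beneath it.
func within(destDir, target string) bool {
	rel, err := filepath.Rel(destDir, target)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// CheckArchive (hypothetical helper) lists entries of an untrusted tar stream
// that would land, or point, outside destDir. It writes nothing to disk.
func CheckArchive(r io.Reader, destDir string) ([]string, error) {
	var rejected []string
	for tr := tar.NewReader(r); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		} else if err != nil {
			return rejected, err
		}
		target := filepath.Join(destDir, hdr.Name) // Join resolves ".." lexically
		ok := within(destDir, target)
		if ok && hdr.Typeflag == tar.TypeSymlink {
			// Assumed policy: no absolute link targets; relative ones resolve from the entry's directory.
			ok = !filepath.IsAbs(hdr.Linkname) && within(destDir, filepath.Join(filepath.Dir(target), hdr.Linkname))
		}
		if !ok {
			rejected = append(rejected, hdr.Name)
		}
	}
}
// sampleArchive builds a constructed tar stream: one benign entry, two that escape.
func sampleArchive() *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	tw.WriteHeader(&tar.Header{Name: "app/config.yaml", Typeflag: tar.TypeReg, Mode: 0644})
	tw.WriteHeader(&tar.Header{Name: "../../outside.txt", Typeflag: tar.TypeReg, Mode: 0644})
	tw.WriteHeader(&tar.Header{Name: "app/logs", Typeflag: tar.TypeSymlink, Linkname: "../../elsewhere"})
	tw.Close()
	return buf
}
func main() {
	fmt.Println(CheckArchive(sampleArchive(), "/tmp/out"))
}
```

The comparison is done on the path relative to the destination rather than with a string prefix test, so a sibling directory such as /tmp/outside is not mistaken for a child of /tmp/out.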

These non-security issues were fixed:

  • Prevent the Kubernetes image GC from cleaning the images that have been loaded using container-feeder (bsc#1069469)
  • Update hosts in EnsureLoadBalancer()
  • external lb - move target pool operation into its own function
  • Update event-exporter
  • Fixes the regression of GCEPD not provisioning correctly on alpha clusters.
  • Allow update/patch of CRD while terminating
  • add remount logic for azure file plugin
  • 1.8 edition: Pass in etcd TLS credentials during migrate and rollback
  • purge all the -v references from e2e.go
  • Check whether it is running locally when UseInstanceMetadata
  • Get external IP for azure standard nodes
  • Kubernetes version v1.8.10-beta.0 openapi-spec file updates
  • Fix CleanupGCEResources for regional test
  • Detect backsteps correctly in base path detection
  • Add atomic writer subpath e2e tests
  • Exclude commas when pulling the tag out of the git export-subst format string
  • bugfix(mount): lstat with abs path of parent instead of '/..' (bsc#1089991)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Container as a Service Platform 2.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
  • SUSE Container as a Service Platform 1.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  • SUSE Container as a Service Platform 2.0 (x86_64)
    • kubernetes-common-1.8.10-3.3.1
    • kubernetes-kubelet-1.8.10-3.3.1
    • kubernetes-client-1.8.10-3.3.1
    • kubernetes-master-1.8.10-3.3.1
    • kubernetes-node-1.8.10-3.3.1
  • SUSE Container as a Service Platform 1.0 (x86_64)
    • kubernetes-common-1.8.10-3.3.1
    • kubernetes-kubelet-1.8.10-3.3.1
    • kubernetes-client-1.8.10-3.3.1
    • kubernetes-master-1.8.10-3.3.1
    • kubernetes-node-1.8.10-3.3.1