Security update for velum

Announcement ID: SUSE-SU-2019:0416-1
Rating: important
CVSS scores:
  • CVE-2019-3682 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE CaaS Platform 3.0

An update that solves one vulnerability and has seven security fixes can now be installed.

Description:

This update provides the following fixes:

kubernetes-salt:

  • Force basename on the system certificate name to prevent path traversal (bsc#1121147)
  • CVE-2019-3682: Disable insecure port in kube-apiserver (bsc#1121148)
  • Insecure API port exposed to all Master Node guest containers (bsc#1121148)
  • Fixes included in this change:
    • bsc#1121146 - Kubernetes – Kubelet Service allows unauthenticated access to Kubelet API
    • bsc#1122439 - failed to parse bool none (bsc#1122439)
    • bsc#1123291 - CaasP 3.0 Update Admin node, worker and master failed
    • bsc#1123650 - ExperimentalCriticalPodAnnotation feature not enabled
    • bsc#1114832 - Running supportconfig on any node can take lots of resources, even fill the hard disk on big/long-running clusters

velum:

  • Do not allow '.' or '/' symbols in system certificate names. (bsc#1121447)
  • Reverting ignore_vol_az option back to Velum CPI (bsc#1122439)
  • Adding LDAP support to Velum that will create the requisite org units in LDAP if they are missing

sles12sp3-velum-image:

  • Release 3.1.9 to include a fix (bsc#1122439,bsc#1121447)

docker-kubic:

  • Add daemon.json file with rotation logs configuration (bsc#1114832)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE CaaS Platform 3.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  • SUSE CaaS Platform 3.0 (x86_64)
    • docker-kubic-debugsource-17.09.1_ce-7.6.1
    • docker-kubic-17.09.1_ce-7.6.1
    • docker-kubic-debuginfo-17.09.1_ce-7.6.1
    • sles12-velum-image-3.1.9-3.33.4
  • SUSE CaaS Platform 3.0 (noarch)
    • kubernetes-salt-3.0.0+git_r931_9cdca5a-3.47.1
