Security update for kubernetes SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0554-1 Final 1 1 2020-04-26T14:12:22Z current 2020-04-26T14:12:22Z 2020-04-26T14:12:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for kubernetes This update introduces kubernetes version 1.14.1 and cri-o 1.17.1 to Leap 15.1. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-554 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4KLMQUDJXG7ORWF7M42NKLDUJSKHAUTS/ E-Mail link for openSUSE-SU-2020:0554-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1039663 SUSE Bug 1039663 https://bugzilla.suse.com/1042383 SUSE Bug 1042383 https://bugzilla.suse.com/1042387 SUSE Bug 1042387 https://bugzilla.suse.com/1057277 SUSE Bug 1057277 https://bugzilla.suse.com/1059207 SUSE Bug 1059207 https://bugzilla.suse.com/1061027 SUSE Bug 1061027 https://bugzilla.suse.com/1065972 SUSE Bug 1065972 https://bugzilla.suse.com/1069469 SUSE Bug 1069469 https://bugzilla.suse.com/1084765 SUSE Bug 1084765 https://bugzilla.suse.com/1084766 SUSE Bug 1084766 https://bugzilla.suse.com/1085009 SUSE Bug 1085009 https://bugzilla.suse.com/1086185 SUSE Bug 1086185 https://bugzilla.suse.com/1086412 SUSE Bug 1086412 https://bugzilla.suse.com/1095131 SUSE Bug 1095131 https://bugzilla.suse.com/1095154 SUSE Bug 1095154 https://bugzilla.suse.com/1096773 SUSE Bug 1096773 https://bugzilla.suse.com/1097473 SUSE Bug 1097473 https://bugzilla.suse.com/1100838 SUSE Bug 1100838 https://bugzilla.suse.com/1101010 SUSE Bug 1101010 https://bugzilla.suse.com/1104598 SUSE Bug 1104598 https://bugzilla.suse.com/1104821 SUSE Bug 1104821 https://bugzilla.suse.com/1112980 SUSE Bug 1112980 https://bugzilla.suse.com/1118897 SUSE Bug 1118897 https://bugzilla.suse.com/1118898 SUSE Bug 1118898 https://bugzilla.suse.com/1136403 SUSE Bug 1136403 https://bugzilla.suse.com/1144065 SUSE Bug 1144065 https://bugzilla.suse.com/1155323 SUSE Bug 1155323 https://bugzilla.suse.com/1161056 SUSE Bug 1161056 https://bugzilla.suse.com/1161179 SUSE Bug 1161179 https://www.suse.com/security/cve/CVE-2016-5195/ SUSE CVE CVE-2016-5195 page https://www.suse.com/security/cve/CVE-2016-8859/ SUSE CVE CVE-2016-8859 page https://www.suse.com/security/cve/CVE-2017-1002101/ SUSE CVE CVE-2017-1002101 page https://www.suse.com/security/cve/CVE-2018-1002105/ SUSE CVE CVE-2018-1002105 page https://www.suse.com/security/cve/CVE-2018-16873/ SUSE CVE CVE-2018-16873 page https://www.suse.com/security/cve/CVE-2018-16874/ SUSE CVE CVE-2018-16874 page https://www.suse.com/security/cve/CVE-2019-10214/ SUSE CVE CVE-2019-10214 page openSUSE Leap 15.1 cri-o-1.17.1-lp151.2.2 cri-o-kubeadm-criconfig-1.17.1-lp151.2.2 cri-tools-1.18.0-lp151.2.1 go1.14-1.14-lp151.6.1 go1.14-doc-1.14-lp151.6.1 go1.14-race-1.14-lp151.6.1 kubernetes-apiserver-1.18.0-lp151.5.1 kubernetes-client-1.18.0-lp151.5.1 kubernetes-controller-manager-1.18.0-lp151.5.1 kubernetes-kubeadm-1.18.0-lp151.5.1 kubernetes-kubelet-common-1.18.0-lp151.5.1 kubernetes-kubelet1.17-1.18.0-lp151.5.1 kubernetes-kubelet1.18-1.18.0-lp151.5.1 kubernetes-master-1.18.0-lp151.5.1 kubernetes-node-1.18.0-lp151.5.1 kubernetes-proxy-1.18.0-lp151.5.1 kubernetes-scheduler-1.18.0-lp151.5.1 cri-o-1.17.1-lp151.2.2 as a component of openSUSE Leap 15.1 cri-o-kubeadm-criconfig-1.17.1-lp151.2.2 as a component of openSUSE Leap 15.1 cri-tools-1.18.0-lp151.2.1 as a component of openSUSE Leap 15.1 go1.14-1.14-lp151.6.1 as a component of openSUSE Leap 15.1 go1.14-doc-1.14-lp151.6.1 as a component of openSUSE Leap 15.1 go1.14-race-1.14-lp151.6.1 as a component of openSUSE Leap 15.1 kubernetes-apiserver-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 kubernetes-client-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 kubernetes-controller-manager-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 kubernetes-kubeadm-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 kubernetes-kubelet-common-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 kubernetes-kubelet1.17-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 kubernetes-kubelet1.18-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 kubernetes-master-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 kubernetes-node-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 kubernetes-proxy-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 kubernetes-scheduler-1.18.0-lp151.5.1 as a component of openSUSE Leap 15.1 Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW." CVE-2016-5195 openSUSE Leap 15.1:cri-o-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-o-kubeadm-criconfig-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-tools-1.18.0-lp151.2.1 openSUSE Leap 15.1:go1.14-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-doc-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-race-1.14-lp151.6.1 openSUSE Leap 15.1:kubernetes-apiserver-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-client-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-controller-manager-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubeadm-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet-common-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.17-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.18-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-master-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-node-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-proxy-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-scheduler-1.18.0-lp151.5.1 important 6.6 AV:L/AC:M/Au:S/C:C/I:C/A:C 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4KLMQUDJXG7ORWF7M42NKLDUJSKHAUTS/ https://www.suse.com/security/cve/CVE-2016-5195.html CVE-2016-5195 https://bugzilla.suse.com/1004418 SUSE Bug 1004418 https://bugzilla.suse.com/1004419 SUSE Bug 1004419 https://bugzilla.suse.com/1004436 SUSE Bug 1004436 https://bugzilla.suse.com/1006323 SUSE Bug 1006323 https://bugzilla.suse.com/1006695 SUSE Bug 1006695 https://bugzilla.suse.com/1007291 SUSE Bug 1007291 https://bugzilla.suse.com/1008110 SUSE Bug 1008110 https://bugzilla.suse.com/1030118 SUSE Bug 1030118 https://bugzilla.suse.com/1046453 SUSE Bug 1046453 https://bugzilla.suse.com/1069496 SUSE Bug 1069496 https://bugzilla.suse.com/1149725 SUSE Bug 1149725 https://bugzilla.suse.com/870618 SUSE Bug 870618 https://bugzilla.suse.com/986445 SUSE Bug 986445 https://bugzilla.suse.com/998689 SUSE Bug 998689 Multiple integer overflows in the TRE library and musl libc allow attackers to cause memory corruption via a large number of (1) states or (2) tags, which triggers an out-of-bounds write. CVE-2016-8859 openSUSE Leap 15.1:cri-o-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-o-kubeadm-criconfig-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-tools-1.18.0-lp151.2.1 openSUSE Leap 15.1:go1.14-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-doc-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-race-1.14-lp151.6.1 openSUSE Leap 15.1:kubernetes-apiserver-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-client-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-controller-manager-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubeadm-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet-common-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.17-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.18-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-master-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-node-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-proxy-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-scheduler-1.18.0-lp151.5.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4KLMQUDJXG7ORWF7M42NKLDUJSKHAUTS/ https://www.suse.com/security/cve/CVE-2016-8859.html CVE-2016-8859 https://bugzilla.suse.com/1005483 SUSE Bug 1005483 In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem. CVE-2017-1002101 openSUSE Leap 15.1:cri-o-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-o-kubeadm-criconfig-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-tools-1.18.0-lp151.2.1 openSUSE Leap 15.1:go1.14-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-doc-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-race-1.14-lp151.6.1 openSUSE Leap 15.1:kubernetes-apiserver-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-client-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-controller-manager-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubeadm-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet-common-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.17-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.18-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-master-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-node-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-proxy-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-scheduler-1.18.0-lp151.5.1 important 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4KLMQUDJXG7ORWF7M42NKLDUJSKHAUTS/ https://www.suse.com/security/cve/CVE-2017-1002101.html CVE-2017-1002101 https://bugzilla.suse.com/1084923 SUSE Bug 1084923 https://bugzilla.suse.com/1085007 SUSE Bug 1085007 https://bugzilla.suse.com/1085009 SUSE Bug 1085009 https://bugzilla.suse.com/1096726 SUSE Bug 1096726 In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection. CVE-2018-1002105 openSUSE Leap 15.1:cri-o-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-o-kubeadm-criconfig-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-tools-1.18.0-lp151.2.1 openSUSE Leap 15.1:go1.14-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-doc-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-race-1.14-lp151.6.1 openSUSE Leap 15.1:kubernetes-apiserver-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-client-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-controller-manager-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubeadm-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet-common-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.17-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.18-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-master-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-node-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-proxy-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-scheduler-1.18.0-lp151.5.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4KLMQUDJXG7ORWF7M42NKLDUJSKHAUTS/ https://www.suse.com/security/cve/CVE-2018-1002105.html CVE-2018-1002105 https://bugzilla.suse.com/1118198 SUSE Bug 1118198 https://bugzilla.suse.com/1118260 SUSE Bug 1118260 In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u". CVE-2018-16873 openSUSE Leap 15.1:cri-o-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-o-kubeadm-criconfig-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-tools-1.18.0-lp151.2.1 openSUSE Leap 15.1:go1.14-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-doc-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-race-1.14-lp151.6.1 openSUSE Leap 15.1:kubernetes-apiserver-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-client-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-controller-manager-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubeadm-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet-common-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.17-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.18-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-master-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-node-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-proxy-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-scheduler-1.18.0-lp151.5.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4KLMQUDJXG7ORWF7M42NKLDUJSKHAUTS/ https://www.suse.com/security/cve/CVE-2018-16873.html CVE-2018-16873 https://bugzilla.suse.com/1118897 SUSE Bug 1118897 https://bugzilla.suse.com/1118898 SUSE Bug 1118898 https://bugzilla.suse.com/1118899 SUSE Bug 1118899 In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. CVE-2018-16874 openSUSE Leap 15.1:cri-o-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-o-kubeadm-criconfig-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-tools-1.18.0-lp151.2.1 openSUSE Leap 15.1:go1.14-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-doc-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-race-1.14-lp151.6.1 openSUSE Leap 15.1:kubernetes-apiserver-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-client-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-controller-manager-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubeadm-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet-common-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.17-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.18-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-master-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-node-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-proxy-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-scheduler-1.18.0-lp151.5.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4KLMQUDJXG7ORWF7M42NKLDUJSKHAUTS/ https://www.suse.com/security/cve/CVE-2018-16874.html CVE-2018-16874 https://bugzilla.suse.com/1118897 SUSE Bug 1118897 https://bugzilla.suse.com/1118898 SUSE Bug 1118898 https://bugzilla.suse.com/1118899 SUSE Bug 1118899 The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens. CVE-2019-10214 openSUSE Leap 15.1:cri-o-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-o-kubeadm-criconfig-1.17.1-lp151.2.2 openSUSE Leap 15.1:cri-tools-1.18.0-lp151.2.1 openSUSE Leap 15.1:go1.14-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-doc-1.14-lp151.6.1 openSUSE Leap 15.1:go1.14-race-1.14-lp151.6.1 openSUSE Leap 15.1:kubernetes-apiserver-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-client-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-controller-manager-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubeadm-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet-common-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.17-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-kubelet1.18-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-master-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-node-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-proxy-1.18.0-lp151.5.1 openSUSE Leap 15.1:kubernetes-scheduler-1.18.0-lp151.5.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4KLMQUDJXG7ORWF7M42NKLDUJSKHAUTS/ https://www.suse.com/security/cve/CVE-2019-10214.html CVE-2019-10214 https://bugzilla.suse.com/1144065 SUSE Bug 1144065