Type: | SECURITY |
Severity: | IMPORTANT |
Release Date: | 2020-04-17 |
kubernetes
[1.12.10-1.0.11]
- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads
[1.12.10-1.0.10]
- [CVE-2019-16276] Kubernetes Vulnerabilities Allow Authentication Bypass, DoS
[1.12.10-1.0.9]
- Define rolling update for flannel
[1.12.10-1.0.8]
- Modify flannel/dashboard image tags to use images that have the CVE fix
[1.12.10-1.0.7]
- [CVE-2019-11253] Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack
[1.12.10-1.0.6]
- [CVE-2019-16276] bump golang to 1.12.10
[1.12.10-1.0.5]
- added THIRD_PARTY_LICENSES.txt file
[1.12.10-1.0.4]
- fix for CVE-2019-11251
[1.12.10-1.0.3]
- replacing references to kubernetes-dashboard-amd64 with kubernetes-dashboard
[1.12.10-1.0.2]
- Added Oracle specific build files for Kubernetes
kubeadm-ha-setup
[0.0.2-1.0.69]
- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads
[0.0.2-1.0.68]
- Pull image prior to update and fix image repo for addons
[0.0.2-1.0.67]
- Bump golang build version
[0.0.2-1.0.66]
- [CVE-2019-16276] Support patching flannel/dashboard on upgrade
[0.0.2-1.0.65]
- [CVE-2019-16276] Support deploying 1.12 and 1.13 with CVE patched
[0.0.2-1.0.64]
- [CVE-2019-16276] Support patching etcd on upgrade
[0.0.2-1.0.63]
- [CVE-2019-16276] while upgrading a cluster patch the coredns image
[0.0.2-1.0.62]
- CVE-2019-16276: Update flannel, etcd, coredns and dashboard images.
[0.0.2-1.0.61]
- Added Support for 1.13.11 and removed support for 1.13.10
[0.0.2-1.0.59]
- Remove Support for 1.14.6
[0.0.2-1.0.58]
- Replacing reference to kubernetes-dashboard-amd64 with kubernetes-dashboard
[0.0.2-1.0.57]
- Support 1.12.10
[0.0.2-1.0.56]
- Support 1.14.6
[0.0.2-1.0.55]
- Support 1.13.10
[0.0.2-1.0.54]
- Support 1.13.9
[0.0.2-1.0.53]
- Mark 1.14 as a developer build
[0.0.2-1.0.52]
- Restore fails when trying to restore after a failed update
[0.0.2-1.0.51]
- Minor version update doesn't update kubeadm on all master nodes
[0.0.2-1.0.50]
- Make k8s 1.14 specific changes
[0.0.2-1.0.49]
- Remove 1.10 and 1.11 version since they are incompatible
[0.0.2-1.0.48]
- Support deploying 5 master nodes
[0.0.2-1.0.47]
- Only update/upgrade the controlplane images if they changed in the Release object
[0.0.2-1.0.46]
- Fix version comparison function during upgrade
[0.0.2-1.0.45]
- Fix rpm version compare
- Allow kubernetes updates for patch version
[0.0.2-1.0.44]
- Allow assume yes to deploy a single master without the prompt
[0.0.2-1.0.43]
- Post cluster creation should check only for master nodes
[0.0.2-1.0.42]
- Update keepalived check api server to ensure we are grepping the correct IP
[0.0.2-1.0.41]
- Make ha.yaml an optional argument in the cli for single master cluster
[0.0.2-1.0.40]
- Add pod cidr default and refactor ha.yaml example
[0.0.2-1.0.39]
- Remove features: feature1_13=true from config
[0.0.2-1.0.38]
- Default kubernetes version to latest production version
[0.0.2-1.0.37]
- Fix keepalived issue when firewalld is disabled
[0.0.2-1.0.36]
- Default kubernetes version to latest production version
[0.0.2-1.0.35]
- Add addons template and config files
[0.0.2-1.0.34]
- Enhance tests
[0.0.2-1.0.33]
- fix regression of previous firewall fix
[0.0.2-1.0.32]
- Fix firewall issues during restore
[0.0.2-1.0.31]
- Fix firewall issues
[0.0.2-1.0.30]
- Enhance output while validating the system
[0.0.2-1.0.29]
- Fix DR in 1.13
[0.0.2-1.0.28]
- Fix apiserver_cert_extra_sans for 1.13 clusters
[0.0.2-1.0.27]
- Fix update/upgrade output message
[0.0.2-1.0.26]
- Fix major upgrade
[0.0.2-1.0.25]
- Add registry migration
[0.0.2-1.0.24]
- Return stdout and stderr from Run function to allow the caller to decide what to display
[0.0.2-1.0.23]
- Proxy variable is inherited in remote master
[0.0.2-1.0.22]
- The Trim function doesn't work for replacing strings
- Upgrade should use the pause container instead of pause-amd64
[0.0.2-1.0.21]
- Include 1.12.7 image and update 1.13 and metric servers info
[0.0.2-1.0.20]
- Support new registries and allow for password to have a colon
[0.0.2-1.0.19]
- --force flag for full restore
[0.0.2-1.0.18]
- Change update help message
[0.0.2-1.0.17]
- Change update message, add ha install command and ask for confirmation
[0.0.2-1.0.16]
- Change upgrade command name to update
[0.0.2-1.0.15]
- Fix upgrade for point release
[0.0.2-1.0.14]
- Move file.go to config.go
[0.0.2-1.0.13]
- Feature Flag 1.13 code
[0.0.2-1.0.12]
- Add support of upgrading HA master nodes
[0.0.2-1.0.11]
- Support deploying Kubernetes version 1.13.2
[0.0.2-1.0.10]
- CVE-2018-16875
[0.0.2-1.0.9]
- Add timeout to Run() (gitlab issues #3)
- Rename path to linux-git.us.oracle.com/Kubernetes
[0.0.2-1.0.8]
- Remove releases.json dependency
[0.0.2-1.0.7]
- Pin dependent kubernetes packages
[0.0.2-1.0.6]
- Update deps for kube 1.13
[0.0.2-1.0.5]
- Add test runner in makefile and execute it in CI/CD
[0.0.2-1.0.4]
- Fix backup path issue again found by Tom Cocozzello
[0.0.2-1.0.3]
- [Orabug 29152516] Backup and restore /var/lib/kubelet/kubeadm-flags.env too
- Cleanup kube-ipvs0 interface too
- More code cleanup
- Use map for checking kernel module
- Fix client joining errors
- Addressing Tom Cocozzello's review
- Enabling IPVS in HA
[0.0.2-1.0.2]
- Update dashboard image (CVE-2018-18264)
[0.0.2-1.0.1]
- Allow Oracle certified addons to be installed via cli
[0.0.1-2.0.9]
- Use 'dep ensure' to clean up symlinks in the vendor directory
[0.0.1-2.0.5]
- Clean up un-used build scripts
[0.0.1-2.0.4]
- Add Makefile for building and testing code
[0.0.1-2.0.3]
- Fix file restore issue when it contains './'
[0.0.1-2.0.2]
- Resolve the full filepath when '.' is passed in
- Addressing review by Muminul Islam
[0.0.1-2.0.1]
- Remove 'firewall-cmd --reload' as it can hang OCI
- Fix some errors reported by Shubham
- Error out if options is not currently supported in HandleEtcdOps
- Fix down issue
- Dump log output to /var/log/kubeadm-ha-setup
[0.0.1-1.0.37]
- Fix kubernetes version
- Include log printing when error occurs
- Fix client.go regression due to new down function
[0.0.1-1.0.36]
- Remove Godeps, using dep for now
- Check if image is not set before referencing
- Rename getEtcdConfigV2 to getEtcdConfig
- Adding down functionality
- Update ha.yaml file
[0.0.1-1.0.35]
- Removing etcd.go
- Addressing Tom Cocozzello review
- [Orabug 28977571]
[0.0.1-1.0.34]
- Enabling full restore on HA master and single master
- Cleanup
- Enable single master backup
- Double the context request timeout
- Implement retryable AddMember
[0.0.1-1.0.33]
- Modified DR for One node case to use new etcd API
- Enhanced the helper scripts such that it will error out
- HealthCheck re-implementation
[0.0.1-1.0.32]
- Update dashboard image
[0.0.1-1.0.31]
- Needs to be run as a privileged user
- Enable CoreDNS as default
[0.0.1-1.0.30]
- Enable single master setup
[0.0.1-1.0.29]
- Redesigned for setting up v1.12 HA clusters
[0.0.1-1.0.28]
- Fixes for v1.11
- Addressing Laszlo Peter review
- Addressing Daniel Krasinski review
[0.0.1-1.0.27]
- Fix build failure
- Add UPL LICENSE
- Fix the usage of defer
- Re-try when docker pull image gets a timeout
- Refactor SetupCreds()
- Remove --force flag for restore
- When something fails, we should lengthen the timeout time
[0.0.1-1.0.26]
- When context timed out catch it and print stdout, stderr
[0.0.1-1.0.25]
- Check output from docker client and probe for error
[0.0.1-1.0.24]
- Properly parse if repo has a special ':' character
[0.0.1-1.0.23]
- Checking the total nodes would be better implementation
- Fixup etcd add member errors
[0.0.1-1.0.22]
- Pod count could be >= 20
- Remove port 30000-32767/tcp check for client node
- Querying k8s cluster health instead of etcd for backup
- Cosmetic fix
- Etcd one node restore problems
[0.0.1-1.0.21]
- Check whether repo needs auth even in one node restore case
- Fixup the restore script
- docker pull image change in behavior in 18.03
- Include client side image repo checking too
- Provide a full repo path for comparison
- Make kubernetes_developer as the sample repo
- Use strings.Contains to compare strings
- Fix README
- Initial README
- Include changes in kube.go
[0.0.1-1.0.20]
- In OCI, LB can take time to set up properly
- Fix random string
- [Orabug 28445064]
- Replace RunCmdExec() with just Run()
- Sanity check for # of master
- Make kubeadm token default to be random
[0.0.1-1.0.19]
- Check if docker exec etcd returns Error
- Check env first before trying to pull image
- [Orabug 28461826]
[0.0.1-1.0.18]
- Fixing LB, kubelet, kubectl-proxy
- Add a DEBUG flag for more verbose output
[0.0.1-1.0.17]
- Don't loop forever in client, make Run() more consistent in master
- Fixup LB for OCI
- Add apiserver-bind-port capability
[0.0.1-1.0.17]
- Include apiserver_cert_extra_sans and service_cidr
[0.0.1-1.0.16]
- Include restoring keepalived for one and full restore
- For Full Restore we need to first clean up before anything else
- Clean up DR, make backup check etcd health first
- Properly clean-up flannel.1 and cni0
[0.0.1-1.0.15]
- DR code cleanup
- Changed permission on the created dir to 0755
- Fix filename not found error
[0.0.1-1.0.14]
- Don't panic()
- In One node restore case verify the ca.crt MD5SUM
- Full DR feature
- Redesign of the DR
- Include file and its line number for logging
- Put the binary full path
- Re-arrange variables for ssh.go
- Separate etcd cli to another file (etcd.go)
- Addition to kubectl cli
- Check if MyIP for local node is missing/empty
[0.0.1-1.0.13]
- Replace binary names
- Include the ability to re-try master setup
[0.0.1-1.0.12]
- Renamed the whole REPO to kubeadm-ha-setup
- Don't print out more logs as necessary
[0.0.1-1.0.12]
- Enhance ssh/sftp code
[0.0.1-1.0.11]
- Change the storePath
- Include keepalived backup and change backup.sh/restore.sh
[0.0.1-1.0.10]
- Continuing on the restore part
- Make the script to query all KUBEDIR directory from a single file
- Consolidate KUBEDIR
- Make systemd related file 0644
[0.0.1-1.0.9]
- Fixup the hardcoded directory as such we are reading from only limited source
- Include the Docker API for restore
- Initial implementation of DR
[0.0.1-1.0.8]
- Fixup kubeadm-setup join
- systemctl enable kubelet
[0.0.1-1.0.7]
- Fix LoadBalancer to take care of extra steps
[0.0.1-1.0.6]
- Cleanup some stdout
- Add token field in ha.yaml for ease of automated setup
[0.0.1-1.0.5]
- If Loadbalancer is preferred/used
[0.0.1-1.0.4]
- Remove goroutine sleep - unnecessary
- Provides structure to store required files and cert files
- Fix merge errors
[0.0.1-1.0.3]
- Create /run/kubeadm w-w/o --skip
[0.0.1-1.0.2]
- NoHA and LoadBalancer
[0.0.1-1.0.1]
- Initial build
kubeadm-upgrade
[0.0.1-1.0.28]
-- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads
[0.0.1-1.0.27]
-- [CVE-2019-16276] Kubernetes Vulnerabilities Allow Authentication Bypass, DoS
[0.0.1-1.0.26]
-- Create log folder before any log write or error exit [ orabug: 29806186 ]
[0.0.1-1.0.25]
-- Enforce exit on errors
[0.0.1-1.0.24]
-- Dashboard yaml location was moved in Kubernetes 1.12.7
[0.0.1-1.0.23]
-- Detect latest kubernetes version from yum
[0.0.1-1.0.22]
-- Bump up 1.12.7 version for coredns fix
[0.0.1-1.0.21]
-- CVE-2019-9946
[0.0.1-1.0.20]
-- CVE-2019-1002101
[0.0.1-1.0.19]
-- Bump up 1.12.6 version
[0.0.1-1.0.18]
-- Upgrade from 1.9 to 1.12 fails
[0.0.1-1.0.17]
-- Update the Kubernetes version to include the conntrack fix
[0.0.1-1.0.16]
-- CVE-2019-1002100
[0.0.1-1.0.15]
-- CVE-2018-1002105
[0.0.1-1.0.14]
-- Fix kube version for 1.10.5
[0.0.1-1.0.13]
-- Updating 1.10 and 1.11 version for CVE fixes
-- Include flannel and dashboard upgrade
[0.0.1-1.0.12]
-- Upgrade to 1.12.5-2.1.1
[0.0.1-1.0.11]
-- Upgrade to 1.12.5
[0.0.1-1.0.10]
-- Add license info to the script
[0.0.1-1.0.9]
-- Add license file
[0.0.1-1.0.8]
-- Fix the bug on number of CPU checking
[0.0.1-1.0.7]
-- Use install instead of update for a specific 1.12 version
[0.0.1-1.0.6]
-- Upgrade cluster to 1.12.3-* version only
[0.0.1-1.0.5]
-- Add exit handler to gather logs on failure
[0.0.1-1.0.4]
-- Enhance logging and check return code after kubeadm apply. Checking CPU and Memory of the system
[0.0.1-1.0.3]
-- Change REPO_PREFIX to use a single repo, increased timeout during cluster health check
[0.0.1-1.0.2]
-- Added comments and fix rpm name
[0.0.1-1.0.1]
- Upgrade to 1.12.3
Release/Architecture | Filename | MD5sum | Superseded By Advisory |
Oracle Linux 7 (x86_64) | kubeadm-ha-setup-0.0.2-1.0.69.el7.src.rpm | cba4bd49c0186b7648dd04afa404ad9c | ELSA-2020-5825 |
| kubeadm-upgrade-0.0.1-1.0.28.el7.src.rpm | cb6fde7d9629a213ac1eba41f57257b4 | - |
| kubernetes-1.12.10-1.0.11.el7.src.rpm | 57c9b09aac238b8912326fa015e63cd2 | ELBA-2021-9240 |
| kubeadm-1.12.10-1.0.11.el7.x86_64.rpm | 33810e20a0159bfe5cfe97c1301da8a9 | ELBA-2021-9240 |
| kubeadm-ha-setup-0.0.2-1.0.69.el7.x86_64.rpm | e84aa1d67ace500c0301d17462f56904 | ELSA-2020-5825 |
| kubeadm-upgrade-0.0.1-1.0.28.el7.x86_64.rpm | 4d3a768ae4d31b26816d44ca3206c99d | - |
| kubectl-1.12.10-1.0.11.el7.x86_64.rpm | 4a891041f3cb2306a7e153ef19609779 | ELBA-2021-9240 |
| kubelet-1.12.10-1.0.11.el7.x86_64.rpm | 89c5b38174ac4a2ba1b9ef30c097c0a4 | ELBA-2021-9240 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team