ALT-PU-2019-1074-3

Package kubernetes updated to version 1.13.2-alt1 for branch sisyphus in task 219598.

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()

Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

http://www.securityfocus.com/bid/108053
https://github.com/kubernetes/kubernetes/issues/76797
https://security.netapp.com/advisory/ntap-20190509-0002/
http://www.securityfocus.com/bid/108053
https://github.com/kubernetes/kubernetes/issues/76797
https://security.netapp.com/advisory/ntap-20190509-0002/

Kubernetes did not effectively clear service account credentials

Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-11243
https://github.com/kubernetes/kubernetes/issues/76797
https://github.com/kubernetes/kubernetes
https://security.netapp.com/advisory/ntap-20190509-0002

Version: 2.1.2

Package kubernetes update in sisyphus on 2019-01-18

ALT-PU-2019-1074-3

Closed vulnerabilities

CVE-2019-11243

GHSA-gc2p-g4fg-29vh