Update kubernetes to 1.16.14 to resolve 3 CVEs (#67)
* Update kubernetes to 1.16.14 Updating to version 1.16.14 resolves the following CVEs: CVE-2020-8557, CVE-2020-8558, CVE-2020-8559 * Remove reference to VSO work item * Update kubernetes version in cgmanifest
Родитель
28f551fef9
Коммит
02028eb5ad
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"contrib-0.7.0.tar.gz": "1d4e651ea59ea0d2b440e290fda5e166a21847891abca2907b8a1683c2252b8d",
|
||||
"kubernetes-1.16.10.tar.gz": "f49f59d4df6212f61bf3a2a1e8ab7c7357071aa290fb7a1ce087dcdceb668911"
|
||||
"kubernetes-1.16.14.tar.gz": "6cd27520ccde59cf2b9127075cb1f9e7812734d27b423fa744f0a22d541951b2"
|
||||
}
|
||||
}
|
|
@ -9,7 +9,7 @@
|
|||
|
||||
Summary: Kubernetes cluster management
|
||||
Name: kubernetes
|
||||
Version: 1.16.10
|
||||
Version: 1.16.14
|
||||
Release: 1%{?dist}
|
||||
License: ASL 2.0
|
||||
URL: https://github.com/kubernetes
|
||||
|
@ -17,9 +17,8 @@ URL: https://github.com/kubernetes
|
|||
Source0: %{name}-%{version}.tar.gz
|
||||
#Source1: %{url}-retired/contrib/archive/0.7.0.tar.gz
|
||||
# This is NOT the source from the project page linked above. Its name is identical to the official version
|
||||
# but the signature is different. To be fixed as part of https://microsoft.visualstudio.com/OS/_workitems/edit/25936171.
|
||||
# but the signature is different.
|
||||
Source1: contrib-0.7.0.tar.gz
|
||||
Patch0: kubernetes-mariner.patch
|
||||
Group: Development/Tools
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -69,7 +68,6 @@ A pod setup process that holds a pod's namespace.
|
|||
|
||||
%prep -p exit
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
cd ..
|
||||
tar xf %{SOURCE1} --no-same-owner
|
||||
sed -i -e 's|127.0.0.1:4001|127.0.0.1:2379|g' contrib-0.7.0/init/systemd/environ/apiserver
|
||||
|
@ -236,6 +234,8 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Aug 18 2020 Henry Beberman <henry.beberman@microsoft.com> 1.16.14-1
|
||||
- Update to 1.16.14 to fix: CVE-2020-8557, CVE-2020-8558, CVE-2020-8559
|
||||
* Tue Jun 16 2020 Andrew Phelps <anphel@microsoft.com> 1.16.10-1
|
||||
- Update to 1.16.10 to fix: CVE-2020-8552, CVE-2019-11254
|
||||
* Tue May 26 2020 Mateusz Malisz <mamalisz@microsoft.com> 1.16.2-8
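Review bot: The comment kept above `Source1: contrib-0.7.0.tar.gz` still states that the tarball is not the upstream archive and that its signature differs, but with the work-item link dropped nothing records where the file came from or where the mismatch is tracked. The signatures file pins this tarball by hash only, so a reader cannot tell from the spec whether the pinned artifact is a trusted one. I would end the comment with a provenance pointer, e.g. `# but the signature is different. Origin: <where this tarball was obtained>; tracked in <public issue link>.` Separately, the hunk line counts suggest `Patch0` and `%patch0 -p1` are removed in this section as well (the +/- markers are lost on this page, so this is inferred), and the new changelog entry mentions only the version bump; a second line such as `- Drop <patch name>, no longer needed with 1.16.14` would document that.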
|
||||
|
|
|
@ -1,136 +0,0 @@
|
|||
diff -ru kubernetes-1.16.2-orig/hack/lib/golang.sh kubernetes-1.16.2/hack/lib/golang.sh
|
||||
--- kubernetes-1.16.2-orig/hack/lib/golang.sh 2019-10-11 21:42:37.000000000 -0700
|
||||
+++ kubernetes-1.16.2/hack/lib/golang.sh 2020-04-22 16:29:42.391063645 -0700
|
||||
@@ -146,13 +146,17 @@
|
||||
# Returns a sorted newline-separated list containing only duplicated items.
|
||||
kube::golang::dups() {
|
||||
# We use printf to insert newlines, which are required by sort.
|
||||
- printf "%s\n" "$@" | sort | uniq -d
|
||||
+ local __tmpfile=$(mktemp dups-XXXXXX)
|
||||
+ printf "%s\n" "$@" | sort | uniq -d > $__tmpfile
|
||||
+ echo $__tmpfile
|
||||
}
|
||||
|
||||
# Returns a sorted newline-separated list with duplicated items removed.
|
||||
kube::golang::dedup() {
|
||||
# We use printf to insert newlines, which are required by sort.
|
||||
- printf "%s\n" "$@" | sort -u
|
||||
+ local __tmpfile=$(mktemp dedup-XXXXXX)
|
||||
+ printf "%s\n" "$@" | sort -u > $__tmpfile
|
||||
+ echo $__tmpfile
|
||||
}
|
||||
|
||||
# Depends on values of user-facing KUBE_BUILD_PLATFORMS, KUBE_FASTBUILD,
|
||||
@@ -175,33 +179,43 @@
|
||||
|
||||
# Deduplicate to ensure the intersection trick with kube::golang::dups
|
||||
# is not defeated by duplicates in user input.
|
||||
- kube::util::read-array platforms < <(kube::golang::dedup "${platforms[@]}")
|
||||
+ TMPFILE=$(kube::golang::dedup "${platforms[@]}")
|
||||
+ kube::util::read-array truc < $TMPFILE
|
||||
+ rm -f $TMPFILE
|
||||
|
||||
# Use kube::golang::dups to restrict the builds to the platforms in
|
||||
# KUBE_SUPPORTED_*_PLATFORMS. Items should only appear at most once in each
|
||||
# set, so if they appear twice after the merge they are in the intersection.
|
||||
- kube::util::read-array KUBE_SERVER_PLATFORMS < <(kube::golang::dups \
|
||||
+ TMPFILE=$(kube::golang::dups \
|
||||
"${platforms[@]}" \
|
||||
"${KUBE_SUPPORTED_SERVER_PLATFORMS[@]}" \
|
||||
)
|
||||
+ kube::util::read-array KUBE_SERVER_PLATFORMS < $TMPFILE
|
||||
+ rm -f $TMPFILE
|
||||
readonly KUBE_SERVER_PLATFORMS
|
||||
|
||||
- kube::util::read-array KUBE_NODE_PLATFORMS < <(kube::golang::dups \
|
||||
+ TMPFILE=$(kube::golang::dups \
|
||||
"${platforms[@]}" \
|
||||
"${KUBE_SUPPORTED_NODE_PLATFORMS[@]}" \
|
||||
)
|
||||
+ kube::util::read-array KUBE_NODE_PLATFORMS < $TMPFILE
|
||||
+ rm -f $TMPFILE
|
||||
readonly KUBE_NODE_PLATFORMS
|
||||
|
||||
- kube::util::read-array KUBE_TEST_PLATFORMS < <(kube::golang::dups \
|
||||
+ TMPFILE=$(kube::golang::dups \
|
||||
"${platforms[@]}" \
|
||||
"${KUBE_SUPPORTED_TEST_PLATFORMS[@]}" \
|
||||
)
|
||||
+ kube::util::read-array KUBE_TEST_PLATFORMS < $TMPFILE
|
||||
+ rm -f $TMPFILE
|
||||
readonly KUBE_TEST_PLATFORMS
|
||||
|
||||
- kube::util::read-array KUBE_CLIENT_PLATFORMS < <(kube::golang::dups \
|
||||
+ TMPFILE=$(kube::golang::dups \
|
||||
"${platforms[@]}" \
|
||||
"${KUBE_SUPPORTED_CLIENT_PLATFORMS[@]}" \
|
||||
)
|
||||
+ kube::util::read-array KUBE_CLIENT_PLATFORMS < $TMPFILE
|
||||
+ rm -f $TMPFILE
|
||||
readonly KUBE_CLIENT_PLATFORMS
|
||||
|
||||
elif [[ "${KUBE_FASTBUILD:-}" == "true" ]]; then
|
||||
@@ -456,6 +470,7 @@
|
||||
|
||||
# Ensure the go tool exists and is a viable version.
|
||||
kube::golang::verify_go_version() {
|
||||
+
|
||||
if [[ -z "$(command -v go)" ]]; then
|
||||
kube::log::usage_from_stdin <<EOF
|
||||
Can't find 'go' in PATH, please fix and retry.
|
||||
@@ -808,21 +823,24 @@
|
||||
fi
|
||||
|
||||
local -a binaries
|
||||
- while IFS="" read -r binary; do binaries+=("$binary"); done < <(kube::golang::binaries_from_targets "${targets[@]}")
|
||||
+ TMPFILE=$(mktemp mkbin-XXXXXX)
|
||||
+ kube::golang::binaries_from_targets "${targets[@]}" > $TMPFILE
|
||||
+ while IFS="" read -r binary; do binaries+=("$binary"); done < $TMPFILE
|
||||
+ rm $TMPFILE
|
||||
|
||||
local parallel=false
|
||||
- if [[ ${#platforms[@]} -gt 1 ]]; then
|
||||
- local gigs
|
||||
- gigs=$(kube::golang::get_physmem)
|
||||
-
|
||||
- if [[ ${gigs} -ge ${KUBE_PARALLEL_BUILD_MEMORY} ]]; then
|
||||
- kube::log::status "Multiple platforms requested and available ${gigs}G >= threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in parallel"
|
||||
- parallel=true
|
||||
- else
|
||||
- kube::log::status "Multiple platforms requested, but available ${gigs}G < threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in serial"
|
||||
- parallel=false
|
||||
- fi
|
||||
- fi
|
||||
+ # if [[ ${#platforms[@]} -gt 1 ]]; then
|
||||
+ # local gigs
|
||||
+ # gigs=$(kube::golang::get_physmem)
|
||||
+
|
||||
+ # if [[ ${gigs} -ge ${KUBE_PARALLEL_BUILD_MEMORY} ]]; then
|
||||
+ # kube::log::status "Multiple platforms requested and available ${gigs}G >= threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in parallel"
|
||||
+ # parallel=true
|
||||
+ # else
|
||||
+ # kube::log::status "Multiple platforms requested, but available ${gigs}G < threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in serial"
|
||||
+ # parallel=false
|
||||
+ # fi
|
||||
+ # fi
|
||||
|
||||
if [[ "${parallel}" == "true" ]]; then
|
||||
kube::log::status "Building go targets for {${platforms[*]}} in parallel (output will appear in a burst when complete):" "${targets[@]}"
|
||||
diff -ru kubernetes-1.16.2-orig/hack/make-rules/clean.sh kubernetes-1.16.2/hack/make-rules/clean.sh
|
||||
--- kubernetes-1.16.2-orig/hack/make-rules/clean.sh 2019-10-11 21:42:37.000000000 -0700
|
||||
+++ kubernetes-1.16.2/hack/make-rules/clean.sh 2020-04-22 16:29:52.483010688 -0700
|
||||
@@ -29,10 +29,13 @@
|
||||
)
|
||||
|
||||
for pattern in "${CLEAN_PATTERNS[@]}"; do
|
||||
+ TMPFILE=$(mktemp clean-XXXXXX)
|
||||
+ find "${KUBE_ROOT}" -iregex "^${KUBE_ROOT}/${pattern}$" > $TMPFILE
|
||||
while IFS=$'\n' read -r match; do
|
||||
echo "Removing ${match#${KUBE_ROOT}\/} .."
|
||||
rm -rf "${match#${KUBE_ROOT}\/}"
|
||||
- done < <(find "${KUBE_ROOT}" -iregex "^${KUBE_ROOT}/${pattern}$")
|
||||
+ done < $TMPFILE
|
||||
+ rm $TMPFILE
|
||||
done
|
||||
|
||||
# ex: ts=2 sw=2 et filetype=sh
|
|
@ -1845,8 +1845,8 @@
|
|||
"type": "other",
|
||||
"other": {
|
||||
"name": "kubernetes",
|
||||
"version": "1.16.10",
|
||||
"downloadUrl": "https://github.com/kubernetes/kubernetes/archive/v1.16.10.tar.gz"
|
||||
"version": "1.16.14",
|
||||
"downloadUrl": "https://github.com/kubernetes/kubernetes/archive/v1.16.14.tar.gz"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|