Update kubernetes to 1.16.14 to resolve 3 CVEs (#67)

* Update kubernetes to 1.16.14

Updating to version 1.16.14 resolves the following CVEs:
CVE-2020-8557, CVE-2020-8558, CVE-2020-8559

* Remove reference to VSO work item

* Update kubernetes version in cgmanifest
Henry Beberman 2020-08-31 12:52:09 -07:00 коммит произвёл GitHub
Родитель 28f551fef9
Коммит 02028eb5ad
4 изменённых файлов: 7 добавлений и 143 удалений


@ -1,6 +1,6 @@
{
"Signatures": {
"contrib-0.7.0.tar.gz": "1d4e651ea59ea0d2b440e290fda5e166a21847891abca2907b8a1683c2252b8d",
"kubernetes-1.16.10.tar.gz": "f49f59d4df6212f61bf3a2a1e8ab7c7357071aa290fb7a1ce087dcdceb668911"
"kubernetes-1.16.14.tar.gz": "6cd27520ccde59cf2b9127075cb1f9e7812734d27b423fa744f0a22d541951b2"
}
}


@ -9,7 +9,7 @@
Summary: Kubernetes cluster management
Name: kubernetes
Version: 1.16.10
Version: 1.16.14
Release: 1%{?dist}
License: ASL 2.0
URL: https://github.com/kubernetes
@ -17,9 +17,8 @@ URL: https://github.com/kubernetes
Source0: %{name}-%{version}.tar.gz
#Source1: %{url}-retired/contrib/archive/0.7.0.tar.gz
# This is NOT the source from the project page linked above. Its name is identical to the official version
# but the signature is different. To be fixed as part of https://microsoft.visualstudio.com/OS/_workitems/edit/25936171.
# but the signature is different.
Source1: contrib-0.7.0.tar.gz
Patch0: kubernetes-mariner.patch
Group: Development/Tools
Vendor: Microsoft Corporation
Distribution: Mariner
@ -69,7 +68,6 @@ A pod setup process that holds a pod's namespace.
%prep -p exit
%setup -q
%patch0 -p1
cd ..
tar xf %{SOURCE1} --no-same-owner
sed -i -e 's|127.0.0.1:4001|127.0.0.1:2379|g' contrib-0.7.0/init/systemd/environ/apiserver
@ -236,6 +234,8 @@ fi
%endif
%changelog
* Tue Aug 18 2020 Henry Beberman <henry.beberman@microsoft.com> 1.16.14-1
- Update to 1.16.14 to fix: CVE-2020-8557, CVE-2020-8558, CVE-2020-8559
* Tue Jun 16 2020 Andrew Phelps <anphel@microsoft.com> 1.16.10-1
- Update to 1.16.10 to fix: CVE-2020-8552, CVE-2019-11254
* Tue May 26 2020 Mateusz Malisz <mamalisz@microsoft.com> 1.16.2-8
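Review bot: The `Patch0: kubernetes-mariner.patch` line and the `%patch0 -p1` step in %prep are dropped together with the patch file, but neither the commit message nor the new changelog entry records why the patch is no longer needed for 1.16.14. The removed patch replaced the `< <(...)` process substitutions in hack/lib/golang.sh and hack/make-rules/clean.sh with mktemp files and commented out the parallel-build memory check, so without it the build again depends on process substitution being available in the build environment and may again build platforms in parallel when `kube::golang::get_physmem` reports enough memory. If 1.16.14 was verified to build without the patch, a line in the changelog entry such as `- Drop kubernetes-mariner.patch (no longer required)` would document that; if the patch was dropped only because it no longer applied, it should be rebased instead. The %prep section continues outside the hunk.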


@ -1,136 +0,0 @@
diff -ru kubernetes-1.16.2-orig/hack/lib/golang.sh kubernetes-1.16.2/hack/lib/golang.sh
--- kubernetes-1.16.2-orig/hack/lib/golang.sh 2019-10-11 21:42:37.000000000 -0700
+++ kubernetes-1.16.2/hack/lib/golang.sh 2020-04-22 16:29:42.391063645 -0700
@@ -146,13 +146,17 @@
# Returns a sorted newline-separated list containing only duplicated items.
kube::golang::dups() {
# We use printf to insert newlines, which are required by sort.
- printf "%s\n" "$@" | sort | uniq -d
+ local __tmpfile=$(mktemp dups-XXXXXX)
+ printf "%s\n" "$@" | sort | uniq -d > $__tmpfile
+ echo $__tmpfile
}
# Returns a sorted newline-separated list with duplicated items removed.
kube::golang::dedup() {
# We use printf to insert newlines, which are required by sort.
- printf "%s\n" "$@" | sort -u
+ local __tmpfile=$(mktemp dedup-XXXXXX)
+ printf "%s\n" "$@" | sort -u > $__tmpfile
+ echo $__tmpfile
}
# Depends on values of user-facing KUBE_BUILD_PLATFORMS, KUBE_FASTBUILD,
@@ -175,33 +179,43 @@
# Deduplicate to ensure the intersection trick with kube::golang::dups
# is not defeated by duplicates in user input.
- kube::util::read-array platforms < <(kube::golang::dedup "${platforms[@]}")
+ TMPFILE=$(kube::golang::dedup "${platforms[@]}")
+ kube::util::read-array truc < $TMPFILE
+ rm -f $TMPFILE
# Use kube::golang::dups to restrict the builds to the platforms in
# KUBE_SUPPORTED_*_PLATFORMS. Items should only appear at most once in each
# set, so if they appear twice after the merge they are in the intersection.
- kube::util::read-array KUBE_SERVER_PLATFORMS < <(kube::golang::dups \
+ TMPFILE=$(kube::golang::dups \
"${platforms[@]}" \
"${KUBE_SUPPORTED_SERVER_PLATFORMS[@]}" \
)
+ kube::util::read-array KUBE_SERVER_PLATFORMS < $TMPFILE
+ rm -f $TMPFILE
readonly KUBE_SERVER_PLATFORMS
- kube::util::read-array KUBE_NODE_PLATFORMS < <(kube::golang::dups \
+ TMPFILE=$(kube::golang::dups \
"${platforms[@]}" \
"${KUBE_SUPPORTED_NODE_PLATFORMS[@]}" \
)
+ kube::util::read-array KUBE_NODE_PLATFORMS < $TMPFILE
+ rm -f $TMPFILE
readonly KUBE_NODE_PLATFORMS
- kube::util::read-array KUBE_TEST_PLATFORMS < <(kube::golang::dups \
+ TMPFILE=$(kube::golang::dups \
"${platforms[@]}" \
"${KUBE_SUPPORTED_TEST_PLATFORMS[@]}" \
)
+ kube::util::read-array KUBE_TEST_PLATFORMS < $TMPFILE
+ rm -f $TMPFILE
readonly KUBE_TEST_PLATFORMS
- kube::util::read-array KUBE_CLIENT_PLATFORMS < <(kube::golang::dups \
+ TMPFILE=$(kube::golang::dups \
"${platforms[@]}" \
"${KUBE_SUPPORTED_CLIENT_PLATFORMS[@]}" \
)
+ kube::util::read-array KUBE_CLIENT_PLATFORMS < $TMPFILE
+ rm -f $TMPFILE
readonly KUBE_CLIENT_PLATFORMS
elif [[ "${KUBE_FASTBUILD:-}" == "true" ]]; then
@@ -456,6 +470,7 @@
# Ensure the go tool exists and is a viable version.
kube::golang::verify_go_version() {
+
if [[ -z "$(command -v go)" ]]; then
kube::log::usage_from_stdin <<EOF
Can't find 'go' in PATH, please fix and retry.
@@ -808,21 +823,24 @@
fi
local -a binaries
- while IFS="" read -r binary; do binaries+=("$binary"); done < <(kube::golang::binaries_from_targets "${targets[@]}")
+ TMPFILE=$(mktemp mkbin-XXXXXX)
+ kube::golang::binaries_from_targets "${targets[@]}" > $TMPFILE
+ while IFS="" read -r binary; do binaries+=("$binary"); done < $TMPFILE
+ rm $TMPFILE
local parallel=false
- if [[ ${#platforms[@]} -gt 1 ]]; then
- local gigs
- gigs=$(kube::golang::get_physmem)
-
- if [[ ${gigs} -ge ${KUBE_PARALLEL_BUILD_MEMORY} ]]; then
- kube::log::status "Multiple platforms requested and available ${gigs}G >= threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in parallel"
- parallel=true
- else
- kube::log::status "Multiple platforms requested, but available ${gigs}G < threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in serial"
- parallel=false
- fi
- fi
+ # if [[ ${#platforms[@]} -gt 1 ]]; then
+ # local gigs
+ # gigs=$(kube::golang::get_physmem)
+
+ # if [[ ${gigs} -ge ${KUBE_PARALLEL_BUILD_MEMORY} ]]; then
+ # kube::log::status "Multiple platforms requested and available ${gigs}G >= threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in parallel"
+ # parallel=true
+ # else
+ # kube::log::status "Multiple platforms requested, but available ${gigs}G < threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in serial"
+ # parallel=false
+ # fi
+ # fi
if [[ "${parallel}" == "true" ]]; then
kube::log::status "Building go targets for {${platforms[*]}} in parallel (output will appear in a burst when complete):" "${targets[@]}"
diff -ru kubernetes-1.16.2-orig/hack/make-rules/clean.sh kubernetes-1.16.2/hack/make-rules/clean.sh
--- kubernetes-1.16.2-orig/hack/make-rules/clean.sh 2019-10-11 21:42:37.000000000 -0700
+++ kubernetes-1.16.2/hack/make-rules/clean.sh 2020-04-22 16:29:52.483010688 -0700
@@ -29,10 +29,13 @@
)
for pattern in "${CLEAN_PATTERNS[@]}"; do
+ TMPFILE=$(mktemp clean-XXXXXX)
+ find "${KUBE_ROOT}" -iregex "^${KUBE_ROOT}/${pattern}$" > $TMPFILE
while IFS=$'\n' read -r match; do
echo "Removing ${match#${KUBE_ROOT}\/} .."
rm -rf "${match#${KUBE_ROOT}\/}"
- done < <(find "${KUBE_ROOT}" -iregex "^${KUBE_ROOT}/${pattern}$")
+ done < $TMPFILE
+ rm $TMPFILE
done
# ex: ts=2 sw=2 et filetype=sh


@ -1845,8 +1845,8 @@
"type": "other",
"other": {
"name": "kubernetes",
"version": "1.16.10",
"downloadUrl": "https://github.com/kubernetes/kubernetes/archive/v1.16.10.tar.gz"
"version": "1.16.14",
"downloadUrl": "https://github.com/kubernetes/kubernetes/archive/v1.16.14.tar.gz"
}
}
},