From 02028eb5addbbdc3d06cb29e315ed13dfa827a81 Mon Sep 17 00:00:00 2001 From: Henry Beberman Date: Mon, 31 Aug 2020 12:52:09 -0700 Subject: [PATCH] Update kubernetes to 1.16.14 to resolve 3 CVEs (#67) * Update kubernetes to 1.16.14 Updating to version 1.16.14 resolves the following CVEs: CVE-2020-8557, CVE-2020-8558, CVE-2020-8559 * Remove reference to VSO work item * Update kubernetes version in cgmanifest --- .../kubernetes-1.16.signatures.json | 2 +- SPECS/kubernetes/kubernetes-1.16.spec | 8 +- SPECS/kubernetes/kubernetes-mariner.patch | 136 ------------------ cgmanifest.json | 4 +- 4 files changed, 7 insertions(+), 143 deletions(-) delete mode 100644 SPECS/kubernetes/kubernetes-mariner.patch
diff --git a/SPECS/kubernetes/kubernetes-1.16.signatures.json b/SPECS/kubernetes/kubernetes-1.16.signatures.json
index 3e3d6f7fb2..b343aeb3b2 100644
--- a/SPECS/kubernetes/kubernetes-1.16.signatures.json
+++ b/SPECS/kubernetes/kubernetes-1.16.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
 "contrib-0.7.0.tar.gz": "1d4e651ea59ea0d2b440e290fda5e166a21847891abca2907b8a1683c2252b8d",
- "kubernetes-1.16.10.tar.gz": "f49f59d4df6212f61bf3a2a1e8ab7c7357071aa290fb7a1ce087dcdceb668911"
+ "kubernetes-1.16.14.tar.gz": "6cd27520ccde59cf2b9127075cb1f9e7812734d27b423fa744f0a22d541951b2"
 }
 }
\ No newline at end of file
diff --git a/SPECS/kubernetes/kubernetes-1.16.spec b/SPECS/kubernetes/kubernetes-1.16.spec
index 91f8576493..90dccced62 100644
--- a/SPECS/kubernetes/kubernetes-1.16.spec
+++ b/SPECS/kubernetes/kubernetes-1.16.spec
@@ -9,7 +9,7 @@ Summary: Kubernetes cluster management
 Name: kubernetes
-Version: 1.16.10
+Version: 1.16.14
 Release: 1%{?dist}
 License: ASL 2.0
 URL: https://github.com/kubernetes
@@ -17,9 +17,8 @@ URL: https://github.com/kubernetes
 Source0: %{name}-%{version}.tar.gz
 #Source1: %{url}-retired/contrib/archive/0.7.0.tar.gz
 # This is NOT the source from the project page linked above. Its name is identical to the official version
-# but the signature is different. To be fixed as part of https://microsoft.visualstudio.com/OS/_workitems/edit/25936171.
+# but the signature is different.
 Source1: contrib-0.7.0.tar.gz
-Patch0: kubernetes-mariner.patch
 Group: Development/Tools
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -69,7 +68,6 @@ A pod setup process that holds a pod's namespace.
 %prep -p exit
 %setup -q
-%patch0 -p1
 cd ..
 tar xf %{SOURCE1} --no-same-owner
 sed -i -e 's|127.0.0.1:4001|127.0.0.1:2379|g' contrib-0.7.0/init/systemd/environ/apiserver
@@ -236,6 +234,8 @@ fi
 %endif
 %changelog
+* Tue Aug 18 2020 Henry Beberman 1.16.14-1
+- Update to 1.16.14 to fix: CVE-2020-8557, CVE-2020-8558, CVE-2020-8559
 * Tue Jun 16 2020 Andrew Phelps 1.16.10-1
 - Update to 1.16.10 to fix: CVE-2020-8552, CVE-2019-11254
 * Tue May 26 2020 Mateusz Malisz 1.16.2-8
diff --git a/SPECS/kubernetes/kubernetes-mariner.patch b/SPECS/kubernetes/kubernetes-mariner.patch
deleted file mode 100644
index dc466826bd..0000000000
--- a/SPECS/kubernetes/kubernetes-mariner.patch
+++ /dev/null
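Review bot: The rewritten comment on the `+# but the signature is different.` line leaves `contrib-0.7.0.tar.gz` — a build input the spec itself says does not match the upstream archive's checksum — with no tracking reference and no stated provenance, so nothing tells the next maintainer where this tarball came from or that the mismatch is still unreconciled. I would keep a pointer in the spec rather than dropping it silently, e.g. `# but the signature is different; the tarball is carried in-tree and pinned by kubernetes-1.16.signatures.json. TODO: reconcile with the upstream archive or record its provenance.` Separately, the removal of `Patch0: kubernetes-mariner.patch` and `%patch0 -p1` is not mentioned in the new changelog entry or in the commit message, and the deleted patch touched the build scripts (`hack/lib/golang.sh`, `hack/make-rules/clean.sh`), so this diff does not show whether 1.16.14 made it unnecessary; a second changelog line such as `- Drop kubernetes-mariner.patch (no longer needed)` with the actual reason would make that auditable. The `%prep` section continues past the end of the hunk.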
@@ -1,136 +0,0 @@ -diff -ru kubernetes-1.16.2-orig/hack/lib/golang.sh kubernetes-1.16.2/hack/lib/golang.sh ---- kubernetes-1.16.2-orig/hack/lib/golang.sh 2019-10-11 21:42:37.000000000 -0700 -+++ kubernetes-1.16.2/hack/lib/golang.sh 2020-04-22 16:29:42.391063645 -0700 -@@ -146,13 +146,17 @@ - # Returns a sorted newline-separated list containing only duplicated items. - kube::golang::dups() { - # We use printf to insert newlines, which are required by sort. -- printf "%s\n" "$@" | sort | uniq -d -+ local __tmpfile=$(mktemp dups-XXXXXX) -+ printf "%s\n" "$@" | sort | uniq -d > $__tmpfile -+ echo $__tmpfile - } - - # Returns a sorted newline-separated list with duplicated items removed. - kube::golang::dedup() { - # We use printf to insert newlines, which are required by sort. -- printf "%s\n" "$@" | sort -u -+ local __tmpfile=$(mktemp dedup-XXXXXX) -+ printf "%s\n" "$@" | sort -u > $__tmpfile -+ echo $__tmpfile - } - - # Depends on values of user-facing KUBE_BUILD_PLATFORMS, KUBE_FASTBUILD, -@@ -175,33 +179,43 @@ - - # Deduplicate to ensure the intersection trick with kube::golang::dups - # is not defeated by duplicates in user input. -- kube::util::read-array platforms < <(kube::golang::dedup "${platforms[@]}") -+ TMPFILE=$(kube::golang::dedup "${platforms[@]}") -+ kube::util::read-array truc < $TMPFILE -+ rm -f $TMPFILE - - # Use kube::golang::dups to restrict the builds to the platforms in - # KUBE_SUPPORTED_*_PLATFORMS. Items should only appear at most once in each - # set, so if they appear twice after the merge they are in the intersection. 
-- kube::util::read-array KUBE_SERVER_PLATFORMS < <(kube::golang::dups \ -+ TMPFILE=$(kube::golang::dups \ - "${platforms[@]}" \ - "${KUBE_SUPPORTED_SERVER_PLATFORMS[@]}" \ - ) -+ kube::util::read-array KUBE_SERVER_PLATFORMS < $TMPFILE -+ rm -f $TMPFILE - readonly KUBE_SERVER_PLATFORMS - -- kube::util::read-array KUBE_NODE_PLATFORMS < <(kube::golang::dups \ -+ TMPFILE=$(kube::golang::dups \ - "${platforms[@]}" \ - "${KUBE_SUPPORTED_NODE_PLATFORMS[@]}" \ - ) -+ kube::util::read-array KUBE_NODE_PLATFORMS < $TMPFILE -+ rm -f $TMPFILE - readonly KUBE_NODE_PLATFORMS - -- kube::util::read-array KUBE_TEST_PLATFORMS < <(kube::golang::dups \ -+ TMPFILE=$(kube::golang::dups \ - "${platforms[@]}" \ - "${KUBE_SUPPORTED_TEST_PLATFORMS[@]}" \ - ) -+ kube::util::read-array KUBE_TEST_PLATFORMS < $TMPFILE -+ rm -f $TMPFILE - readonly KUBE_TEST_PLATFORMS - -- kube::util::read-array KUBE_CLIENT_PLATFORMS < <(kube::golang::dups \ -+ TMPFILE=$(kube::golang::dups \ - "${platforms[@]}" \ - "${KUBE_SUPPORTED_CLIENT_PLATFORMS[@]}" \ - ) -+ kube::util::read-array KUBE_CLIENT_PLATFORMS < $TMPFILE -+ rm -f $TMPFILE - readonly KUBE_CLIENT_PLATFORMS - - elif [[ "${KUBE_FASTBUILD:-}" == "true" ]]; then -@@ -456,6 +470,7 @@ - - # Ensure the go tool exists and is a viable version. 
- kube::golang::verify_go_version() { -+ - if [[ -z "$(command -v go)" ]]; then - kube::log::usage_from_stdin < $TMPFILE -+ while IFS="" read -r binary; do binaries+=("$binary"); done < $TMPFILE -+ rm $TMPFILE - - local parallel=false -- if [[ ${#platforms[@]} -gt 1 ]]; then -- local gigs -- gigs=$(kube::golang::get_physmem) -- -- if [[ ${gigs} -ge ${KUBE_PARALLEL_BUILD_MEMORY} ]]; then -- kube::log::status "Multiple platforms requested and available ${gigs}G >= threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in parallel" -- parallel=true -- else -- kube::log::status "Multiple platforms requested, but available ${gigs}G < threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in serial" -- parallel=false -- fi -- fi -+ # if [[ ${#platforms[@]} -gt 1 ]]; then -+ # local gigs -+ # gigs=$(kube::golang::get_physmem) -+ -+ # if [[ ${gigs} -ge ${KUBE_PARALLEL_BUILD_MEMORY} ]]; then -+ # kube::log::status "Multiple platforms requested and available ${gigs}G >= threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in parallel" -+ # parallel=true -+ # else -+ # kube::log::status "Multiple platforms requested, but available ${gigs}G < threshold ${KUBE_PARALLEL_BUILD_MEMORY}G, building platforms in serial" -+ # parallel=false -+ # fi -+ # fi - - if [[ "${parallel}" == "true" ]]; then - kube::log::status "Building go targets for {${platforms[*]}} in parallel (output will appear in a burst when complete):" "${targets[@]}" -diff -ru kubernetes-1.16.2-orig/hack/make-rules/clean.sh kubernetes-1.16.2/hack/make-rules/clean.sh ---- kubernetes-1.16.2-orig/hack/make-rules/clean.sh 2019-10-11 21:42:37.000000000 -0700 -+++ kubernetes-1.16.2/hack/make-rules/clean.sh 2020-04-22 16:29:52.483010688 -0700 -@@ -29,10 +29,13 @@ - ) - - for pattern in "${CLEAN_PATTERNS[@]}"; do -+ TMPFILE=$(mktemp clean-XXXXXX) -+ find "${KUBE_ROOT}" -iregex "^${KUBE_ROOT}/${pattern}$" > $TMPFILE - while IFS=$'\n' read -r match; do - echo "Removing ${match#${KUBE_ROOT}\/} .." 
- rm -rf "${match#${KUBE_ROOT}\/}" -- done < <(find "${KUBE_ROOT}" -iregex "^${KUBE_ROOT}/${pattern}$") -+ done < $TMPFILE -+ rm $TMPFILE - done - - # ex: ts=2 sw=2 et filetype=sh
diff --git a/cgmanifest.json b/cgmanifest.json
index c105b846de..7d4940ee2a 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -1845,8 +1845,8 @@
 "type": "other",
 "other": {
 "name": "kubernetes",
- "version": "1.16.10",
- "downloadUrl": "https://github.com/kubernetes/kubernetes/archive/v1.16.10.tar.gz"
+ "version": "1.16.14",
+ "downloadUrl": "https://github.com/kubernetes/kubernetes/archive/v1.16.14.tar.gz"
 }
 }
 },