From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Vijay Anusuri <vanusuri@mvista.com>
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566
Date: Sun, 27 Aug 2023 13:32:59 +0000
Message-ID: <ZOtQi1eu9VMlMrzX@gmail.com>
In-Reply-To: <20230822082752.121479-1-vanusuri@mvista.com>
merged to dunfell.
Bruce
In message: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566
on 22/08/2023 Vijay Anusuri wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-commit: https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b
> & https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../kubernetes/kubernetes/CVE-2020-8565.patch | 24 +++++++
> .../kubernetes/kubernetes/CVE-2020-8566.patch | 67 +++++++++++++++++++
> .../kubernetes/kubernetes_git.bb | 2 +
> 3 files changed, 93 insertions(+)
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
>
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
> new file mode 100644
> index 0000000..c3772e9
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
> @@ -0,0 +1,24 @@
> +From f0f52255412cbc6834bd225a59608ebb4a0d399b Mon Sep 17 00:00:00 2001
> +From: Sam Fowler <sfowler@redhat.com>
> +Date: Tue, 6 Oct 2020 11:10:38 +1000
> +Subject: [PATCH] Mask bearer token in logs when logLevel >= 9
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b]
> +CVE: CVE-2020-8565
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + staging/src/k8s.io/client-go/transport/round_trippers.go | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/staging/src/k8s.io/client-go/transport/round_trippers.go b/staging/src/k8s.io/client-go/transport/round_trippers.go
> +index a05208d924d3b..f4cfadbd3da8e 100644
> +--- a/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
> ++++ b/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
> +@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string {
> + headers := ""
> + for key, values := range r.RequestHeaders {
> + for _, value := range values {
> ++ value = maskValue(key, value)
> + headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
> + }
> + }
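Review bot: the file header inside CVE-2020-8565.patch is inconsistent: `diff --git a/staging/src/k8s.io/client-go/transport/round_trippers.go ...` names the path without the `src/import/` prefix, while the `---`/`+++` lines use `a/src/import/staging/...`. patch(1)/quilt take the path from the `---`/`+++` lines, so the recipe applies it, but `git apply` rejects a git-style diff whose filenames disagree; regenerate the header with matching paths (or drop the `diff --git`/`index` lines from the hand-edited backport). Separately, the hunk calls `maskValue(key, value)` without defining it, so the backport assumes that helper already exists in the release-1.17 `round_trippers.go`; please confirm that in the commit message rather than leaving it to a build failure to surface.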
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
> new file mode 100644
> index 0000000..7ed812d
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
> @@ -0,0 +1,67 @@
> +From e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea Mon Sep 17 00:00:00 2001
> +From: Sam Fowler <sfowler@redhat.com>
> +Date: Fri, 2 Oct 2020 10:48:11 +1000
> +Subject: [PATCH] Mask Ceph RBD adminSecrets in logs when logLevel >= 4
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea]
> +CVE: CVE-2020-8566
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/volume/rbd/rbd_util.go | 12 ++++++------
> + 1 file changed, 6 insertions(+), 6 deletions(-)
> +
> +diff --git a/pkg/volume/rbd/rbd_util.go b/pkg/volume/rbd/rbd_util.go
> +index 85044e85fde..9593348de37 100644
> +--- a/src/import/pkg/volume/rbd/rbd_util.go
> ++++ b/src/import/pkg/volume/rbd/rbd_util.go
> +@@ -592,9 +592,9 @@ func (util *RBDUtil) CreateImage(p *rbdVolumeProvisioner) (r *v1.RBDPersistentVo
> + volSz := fmt.Sprintf("%d", sz)
> + mon := util.kernelRBDMonitorsOpt(p.Mon)
> + if p.rbdMounter.imageFormat == rbdImageFormat2 {
> +- klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
> + } else {
> +- klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
> + }
> + args := []string{"create", p.rbdMounter.Image, "--size", volSz, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key=" + p.rbdMounter.adminSecret, "--image-format", p.rbdMounter.imageFormat}
> + if p.rbdMounter.imageFormat == rbdImageFormat2 {
> +@@ -629,7 +629,7 @@ func (util *RBDUtil) DeleteImage(p *rbdVolumeDeleter) error {
> + }
> + // rbd rm.
> + mon := util.kernelRBDMonitorsOpt(p.rbdMounter.Mon)
> +- klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
> + output, err = p.exec.Command("rbd",
> + "rm", p.rbdMounter.Image, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key="+p.rbdMounter.adminSecret).CombinedOutput()
> + if err == nil {
> +@@ -661,7 +661,7 @@ func (util *RBDUtil) ExpandImage(rbdExpander *rbdVolumeExpander, oldSize resourc
> +
> + // rbd resize.
> + mon := util.kernelRBDMonitorsOpt(rbdExpander.rbdMounter.Mon)
> +- klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key %s", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId, rbdExpander.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key <masked>", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId)
> + output, err = rbdExpander.exec.Command("rbd",
> + "resize", rbdExpander.rbdMounter.Image, "--size", newVolSz, "--pool", rbdExpander.rbdMounter.Pool, "--id", rbdExpander.rbdMounter.adminId, "-m", mon, "--key="+rbdExpander.rbdMounter.adminSecret).CombinedOutput()
> + if err == nil {
> +@@ -703,7 +703,7 @@ func (util *RBDUtil) rbdInfo(b *rbdMounter) (int, error) {
> + // # image does not exist (exit=2)
> + // rbd: error opening image 1234: (2) No such file or directory
> + //
> +- klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
> ++ klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
> + output, err = b.exec.Command("rbd",
> + "info", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret, "-k=/dev/null", "--format=json").CombinedOutput()
> +
> +@@ -766,7 +766,7 @@ func (util *RBDUtil) rbdStatus(b *rbdMounter) (bool, string, error) {
> + // # image does not exist (exit=2)
> + // rbd: error opening image kubernetes-dynamic-pvc-<UUID>: (2) No such file or directory
> + //
> +- klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
> ++ klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
> + cmd, err = b.exec.Command("rbd",
> + "status", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret).CombinedOutput()
> + output = string(cmd)
> +--
> +2.25.1
> +
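Review bot: same header inconsistency as in the first patch: `diff --git a/pkg/volume/rbd/rbd_util.go` versus `--- a/src/import/pkg/volume/rbd/rbd_util.go`; keep the two in agreement so the patch also applies with `git apply`. The five hunks themselves look right: each replaces only a `klog.V(4).Infof(...)` line, swapping `key %s` for `key <masked>` and dropping the trailing `adminSecret`/`secret` argument, and the remaining verbs match the remaining arguments in every format string. Worth noting for the CVE assessment: the secret is still handed to the `rbd` binary on its command line (`"--key=" + p.rbdMounter.adminSecret` and the equivalent in the other call sites), so it remains visible in the process list while the command runs; that is how the upstream commit behaves and is not something this backport should change, but it bounds what CVE-2020-8566 closes (log exposure only).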
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index c73f988..2b0bfb7 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -12,6 +12,8 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=k
> file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
> file://0001-cross-don-t-build-tests-by-default.patch \
> file://CVE-2020-8564.patch \
> + file://CVE-2020-8565.patch \
> + file://CVE-2020-8566.patch \
> "
>
> DEPENDS += "rsync-native \
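Review bot: no issue with this hunk; the two `file://` entries follow the existing `CVE-2020-8564.patch` line in the same style, and since both patch files carry a `CVE:` tag, cve-check will report CVE-2020-8565 and CVE-2020-8566 as patched for this recipe without any further change to the .bb.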
> --
> 2.25.1
>
>