* [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566
@ 2023-08-22 8:27 vanusuri
2023-08-27 13:32 ` Bruce Ashfield
0 siblings, 1 reply; 2+ messages in thread
From: vanusuri @ 2023-08-22 8:27 UTC (permalink / raw)
To: meta-virtualization; +Cc: Vijay Anusuri
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-commit:https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b
& https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../kubernetes/kubernetes/CVE-2020-8565.patch | 24 +++++++
.../kubernetes/kubernetes/CVE-2020-8566.patch | 67 +++++++++++++++++++
.../kubernetes/kubernetes_git.bb | 2 +
3 files changed, 93 insertions(+)
create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
new file mode 100644
index 0000000..c3772e9
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
@@ -0,0 +1,24 @@
+From f0f52255412cbc6834bd225a59608ebb4a0d399b Mon Sep 17 00:00:00 2001
+From: Sam Fowler <sfowler@redhat.com>
+Date: Tue, 6 Oct 2020 11:10:38 +1000
+Subject: [PATCH] Mask bearer token in logs when logLevel >= 9
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b]
+CVE: CVE-2020-8565
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ staging/src/k8s.io/client-go/transport/round_trippers.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/staging/src/k8s.io/client-go/transport/round_trippers.go b/staging/src/k8s.io/client-go/transport/round_trippers.go
+index a05208d924d3b..f4cfadbd3da8e 100644
+--- a/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
++++ b/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
+@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string {
+ headers := ""
+ for key, values := range r.RequestHeaders {
+ for _, value := range values {
++ value = maskValue(key, value)
+ headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
+ }
+ }
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
new file mode 100644
index 0000000..7ed812d
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
@@ -0,0 +1,67 @@
+From e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea Mon Sep 17 00:00:00 2001
+From: Sam Fowler <sfowler@redhat.com>
+Date: Fri, 2 Oct 2020 10:48:11 +1000
+Subject: [PATCH] Mask Ceph RBD adminSecrets in logs when logLevel >= 4
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea]
+CVE: CVE-2020-8566
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/volume/rbd/rbd_util.go | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/pkg/volume/rbd/rbd_util.go b/pkg/volume/rbd/rbd_util.go
+index 85044e85fde..9593348de37 100644
+--- a/src/import/pkg/volume/rbd/rbd_util.go
++++ b/src/import/pkg/volume/rbd/rbd_util.go
+@@ -592,9 +592,9 @@ func (util *RBDUtil) CreateImage(p *rbdVolumeProvisioner) (r *v1.RBDPersistentVo
+ volSz := fmt.Sprintf("%d", sz)
+ mon := util.kernelRBDMonitorsOpt(p.Mon)
+ if p.rbdMounter.imageFormat == rbdImageFormat2 {
+- klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
++ klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
+ } else {
+- klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
++ klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
+ }
+ args := []string{"create", p.rbdMounter.Image, "--size", volSz, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key=" + p.rbdMounter.adminSecret, "--image-format", p.rbdMounter.imageFormat}
+ if p.rbdMounter.imageFormat == rbdImageFormat2 {
+@@ -629,7 +629,7 @@ func (util *RBDUtil) DeleteImage(p *rbdVolumeDeleter) error {
+ }
+ // rbd rm.
+ mon := util.kernelRBDMonitorsOpt(p.rbdMounter.Mon)
+- klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
++ klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
+ output, err = p.exec.Command("rbd",
+ "rm", p.rbdMounter.Image, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key="+p.rbdMounter.adminSecret).CombinedOutput()
+ if err == nil {
+@@ -661,7 +661,7 @@ func (util *RBDUtil) ExpandImage(rbdExpander *rbdVolumeExpander, oldSize resourc
+
+ // rbd resize.
+ mon := util.kernelRBDMonitorsOpt(rbdExpander.rbdMounter.Mon)
+- klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key %s", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId, rbdExpander.rbdMounter.adminSecret)
++ klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key <masked>", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId)
+ output, err = rbdExpander.exec.Command("rbd",
+ "resize", rbdExpander.rbdMounter.Image, "--size", newVolSz, "--pool", rbdExpander.rbdMounter.Pool, "--id", rbdExpander.rbdMounter.adminId, "-m", mon, "--key="+rbdExpander.rbdMounter.adminSecret).CombinedOutput()
+ if err == nil {
+@@ -703,7 +703,7 @@ func (util *RBDUtil) rbdInfo(b *rbdMounter) (int, error) {
+ // # image does not exist (exit=2)
+ // rbd: error opening image 1234: (2) No such file or directory
+ //
+- klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
++ klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
+ output, err = b.exec.Command("rbd",
+ "info", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret, "-k=/dev/null", "--format=json").CombinedOutput()
+
+@@ -766,7 +766,7 @@ func (util *RBDUtil) rbdStatus(b *rbdMounter) (bool, string, error) {
+ // # image does not exist (exit=2)
+ // rbd: error opening image kubernetes-dynamic-pvc-<UUID>: (2) No such file or directory
+ //
+- klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
++ klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
+ cmd, err = b.exec.Command("rbd",
+ "status", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret).CombinedOutput()
+ output = string(cmd)
+--
+2.25.1
+
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index c73f988..2b0bfb7 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -12,6 +12,8 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=k
file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
file://0001-cross-don-t-build-tests-by-default.patch \
file://CVE-2020-8564.patch \
+ file://CVE-2020-8565.patch \
+ file://CVE-2020-8566.patch \
"
DEPENDS += "rsync-native \
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566
2023-08-22 8:27 [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566 vanusuri
@ 2023-08-27 13:32 ` Bruce Ashfield
0 siblings, 0 replies; 2+ messages in thread
From: Bruce Ashfield @ 2023-08-27 13:32 UTC (permalink / raw)
To: Vijay Anusuri; +Cc: meta-virtualization
merged to dunfell.
Bruce
In message: [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566
on 22/08/2023 Vijay Anusuri wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-commit:https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b
> & https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../kubernetes/kubernetes/CVE-2020-8565.patch | 24 +++++++
> .../kubernetes/kubernetes/CVE-2020-8566.patch | 67 +++++++++++++++++++
> .../kubernetes/kubernetes_git.bb | 2 +
> 3 files changed, 93 insertions(+)
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
>
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
> new file mode 100644
> index 0000000..c3772e9
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
> @@ -0,0 +1,24 @@
> +From f0f52255412cbc6834bd225a59608ebb4a0d399b Mon Sep 17 00:00:00 2001
> +From: Sam Fowler <sfowler@redhat.com>
> +Date: Tue, 6 Oct 2020 11:10:38 +1000
> +Subject: [PATCH] Mask bearer token in logs when logLevel >= 9
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b]
> +CVE: CVE-2020-8565
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + staging/src/k8s.io/client-go/transport/round_trippers.go | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/staging/src/k8s.io/client-go/transport/round_trippers.go b/staging/src/k8s.io/client-go/transport/round_trippers.go
> +index a05208d924d3b..f4cfadbd3da8e 100644
> +--- a/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
> ++++ b/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
> +@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string {
> + headers := ""
> + for key, values := range r.RequestHeaders {
> + for _, value := range values {
> ++ value = maskValue(key, value)
> + headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
> + }
> + }
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
> new file mode 100644
> index 0000000..7ed812d
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
> @@ -0,0 +1,67 @@
> +From e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea Mon Sep 17 00:00:00 2001
> +From: Sam Fowler <sfowler@redhat.com>
> +Date: Fri, 2 Oct 2020 10:48:11 +1000
> +Subject: [PATCH] Mask Ceph RBD adminSecrets in logs when logLevel >= 4
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea]
> +CVE: CVE-2020-8566
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/volume/rbd/rbd_util.go | 12 ++++++------
> + 1 file changed, 6 insertions(+), 6 deletions(-)
> +
> +diff --git a/pkg/volume/rbd/rbd_util.go b/pkg/volume/rbd/rbd_util.go
> +index 85044e85fde..9593348de37 100644
> +--- a/src/import/pkg/volume/rbd/rbd_util.go
> ++++ b/src/import/pkg/volume/rbd/rbd_util.go
> +@@ -592,9 +592,9 @@ func (util *RBDUtil) CreateImage(p *rbdVolumeProvisioner) (r *v1.RBDPersistentVo
> + volSz := fmt.Sprintf("%d", sz)
> + mon := util.kernelRBDMonitorsOpt(p.Mon)
> + if p.rbdMounter.imageFormat == rbdImageFormat2 {
> +- klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
> + } else {
> +- klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
> + }
> + args := []string{"create", p.rbdMounter.Image, "--size", volSz, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key=" + p.rbdMounter.adminSecret, "--image-format", p.rbdMounter.imageFormat}
> + if p.rbdMounter.imageFormat == rbdImageFormat2 {
> +@@ -629,7 +629,7 @@ func (util *RBDUtil) DeleteImage(p *rbdVolumeDeleter) error {
> + }
> + // rbd rm.
> + mon := util.kernelRBDMonitorsOpt(p.rbdMounter.Mon)
> +- klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
> + output, err = p.exec.Command("rbd",
> + "rm", p.rbdMounter.Image, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key="+p.rbdMounter.adminSecret).CombinedOutput()
> + if err == nil {
> +@@ -661,7 +661,7 @@ func (util *RBDUtil) ExpandImage(rbdExpander *rbdVolumeExpander, oldSize resourc
> +
> + // rbd resize.
> + mon := util.kernelRBDMonitorsOpt(rbdExpander.rbdMounter.Mon)
> +- klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key %s", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId, rbdExpander.rbdMounter.adminSecret)
> ++ klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key <masked>", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId)
> + output, err = rbdExpander.exec.Command("rbd",
> + "resize", rbdExpander.rbdMounter.Image, "--size", newVolSz, "--pool", rbdExpander.rbdMounter.Pool, "--id", rbdExpander.rbdMounter.adminId, "-m", mon, "--key="+rbdExpander.rbdMounter.adminSecret).CombinedOutput()
> + if err == nil {
> +@@ -703,7 +703,7 @@ func (util *RBDUtil) rbdInfo(b *rbdMounter) (int, error) {
> + // # image does not exist (exit=2)
> + // rbd: error opening image 1234: (2) No such file or directory
> + //
> +- klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
> ++ klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
> + output, err = b.exec.Command("rbd",
> + "info", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret, "-k=/dev/null", "--format=json").CombinedOutput()
> +
> +@@ -766,7 +766,7 @@ func (util *RBDUtil) rbdStatus(b *rbdMounter) (bool, string, error) {
> + // # image does not exist (exit=2)
> + // rbd: error opening image kubernetes-dynamic-pvc-<UUID>: (2) No such file or directory
> + //
> +- klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
> ++ klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
> + cmd, err = b.exec.Command("rbd",
> + "status", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret).CombinedOutput()
> + output = string(cmd)
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index c73f988..2b0bfb7 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -12,6 +12,8 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=k
> file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
> file://0001-cross-don-t-build-tests-by-default.patch \
> file://CVE-2020-8564.patch \
> + file://CVE-2020-8565.patch \
> + file://CVE-2020-8566.patch \
> "
>
> DEPENDS += "rsync-native \
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#8218): https://lists.yoctoproject.org/g/meta-virtualization/message/8218
> Mute This Topic: https://lists.yoctoproject.org/mt/100890412/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-08-27 13:33 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-08-22 8:27 [meta-virtualization][dunfell][PATCH] kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566 vanusuri
2023-08-27 13:32 ` Bruce Ashfield
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.