Source: kubernetes
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for kubernetes. These are not
relevant for bullseye, as it only includes the client package, but relevant
for updates via fasttrack after the release:

CVE-2020-8554[0]:
| Kubernetes API server in all versions allow an attacker who is able to
| create a ClusterIP service and set the spec.externalIPs field, to
| intercept traffic to that IP address. Additionally, an attacker who is
| able to patch the status (which is considered a privileged operation
| and should not typically be granted to users) of a LoadBalancer
| service can set the status.loadBalancer.ingress.ip to similar effect.

https://www.openwall.com/lists/oss-security/2020/12/07/5
https://github.com/kubernetes/kubernetes/issues/97076

CVE-2020-8562[1]:
https://www.openwall.com/lists/oss-security/2021/05/04/8

CVE-2021-25735[2]:
Validating Admission Webhook does not observe some previous fields
https://www.openwall.com/lists/oss-security/2021/04/14/1
https://github.com/kubernetes/kubernetes/issues/100096

CVE-2021-25737[3]:
https://www.openwall.com/lists/oss-security/2021/05/18/4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8554
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8554
[1] https://security-tracker.debian.org/tracker/CVE-2020-8562
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8562
[2] https://security-tracker.debian.org/tracker/CVE-2021-25735
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25735
[3] https://security-tracker.debian.org/tracker/CVE-2021-25737
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25737

Please adjust the affected versions in the BTS as needed.
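A defender-side check for the first CVE above, as an added example that is not part of this bug report or of kubernetes itself: it audits Service objects for the two fields the CVE-2020-8554 description names (spec.externalIPs and status.loadBalancer.ingress[].ip) and reports any value outside an operator allowlist. The allowlist and the sample Service data are constructed for the example.

```python
# Added example (not code from the Debian bug report): audit Service objects
# for the two fields abused in CVE-2020-8554, spec.externalIPs and
# status.loadBalancer.ingress[].ip, flagging any IP outside an allowlist.
# The Service dicts below are constructed samples shaped like
# `kubectl get svc -o json` output.
ALLOWED_EXTERNAL_IPS = {"198.51.100.10"}  # assumed operator allowlist

def audit_service(svc, allowed=ALLOWED_EXTERNAL_IPS):
    """Return a list of findings for one Service object (empty = clean)."""
    findings = []
    meta = svc.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    # spec.externalIPs is settable by anyone allowed to create a Service,
    # so every entry must be explicitly approved.
    for ip in svc.get("spec", {}).get("externalIPs") or []:
        if ip not in allowed:
            findings.append(f"{name}: spec.externalIPs contains unapproved {ip}")
    # status.loadBalancer.ingress[].ip should only be written by the cloud
    # controller; a value the allowlist does not know is suspicious.
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    for entry in ingress:
        ip = entry.get("ip")
        if ip and ip not in allowed:
            findings.append(f"{name}: status.loadBalancer.ingress has unapproved {ip}")
    return findings

def audit_services(services, allowed=ALLOWED_EXTERNAL_IPS):
    """Run audit_service over every Service and concatenate the findings."""
    out = []
    for svc in services:
        out.extend(audit_service(svc, allowed))
    return out

SAMPLE_SERVICES = [  # constructed sample data
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"type": "ClusterIP", "externalIPs": ["198.51.100.10"]}},
    {"metadata": {"namespace": "dev", "name": "sneaky"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.5"]}},
    {"metadata": {"namespace": "prod", "name": "api"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.9"}]}}},
]

if __name__ == "__main__":
    for line in audit_services(SAMPLE_SERVICES):
        print(line)
```

Run it against the real cluster by feeding the `items` array of `kubectl get svc -A -o json` to `audit_services`; an empty result means no Service carries an unapproved external or ingress IP.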