SUSE Security Update: Security update for velum
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:0416-1
Rating:             important
References:         #1114832 #1121146 #1121147 #1121148 #1121447 
                    #1122439 #1123291 #1123650 
Cross-References:   CVE-2019-3682
Affected Products:
                    SUSE CaaS Platform 3.0
______________________________________________________________________________

   An update that solves one vulnerability and has 7 fixes is
   now available.

Description:

   This update provides the following fixes:

   kubernetes-salt:

   - Force basename on the system certificate name to prevent path traversal
     (bsc#1121147)
   - CVE-2019-3682: Disable insecure port in kube-apiserver (bsc#1121148)
   - Insecure API port exposed to all Master Node guest containers     (bsc#1121148)
   - Fixes included in this change:
     * bsc#1121146 - Kubernetes – Kubelet Service allows unauthenticated
       access to Kubelet API
     * bsc#1122439 - failed to parse bool none (bsc#1122439)
     * bsc#1123291 - CaasP 3.0 Update Admin node, worker and master failed
     * bsc#1123650 - ExperimentalCriticalPodAnnotation feature not enabled
     * bsc#1114832 - Running supportconfig on any node can take lots of
       resources, even fill the hard disk on big/long-running clusters
   velum:

   - Do not allow '.' or '/' symbols in system certificate names.
     (bsc#1121447)
   - Reverting ignore_vol_az option back to Velum CPI (bsc#1122439)
   - Adding LDAP support to Velum that will create the requisite org units in
     LDAP if they are missing

   sles12sp3-velum-image:

   - Release 3.1.9 to include a fix (bsc#1122439,bsc#1121447)

   docker-kubic:

   - Add daemon.json file with rotation logs configuration (bsc#1114832)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE CaaS Platform 3.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard.
      It will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.



Package List:

   - SUSE CaaS Platform 3.0 (x86_64):

      docker-kubic-17.09.1_ce-7.6.1
      docker-kubic-debuginfo-17.09.1_ce-7.6.1
      docker-kubic-debugsource-17.09.1_ce-7.6.1
      sles12-velum-image-3.1.9-3.33.4

   - SUSE CaaS Platform 3.0 (noarch):

      kubernetes-salt-3.0.0+git_r931_9cdca5a-3.47.1


References:

   https://www.suse.com/security/cve/CVE-2019-3682.html
   https://bugzilla.suse.com/1114832
   https://bugzilla.suse.com/1121146
   https://bugzilla.suse.com/1121147
   https://bugzilla.suse.com/1121148
   https://bugzilla.suse.com/1121447
   https://bugzilla.suse.com/1122439
   https://bugzilla.suse.com/1123291
   https://bugzilla.suse.com/1123650

SUSE: 2019:0416-1 important: velum

February 15, 2019
An update that solves one vulnerability and has 7 fixes is now available

Summary

This update provides the following fixes: kubernetes-salt: - Force basename on the system certificate name to prevent path traversal (bsc#1121147) - CVE-2019-3682: Disable insecure port in kube-apiserver (bsc#1121148) - Insecure API port exposed to all Master Node guest containers (bsc#1121148) - Fixes included in this change: * bsc#1121146 - Kubernetes – Kubelet Service allows unauthenticated access to Kubelet API * bsc#1122439 - failed to parse bool none (bsc#1122439) * bsc#1123291 - CaasP 3.0 Update Admin node, worker and master failed * bsc#1123650 - ExperimentalCriticalPodAnnotation feature not enabled * bsc#1114832 - Running supportconfig on any node can take lots of resources, even fill the hard disk on big/long-running clusters velum: - Do not allow '.' or '/' symbols in system certificate names. (bsc#1121447) - Reverting ignore_vol_az option back to Velum CPI (bsc#1122439) - Adding LDAP support to Velum that will create the requisite org units in LDAP if they are missing sles12sp3-velum-image: - Release 3.1.9 to include a fix (bsc#1122439,bsc#1121447) docker-kubic: - Add daemon.json file with rotation logs configuration (bsc#1114832) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE CaaS Platform 3.0 (x86_64): docker-kubic-17.09.1_ce-7.6.1 docker-kubic-debuginfo-17.09.1_ce-7.6.1 docker-kubic-debugsource-17.09.1_ce-7.6.1 sles12-velum-image-3.1.9-3.33.4 - SUSE CaaS Platform 3.0 (noarch): kubernetes-salt-3.0.0+git_r931_9cdca5a-3.47.1

References

#1114832 #1121146 #1121147 #1121148 #1121447

#1122439 #1123291 #1123650

Cross- CVE-2019-3682

Affected Products:

SUSE CaaS Platform 3.0

https://www.suse.com/security/cve/CVE-2019-3682.html

https://bugzilla.suse.com/1114832

https://bugzilla.suse.com/1121146

https://bugzilla.suse.com/1121147

https://bugzilla.suse.com/1121148

https://bugzilla.suse.com/1121447

https://bugzilla.suse.com/1122439

https://bugzilla.suse.com/1123291

https://bugzilla.suse.com/1123650

Severity
Announcement ID: SUSE-SU-2019:0416-1
Rating: important

Related News

19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved