SUSE: 2019:0416-1 Important: Velum Path Traversal and API Fix
suse
February 15, 2019
An update that solves one vulnerability and has 7 fixes is now available
Summary
This update provides the following fixes: kubernetes-salt: - Force basename on the system certificate name to prevent path traversal (bsc#1121147) - CVE-2019-3682: Disable insecure port in kube-apiserver (bsc#1121148) - Insecure API port exposed to all Master Node guest containers (bsc#1121148) - Fixes included in this change: * bsc#1121146 - Kubernetes – Kubelet Service allows unauthenticated access to Kubelet API * bsc#1122439 - failed to parse bool none (bsc#1122439) * bsc#1123291 - CaasP 3.0 Update Admin node, worker and master failed * bsc#1123650 - ExperimentalCriticalPodAnnotation feature not enabled * bsc#1114832 - Running supportconfig on any node can take lots of resources, even fill the hard disk on big/long-running clusters velum: - Do not allow '.' or '/' symbols in system certificate names.
References
#1114832 #1121146 #1121147 #1121148 #1121447
#1122439 #1123291 #1123650
Cross- CVE-2019-3682
Affected Products:
SUSE CaaS Platform 3.0
https://www.suse.com/security/cve/CVE-2019-3682.html
https://bugzilla.suse.com/1114832
https://bugzilla.suse.com/1121146
https://bugzilla.suse.com/1121147
https://bugzilla.suse.com/1121148
https://bugzilla.suse.com/1121447
https://bugzilla.suse.com/1122439
https://bugzilla.suse.com/1123291
https://bugzilla.suse.com/1123650
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Announcement ID: SUSE-SU-2019:0416-1
Rating: important
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!