SUSE Security Update: Security changes in Kubernetes, etcd, and helm; Bugfix in cri-o package
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3760-1
Rating:             moderate
References:         #1174219 #1174951 #1176752 #1176753 #1176754 
                    #1176755 #1177661 #1177662 
Cross-References:   CVE-2020-15106 CVE-2020-15112 CVE-2020-15184
                    CVE-2020-15185 CVE-2020-15186 CVE-2020-15187
                    CVE-2020-8565 CVE-2020-8566
Affected Products:
                    SUSE Linux Enterprise Module for Containers 15-SP1
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:

   = Required Actions

   == Kubernetes & etcd (Security fixes)

   This fix involves an upgrade of Kubernetes and some add-ons. See
   https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components
   for the upgrade procedure.

   == Skuba & helm/helm3

   In order to update skuba and helm or helm 3, you need to update the
   management workstation. See detailed instructions at
   https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_update_management_workstation

   = Known Issues

   Modifying the file `/etc/sysconfig/kubelet` directly is not supported.
   See the documentation at
   https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_miscellaneous.html#_configuring_kubelet

   Be sure to check the Release Notes at
   https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_2_4
   for any additional known issues or behavioral changes.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Containers 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-3760=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It
      will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.



Package List:

   - SUSE Linux Enterprise Module for Containers 15-SP1 (x86_64):

      kubernetes-client-1.17.13-4.21.2
      kubernetes-common-1.17.13-4.21.2

   - SUSE CaaS Platform 4.0 (x86_64):

      caasp-release-4.2.4-24.36.1
      cri-o-1.16.1-3.37.3
      cri-o-kubeadm-criconfig-1.16.1-3.37.3
      etcdctl-3.4.13-4.15.1
      helm-2.16.12-3.10.1
      kubernetes-client-1.17.13-4.21.2
      kubernetes-common-1.17.13-4.21.2
      kubernetes-kubeadm-1.17.13-4.21.2
      kubernetes-kubelet-1.17.13-4.21.2
      skuba-1.4.11-3.49.2
      terraform-provider-aws-2.59.0-1.6.1

   - SUSE CaaS Platform 4.0 (noarch):

      skuba-update-1.4.11-3.49.2
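
   A check to run after patching, added here as an example and not part of
   the SUSE advisory: it compares installed package versions against the fixed
   versions in the Package List above. The function names `ver_lt` and
   `check_installed`, and the use of `sort -V` in place of RPM's own version
   comparison, are assumptions of this example.

```shell
#!/bin/sh
# Fixed versions copied from this advisory's Package List.
FIXED='caasp-release 4.2.4-24.36.1
cri-o 1.16.1-3.37.3
cri-o-kubeadm-criconfig 1.16.1-3.37.3
etcdctl 3.4.13-4.15.1
helm 2.16.12-3.10.1
kubernetes-client 1.17.13-4.21.2
kubernetes-common 1.17.13-4.21.2
kubernetes-kubeadm 1.17.13-4.21.2
kubernetes-kubelet 1.17.13-4.21.2
skuba 1.4.11-3.49.2
skuba-update 1.4.11-3.49.2
terraform-provider-aws 2.59.0-1.6.1'

# ver_lt A B: succeeds when A is strictly older than B.
# Assumption: GNU "sort -V" stands in for RPM's own version comparison,
# which is adequate for the purely numeric versions listed above.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_installed: reads "name version-release" lines on stdin, prints one
# OUTDATED line per advisory package below its fixed version, and returns 1
# if any were found. Packages not named in the advisory are ignored.
check_installed() {
    status=0
    while read -r name ver; do
        want=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$want" ] || continue
        if ver_lt "$ver" "$want"; then
            echo "OUTDATED $name $ver (fixed in $want)"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample input (not taken from a real host). On a node, use:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_installed
SAMPLE='kubernetes-kubelet 1.17.9-4.18.1
helm 2.16.12-3.10.1
bash 4.4-9.10.1'
printf '%s\n' "$SAMPLE" | check_installed || true
```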


References:

   https://www.suse.com/security/cve/CVE-2020-15106.html
   https://www.suse.com/security/cve/CVE-2020-15112.html
   https://www.suse.com/security/cve/CVE-2020-15184.html
   https://www.suse.com/security/cve/CVE-2020-15185.html
   https://www.suse.com/security/cve/CVE-2020-15186.html
   https://www.suse.com/security/cve/CVE-2020-15187.html
   https://www.suse.com/security/cve/CVE-2020-8565.html
   https://www.suse.com/security/cve/CVE-2020-8566.html
   https://bugzilla.suse.com/1174219
   https://bugzilla.suse.com/1174951
   https://bugzilla.suse.com/1176752
   https://bugzilla.suse.com/1176753
   https://bugzilla.suse.com/1176754
   https://bugzilla.suse.com/1176755
   https://bugzilla.suse.com/1177661
   https://bugzilla.suse.com/1177662