Bug 29267

Summary: kubernetes has security issues
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Bruno Cornec <bruno>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: fri
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: kubernetes-1.20.4-3.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2021-07-19 23:32:11 CEST
I just noticed that someone imported Kubernetes.  Ugh.  The most recent security issues for it posted on oss-security are:
https://www.openwall.com/lists/oss-security/2021/04/14/1
https://www.openwall.com/lists/oss-security/2021/05/04/8
https://www.openwall.com/lists/oss-security/2021/05/11/1
https://www.openwall.com/lists/oss-security/2021/05/18/4
https://www.openwall.com/lists/oss-security/2021/07/14/1

The maintainer needs to watch out for these and see that they get fixed if we're going to keep this package.
Comment 1 Lewis Smith 2021-07-21 20:19:57 CEST
Someone = Bruno! [most recently]
Thu Mar 25 2021 bcornec : Import kubernetes
and subsequently.

Assignee: bugsquad => bruno

Bruno Cornec 2021-08-26 00:49:51 CEST

Status: NEW => ASSIGNED

Comment 3 Bruno Cornec 2021-10-17 00:45:29 CEST
1.22.2 on its way to cauldron which is fixing all but the last one which has no fix yet.
Comment 4 David Walser 2021-10-21 23:38:45 CEST
Another one:
https://www.openwall.com/lists/oss-security/2021/10/21/3
Comment 5 Bruno Cornec 2021-10-25 00:27:52 CEST
(In reply to David Walser from comment #4)
> Another one:
> https://www.openwall.com/lists/oss-security/2021/10/21/3

Seems that one can be mitigated by config which is not in our hands directly no ?
Comment 6 David Walser 2021-10-25 04:32:25 CEST
Looks like it, yeah.  I guess upstream will have to add something about it to their documentation for the affected feature.  The "fix" will probably end up being a documentation enhancement.
Comment 7 Bruno Cornec 2022-08-30 01:05:44 CEST
1.24.4 is now in cauldron, so I think this one is not relevant anymore.

Resolution: (none) => WONTFIX
Status: ASSIGNED => RESOLVED

Comment 8 David Walser 2022-09-16 18:47:41 CEST
https://www.openwall.com/lists/oss-security/2022/09/15/2

(you can just mark this FIXED when you update it again)

Status: RESOLVED => REOPENED
Resolution: WONTFIX => (none)

Comment 9 Bruno Cornec 2022-09-17 11:03:47 CEST
1.25.1 pushed to cauldron fixing that issue.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2022-11-11 18:10:47 CET
https://www.openwall.com/lists/oss-security/2022/11/10/3
https://www.openwall.com/lists/oss-security/2022/11/10/4

Fixed in 1.25.4.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 11 Bruno Cornec 2022-11-12 16:45:50 CET
1.25.4 pushed to cauldron
Comment 12 Bruno Cornec 2022-11-12 16:46:42 CET
1.25.4 is fixing the reported issue

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

Comment 13 David Walser 2023-06-22 20:33:51 CEST
https://www.openwall.com/lists/oss-security/2023/06/21/11

Fixed in 1.26.2.

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 14 Bruno Cornec 2023-06-26 03:20:54 CEST
1.27.3 pushed to cauldron updates_testing

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

Comment 15 Morgan Leijström 2023-06-26 09:04:55 CEST
I think we should not set fixed until moved to release.
(or, later scenario, updates)
- so it is not forgotten left in testing :)

CC: (none) => fri
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 16 Bruno Cornec 2023-06-26 11:41:23 CEST
I asked for the move this morning. Let's see.
However, I don't understand why there is only 1 single BR for kubernetes as each time, these are different CVEs. Would make more sense for me to have a single BR per CVE in the future. Else, this BR will continue to be opened/closed ad vitam aeternam :-(
Comment 17 David Walser 2023-06-26 13:42:57 CEST
Because it's a Cauldron-only package.  Once it's in a stable release and needs to go through QA, it'll get new bug reports.
Comment 18 David Walser 2023-07-10 21:57:21 CEST
https://www.openwall.com/lists/oss-security/2023/07/06/2
https://www.openwall.com/lists/oss-security/2023/07/06/3

These issues were fixed in 1.27.3, which was already moved to core/release.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED