Fedora has issued an advisory on April 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL54MTLGMTBZZO5PYGEGEBERTMADC4WC/
The problem is fixed in version 1.27.13. Mageia 9 is also affected.
CVE: (none) => CVE-2024-3177
Status comment: (none) => Fixed upstream in 1.27.13
Source RPM: (none) => kubernetes-1.27.3-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Bruno looks to maintain this pkg, so assigning the update to you.
Assignee: bugsquad => bruno
CVE-2024-3177 is already fixed in Cauldron. CVE-2024-10220 was announced here: https://www.openwall.com/lists/oss-security/2024/11/20/1
Summary: kubernetes new security issue CVE-2024-3177 => kubernetes new security issues CVE-2024-3177 and CVE-2024-10220
Severity: normal => major
Status comment: Fixed upstream in 1.27.13 => Fixed upstream in 1.28.12, 1.29.7, 1.30.3 and 1.31.0
CVE: CVE-2024-3177 => CVE-2024-3177, CVE-2024-10220
Source RPM: kubernetes-1.27.3-1.mga9.src.rpm => kubernetes-1.27.13-1.mga10.src.rpm, kubernetes-1.27.3-1.mga9.src.rpm
CVE-2024-10220 is not fixed by the versions given in comment. I'd prefer that a separate BR is created for this CVE so we can close at least the first one.
Status: NEW => ASSIGNED
kubernetes-1.27.16-1.mga9.src.rpm
kubernetes-1.27.16-1.mga9.x86_64.rpm
kubernetes-kubeadm-1.27.16-1.mga9.x86_64.rpm
kubernetes-node-1.27.16-1.mga9.x86_64.rpm
kubernetes-client-1.27.16-1.mga9.x86_64.rpm
kubernetes-master-1.27.16-1.mga9.x86_64.rpm
Have been pushed to updates_testing.
Assignee: bruno => qa-bugs
Source RPM: kubernetes-1.27.13-1.mga10.src.rpm, kubernetes-1.27.3-1.mga9.src.rpm => kubernetes
Keywords: (none) => advisory
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
(In reply to Bruno Cornec from comment #3)
> CVE-2024-10220 is not fixed by the versions given in comment. I'd prefer
> that a separate BR is created for this CVE so we can close at least the first
> one.
Then I need to remove that CVE from advisory?
CC: (none) => bruno
The build failed because it needs golang 1.22.5.
Assignee: qa-bugs => bruno
Blocks: (none) => 33802
CVE-2024-10220 now in bug 33802.
CVE: CVE-2024-3177, CVE-2024-10220 => CVE-2024-3177
Summary: kubernetes new security issues CVE-2024-3177 and CVE-2024-10220 => kubernetes new security issue CVE-2024-3177
See also: https://bugs.mageia.org/show_bug.cgi?id=33526#c2
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33526
(In reply to Nicolas Salguero from comment #6)
> The build failed because it needs golang 1.22.5.
Argh! The update was done automagically on my machine and I didn't realize that :-(
Ok, working on updating golang then.
Depends on: (none) => 33526
Packages pushed to updates_testing now golang has been updated:
RPMS/x86_64/kubernetes-1.27.16-1.mga9.x86_64.rpm
RPMS/x86_64/kubernetes-client-1.27.16-1.mga9.x86_64.rpm
RPMS/x86_64/kubernetes-kubeadm-1.27.16-1.mga9.x86_64.rpm
RPMS/x86_64/kubernetes-master-1.27.16-1.mga9.x86_64.rpm
RPMS/x86_64/kubernetes-node-1.27.16-1.mga9.x86_64.rpm
SRPMS/kubernetes-1.27.16-1.mga9.src.rpm
Also fixes https://bugs.mageia.org/show_bug.cgi?id=33802
RH x86_64
Just can test clean update
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing kubernetes-master-1.27.16-1.mga9.x86_64.rpm kubernetes-node-1.27.16-1.mga9.x86_64.rpm kubernetes-1.27.16-1.mga9.x86_64.rpm kubernetes-client-1.27.16-1.mga9.x86_64.rpm kubernetes-kubeadm-1.27.16-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/5: kubernetes-client ##################################################################################################
2/5: kubernetes-node ##################################################################################################
3/5: kubernetes-master ##################################################################################################
4/5: kubernetes ##################################################################################################
5/5: kubernetes-kubeadm ##################################################################################################
1/5: removing kubernetes-1.27.3-1.mga9.x86_64 ##################################################################################################
2/5: removing kubernetes-master-1.27.3-1.mga9.x86_64 ##################################################################################################
3/5: removing kubernetes-kubeadm-1.27.3-1.mga9.x86_64 ##################################################################################################
4/5: removing kubernetes-node-1.27.3-1.mga9.x86_64 ##################################################################################################
5/5: removing kubernetes-client-1.27.3-1.mga9.x86_64 ##################################################################################################
/usr/lib/tmpfiles.d/kubernetes.conf:1: Line references path below legacy directory /var/run/, updating /var/run/kubernetes → /run/kubernetes; please update the tmpfiles.d/ drop-in file accordingly.
The final complaint is also present when installing the current packages, perhaps a thing to fix?
Keywords: (none) => feedback
As the message
/usr/lib/tmpfiles.d/kubernetes.conf:1: Line references path below legacy directory /var/run/, updating /var/run/kubernetes → /run/kubernetes; please update the tmpfiles.d/ drop-in file accordingly
is not a regression and the clean update should be good, the final decision is yours, Thomas, sorry
CC: (none) => andrewsfarm
Keywords: feedback => (none)
Uploaded version 1.27.3-2 solving the warning you reported.
RH x86_64
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing kubernetes-kubeadm-1.27.16-2.mga9.x86_64.rpm kubernetes-1.27.16-2.mga9.x86_64.rpm kubernetes-node-1.27.16-2.mga9.x86_64.rpm kubernetes-master-1.27.16-2.mga9.x86_64.rpm kubernetes-client-1.27.16-2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/5: kubernetes-client ##################################################################################################
2/5: kubernetes-node ##################################################################################################
3/5: kubernetes-master ##################################################################################################
4/5: kubernetes ##################################################################################################
5/5: kubernetes-kubeadm ##################################################################################################
1/5: removing kubernetes-1.27.3-1.mga9.x86_64 ##################################################################################################
2/5: removing kubernetes-master-1.27.3-1.mga9.x86_64 ##################################################################################################
3/5: removing kubernetes-kubeadm-1.27.3-1.mga9.x86_64 ##################################################################################################
4/5: removing kubernetes-node-1.27.3-1.mga9.x86_64 ##################################################################################################
5/5: removing kubernetes-client-1.27.3-1.mga9.x86_64 ##################################################################################################
The warning is gone.
Advisory updated.
I looked into this, briefly, and found several tutorials on YouTube that promise to get the user started in times varying from 15 minutes to three hours. I found all to be way beyond me. This looks very much like something former deputy QA leader wilcal would call a "career builder," meaning you could build a whole career around learning about it. I'm too old for that, so a clean install will have to do. Validating, now that the warning is gone.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0389.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED