Bug 33143 - kubernetes new security issue CVE-2024-3177
Summary: kubernetes new security issue CVE-2024-3177
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 33526
Blocks: 33802
Reported: 2024-04-25 16:33 CEST by Nicolas Salguero
Modified: 2024-12-06 18:10 CET (History)

See Also:
Source RPM: kubernetes
CVE: CVE-2024-3177
Status comment: Fixed upstream in 1.28.12, 1.29.7, 1.30.3 and 1.31.0


Attachments

Description Nicolas Salguero 2024-04-25 16:33:52 CEST
Fedora has issued an advisory on April 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL54MTLGMTBZZO5PYGEGEBERTMADC4WC/

The problem is fixed in version 1.27.13.

Mageia 9 is also affected.
Nicolas Salguero 2024-04-25 16:34:48 CEST

CVE: (none) => CVE-2024-3177
Status comment: (none) => Fixed upstream in 1.27.13
Source RPM: (none) => kubernetes-1.27.3-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-04-28 20:47:59 CEST
Bruno looks to maintain this pkg, so assigning the update to you.

Assignee: bugsquad => bruno

Comment 2 Nicolas Salguero 2024-11-21 09:08:54 CET
CVE-2024-3177 is already fixed in Cauldron.

CVE-2024-10220 was announced here:
https://www.openwall.com/lists/oss-security/2024/11/20/1

Summary: kubernetes new security issue CVE-2024-3177 => kubernetes new security issues CVE-2024-3177 and CVE-2024-10220
Severity: normal => major
Status comment: Fixed upstream in 1.27.13 => Fixed upstream in 1.28.12, 1.29.7, 1.30.3 and 1.31.0
CVE: CVE-2024-3177 => CVE-2024-3177, CVE-2024-10220

Nicolas Salguero 2024-11-21 09:09:08 CET

Source RPM: kubernetes-1.27.3-1.mga9.src.rpm => kubernetes-1.27.13-1.mga10.src.rpm, kubernetes-1.27.3-1.mga9.src.rpm

Comment 3 Bruno Cornec 2024-11-26 02:08:05 CET
CVE-2024-10220 is not fixed by the versions given in the comment. I'd prefer that a separate BR is created for this CVE so we can close at least the first one.

Status: NEW => ASSIGNED

Comment 4 Bruno Cornec 2024-11-26 02:10:51 CET
kubernetes-1.27.16-1.mga9.src.rpm

kubernetes-1.27.16-1.mga9.x86_64.rpm         
kubernetes-kubeadm-1.27.16-1.mga9.x86_64.rpm  
kubernetes-node-1.27.16-1.mga9.x86_64.rpm
kubernetes-client-1.27.16-1.mga9.x86_64.rpm  
kubernetes-master-1.27.16-1.mga9.x86_64.rpm

Have been pushed to updates_testing.

Assignee: bruno => qa-bugs

katnatek 2024-11-26 04:40:08 CET

Source RPM: kubernetes-1.27.13-1.mga10.src.rpm, kubernetes-1.27.3-1.mga9.src.rpm => kubernetes
Keywords: (none) => advisory
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 5 katnatek 2024-11-26 04:47:54 CET
(In reply to Bruno Cornec from comment #3)
> CVE-2024-10220 is not fixed by the versions given in comment. I'd prefer
> that a separate BR is create for this CVE so we can close at least the first
> one.

Then I need to remove that CVE from the advisory?

CC: (none) => bruno

Comment 6 Nicolas Salguero 2024-11-26 09:13:21 CET
The build failed because it needs golang 1.22.5.

Assignee: qa-bugs => bruno

Nicolas Salguero 2024-11-26 09:14:56 CET

Blocks: (none) => 33802

Comment 7 Nicolas Salguero 2024-11-26 09:16:04 CET
CVE-2024-10220 now in bug 33802.

CVE: CVE-2024-3177, CVE-2024-10220 => CVE-2024-3177
Summary: kubernetes new security issues CVE-2024-3177 and CVE-2024-10220 => kubernetes new security issue CVE-2024-3177

Comment 8 Nicolas Salguero 2024-11-26 09:32:15 CET
See also: https://bugs.mageia.org/show_bug.cgi?id=33526#c2

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33526

Comment 9 Bruno Cornec 2024-11-27 00:09:20 CET
(In reply to Nicolas Salguero from comment #6)
> The build failed because it needs golang 1.22.5.

Argh! The update was done automagically on my machine and I didn't realize that :-(
Ok, working on updating golang then.

Bruno Cornec 2024-11-27 00:54:35 CET

Depends on: (none) => 33526

Comment 10 Bruno Cornec 2024-11-28 00:54:08 CET
Packages pushed to updates_testing now golang has been updated:

RPMS/x86_64/kubernetes-1.27.16-1.mga9.x86_64.rpm
RPMS/x86_64/kubernetes-client-1.27.16-1.mga9.x86_64.rpm
RPMS/x86_64/kubernetes-kubeadm-1.27.16-1.mga9.x86_64.rpm
RPMS/x86_64/kubernetes-master-1.27.16-1.mga9.x86_64.rpm
RPMS/x86_64/kubernetes-node-1.27.16-1.mga9.x86_64.rpm

SRPMS/kubernetes-1.27.16-1.mga9.src.rpm

Also fixes https://bugs.mageia.org/show_bug.cgi?id=33802

Assignee: bruno => qa-bugs

Comment 11 katnatek 2024-11-30 03:43:13 CET
RH x86_64

Can just test a clean update

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing kubernetes-master-1.27.16-1.mga9.x86_64.rpm kubernetes-node-1.27.16-1.mga9.x86_64.rpm kubernetes-1.27.16-1.mga9.x86_64.rpm kubernetes-client-1.27.16-1.mga9.x86_64.rpm kubernetes-kubeadm-1.27.16-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/5: kubernetes-client     ##################################################################################################
      2/5: kubernetes-node       ##################################################################################################
      3/5: kubernetes-master     ##################################################################################################
      4/5: kubernetes            ##################################################################################################
      5/5: kubernetes-kubeadm    ##################################################################################################
      1/5: removing kubernetes-1.27.3-1.mga9.x86_64
                                 ##################################################################################################
      2/5: removing kubernetes-master-1.27.3-1.mga9.x86_64
                                 ##################################################################################################
      3/5: removing kubernetes-kubeadm-1.27.3-1.mga9.x86_64
                                 ##################################################################################################
      4/5: removing kubernetes-node-1.27.3-1.mga9.x86_64
                                 ##################################################################################################
      5/5: removing kubernetes-client-1.27.3-1.mga9.x86_64
                                 ##################################################################################################
/usr/lib/tmpfiles.d/kubernetes.conf:1: Line references path below legacy directory /var/run/, updating /var/run/kubernetes → /run/kubernetes; please update the tmpfiles.d/ drop-in file accordingly.

The final complaint is also present when installing the current packages, perhaps a thing to fix?

Keywords: (none) => feedback

Comment 12 katnatek 2024-12-03 21:26:16 CET
As the message

/usr/lib/tmpfiles.d/kubernetes.conf:1: Line references path below legacy directory /var/run/, updating /var/run/kubernetes → /run/kubernetes; please update the tmpfiles.d/ drop-in file accordingly

is not a regression and the clean update should be good, the final decision is yours, Thomas. Sorry.

CC: (none) => andrewsfarm
Keywords: feedback => (none)
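The warning quoted above comes from systemd-tmpfiles: /var/run/ is only a compatibility symlink to /run/, and a tmpfiles.d drop-in that names a path under it is flagged on every package install. The following is an added example (not the Mageia package's own script, nor the fix Bruno uploaded): it reproduces the warning's cause on a constructed sample drop-in, lists the offending lines, and rewrites the path field to /run/ so the check passes. The real contents of /usr/lib/tmpfiles.d/kubernetes.conf are not on this page, so the sample file is an assumption about its shape.

```shell
#!/bin/sh
# Added example, not the Mageia kubernetes package's own code.
# Detect tmpfiles.d entries whose path field lies under the legacy
# /var/run/ directory and rewrite them to /run/, the way a fixed
# drop-in would look. The sample drop-in below is constructed for the
# example; the real kubernetes.conf is not shown on the page (assumption).
set -eu

SAMPLE="${TMPDIR:-/tmp}/kubernetes.conf.example"   # constructed sample drop-in
cat > "$SAMPLE" <<'EOF'
# constructed sample: the next line reproduces the warning from the QA log
d /var/run/kubernetes 0755 kube kube -
d /var/lib/kubelet 0750 root root -
EOF

# List (with line numbers) the tmpfiles.d entries of FILE whose path field
# is /var/run or something below it. Exit status 0 if at least one such
# line exists, 1 otherwise (grep semantics), so it doubles as a check.
tmpfiles_legacy_lines() {
    grep -nE '^[[:space:]]*[A-Za-z!+~=-]+[[:space:]]+/var/run(/|[[:space:]]|$)' "$1"
}

# Rewrite /var/run -> /run in the path field (2nd column) only, leaving
# comments, blank lines and the other fields untouched; result on stdout.
tmpfiles_fix_legacy() {
    awk '
        /^[[:space:]]*(#|$)/ { print; next }
        $2 ~ /^\/var\/run(\/|$)/ { sub(/^\/var\/run/, "/run", $2) }
        { print }
    ' "$1"
}

# Usage: show the offending line, write the fixed drop-in, re-check it.
echo "legacy references in $SAMPLE:"
tmpfiles_legacy_lines "$SAMPLE" || echo "(none)"
FIXED="$SAMPLE.fixed"
tmpfiles_fix_legacy "$SAMPLE" > "$FIXED"
if tmpfiles_legacy_lines "$FIXED" >/dev/null; then
    echo "still has legacy paths: $FIXED" >&2
    exit 1
fi
echo "rewritten drop-in written to $FIXED (no /var/run references left)"
```

Running the same check against the real /usr/lib/tmpfiles.d/kubernetes.conf before and after the update is a quick way to confirm the -2 build silenced the warning for the right reason (the path field changed) rather than because the line disappeared.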

Comment 13 Bruno Cornec 2024-12-03 23:26:14 CET
Uploaded version 1.27.3-2 solving the warning you reported.

Comment 14 katnatek 2024-12-04 21:21:10 CET
RH x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing kubernetes-kubeadm-1.27.16-2.mga9.x86_64.rpm kubernetes-1.27.16-2.mga9.x86_64.rpm kubernetes-node-1.27.16-2.mga9.x86_64.rpm kubernetes-master-1.27.16-2.mga9.x86_64.rpm kubernetes-client-1.27.16-2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/5: kubernetes-client     ##################################################################################################
      2/5: kubernetes-node       ##################################################################################################
      3/5: kubernetes-master     ##################################################################################################
      4/5: kubernetes            ##################################################################################################
      5/5: kubernetes-kubeadm    ##################################################################################################
      1/5: removing kubernetes-1.27.3-1.mga9.x86_64
                                 ##################################################################################################
      2/5: removing kubernetes-master-1.27.3-1.mga9.x86_64
                                 ##################################################################################################
      3/5: removing kubernetes-kubeadm-1.27.3-1.mga9.x86_64
                                 ##################################################################################################
      4/5: removing kubernetes-node-1.27.3-1.mga9.x86_64
                                 ##################################################################################################
      5/5: removing kubernetes-client-1.27.3-1.mga9.x86_64
                                 ##################################################################################################

The warning is gone
Advisory updated

Comment 15 Thomas Andrews 2024-12-05 01:35:59 CET
I looked into this, briefly, found several tutorials on Youtube that promise to get the user started in times varying from 15 minutes to three hours. I found all to be way beyond me. 

This looks very much like something former deputy QA leader wilcal would call a "career builder," meaning you could build a whole career around learning about it.

I'm too old for that, so a clean install will have to do. Validating, now that the warning is gone.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2024-12-06 18:10:27 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0389.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

