Emergency Out-of-Bound Kubernetes 1.25.2, 1.24.6, 1.23.12, 1.22.15 patch releases

Skip to first unread message

Marko Mudrinić

Sep 20, 2022, 3:30:36 PM9/20/22
to d...@kubernetes.io, kubernetes-sig-release

Hello kubefolx,

The latest Kubernetes patch releases (1.25.1, 1.24.5, 1.23.11, 1.22.14) fixed CVE-2022-3172 which is announced and explained here[1]. The CVE fix[2] changed the default behavior of kube-apiserver to reject 3xx requests unless explicitly enabled. However, this introduced a regression[3] as not all 3xx requests are redirects. Depending on the aggregated API server implementation, this regression might manifest as:

  • Breaking some features of the aggregated API server

  • Causing a huge amount of warning logs in the kube-apiserver

This regression has been fixed in PR #112526[4], as well as, on all active release branches in the appropriate cherry-pick PRs.

Considering that this is related to a security issue, we decided to release emergency out-of-bound Kubernetes patch releases:

  • 1.25.2

  • 1.24.6

  • 1.23.12

  • 1.22.15

The releases are planned for tomorrow, 21st September 2022.

If you already upgraded to the latest/affected patch releases (1.25.1, 1.24.5, 1.23.11, 1.22.14), we recommend upgrading to the new patch releases as soon as they are available. If you haven’t upgraded yet, we recommend waiting for the new patch releases to become available.

If you have questions about those releases, you can contact us on the #sig-release Slack channel[5].

Thanks for understanding.

SIG Release

[1]: https://groups.google.com/g/kubernetes-announce/c/aaOLnyQPXFg

[2]: https://github.com/kubernetes/kubernetes/pull/112193

[3]: https://github.com/kubernetes/kubernetes/issues/112524

[4]: https://github.com/kubernetes/kubernetes/pull/112526

[5]: https://kubernetes.slack.com/archives/C2C40FMNF

Marko Mudrinić

Sep 21, 2022, 5:11:19 PM9/21/22
to dev, Marko Mudrinić, kubernetes-sig-release
Hello kubefolx,

The announced emergency out-of-band patch releases are now available. You can find more information about those releases in the release announcement emails sent to the dev and kubernetes-announce mailing lists:
Please note that the CHANGELOG files in the kubernetes/kubernetes repository don't show that the regression has been fixed. This is because of a bug in the release-notes tool that we discovered today. We created a PR #112655[5] to manually add the missing changelog entries. The release announcement emails have all changelog entries.

SIG Release

Reply all
Reply to author
0 new messages