Hyperkube v1.5.2 Security Point Release

Jan 17, 2017, 9:57:48 PM
to CoreOS User
A critical vulnerability was found in the jq binary shipped in the hyperkube image 'quay.io/coreos/hyperkube:v1.5.2_coreos.0'. A new image containing a fix is available on quay tagged as 'v1.5.2_coreos.1'.

While the vulnerability in jq is critical, in the context of the hyperkube image, this won't affect most kubernetes users. It is not a security vulnerability in any of the hyperkube components shipped in the image itself, but rather in the jq binary shipped in the rootfs of the image. No hyperkube components shell out to jq and so, by default, it's not clear if there are any attack vectors that could utilize this vulnerability.

This vulnerability could be a problem in the context of hyperkube users that are utilizing plugins that shell out to jq. For example, here is a volume plugin utilizing the hyperkube jq: https://github.com/kubernetes/kubernetes/blob/master/examples/volumes/flexvolume/lvm#L72 

Only the hyperkube image tagged 'v1.5.2_coreos.0' is affected. If you are using that image, please upgrade to 'v1.5.2_coreos.1'.
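As an added example (not part of the CoreOS post or the hyperkube project), here is a POSIX shell audit helper that does the two checks a cluster operator would want after reading the above: flag the affected image tag among the image references in use, and scan a flexvolume plugin directory for driver scripts that shell out to jq, which is the attack vector the post describes. It assumes image references arrive one per line (for instance from kubectl get pods with a jsonpath template, or docker ps --format) and the kubelet flexvolume layout <plugin-dir>/<vendor>~<driver>/<driver>; the sample image list and the two driver scripts are constructed for the demo, not taken from a real cluster.

```shell
#!/bin/sh
# Added audit helpers; not from the CoreOS advisory or the hyperkube project.
# Assumptions: image references come one per line, e.g. from
#   kubectl get pods --all-namespaces \
#     -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}'
# or `docker ps --format '{{.Image}}'`, and flexvolume drivers live in the
# kubelet layout <plugin-dir>/<vendor>~<driver>/<driver>.

AFFECTED_IMAGE='quay.io/coreos/hyperkube:v1.5.2_coreos.0'
FIXED_IMAGE='quay.io/coreos/hyperkube:v1.5.2_coreos.1'

# Read image references from stdin and print each one that is exactly the
# affected tag. Returns 1 if any was found, 0 otherwise. Digest-pinned
# references are not matched: a digest cannot be mapped back to a tag here,
# so those must be resolved against the registry separately.
find_affected_images() {
    found=0
    while IFS= read -r ref || [ -n "$ref" ]; do
        ref=$(printf '%s' "$ref" | tr -d '[:space:]')   # tolerate CR / blanks
        [ -z "$ref" ] && continue
        if [ "$ref" = "$AFFECTED_IMAGE" ]; then
            printf 'AFFECTED %s (upgrade to %s)\n' "$ref" "$FIXED_IMAGE"
            found=1
        fi
    done
    return "$found"
}

# Scan a flexvolume plugin directory for driver scripts that invoke jq.
# Prints each matching driver path. Returns 1 if any was found, 0 otherwise.
scan_flexvolume_drivers() {
    plugin_dir=$1
    found=0
    for driver in "$plugin_dir"/*/*; do
        [ -f "$driver" ] || continue
        # Match jq as a standalone word, so e.g. "jquery" does not hit but
        # "| jq -r", "$(jq ...)" and "/usr/bin/jq" do.
        if grep -q -E '(^|[^[:alnum:]_-])jq([^[:alnum:]_-]|$)' "$driver"; then
            printf 'JQ-USER %s\n' "$driver"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample data for a stand-alone run (not real cluster output).
SAMPLE_IMAGES='quay.io/coreos/hyperkube:v1.5.2_coreos.0
quay.io/coreos/hyperkube:v1.5.2_coreos.1
gcr.io/google_containers/pause-amd64:3.0
quay.io/coreos/hyperkube:v1.5.2_coreos.0'

# Build a throwaway flexvolume tree with one constructed driver that shells
# out to jq and one that does not; prints the directory path.
make_sample_plugin_dir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/example~lvm" "$dir/example~nfs"
    cat >"$dir/example~lvm/lvm" <<'EOF'
#!/bin/sh
# constructed driver: parses its JSON options with jq (the pattern the advisory warns about)
VOLUMEID=$(echo "$2" | jq -r '.volumeID')
echo "$VOLUMEID"
EOF
    cat >"$dir/example~nfs/nfs" <<'EOF'
#!/bin/sh
# constructed driver: no JSON parser involved, only mount(8)
mount -t nfs "$2" "$1"
EOF
    chmod +x "$dir"/*/*
    printf '%s\n' "$dir"
}

# Demo against the constructed data; exit status stays 0 either way.
printf '%s\n' "$SAMPLE_IMAGES" | find_affected_images || echo "=> affected image in use, upgrade required"
sample_dir=$(make_sample_plugin_dir)
scan_flexvolume_drivers "$sample_dir" || echo "=> a plugin shells out to the image's jq"
rm -rf "$sample_dir"
```

A JQ-USER hit only means the plugin reaches the image's jq; whether that is exploitable depends on whether the data the driver feeds to jq (volume options from pod specs, for instance) can be influenced by an untrusted user. Images pinned by digest rather than tag are skipped by find_affected_images and need to be resolved against quay separately.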