Kubernetes v1.25.13 is live!

Marko Mudrinić

Aug 24, 2023, 7:29:25 PM
to kubernetes-announce, dev
Kubernetes Community,

Kubernetes v1.25.13 has been built and pushed using Golang version 1.20.7.

The release notes have been updated in CHANGELOG-1.25.md, with a pointer to them on GitHub:


v1.25.13

Downloads for v1.25.13

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name architectures
registry.k8s.io/conformance:v1.25.13 amd64, arm, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.25.13 amd64, arm, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.25.13 amd64, arm, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.25.13 amd64, arm, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.25.13 amd64, arm, arm64, ppc64le, s390x

Changelog since v1.25.12

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Affected Versions:

  • kubelet <= v1.28.0
  • kubelet <= v1.27.4
  • kubelet <= v1.26.7
  • kubelet <= v1.25.12
  • kubelet <= v1.24.16

Fixed Versions:

  • kubelet v1.28.1
  • kubelet v1.27.5
  • kubelet v1.26.8
  • kubelet v1.25.13
  • kubelet v1.24.17

This vulnerability was discovered by James Sturtevant @jsturtevant and Mark Rossetti @marosset during the process of fixing CVE-2023-3676 (that original CVE was reported by Tomer Peled @tomerpeled92).

CVSS Rating: High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Affected Versions:

  • kubelet <= v1.28.0
  • kubelet <= v1.27.4
  • kubelet <= v1.26.7
  • kubelet <= v1.25.12
  • kubelet <= v1.24.16

Fixed Versions:

  • kubelet v1.28.1
  • kubelet v1.27.5
  • kubelet v1.26.8
  • kubelet v1.25.13
  • kubelet v1.24.17

This vulnerability was reported by Tomer Peled @tomerpeled92.

CVSS Rating: High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
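
The check below is an added example, not part of the original announcement or of Kubernetes itself: it applies the "Fixed Versions" lists of CVE-2023-3955 and CVE-2023-3676 to a node listing and reports the Windows nodes whose kubelet is still below the fixed patch. The node names and the `+vendor1` suffix are constructed, and treating minors newer than 1.28 as fixed is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// First fixed kubelet patch per minor, from the "Fixed Versions" lists above.
var fixedPatch = map[int]int{24: 17, 25: 13, 26: 8, 27: 5, 28: 1}

// Constructed sample, not real cluster data: node name, OS, kubelet version, as from
// kubectl get nodes --no-headers -o custom-columns=N:.metadata.name,OS:.status.nodeInfo.operatingSystem,V:.status.nodeInfo.kubeletVersion
const sampleNodes = `win-a windows v1.25.12
win-b windows v1.25.13
win-c windows v1.23.17
win-d windows v1.27.4+vendor1
lin-a linux   v1.25.12`

// kubeletAffected reports whether v predates the fixed patch of its minor. Minors below
// 1.24 count as affected; minors above 1.28 are assumed fixed (not listed in the advisory).
func kubeletAffected(v string) (bool, error) {
	var major, minor, patch int // Sscanf stops after the patch, so a vendor suffix is ignored
	if n, err := fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch); n != 3 || err != nil || major != 1 {
		return false, fmt.Errorf("unrecognized kubelet version %q", v)
	}
	if fixed, listed := fixedPatch[minor]; listed {
		return patch < fixed, nil
	}
	return minor < 24, nil
}

// windowsNodesAtRisk returns "name version" for Windows nodes to patch or review.
func windowsNodesAtRisk(listing string) []string {
	var out []string
	for _, line := range strings.Split(listing, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[1] != "windows" {
			continue // the advisory only concerns Windows nodes
		}
		if bad, err := kubeletAffected(f[2]); bad || err != nil {
			out = append(out, f[0]+" "+f[2]) // unparsable versions are flagged too
		}
	}
	return out
}

func main() {
	fmt.Println(windowsNodesAtRisk(sampleNodes))
}
```

A vendor build may carry a backported fix under an older version string, so a hit on a suffixed version is a prompt to confirm with the vendor.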

Changes by Kind

Feature

  • Kubeadm: generate CA certificates with a start time that is offset 5 minutes in the past relative to the current system time to work around cases of clock desync. client-go: allow setting NotBefore in NewSelfSignedCACert() (#119115, @champtar) [SIG API Machinery, Auth and Cluster Lifecycle]
  • Kubernetes is now built with Go 1.20.7 (#119836, @jeremyrickard) [SIG Release and Testing]
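
Why the kubeadm change above backdates the CA start time, as an added example that is not kubeadm or client-go code: a certificate whose NotBefore equals the issuer's current time is rejected by a verifier whose clock runs a few minutes behind, while a 5-minute offset tolerates that skew. The function name `validUnderSkew` and the subject name are hypothetical, and only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// validUnderSkew issues a self-signed CA at issuer time now, with NotBefore moved
// back by backdate, then verifies it on a clock running skew behind the issuer.
// Standard library only; this is not client-go's NewSelfSignedCACert.
func validUnderSkew(now time.Time, backdate, skew time.Duration) (bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	notBefore := now.Add(-backdate)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"}, // hypothetical name
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = ca.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now.Add(-skew)})
	return err == nil, nil
}

func main() {
	fmt.Println(validUnderSkew(time.Now(), 0, 3*time.Minute))             // no backdating
	fmt.Println(validUnderSkew(time.Now(), 5*time.Minute, 3*time.Minute)) // 5-minute offset
}
```

The offset only covers skew smaller than itself: a verifier more than 5 minutes behind still sees the certificate as not yet valid.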

Bug or Regression

  • Fix Topology Aware Hints not working when the topology.kubernetes.io/zone label is added after Node creation

    • Fix a data race in TopologyCache when AddHints and SetNodes are called concurrently (#117267, @tnqn) [SIG Apps and Network]
  • Revert kubelet prober metrics pod tag to include actual pod name (#118549, @a7i) [SIG Node]

  • Update kube-apiserver's priority & fairness work estimator such that 'max seats' is MIN(0.15 x nominalCL, nominalCL / handSize)

    This fixes a bug where clients with requests using hand size x max seats greater than the nominal concurrency limit can starve other requests in the same priority level. (#118601, @andrewsykim) [SIG API Machinery]

  • Update the Event series starting count when emitting isomorphic events from 1 to 2. (#119376, @dgrisonnet) [SIG API Machinery and Testing]

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.



Contributors, the CHANGELOG-1.25.md has been bootstrapped with v1.25.13 release notes and you may edit now as needed.



Published by your Kubernetes Release Managers.
