
[GHSA-82hx-w2r5-c2wq] Kubernetes API Server DoS Via API Requests #2742

Merged


@skitt skitt commented Sep 19, 2023

Updates

  • Affected products

Comments
Go versions of k8s.io artifacts start with 0, see for example https://pkg.go.dev/k8s.io/apiserver?tab=versions. The version corresponding to Kubernetes 1.17.3 is 0.17.3.

@github-actions github-actions bot changed the base branch from main to skitt/advisory-improvement-2742 September 19, 2023 11:14
@darakian
Contributor

Gah, sorry about the error and thanks for the PR. Any chance you have some release notes that correspond with these api server releases? I'm not finding much in their repo.

@skitt
Author

skitt commented Sep 20, 2023

The corresponding release note was

Removed the 'client' label from apiserver_request_total.

See the PR description in kubernetes/kubernetes#87669. There’s no direct mention of the CVE in the release notes, the CVE was tracked in kubernetes/kubernetes#89378 and versions with fixes are listed there (as Kubernetes versions, not Go module versions).

The note above appears only as a deprecation in the 1.18 changelog; I don’t see it in the corresponding backport releases in earlier branches.

@darakian
Contributor

Gotcha. Looks like the 0.x versions are also published over here
https://github.com/kubernetes/apiserver
and the commit notes point out that they are based on the corresponding 1.x releases of the main project.

Many thanks for the PR. This should close #2745 as well.
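Added example, not code from this PR thread or from any Kubernetes project: a small Go program that does the version translation discussed above (a Kubernetes release 1.X.Y corresponds to the k8s.io module tag v0.X.Y, and back), then uses it to decide whether a k8s.io module version as it appears in a go.mod predates a fix list that is given, as in the tracking issue, as Kubernetes versions rather than Go module versions. The function names KubeToModule, ModuleToKube and IsAffected are this example's own, and the fix list in main is constructed for illustration only; it is not the real fix list for this advisory, which is in kubernetes/kubernetes#89378.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// semver is a minimal major.minor.patch triple. Kubernetes releases and the
// k8s.io module tags are plain three-part versions, so no pre-release
// handling is needed here.
type semver struct{ major, minor, patch int }

func parse(s string) (semver, error) {
	parts := strings.Split(strings.TrimPrefix(s, "v"), ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("expected major.minor.patch, got %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return semver{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

// KubeToModule maps a Kubernetes release (1.X.Y) to the tag used by the
// k8s.io/* Go modules (v0.X.Y).
func KubeToModule(kube string) (string, error) {
	v, err := parse(kube)
	if err != nil {
		return "", err
	}
	if v.major != 1 {
		return "", fmt.Errorf("kubernetes release %q is not a 1.x version", kube)
	}
	return fmt.Sprintf("v0.%d.%d", v.minor, v.patch), nil
}

// ModuleToKube is the inverse: v0.X.Y -> 1.X.Y.
func ModuleToKube(mod string) (string, error) {
	v, err := parse(mod)
	if err != nil {
		return "", err
	}
	if v.major != 0 {
		return "", fmt.Errorf("module version %q is not a v0.x version", mod)
	}
	return fmt.Sprintf("1.%d.%d", v.minor, v.patch), nil
}

// IsAffected reports whether a k8s.io module version from go.mod (e.g.
// "v0.17.3") predates the fix, given the fixed releases as Kubernetes
// versions, one per patched minor branch. Branch semantics assumed here:
// a minor with a listed fix is fixed from that patch on; a minor newer than
// every listed fix carries the fix forward; a minor older than, or missing
// from, the list never received a backport and is affected.
func IsAffected(mod string, fixedKube []string) (bool, error) {
	v, err := parse(mod)
	if err != nil {
		return false, err
	}
	if v.major != 0 {
		return false, fmt.Errorf("module version %q is not a v0.x version", mod)
	}
	fixed := map[int]int{} // minor -> first fixed patch on that branch
	maxMinor := -1
	for _, k := range fixedKube {
		f, err := parse(k)
		if err != nil {
			return false, err
		}
		if f.major != 1 {
			return false, fmt.Errorf("fixed version %q is not a 1.x release", k)
		}
		if p, ok := fixed[f.minor]; !ok || f.patch < p {
			fixed[f.minor] = f.patch
		}
		if f.minor > maxMinor {
			maxMinor = f.minor
		}
	}
	if maxMinor < 0 {
		return false, errors.New("no fixed versions given")
	}
	if p, ok := fixed[v.minor]; ok {
		return v.patch < p, nil
	}
	return v.minor < maxMinor, nil
}

func main() {
	// Constructed fix list for illustration only, not the real one.
	fixed := []string{"1.16.9", "1.17.5", "1.18.0"}
	for _, mod := range []string{"v0.15.2", "v0.17.3", "v0.17.5", "v0.19.0"} {
		affected, _ := IsAffected(mod, fixed)
		kube, _ := ModuleToKube(mod)
		fmt.Printf("%s (Kubernetes %s) affected=%v\n", mod, kube, affected)
	}
}
```

The direction check in KubeToModule and ModuleToKube is the point: an advisory that lists "1.17.3" against a k8s.io module would never match the "v0.17.3" a scanner reads from go.mod, so a tool that matches module versions against Kubernetes release numbers silently reports nothing.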

@advisory-database advisory-database bot merged commit 8e04389 into skitt/advisory-improvement-2742 Sep 20, 2023
@advisory-database advisory-database bot deleted the skitt-GHSA-82hx-w2r5-c2wq branch September 20, 2023 22:42
@advisory-database
Contributor

Hi @skitt! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
