k3s-1.21.3+k3s1-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10884-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z k3s-1.21.3+k3s1-1.2 on GA media These are all security issues fixed in the k3s-1.21.3+k3s1-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10884 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-1002101/ SUSE CVE CVE-2019-1002101 page https://www.suse.com/security/cve/CVE-2019-9946/ SUSE CVE CVE-2019-9946 page openSUSE Tumbleweed k3s-1.21.3+k3s1-1.2 k3s-1.21.3+k3s1-1.2 as a component of openSUSE Tumbleweed The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user's machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0. CVE-2019-1002101 openSUSE Tumbleweed:k3s-1.21.3+k3s1-1.2 moderate 5.8 AV:N/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1002101.html CVE-2019-1002101 https://bugzilla.suse.com/1131056 SUSE Bug 1131056 https://bugzilla.suse.com/1138929 SUSE Bug 1138929 https://bugzilla.suse.com/1144507 SUSE Bug 1144507 Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0. CVE-2019-9946 openSUSE Tumbleweed:k3s-1.21.3+k3s1-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9946.html CVE-2019-9946 https://bugzilla.suse.com/1131057 SUSE Bug 1131057