From 8d423dcbc87873a8b58c8a305d1a3c0c9ae77f42 Mon Sep 17 00:00:00 2001 From: Matei David Date: Wed, 20 Sep 2023 10:40:41 +0000 Subject: [PATCH] stable-2.13.7 This stable release backports two fixes that address security vulnerabilities. The proxy's dependency on the webpki library has been updated to patch [RUSTSEC-2023-0052], a potential CPU usage denial-of-service attack when accepting a TLS handshake from an untrusted peer. In addition, the CNI and proxy-init images have been updated to patch [CVE-2023-2603] surfaced in the runtime image's libcap library. Finally, the release contains a backported fix for service discovery on endpoints that use hostPorts which could potentially disrupt connections on pod restarts. * Control Plane * Changed how hostPort lookups are handled in the destination service. Previously, when doing service discovery for an endpoint bound on a hostPort, the destination service would return the corresponding pod IP. On pod restart, this could lead to loss of connectivity on the client's side. The destination service now always returns host IPs for service discovery on an endpoint that uses hostPorts [#11328] * Proxy * Addressed security vulnerability [RUSTSEC-2023-0052] [#11389] * CNI * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI plugin [#11348] [#11328]: https://github.com/linkerd/linkerd2/pull/11328 [#11348]: https://github.com/linkerd/linkerd2/pull/11348 [#11389]: https://github.com/linkerd/linkerd2/pull/11389 [RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html [CVE-2023-2603]: https://github.com/advisories/GHSA-wp54-pwvg-rqq5
Signed-off-by: Matei David
---
 CHANGES.md | 32 +++++++++++++++++++
 charts/linkerd-control-plane/Chart.yaml | 2 +-
 charts/linkerd-control-plane/README.md | 2 +-
 charts/linkerd2-cni/Chart.yaml | 2 +-
 charts/linkerd2-cni/README.md | 2 +-
 jaeger/charts/linkerd-jaeger/Chart.yaml | 2 +-
 jaeger/charts/linkerd-jaeger/README.md | 2 +-
 .../charts/linkerd-multicluster/Chart.yaml | 2 +-
 .../charts/linkerd-multicluster/README.md | 2 +-
 viz/charts/linkerd-viz/Chart.yaml | 2 +-
 viz/charts/linkerd-viz/README.md | 2 +-
 11 files changed, 42 insertions(+), 10 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 2c0656c827f1f..bcec4c77ee32a 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,37 @@
 # Changes
+## stable-2.13.7
+
+This stable releases addresses backports two fixes that address security
+vulnerabilities. The proxy's dependency on the webpki library has been updated
+to patch [RUSTSEC-2023-0052], a potential CPU usage denial-of-service attack
+when accepting a TLS handshake from an untrusted peer. In addition, the CNI and
+proxy-init images have been updated to patch [CVE-2023-2603] surfaced in the
+runtime image's libcap library. Finally, the release contains a backported fix
+for service discovery on endpoints that use hostPorts which could potentially
+disrupt connections on pod restarts.
+
+* Control Plane
+ * Changed how hostPort lookups are handled in the destination service.
+ Previously, when doing service discovery for an endpoint bound on a
+ hostPort, the destination service would return the corresponding pod IP. On
+ pod restart, this could lead to loss of connectivity on the client's side.
+ The destination service now always returns host IPs for service discovery
+ on an endpoint that uses hostPorts [#11328]
+
+* Proxy
+ * Addressed security vulnerability [RUSTSEC-2023-0052] [#11389]
+
+* CNI
+ * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
+ plugin [#11348]
+
+[#11328]: https://github.com/linkerd/linkerd2/pull/11328
+[#11348]: https://github.com/linkerd/linkerd2/pull/11348
+[#11389]: https://github.com/linkerd/linkerd2/pull/11389
+[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
+[CVE-2023-2603]: https://github.com/advisories/GHSA-wp54-pwvg-rqq5
+
 ## stable-2.13.6
 This stable release fixes a regression introduced in stable-2.13.0 which
diff --git a/charts/linkerd-control-plane/Chart.yaml b/charts/linkerd-control-plane/Chart.yaml
index 0e4a2c86482c1..ca487b2604e73 100644
--- a/charts/linkerd-control-plane/Chart.yaml
+++ b/charts/linkerd-control-plane/Chart.yaml
@@ -16,7 +16,7 @@ dependencies:
 - name: partials
 version: 0.1.0
 repository: file://../partials
-version: 1.12.6
+version: 1.12.7
 icon: https://linkerd.io/images/logo-only-200h.png
 maintainers:
 - name: Linkerd authors
diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md
index d6a5e58e2fac9..7081d221da170 100644
--- a/charts/linkerd-control-plane/README.md
+++ b/charts/linkerd-control-plane/README.md
@@ -3,7 +3,7 @@ Linkerd gives you observability, reliability, and security for your microservices — with no code change required.
-![Version: 1.12.6](https://img.shields.io/badge/Version-1.12.6-informational?style=flat-square)
+![Version: 1.12.7](https://img.shields.io/badge/Version-1.12.7-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
diff --git a/charts/linkerd2-cni/Chart.yaml b/charts/linkerd2-cni/Chart.yaml
index 7a8a83d28c559..f62a1906ad718 100644
--- a/charts/linkerd2-cni/Chart.yaml
+++ b/charts/linkerd2-cni/Chart.yaml
@@ -9,4 +9,4 @@ description: |
 kubeVersion: ">=1.21.0-0"
 icon: https://linkerd.io/images/logo-only-200h.png
 name: "linkerd2-cni"
-version: 30.8.4
+version: 30.8.5
diff --git a/charts/linkerd2-cni/README.md b/charts/linkerd2-cni/README.md
index 7486928e55e9b..5d0bb09b9184d 100644
--- a/charts/linkerd2-cni/README.md
+++ b/charts/linkerd2-cni/README.md
@@ -6,7 +6,7 @@ Linkerd [CNI plugin](https://linkerd.io/2/features/cni/) takes care of setting up your pod's network so incoming and outgoing traffic is proxied through the data plane.
-![Version: 30.8.4](https://img.shields.io/badge/Version-30.8.4-informational?style=flat-square)
+![Version: 30.8.5](https://img.shields.io/badge/Version-30.8.5-informational?style=flat-square)
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
diff --git a/jaeger/charts/linkerd-jaeger/Chart.yaml b/jaeger/charts/linkerd-jaeger/Chart.yaml
index b4c562035239f..e025ad0569bea 100644
--- a/jaeger/charts/linkerd-jaeger/Chart.yaml
+++ b/jaeger/charts/linkerd-jaeger/Chart.yaml
@@ -11,7 +11,7 @@ kubeVersion: ">=1.21.0-0"
 name: linkerd-jaeger
 sources:
 - https://github.com/linkerd/linkerd2/
-version: 30.8.6
+version: 30.8.7
 icon: https://linkerd.io/images/logo-only-200h.png
 maintainers:
 - name: Linkerd authors
diff --git a/jaeger/charts/linkerd-jaeger/README.md b/jaeger/charts/linkerd-jaeger/README.md
index 54239f537e314..09903b0733480 100644
--- a/jaeger/charts/linkerd-jaeger/README.md
+++ b/jaeger/charts/linkerd-jaeger/README.md
@@ -3,7 +3,7 @@ The Linkerd-Jaeger extension adds distributed tracing to Linkerd using OpenCensus and Jaeger.
-![Version: 30.8.6](https://img.shields.io/badge/Version-30.8.6-informational?style=flat-square)
+![Version: 30.8.7](https://img.shields.io/badge/Version-30.8.7-informational?style=flat-square)
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
diff --git a/multicluster/charts/linkerd-multicluster/Chart.yaml b/multicluster/charts/linkerd-multicluster/Chart.yaml
index edb6da7a46f3d..7fe23521f56f3 100644
--- a/multicluster/charts/linkerd-multicluster/Chart.yaml
+++ b/multicluster/charts/linkerd-multicluster/Chart.yaml
@@ -11,7 +11,7 @@ kubeVersion: ">=1.21.0-0"
 name: "linkerd-multicluster"
 sources:
 - https://github.com/linkerd/linkerd2/
-version: 30.7.6
+version: 30.7.7
 icon: https://linkerd.io/images/logo-only-200h.png
 maintainers:
 - name: Linkerd authors
diff --git a/multicluster/charts/linkerd-multicluster/README.md b/multicluster/charts/linkerd-multicluster/README.md
index 195adc777b83c..05ece647bd539 100644
--- a/multicluster/charts/linkerd-multicluster/README.md
+++ b/multicluster/charts/linkerd-multicluster/README.md
@@ -3,7 +3,7 @@ The Linkerd-Multicluster extension contains resources to support multicluster linking to remote clusters
-![Version: 30.7.6](https://img.shields.io/badge/Version-30.7.6-informational?style=flat-square)
+![Version: 30.7.7](https://img.shields.io/badge/Version-30.7.7-informational?style=flat-square)
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
diff --git a/viz/charts/linkerd-viz/Chart.yaml b/viz/charts/linkerd-viz/Chart.yaml
index a8a3331d3d51e..1630f1f5e2dc9 100644
--- a/viz/charts/linkerd-viz/Chart.yaml
+++ b/viz/charts/linkerd-viz/Chart.yaml
@@ -11,7 +11,7 @@ kubeVersion: ">=1.21.0-0"
 name: "linkerd-viz"
 sources:
 - https://github.com/linkerd/linkerd2/
-version: 30.8.6
+version: 30.8.7
 icon: https://linkerd.io/images/logo-only-200h.png
 maintainers:
 - name: Linkerd authors
diff --git a/viz/charts/linkerd-viz/README.md b/viz/charts/linkerd-viz/README.md
index 1c289c4705913..017dccfb50ec0 100644
--- a/viz/charts/linkerd-viz/README.md
+++ b/viz/charts/linkerd-viz/README.md
@@ -3,7 +3,7 @@ The Linkerd-Viz extension contains observability and visualization components for Linkerd.
-![Version: 30.8.6](https://img.shields.io/badge/Version-30.8.6-informational?style=flat-square)
+![Version: 30.8.7](https://img.shields.io/badge/Version-30.8.7-informational?style=flat-square)
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)