Bump CNI plugin and proxy-init versions #11348

Merged 1 commit on Sep 7, 2023

mateiidavid
Member

Bump CNI plugin to v1.2.1
Bump proxy-init to v2.2.2

Both dependencies include a fix for CVE-2023-2603. Since alpine is used as the runtime image, there is a security vulnerability detected in the produced images (due to an issue with libcap). The alpine images have been bumped to address the CVE.

Release link:
https://github.com/linkerd/linkerd2-proxy-init/releases/tag/cni-plugin%2Fv1.2.1
https://github.com/linkerd/linkerd2-proxy-init/releases/tag/proxy-init%2Fv2.2.2

Signed-off-by: Matei David <[email protected]>
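
A check an operator could run after this bump, as an added example that is not part of the pull request or of Linkerd's own code: it flags image references whose proxy-init or CNI plugin tag is older than the versions named above. The `cr.l5d.io/linkerd/...` image paths and the sample references are constructed assumptions; matching uses only the final path component of each reference.

```python
import re

# Minimum versions carrying the CVE-2023-2603 fix, as stated in this pull request.
FIXED = {"proxy-init": (2, 2, 2), "cni-plugin": (1, 2, 1)}


def parse_image(ref):
    """Split an image reference into (component name, tag or None)."""
    ref = ref.split("@", 1)[0]        # drop a trailing @sha256:... digest
    last = ref.rsplit("/", 1)[-1]     # a registry host:port stays left of the last "/"
    name, _, tag = last.partition(":")
    return name, (tag or None)


def parse_version(tag):
    """Return (major, minor, patch) for tags such as v2.2.2, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag or "")
    return tuple(int(x) for x in m.groups()) if m else None


def audit(image_refs):
    """Label each tracked image reference as patched, outdated or unknown."""
    findings = []
    for ref in image_refs:
        name, tag = parse_image(ref)
        if name not in FIXED:
            continue                  # not one of the two bumped components
        version = parse_version(tag)
        if version is None:
            status = "unknown"        # digest-only or non-release tag: inspect by hand
        elif version >= FIXED[name]:  # numeric compare, so v2.10.0 sorts above v2.2.2
            status = "patched"
        else:
            status = "outdated"
        findings.append((ref, status))
    return findings


# Constructed sample input: image references as they might appear in pod specs.
SAMPLE = [
    "cr.l5d.io/linkerd/proxy-init:v2.2.1",
    "cr.l5d.io/linkerd/cni-plugin:v1.2.1",
    "localhost:5000/mirror/proxy-init:v2.10.0",
    "cr.l5d.io/linkerd/proxy-init@sha256:0000",
    "cr.l5d.io/linkerd/proxy:stable-2.14.0",
]

if __name__ == "__main__":
    for ref, status in audit(SAMPLE):
        print(f"{status:9} {ref}")
```

The tag comparison only identifies the release; an image scanner run against the pulled image is what confirms the libcap package in the alpine layer.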
@mateiidavid mateiidavid requested a review from a team as a code owner September 7, 2023 13:14
@mateiidavid mateiidavid mentioned this pull request Sep 7, 2023
Member

@alpeb alpeb left a comment

LGTM 👍

@mateiidavid mateiidavid merged commit c0da3b9 into main Sep 7, 2023
38 checks passed
@mateiidavid mateiidavid deleted the matei/bump-cni-n-init branch September 7, 2023 15:27
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
Signed-off-by: Matei David <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
Signed-off-by: Matei David <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
mateiidavid added a commit that referenced this pull request Sep 20, 2023
Signed-off-by: Matei David <[email protected]>
mateiidavid added a commit that referenced this pull request Sep 20, 2023
This stable release backports two fixes that address security
vulnerabilities. The proxy's dependency on the webpki library has been updated
to patch [RUSTSEC-2023-0052], a potential CPU usage denial-of-service attack
when accepting a TLS handshake from an untrusted peer. In addition, the CNI and
proxy-init images have been updated to patch [CVE-2023-2603] surfaced in the
runtime image's libcap library. Finally, the release contains a backported fix
for service discovery on endpoints that use hostPorts which could potentially
disrupt connections on pod restarts.

* Control Plane
  * Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts [#11328]

* Proxy
  * Addressed security vulnerability [RUSTSEC-2023-0052] [#11389]

* CNI
  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
    plugin [#11348]

[#11328]: #11328
[#11348]: #11348
[#11389]: #11389
[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[CVE-2023-2603]: GHSA-wp54-pwvg-rqq5

Signed-off-by: Matei David <[email protected]>
@mateiidavid mateiidavid mentioned this pull request Sep 20, 2023
mateiidavid added a commit that referenced this pull request Sep 25, 2023
Signed-off-by: Matei David <[email protected]>
Signed-off-by: Eliza Weisman <[email protected]>
Co-authored-by: Alejandro Pedraza <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>