jhunt / k8s-boshrelease

A BOSH Release for deploying Kubernetes clusters
MIT License

Flannel needs to be updated #43

Open obeyler opened 4 years ago

obeyler commented 4 years ago

The Flannel Docker image needs to be updated as soon as a Flannel image with the CVE fix is released.

see https://quay.io/repository/coreos/flannel?tag=v0.10.0-amd64&tab=tags

https://github.com/jhunt/k8s-boshrelease/blob/2a771c749900d96fb5999314f80602fdcbffb6ae/jobs/net-flannel/templates/k8s-init/flannel.yml#L123

jhunt commented 4 years ago

For the record, the CVE impacting Flannel is CVE-2019-14697.

There's no real detail in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697, but the GLSA for it does: https://security.gentoo.org/glsa/202003-13. Specifically, it says:

A flaw in musl libc’s arch-specific math assembly code for i386 was found which can lead to x87 stack overflow in the execution of subsequent math code.

It seems like there's already a fix available, in musl-1.1.24 and beyond. Here's what the release notes from musl say:

This version adds the GLOB_TILDE extension for glob, a non-stub implementation of the catgets localization API, and posix_spawn extensions for chdir in the child. Many arch-specific bugs are fixed, some serious, including CVE-2019-14697 affecting several math functions only on i386, broken riscv64 atomics, broken lseek with large offsets on x32 and mipsn32, and broken setjmp/longjmp on mipsr6. Various low-severity, non-arch-specific bugs are also fixed.

While I 💯 support updating Flannel when it needs it, I don't know how many i386 BOSH deployments of Kubernetes we're doing...
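A triage helper added here as an example (it is not code from k8s-boshrelease or from either commenter) that applies the two facts quoted in the thread: only i386 builds are affected, and musl 1.1.24 carries the fix. It reads the banner that the musl dynamic loader prints when run with no arguments (`musl libc (<arch>)` on one line, `Version <x.y.z>` on the next, written to stderr) and reports whether that build is affected, fixed, or out of scope. Assumptions: the Flannel image is musl-based, the loader is at `/lib/ld-musl-<arch>.so.1` inside the image, and the sample banners in the block are constructed rather than captured from real images.

```shell
#!/bin/sh
# Added example, not part of the k8s-boshrelease repository.
# Classify a musl build against CVE-2019-14697 using the loader banner.
# Assumptions (from the thread): affected arch is i386 only; fixed in 1.1.24.

FIXED_IN="1.1.24"      # first musl release containing the fix (release notes)
AFFECTED_ARCH="i386"   # only arch named by the GLSA

# Turn "major.minor.patch" into a comparable integer (1.1.24 -> 1001024).
# Missing components count as 0.
vkey() {
  printf '%s.0.0\n' "$1" | {
    IFS=. read -r a b c _
    printf '%d%03d%03d' "$a" "$b" "$c"
  }
}

# version_ge A B: succeed when dotted version A >= B.
version_ge() {
  [ "$(vkey "$1")" -ge "$(vkey "$2")" ]
}

# Read a loader banner on stdin; print one of:
#   affected      i386 build older than the fix
#   fixed         i386 build at or after the fix
#   not-affected  any other arch (CVE is i386-only)
#   unknown       input does not look like a musl loader banner
# Exit status is 1 for "affected", 2 for "unknown", 0 otherwise.
classify_musl_banner() {
  banner=$(cat)
  arch=$(printf '%s\n' "$banner" | sed -n 's/^musl libc (\([^)]*\)).*/\1/p' | head -n1)
  ver=$(printf '%s\n' "$banner" | sed -n 's/^Version \([0-9.]*\).*/\1/p' | head -n1)
  if [ -z "$arch" ] || [ -z "$ver" ]; then
    echo "unknown"; return 2
  fi
  if [ "$arch" != "$AFFECTED_ARCH" ]; then
    echo "not-affected"; return 0
  fi
  if version_ge "$ver" "$FIXED_IN"; then
    echo "fixed"; return 0
  fi
  echo "affected"; return 1
}

# Constructed sample banners (same shape as the real loader output, but
# NOT captured from any actual Flannel image).
SAMPLE_I386_OLD='musl libc (i386)
Version 1.1.23
Dynamic Program Loader'
SAMPLE_AMD64_OLD='musl libc (x86_64)
Version 1.1.22
Dynamic Program Loader'

# Classify the constructed samples; prints one "<label> <result>" line each.
demo() {
  printf 'i386-old  %s\n'  "$(printf '%s\n' "$SAMPLE_I386_OLD"  | classify_musl_banner)"
  printf 'amd64-old %s\n'  "$(printf '%s\n' "$SAMPLE_AMD64_OLD" | classify_musl_banner)"
}
```

Against a running image the banner comes from the loader itself, e.g. `docker run --rm --entrypoint /lib/ld-musl-x86_64.so.1 <flannel-image> 2>&1 | classify_musl_banner` (the loader path and the image being musl-based are assumptions to verify per image). The arch the banner reports is the build arch, so an amd64 Flannel image comes back `not-affected` regardless of its musl version, which is the point jhunt makes about i386 deployments; an i386 image is flagged `affected` until its musl is at least 1.1.24.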