What's the delta from v1? Also, given that this isn't the final 1.16 kubernetes release, I'd rather version bump than apply patches.
Bruce On Mon, Sep 30, 2019 at 6:16 PM Muminul Islam <[email protected]> wrote: > > Signed-off-by: Muminul Islam <[email protected]>
> --- > .../kubernetes/CVE-2018-1002105.patch | 87 +++++++++++++++++++ > .../kubernetes/kubernetes_git.bb | 1 + > 2 files changed, 88 insertions(+) > create mode 100644 > recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch > >
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch > b/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch
> new file mode 100644
> index 0000000..505450c
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2018-1002105.patch 
> @@ -0,0 +1,87 @@
> +From b2c05ca842b97090df424e0401968ba8d7ee3ecb Mon Sep 17 00:00:00 2001
> +From: Jordan Liggitt <[email protected]>
> +Date: Mon, 5 Nov 2018 23:50:35 -0500
> +Subject: [PATCH] Verify backend upgraded connection
> +Reply-To: [email protected]
> +
> +Signed-off-by: Muminul Islam <[email protected]>
> +
> +CVE: CVE-2018-1002105
> +
> +Upstream-Status: Backport
> +---
> + .../pkg/util/proxy/upgradeaware.go | 37 +++++++++++++++++++
> + 1 file changed, 37 insertions(+)
> +
> +diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go > b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
> +index 4d5cd34d48..b14819079c 100644
> +--- > a/src/import/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
> ++++ > b/src/import/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
> +@@ -17,6 +17,7 @@ limitations under the License.
> + package proxy
> +
> + import (
> ++ "bufio"
> + "bytes"
> + "context"
> + "fmt"
> +@@ -269,6 +270,18 @@ func (h *UpgradeAwareHandler) tryUpgrade(w > http.ResponseWriter, req *http.Reques
> + }
> + defer backendConn.Close()
> +
> ++ // determine the http response code from the backend by reading from > rawResponse+backendConn
> ++ rawResponseCode, headerBytes, err := > getResponseCode(io.MultiReader(bytes.NewReader(rawResponse), backendConn))
> ++ if err != nil {
> ++ glog.V(6).Infof("Proxy connection error: %v", err)
> ++ h.Responder.Error(w, req, err)
> ++ return true
> ++ }
> ++ if len(headerBytes) > len(rawResponse) {
> ++ // we read beyond the bytes stored in rawResponse, update > rawResponse to the full set of bytes read from the backend
> ++ rawResponse = headerBytes
> ++ }
> ++
> + // Once the connection is hijacked, the ErrorResponder will no longer > work, so
> + // hijacking should be the last step in the upgrade. 
> + requestHijacker, ok := w.(http.Hijacker)
> +@@ -293,6 +306,17 @@ func (h *UpgradeAwareHandler) tryUpgrade(w > http.ResponseWriter, req *http.Reques
> + }
> + }
> +
> ++ if rawResponseCode != http.StatusSwitchingProtocols {
> ++ // If the backend did not upgrade the request, finish echoing > the response from the backend to the client and return, closing the > connection.
> ++ glog.V(6).Infof("Proxy upgrade error, status code %d", > rawResponseCode)
> ++ _, err := io.Copy(requestHijackedConn, backendConn)
> ++ if err != nil && !strings.Contains(err.Error(), "use of > closed network connection") {
> ++ glog.Errorf("Error proxying data from backend to > client: %v", err)
> ++ }
> ++ // Indicate we handled the request
> ++ return true
> ++ }
> ++
> + // Proxy the connection. This is bidirectional, so we need a goroutine
> + // to copy in each direction. Once one side of the connection exits, > we
> + // exit the function which performs cleanup and in the process closes
> +@@ -354,6 +378,19 @@ func (h *UpgradeAwareHandler) DialForUpgrade(req > *http.Request) (net.Conn, error
> + return dial(updatedReq, h.UpgradeTransport)
> + }
> +
> ++// getResponseCode reads a http response from the given reader, returns the > status code,
> ++// the bytes read from the reader, and any error encountered
> ++func getResponseCode(r io.Reader) (int, []byte, error) {
> ++ rawResponse := bytes.NewBuffer(make([]byte, 0, 256))
> ++ // Save the bytes read while reading the response headers into the > rawResponse buffer
> ++ resp, err := http.ReadResponse(bufio.NewReader(io.TeeReader(r, > rawResponse)), nil)
> ++ if err != nil {
> ++ return 0, nil, err
> ++ }
> ++ // return the http status code and the raw bytes consumed from the > reader in the process
> ++ return resp.StatusCode, rawResponse.Bytes(), nil
> ++}
> ++
> + // dial dials the backend at req.URL and writes req to it. 
> + func dial(req *http.Request, transport http.RoundTripper) (net.Conn, error) > {
> + conn, err := DialURL(req.Context(), req.URL, transport)
> +--
> +2.23.0
> +
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb > b/recipes-containers/kubernetes/kubernetes_git.bb
> index a0e0e47..b587e16 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -12,6 +12,7 @@ SRC_URI = > "git://github.com/kubernetes/kubernetes.git;branch=master;name=kuberne > file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \ > file://0001-cross-don-t-build-tests-by-default.patch \ > > file://0001-fix-compiling-failure-execvp-bin-bash-Argument-list-.patch \
> + file://CVE-2018-1002105.patch \ > " > > DEPENDS += "rsync-native \
> -- > 2.23.0 > > -- > _______________________________________________ > meta-virtualization mailing list > [email protected] > https://lists.yoctoproject.org/listinfo/meta-virtualization -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II -- _______________________________________________ meta-virtualization mailing list [email protected] https://lists.yoctoproject.org/listinfo/meta-virtualization
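Review bot: Inside the new CVE-2018-1002105.patch the `diff --git a/staging/src/k8s.io/... b/staging/src/k8s.io/...` header names a different path than the `--- a/src/import/staging/...` and `+++ b/src/import/staging/...` lines below it, so a patch tool that trusts the git header (e.g. PATCHTOOL = "git") would look for the file in the wrong place; either rewrite the header with the `src/import/` prefix or drop the `diff --git`/`index` lines so only the quilt-style paths remain. The upstream commit is dated 5 Nov 2018 while the kubernetes_git.bb hunk shows SRC_URI tracking `branch=master`, so unless the pinned SRCREV predates that commit the fix is presumably already in the tree and the patch would fail to apply or be a no-op, which is worth checking before the file is added to SRC_URI. The hunks also call `glog.V(6).Infof` and `glog.Errorf`, and newer kubernetes trees use klog at those sites, so on a recent checkout the context lines likely will not match either. The tryUpgrade body that these hunks modify starts and ends outside the quoted hunks.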
