fix CVE-2025-0426

Signed-off-by: liuxu <liuxu156@huawei.com> (cherry picked from commit d958dcc6a96052790d5cdf15809402bc7ae8431f)
2025-02-24 05:57:06 +08:00 · 2025-02-24 05:57:06 +08:00 · e20a34b5b9
commit e20a34b5b9
parent 7e825e061b
2 changed files with 61 additions and 1 deletions
--- a/0008-Kubelet-server-handler-cleanup.patch
+++ b/0008-Kubelet-server-handler-cleanup.patch
@ -0,0 +1,52 @@
 From ce40efb4ef6efddc12e371a688687aa818d1ee53 Mon Sep 17 00:00:00 2001
 From: Tim Allclair <tallclair@google.com>
 Date: Tue, 21 Jan 2025 16:31:52 -0800
 Subject: [PATCH] Kubelet server handler cleanup
 ---
 pkg/kubelet/server/server.go | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
 diff --git a/pkg/kubelet/server/server.go b/pkg/kubelet/server/server.go
 index 87a017f9ccc..483faa60f4f 100644
 --- a/pkg/kubelet/server/server.go
 +++ b/pkg/kubelet/server/server.go
@@ -443,17 +443,6 @@ func (s *Server) InstallDefaultHandlers() {
 	s.restfulCont.Handle(proberMetricsPath,
 		compbasemetrics.HandlerFor(p, compbasemetrics.HandlerOpts{ErrorHandling: compbasemetrics.ContinueOnError}),
 	)
 -
 -	// Only enable checkpoint API if the feature is enabled
 -	if utilfeature.DefaultFeatureGate.Enabled(features.ContainerCheckpoint) {
 -		s.addMetricsBucketMatcher("checkpoint")
 -		ws = &restful.WebService{}
 -		ws.Path("/checkpoint").Produces(restful.MIME_JSON)
 -		ws.Route(ws.POST("/{podNamespace}/{podID}/{containerName}").
 -			To(s.checkpoint).
 -			Operation("checkpoint"))
 -		s.restfulCont.Add(ws)
 -	}
 }
 // InstallDebuggingHandlers registers the HTTP request patterns that serve logs or run commands/containers
@@ -548,6 +537,17 @@ func (s *Server) InstallDebuggingHandlers() {
 		To(s.getRunningPods).
 		Operation("getRunningPods"))
 	s.restfulCont.Add(ws)
 +
 +	// Only enable checkpoint API if the feature is enabled
 +	if utilfeature.DefaultFeatureGate.Enabled(features.ContainerCheckpoint) {
 +		s.addMetricsBucketMatcher("checkpoint")
 +		ws = &restful.WebService{}
 +		ws.Path("/checkpoint").Produces(restful.MIME_JSON)
 +		ws.Route(ws.POST("/{podNamespace}/{podID}/{containerName}").
 +			To(s.checkpoint).
 +			Operation("checkpoint"))
 +		s.restfulCont.Add(ws)
 +	}
 }
 // InstallDebuggingDisabledHandlers registers the HTTP request patterns that provide better error message
 -- 
 2.34.1
--- a/kubernetes.spec
+++ b/kubernetes.spec
@ -3,7 +3,7 @@
 Name:         kubernetes
 Version:      1.29.1
-Release:      10
+Release:      11
 Summary:      Container cluster management
 License:      ASL 2.0
 URL:          https://k8s.io/kubernetes
@ -31,6 +31,7 @@ Patch0004: 0004-Add-processStartTime-in-metrics-slis.patch
 Patch0005: 0005-fix-a-bug-where-the-uploaded-kubelet-configuration-in-kube-system-kubelet-config-ConfigMap-does-not-respect-user.patch
 Patch0006: 0006-adapt-go-version.patch
 Patch0007: 0007-gitRepo-volume-directory-must-be-max-1-level-deep.patch
 Patch0008: 0008-Kubelet-server-handler-cleanup.patch
 Patch1000: 1000-Add-riscv64-support-for-v1.29.1-kubernetes.patch
 Patch1001: 1001-Add-loong64-host-build-support.patch 
@ -102,6 +103,7 @@ Help documents for kubernetes.
 %patch 0005 -p1
 %patch 0006 -p1
 %patch 0007 -p1
 %patch 0008 -p1
 %ifarch riscv64
 %patch 1000 -p1
@ -288,6 +290,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy
 %changelog
 * Mon Feb 24 2025 liuxu <liuxu156@huawei.com> - 1.29.1-11
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC:fix CVE-2025-0426
 * Fri Dec 06 2024 shenzhongwei <shenzhongwei@kylinos.cn> - 1.29.1-10
 - TypeLbugfix
 - CVE:NA