This release addresses the following upstream CVEs:
- CVE-2020-10749 - IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements
- CVE-2020-8555 - kube-controller-manager SSRF
These CVEs are described in more detail in this issue.
Changes since v1.17.5+k3s1:
- Upgrade Kubernetes to v1.17.6 - CVE-2020-8555 was patched in Kubernetes v1.18.1+, v1.17.5+, v1.16.9+. Thus, this vulnerability is already patched in v1.17.5+k3s1, but to ensure you have the latest stable version of k3s v1.17 available, this release upgrades to Kubernetes 1.17.6
- Upgrade cni plugin to v0.8.6 - CVE-2020-10749 affects k3s's embedded Flannel CNI integration. It is being addressed by upgrading the version of the https://github.com/containernetworking/plugins that k3s uses
- Upgrade Go to v1.13.11 - This is unrelated to the CVEs, but was done as part of routine maintenance
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started or to dive deep into K3s.