This release upgrades containerd to version v1.3.9 to address CVE-2020-15257 found in previous versions of containerd.
This vulnerability is present in the following releases:
- v1.18.12+rke2r1 and prior
The security issue affects containerd versions before 1.3.9 and 1.4.3. In these versions, the containerd-shim API is improperly exposed to host network containers. This allows malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. Please see containerd's security advisory for more information.
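To find where a cluster is still exposed, the following added example (not part of the RKE2 or containerd projects) flags nodes whose reported containerd version predates the fixed releases and lists the host-network pods scheduled on them. It assumes input shaped like `kubectl get nodes -o json` and `kubectl get pods -A -o json`; the sample nodes, pods and the `1.3.6-k3s2` and `1.4.1` version strings are constructed.

```python
import json
import re

FIXED_13 = (1, 3, 9)   # fixed release on the 1.3 line, per the note above
FIXED_14 = (1, 4, 3)   # fixed release on the 1.4 line, per the note above

def parse_runtime(runtime):
    """'containerd://1.3.9-k3s1' -> (1, 3, 9); None for other runtimes.
    Build suffixes such as '-k3s1' are ignored."""
    m = re.match(r"containerd://v?(\d+)\.(\d+)\.(\d+)", runtime)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True before 1.3.9, or on the 1.4 line before 1.4.3."""
    return version < FIXED_13 or (1, 4, 0) <= version < FIXED_14

def audit(nodes_json, pods_json):
    """Map each affected node to the host-network pods scheduled on it."""
    report = {}
    for node in json.loads(nodes_json)["items"]:
        version = parse_runtime(node["status"]["nodeInfo"]["containerRuntimeVersion"])
        if version is not None and is_affected(version):
            report[node["metadata"]["name"]] = []
    for pod in json.loads(pods_json)["items"]:
        spec, meta = pod["spec"], pod["metadata"]
        if spec.get("hostNetwork") and spec.get("nodeName") in report:
            report[spec["nodeName"]].append(f'{meta["namespace"]}/{meta["name"]}')
    return report

def _node(name, runtime):
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"containerRuntimeVersion": runtime}}}

def _pod(ns, name, node, host_network):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"nodeName": node, "hostNetwork": host_network}}

# Constructed sample data; node and pod names are made up.
SAMPLE_NODES = json.dumps({"items": [
    _node("node-a", "containerd://1.3.6-k3s2"),
    _node("node-b", "containerd://1.3.9-k3s1"),
    _node("node-c", "containerd://1.4.1"),
]})
SAMPLE_PODS = json.dumps({"items": [
    _pod("kube-system", "cni-agent", "node-a", True),
    _pod("default", "web", "node-a", False),
    _pod("kube-system", "cni-agent-b", "node-b", True),
]})

if __name__ == "__main__":
    print(audit(SAMPLE_NODES, SAMPLE_PODS))
```

An affected node with an empty list still needs the upgrade; the list only shows which workloads currently share the host network namespace with the shim.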
Packaged Component Versions
Component | Version |
---|---|
Kubernetes | v1.18.12 |
Etcd | v3.4.13-k3s1 |
Containerd | v1.3.9-k3s1 |
Runc | v1.0.0-rc92 |
CNI Plugins | v0.8.7 |
Flannel | v0.13.0-rancher1 |
Calico | v3.13.3 |
Metrics-server | v0.3.6 |
CoreDNS | v1.6.9 |
Ingress-Nginx | v1.36.3 |
Helm-controller | v0.7.3 |
Known Issues
- Helm-controller sometimes leaves behind failed install job pods with reason "NodeAffinity". This is due to an upstream issue. It is harmless, as the pods will be recreated and eventually succeed, but the failed pods will remain until manually deleted. #127
These items will be addressed in an upcoming release.
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started.