kubevirt-tekton-tasks chore(deps): update module kubevirt.io/kubevirt to v1.2.1 [security] (release-v0.17)

chore(deps): update module kubevirt.io/kubevirt to v1.2.1 [security] (release-v0.17)

Open redhat-renovate-bot opened this issue 1 year ago • 6 comments

This PR contains the following updates:

Package	Type	Update	Change
kubevirt.io/kubevirt	require	minor	`v1.1.0` -> `v1.2.1`

KubeVirt NULL pointer dereference flaw

CVE-2024-31420 / GHSA-vjhf-6xfr-5p9g / GO-2024-2688

More information

Details

A NULL pointer dereference flaw was found in KubeVirt. This flaw allows an attacker who has access to a virtual machine guest on a node with DownwardMetrics enabled to cause a denial of service by issuing a high number of calls to vm-dump-metrics --virtio and then deleting the virtual machine.

Severity

CVSS Score: 6.5 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

kubevirt allows a local attacker to execute arbitrary code via a crafted command

CVE-2024-33394 / GHSA-4q63-mr2m-57hf / GO-2024-2816

More information

Details

An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.

Severity

CVSS Score: 5.9 / 10 (Medium)
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

kubevirt/kubevirt (kubevirt.io/kubevirt)

`v1.2.1`

Compare Source

tag v1.2.1 Tagger: Antonio Cardace [email protected]

This release follows v1.2.0 and consists of 288 changes, contributed by 31 people, leading to 423 files changed, 13593 insertions(+), 11123 deletions(-).

The source code and selected binaries are available for download at: https://github.com/kubevirt/kubevirt/releases/tag/v1.2.1.

The primary release artifact of KubeVirt is the git tree. The release tag is signed and can be verified using git tag -v v1.2.1.

Pre-built containers are published on Quay and can be viewed at: https://quay.io/kubevirt/.

Notable changes

[PR #11986][fossedihelm] Restart of a VM is required when the CPU socket count is reduced
[PR #11977][fossedihelm] Bug fix: Correctly reflect RestartRequired condition
[PR #11972][fossedihelm] Fix RerunOnFailure RunStrategy
[PR #11966][lyarwood] VirtualMachines referencing an instance type are now allowed when the LiveUpdate feature is enabled and will trigger the RestartRequired condition if the reference within the VirtualMachine is changed.
[PR #11649][kubevirt-bot] Updated common-instancetypes bundles to v1.0.0
[PR #11866][kubevirt-bot] Fix the live updates for volumes and disks
[PR #11853][fossedihelm] Updated go version of the client-go to 1.21
[PR #11691][kubevirt-bot] Improve the handling of ordinal pod interface name for upgrade
[PR #11675][tiraboschi] Make 'image' field in hook sidecar annotation optional.
[PR #11761][avlitman] New memory statistics added named kubevirt_memory_delta_from_requested_bytes
[PR #11720][assafad] Collect VMI OS info from the Guest agent as kubevirt_vmi_phase_count metric labels
[PR #11656][kubevirt-bot] Build the passtcustom CNI binary statically, for the passt network binding plugin.
[PR #11582][kubevirt-bot] Expose volumesnapshot error in vmsnapshot object
[PR #11502][kubevirt-bot] Allow to hotplug memory for VMs with memory limits set
[PR #11510][kubevirt-bot] Reduce the downwardMetrics server maximum number of request per second to 1.
[PR #11464][kubevirt-bot] Bugfix: Allow vmexport download redirections by printing logs into stderr
[PR #11463][kubevirt-bot] Bugfix: Improve handling of IOThreads with incompatible buses
[PR #11480][kubevirt-bot] Build KubeVirt with Go version 1.21.8
[PR #11371][kubevirt-bot] More information in the migration state of VMI / migration objects
[PR #11396][kubevirt-bot] BugFix: Ensure DataVolumes created by virt-controller (DataVolumeTemplates) are recreated and owned by the VM in the case of DR and backup/restore.
[PR #11263][alromeros] Bugfix: Improve error reporting when fsfreeze fails
[PR #11422][kubevirt-bot] add perf-scale benchmarks for release v1.2
[PR #11318][fossedihelm] fix(vmclone): delete vmclone resource when the target vm is deleted
[PR #11393][kubevirt-bot] Bug-fix: Fix nil panic if VM update fails
[PR #11354][kubevirt-bot] Fix perfscale buckets error
[PR #11378][fossedihelm] fix(ksm): set the kubevirt.io/ksm-enabled node label to true if the ksm is managed by KubeVirt, instead of reflect the actual ksm value.

Contributors

31 people contributed to this release:

Additional Resources

Mailing list: https://groups.google.com/forum/#!forum/kubevirt-dev
Slack: https://kubernetes.slack.com/messages/virtualization
An easy to use demo: https://github.com/kubevirt/demo
How to contribute
License

-----BEGIN PGP SIGNATURE-----

iQJIBAABCAAyFiEEL3WFe2eU+K2zCASGa/gKvUPjd9MFAmZVlX8UHGFjYXJkYWNl QHJlZGhhdC5jb20ACgkQa/gKvUPjd9PHcg/9GKOBdiJvG4qKA/fLOvTyJrhFIoli S2OSnpEOEtQq2AnFrgQD8cIgpX9WahWYjKL841rbxmvOAKAuw868913/Y36R75Le xuyDVuN2dFdblCcx7oFw2USPWeThVqG283E+qhss+GHVuIFXGHatFYaI966QI9Xr qyNIj+hnjyLZsaq8CWowSlIWF73leRfj1csw5XkbcWU4rAgDzKHLJoYQeX3Ekkma rhn0NwYJi4jYHRxFzPhDGXwVn1ItwwtutyWQj1EnIxt04XojxZ8pyHJ6dBv96Hwc 3bo68aG9JmGI9P7bs7+5wbMlMFdHZVrSc44JxXcv6N6D1OVWQPJfSkFVKAMhHxZ9 vycFdBJ/1p3T4gu9loM063syw98L4UDBMmCZgfunn0gdgie9OsFTzVaFvi1brQ7E dMfvr1oj8t1TOWZo71rBIDWULlwryMS9NWsVT84CteTTaVOEUva02UIf6l7CV9oq DBax71hCK7vLGqBFT4evu8g9TNtmK9LArHVBeMwe16qXVlIyIqVeujBmLVr7Qly3 X6F96i+HqaUWyCRceTX1uOhD/r9AjghHzFJwDQX2C9+c3zFI/9/cy2ajwNemEHgx X1xf9vi17bn1HT+oRRoH+slf9JdHFW0T2pFvBcwNhakyaN45gG6k4K4nGGKNrw8U MDze3ObziJMJeuQ= =gs80 -----END PGP SIGNATURE-----

`v1.2.0`

Compare Source

tag v1.2.0 Tagger: Antonio Cardace [email protected]

This release follows v1.1.1 and consists of 822 changes, contributed by 65 people, leading to 1234 files changed, 46897 insertions(+), 22403 deletions(-). v1.2.0 is a promotion of release candidate v1.2.0-rc.1 which was originally published 2024-02-26 The source code and selected binaries are available for download at: https://github.com/kubevirt/kubevirt/releases/tag/v1.2.0.

The primary release artifact of KubeVirt is the git tree. The release tag is signed and can be verified using git tag -v v1.2.0.

Pre-built containers are published on Quay and can be viewed at: https://quay.io/kubevirt/.

Notable changes

API change

[PR #11064] [AlonaKaplan] Introduce a new API to mark a binding plugin as migratable.
[PR #10970] [alromeros] Expose fs disk information via GuestOsInfo
[PR #10905] [tiraboschi] Aggregate DVs conditions on VMI (and so VM)
[PR #10872] [RamLavi] IsolateEmulatorThread: Add cluster-wide parity completion setting
[PR #10846] [RamLavi] Change vm.status.PrintableStatus default value to "Stopped"
[PR #10774] [victortoso] Windows offline activation with ACPI SLIC table
[PR #10732] [AlonaKaplan] Extend kubvirt CR by adding domain attachment option to the network binding plugin API.
[PR #10658] [matthewei] Support "Clone API" to filter VirtualMachine.spec.template.annotation and VirtualMachine.spec.template.label

Bug fix

[PR #11271] [kubevirt-bot] Bug fix: VM controller doesn't corrupt its cache anymore
[PR #11242] [kubevirt-bot] Fix migration breaking in case the VM has an rng device after hotplugging a block volume on cgroupsv2
[PR #11069] [ormergi] Bug fix: Packet drops during the initial phase of VM live migration https://issues.redhat.com/browse/CNV-28040
[PR #11065] [fossedihelm] fix(vmclone): Generate VM patches from vmsnapshotcontent, instead of current VM
[PR #10963] [alromeros] Bugfix: Reject volume exports when no output is specified
[PR #10888] [fossedihelm] [Bugfix] Clone VM with WaitForFirstConsumer binding mode PVC now works.
[PR #10860] [akalenyu] BugFix: Double cloning with filter fails isolateEmulatorThread feature (BZ#2228103).
[PR #10845] [orelmisan] Reject VirtualMachineClone creation when target name is equal to source name
[PR #10753] [victortoso] Fixes permission when using USB host passthrough
[PR #10747] [acardace] Fix KubeVirt for CRIO 1.28 by using checksums to verify containerdisks when migrating VMIs
[PR #10699] [qinqon] virt-launcher: fix qemu non root log path
[PR #10689] [akalenyu] BugFix: cgroupsv2 device allowlist is bound to virt-handler internal state/block disk device overwritten on hotplug
[PR #10593] [RamLavi] Fixes SMT Alignment Error in virt-launcher pod by optimizing
[PR #11050] [fossedihelm] restrict default cluster role to authenticated only users
[PR #11047] [jschintag] Fix potential crash when trying to list USB devices on host without any
[PR #10916] [orelmisan] Fix the value of VMI Status.GuestOSInfo.Version
[PR #10046] [victortoso] Add v1alpha3 for hooks and fix migration when using sidecars

Deprecation

[PR #10924] [AlonaKaplan] Deprecate macvtap

SIG-compute

[PR #11054] [jean-edouard] New cluster-wide vmRolloutStrategy setting to define whether changes to VMs should either be always staged or live-updated when possible.
[PR #10961] [jcanocan] Reduced VM rescheduling time on node failure
[PR #10840] [acardace] Requests/Limits can now be configured when using CPU/Memory hotplug
[PR #10839] [RamLavi] Change second emulator thread assign strategy to best-effort.
[PR #10809] [orelmisan] Source virt-launcher: Log migration info by default
[PR #10783] [RamLavi] Support multiple CPUs in Housekeeping cgroup
[PR #11001] [fossedihelm] Allow kubevirt.io:default clusterRole to get,list kubevirts
[PR #10918] [orelmisan] VMClone: Emit an event in case restore creation fails
[PR #10898] [matthewei] vmi status's guestOsInfo adds Machine

SIG-storage

[PR #10657] [germag] Exposing Filesystem Persistent Volumes (PVs) to the VM using unprivilege virtiofsd.
[PR #10529] [alromeros] Allow LUN disks to be hotplugged

SIG-network

[PR #10981] [AlonaKaplan] Report IP of interfaces using network binding plugin.
[PR #10866] [AlonaKaplan] Raise an error in case passt feature gate or API are used.
[PR #10800] [AlonaKaplan] Support macvtap as a binding plugin
[PR #10425] [ormergi] Introduce network binding plugin for Passt networking, interfacing with Kubevirt new network binding plugin API.

SIG-infra

[PR #11025] [0xFelix] Allow unprivileged users read-only access to VirtualMachineCluster{Instancetypes,Preferences} by default.
[PR #10922] [kubevirt-bot] Updated common-instancetypes bundles to v0.4.0

SIG-scale

[PR #10571] [tiraboschi] vmi memory footprint increase by 35M when guest serial console logging is turned on (default on).

Monitoring

[PR #10982] [machadovilaca] Refactor monitoring metrics
[PR #10962] [machadovilaca] Update monitoring file structure
[PR #10853] [machadovilaca] Refactor monitoring collectors
[PR #10700] [machadovilaca] Refactor monitoring alerts
[PR #10693] [machadovilaca] Remove MigrateVmiDiskTransferRateMetric
[PR #10651] [machadovilaca] Refactor monitoring recording-rules
[PR #10570] [machadovilaca] Fix LowKVMNodesCount not firing
[PR #10418] [machadovilaca] Add total VMs created metric

Uncategorized

[PR #11144] [0xFelix] virtctl: Specifying size when creating a VM and using --volume-import to clone a PVC or a VolumeSnapshot is optional now
[PR #11122] [brianmcarey] Update runc dependency to v1.1.12
[PR #11068] [brianmcarey] Update container base image to use current stable debian 12 base
[PR #10914] [brianmcarey] KubeVirt is now built with go 1.21.5
[PR #10879] [brianmcarey] Built with golang 1.20.12
[PR #10863] [dhiller] Remove year from generated code copyright
[PR #10787] [matthewei] virtctl support to add template label and annotation filters
[PR #10720] [awels] Restored hotplug attachment pod request/limit to original value
[PR #10637] [dharmit] Functional tests for sidecar hook with ConfigMap
[PR #10615] [orelmisan] Remove leftover NonRoot feature gate
[PR #10598] [alicefr] Add PVC option to the hook sidecars for supplying additional debugging tools
[PR #10596] [mhenriks] Disable HTTP/2 to mitigate CVE-2023-44487
[PR #10582] [orelmisan] Remove leftover NonRootExperimental feature gate
[PR #10567] [awels] Attachment pod creation is now rate limited
[PR #10526] [cfilleke] Documents steps to build the KubeVirt builder container
[PR #10479] [dharmit] Ability to run scripts through hook sidecardevice
[PR #10244] [hshitomi] Added “adm” subcommand under “virtctl”, and “log-verbosity" subcommand under “adm”. The log-verbosity command is: to show the log verbosity of one or more components, to set the log verbosity of one or more components, and to reset the log verbosity of all components (reset to the default verbosity (2)).

Contributors

65 people contributed to this release:

Additional Resources

Mailing list: https://groups.google.com/forum/#!forum/kubevirt-dev
Slack: https://kubernetes.slack.com/messages/virtualization
An easy to use demo: https://github.com/kubevirt/demo
How to contribute
License

-----BEGIN PGP SIGNATURE-----

iQJIBAABCAAyFiEEL3WFe2eU+K2zCASGa/gKvUPjd9MFAmXnf6AUHGFjYXJkYWNl QHJlZGhhdC5jb20ACgkQa/gKvUPjd9MnKhAAq7FarHyi742Ara/2KdSnICUrwx2w ud9VQvPuvb0t9PbH4feUZar5cGg1thFZXf7kx5xk+1vEvHD1Wue5h2t5i0+qq17C om5fs4ZRy7zIiFWftAglcqLC/3iMTODo3esmReY5ALkwgDgXWRMORBVTAt34xI9+ PO2zTDB3caO1Dr5oDXVVLrgxMl2uPmhZkh46nlgq3AGtmByWrWO3Zdg0S9ym7RMK pA0E+71MX32Tti25lMkdLs4I0+kKHMIdHoLjedYGDoJ8Z+rDqg1e/9JF6/4z/Zl5 ArxMo0HDXmDhLqE4zJN7UdQGUppjj+CiGe4Eiox0rj4nj34vjlHOQDvD2dYdOs4l +Ca8vPzPMf7dCwuBra7VHJN1t62+wzoqxr1mNQ6Yhf2z87+MCm6i25h8V279ivSA qervlzzBjBDj9H+IwzSZET9sY8uAASz3lvSolhN9JBzX2J5vZXapYpKsbrSMBhOX nyaOUu75Ow7f67fJBnKkF+NR00gtMgPWTvu+rg1yvLFV0W3cTmFJK3aWkktNHwId SQVdCwODyDH9ZlYwceugiqBcEVPUaRcwpFC6kfJBejBsifG4OVgSzHQ5YDNmU2bc pzM6JMxpUnJw3o4VnsM0HdV2q0qb7jcASRVaHTs1lW/Xymiyrlq00sX8mf6Lz0fl Rwne5ssktT+kHd0= =WB1r -----END PGP SIGNATURE-----

`v1.1.1`

Compare Source

tag v1.1.1 Tagger: Luboslav Pivarc [email protected]

This release follows v1.1.0 and consists of 110 changes, contributed by 17 people, leading to 258 files changed, 12215 insertions(+), 3245 deletions(-).

The source code and selected binaries are available for download at: https://github.com/kubevirt/kubevirt/releases/tag/v1.1.1.

The primary release artifact of KubeVirt is the git tree. The release tag is signed and can be verified using git tag -v v1.1.1.

Pre-built containers are published on Quay and can be viewed at: https://quay.io/kubevirt/.

Notable changes

[PR #10757][RamLavi] Fixes SMT Alignment Error in virt-launcher pod by optimizing isolateEmulatorThread feature: https://issues.redhat.com/browse/CNV-31584.
[PR #10873][kubevirt-bot] Fix KubeVirt for CRIO 1.28 by using checksums to verify containerdisks when migrating VMIs
[PR #10869][akalenyu] BugFix: Double cloning with filter fails
[PR #10854][kubevirt-bot] Reject VirtualMachineClone creation when target name is equal to source name
[PR #10831][kubevirt-bot] Fix macvtap as a binding plugin
[PR #10829][kubevirt-bot] Fixes device permission when using USB host passthrough
[PR #10820][kubevirt-bot] Source virt-launcher: Log migration info by default
[PR #10816][kubevirt-bot] Extend kubvirt CR by adding domain attachment option to the network binding plugin API.
[PR #10714][kubevirt-bot] BugFix: cgroupsv2 device allowlist is bound to virt-handler internal state/block disk device overwritten on hotplug
[PR #10709][kubevirt-bot] virt-launcher: fix qemu non root log path
[PR #10669][kubevirt-bot] Introduce network binding plugin for Passt networking, interfacing with Kubevirt new network binding plugin API.

Contributors

17 people contributed to this release:

18 Edward Haas [email protected] 15 Ram Lavi [email protected] 14 Alona Paz [email protected] 6 Or Mergi [email protected] 5 Antonio Cardace [email protected] 5 Vasiliy Ulyanov [email protected] 4 Alex Kalenyuk [email protected] 4 Denis Ollier [email protected] 3 fossedihelm [email protected] 2 Orel Misan [email protected] 2 Victor Toso [email protected] 1 Enrique Llorente [email protected] 1 Felix Matouschek [email protected] 1 Karel Simon [email protected] 1 Michael Henriksen [email protected]

Additional Resources

Mailing list: https://groups.google.com/forum/#!forum/kubevirt-dev
Slack: https://kubernetes.slack.com/messages/virtualization
An easy to use demo: https://github.com/kubevirt/demo
How to contribute
License

-----BEGIN PGP SIGNATURE-----

iIkEABEIADEWIQS5aL5huPTZew1hSy9m6XN7mspnmQUCZYlexhMcbHBpdmFyY0By ZWRoYXQuY29tAAoJEGbpc3uaymeZt1oA/RZZ8Ci4pBvm0KFbzAug28NiCXeTN0qn DPomhtehWMecAQCpKWSJBJz3r2E6eD8R8zECZPdQRRx3SrimSCQX2ZLoPA== =uiB8 -----END PGP SIGNATURE-----

Merge pull request #10757 from RamLavi/release-1.1_add-full-pcpu-only-support

[release 1.1] isolateEmulatorThread: Add full-pcpu-only support

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Jul 29 '24 11:07 redhat-renovate-bot

kubevirt-tekton-tasks kubevirt-tekton-tasks copied to clipboard

chore(deps): update module kubevirt.io/kubevirt to v1.2.1 [security] (release-v0.17)

KubeVirt NULL pointer dereference flaw

Details

Severity

References

kubevirt allows a local attacker to execute arbitrary code via a crafted command

Details

Severity

References

Release Notes

v1.2.1

Notable changes

Contributors

Additional Resources

v1.2.0

Notable changes

API change

Bug fix

Deprecation

SIG-compute

SIG-storage

SIG-network

SIG-infra

SIG-scale

Monitoring

Uncategorized

Contributors

Additional Resources

v1.1.1

Notable changes

Contributors

Additional Resources

Configuration

kubevirt-tekton-tasks
kubevirt-tekton-tasks copied to clipboard

`v1.2.1`

`v1.2.0`

`v1.1.1`