Shulou(Shulou.com)06/03 Report--

Kubernetes released a new patch version to fix two recent security vulnerabilities (CVE-2019-9512 and CVE-2019-9514). Rancher responded quickly and released the latest version of Rancher v2.2.8 in the early hours of the next day, supporting the new version of Kubernetes.

Kubernetes CVE and repair version

The Go language is affected by the CVE-2019-9512 and CVE-2019-9514 vulnerabilities, so all versions and all components of Kubernetes are affected by this vulnerability. In addition, HTTP/2 traffic (including/healthz) is also affected. These two vulnerabilities also allow untrusted clients to allocate unlimited amounts of memory until the server crashes. The Product Safety Committee has assigned this set of vulnerabilities as CVSS with a score of 7.5. Based on this, Go released go1.12.8 and go1.11.13,Kubernetes and updated the patch version accordingly:

V1.13.10

V1.14.6

V1.15.3

For the security of your cluster, it is recommended that you upgrade all Kubernetes clusters to the newly released repair version. For more details on CVE, please see:

Https://groups.google.com/forum/m/#!topic/kubernetes-announce/p-c33PN6pzw

Rancher 2.2.8 release

In the early morning of August 21, Beijing time, Rancher Labs released a new version of Rancher v2.2.8, which supports Kubernetes's newly released patch versions (v1.13.10, v1.14.6, v1.15.3), which supports Kubernetes v1.14.6 by default and Kubernetes v1.15.3 on an experimental basis. And fixed the main bug in Rancher v2.2.7.

Currently, the Latest and Stable versions of Rancher are as follows:

At the same time, Rancher Labs officially released v2.1.13, which is available to users who have not yet upgraded to Rancher 2.2.x. This version of Rancher currently supports only Kubernetes v1.13.10.

Please note:

Rancher 1.6.x users are not affected by these two security vulnerabilities of Kubernetes because Rancher 1.6.x itself does not support the version of Kubernetes affected by these two vulnerabilities.

About users of Rancher 2.0.x:

Similar to Rancher 1.6.x, Rancher 2.0.x does not support the above Kubernetes version, so it is not affected by the two security vulnerabilities of Kubernetes.

As shown on the Rancher terms of Service page, Rancher 2.0.x is currently in the EOM to EOL support phase of its product lifecycle. Therefore, Rancher officially has no plans to release a version of the v2.0.x patch to fix these two vulnerabilities. For enterprise subscription customers of Rancher, if you have special circumstances and need to fix these two vulnerabilities in v2.0.x, please contact Rancher's technical support team. Alternatively, upgrade your Rancher to the latest version before the v2.0.x EOL date (November 1, 2019).

Bug repair

Fixed an issue where the user's global role cannot be changed if the user creates a cluster [22281]

Fixed an issue where the custom role could not be saved correctly if you selected the custom built-in role by clicking the name instead of the check box [22260]

If you want to know more about the above issue, please enter the issue number in the Rancher Github issue interface to query:

Https://github.com/rancher/rancher/issues

Download and upgrade

You can go to the Rancher GitHub home page to read the full Rancher 2.2.8 Release Note, download and use the latest version, or learn more about upgrade rollback.

GitHub link:

Https://github.com/rancher/rancher/releases/tag/v2.2.8

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.