File _patchinfo of Package patchinfo.19269
<patchinfo incident="19269">
  <issue tracker="cve" id="2025-30204"/>
  <issue tracker="cve" id="2019-14697"/>
  <issue tracker="cve" id="2023-45288"/>
  <issue tracker="bnc" id="1236522">VUL-0: CVE-2023-45288: flannel: golang.org/x/net/http2: close connections when receiving too many headers</issue>
  <issue tracker="bnc" id="1240516">VUL-0: CVE-2025-30204: flannel: github.com/golang-jwt/jwt/v4,github.com/golang-jwt/jwt/v5: jwt-go allows excessive memory allocation during header parsing</issue>
  <issue tracker="bnc" id="1218694">[k8s,kube-flannel] YAML File to set up Flannel Network Add-On is outdated</issue>
  <packager>psaggu</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for flannel</summary>
  <description>This update for flannel fixes the following issues:

- Update to version 0.27.4:
  * Removed PodSecurityPolicy manifest creation
  * Fix interface IP address detection in dual-stack mode
  * Fix: recreate VXLAN device (flannel.*) when external interface is deleted and re-added (#2247)
  * golangci-lint: fix iptables_test
  * firewall: add option to disable fully-random mode for MASQUERADE
  * Bump the tencent group with 2 updates
  * Bump github.com/coreos/go-systemd/v22 in the other-go-modules group
  * Bump golang.org/x/sys in the other-go-modules group
  * Bump the etcd group with 4 updates
  * Bump etcd version in tests
  * Stop using deprecated cache.NewIndexerInformer function
  * Bump k8s test version
  * Bump k8s deps to v0.31.11
  * Bump the other-go-modules group with 2 updates
  * helm chart: add nodeSelector in the helm chart
  * Updated Alpine image
  * Added flag to enable blackhole route locally for Canal
  * Bump golang.org/x/sync in the other-go-modules group
  * make enqueueLeaseEvent context aware and prevent dangling goroutines when context is done - fixed a typo/build error
  * make retry interval exp backoff
  * cont_when_cache_not_ready configurable with fail by default
  * use semaphore as opposed to raw signal channel
  * Update pkg/subnet/kube/kube.go
  * Fix deadlock in startup for large clusters
  * enable setting resources in helm chart
  * capture close() err on subnet file save (#2248)
  * doc: document flag --iptables-forward-rules
  * Bump netlink to v1.3.1
  * fix: clean-up rules when starting instead of shutting down
  * Bump k8s and sles test version
  * Add modprobe br_netfilter step in test workflows
  * test: don't run the workflows on "push" events
  * Update to the latest flannel cni-plugins v1.7.1
  * Move to go 1.23.6
- Update to version 0.26.6:
  * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
  * Bump the etcd group with 4 updates
  * Bump the tencent group with 2 updates
  * Organize dependabot PR's more clearly by using groups
  * Use peer's wireguard port, not our own
  * Bump to codeql v3
  * Pin all GHA to a specific SHA commit
  * Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (fix CVE-2025-30204, boo#1240516)
  * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
  * Bump go.etcd.io/etcd/tests/v3 from 3.5.18 to 3.5.20
  * add missing GH_TOKEN env var in release.yaml
  * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
  * Upload chart archive with the release files
  * make deps
  * refactor release.yaml to reduce use of potentially vulnerable GH Actions
  * Bump golang.org/x/net from 0.34.0 to 0.36.0
  * enable setting CNI directory paths in helm chart
  * Added cni file configuration on the chart
  * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
  * Bump github.com/avast/retry-go/v4 from 4.6.0 to 4.6.1
- Update to version 0.26.4:
  * Moved to github container registry
  * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
  * Bump go.etcd.io/etcd/tests/v3 from 3.5.17 to 3.5.18
  * fix: Fix high CPU usage when losing etcd connection and try to re-establish connection with exponential backoff
  * Bump github.com/containernetworking/plugins from 1.6.1 to 1.6.2
  * Bump alpine from 20240923 to 20250108 in /images
  * Bump golang.org/x/net from 0.31.0 to 0.33.0
  * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
  * Bump github.com/jonboulle/clockwork from 0.4.0 to 0.5.0
  * feat: add bool to control CNI config installation using Helm
  * fix: add missing MY_NODE_NAME env in chart
  * Bump k8s deps to 0.29.12
  * Don't panic upon shutdown when running in standalone mode
  * Bump golang.org/x/crypto from 0.29.0 to 0.31.0
  * Bump alpine from 20240807 to 20240923 in /images
  * Bump github.com/containernetworking/plugins from 1.6.0 to 1.6.1
  * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
  * Bump github.com/vishvananda/netns from 0.0.4 to 0.0.5
  * Use the standard context library
  * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
  * Updated flannel cni image to 1.6.0
  * Updated CNI plugins version on the README
  * Bump sigs.k8s.io/knftables from 0.0.17 to 0.0.18
  * Bump github.com/golang-jwt/jwt/v4 from 4.4.2 to 4.5.1
  * Bump github.com/Microsoft/hcsshim from 0.12.8 to 0.12.9
  * Added check to not check br_filter in case of windows
  * Bump golangci-lint to latest version
  * Bump to go 1.23
  * Added checks for br_netfilter module
  * Try not to cleanup multiple peers behind same PublicIP
  * fix trivy check
  * check that the lease includes an IP address of the requested family before configuring the flannel interface
  * Fixed IPv6 chosen in case of public-ipv6 configured
  * add timeout to e2e test pipelines
  * Update k8s version in e2e tests to v1.29.8
  * Update netlink to v1.3.0
  * Fixed values file on flannel chart
  * Bump k8s.io/klog/v2 from 2.120.1 to 2.130.1
  * Updated Flannel chart with Netpol container and removed clustercidr
  * Fix bug in hostgw-windows
  * Fix bug in the logic polling the interface
  * Added node-public-ip annotation
  * Try several times to contact kube-api before failing
  * Fixed IPv6 0 initialization
  * wireguard backend: avoid error message if route already exists
  * Bump github.com/avast/retry-go/v4 from 4.5.1 to 4.6.0
  * use wait.PollUntilContextTimeout instead of deprecated wait.Poll
  * troubleshooting.md: add `ethtool -K flannel.1 tx-checksum-ip-generic off` for NAT
  * Added configuration for public-ip through node annotation
  * extension/vxlan: remove arp commands from vxlan examples
  * Refactor TrafficManager windows files to clarify logs
  * Add persistent-mac option to v6 too
  * fix comparison with previous networks in SetupAndEnsureMasqRules
  * show content of stdout and stderr when running iptables-restore returns an error
  * Add extra check before contacting kube-api
  * remove unimplemented error in windows trafficmngr
  * remove --dirty flags in git describe
  * Added leaseAttr string method with logs on VxLan
  * remove multiClusterCidr related-code.
  * Implement nftables masquerading for flannel
  * fix: ipv6 iptables rules were created even when IPv6 was disabled
  * Add tolerations to the flannel chart
  * Added additional check for n.spec.podCIDRs
  * Remove net-tools since it's an old package that we are not using
  * fix iptables_windows.go
  * Clean-up Makefile and use docker buildx locally
  * Use manual test to ensure iptables-* binaries are present
  * Bump github.com/containerd/containerd from 1.6.23 to 1.6.26
  * Bump github.com/joho/godotenv
  * SubnetManager should use the main context
  * Simplify TrafficManager interface
  * refactor iptables package to prepare for nftables-based implementation
- flannel v0.26.4 includes `golang.org/x/net/http2` at v0.34.0, which fixes boo#1236522 (CVE-2023-45288)
- Update to version 0.24.2:
  * Prepare for v0.24.2 release
  * Increase the time out for interface checking in windows
  * Prepare for v0.24.1 release
  * Provide support to select the interface in Windows
  * Improve the log from powershell
  * Wait all the jobs to finish before deploy the github-page
  * remove remaining references to mips64le
  * add multi-arch dockerfile
  * add missing riscv64 in docker manifest create step
  * prepare for v0.24.0 release
  * Bump golang.org/x/crypto from 0.15.0 to 0.17.0
  * Add the VNI to the error message in Windows
  * chart: add possibility for defining image pull secrets in daemonset
  * Remove multiclustercidr logic from code
  * Update opentelemetry dependencies
  * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  * Add riscv64 arch in GH actions
  * vxlan vni should not be type uint16
  * Quote wireguard psk in helm chart
  * add riscv64 support
- Update to 0.14.0:
  * Add tencent cloud VPC network support
  * moving go modules to flannel-io/flannel and updating to go 1.16
  * fix(windows): nil pointer panic
  * Preserve environment for extension backend
  * Fix flannel hang if lease expired
  * Documentation for the Flannel upgrade/downgrade procedure
  * Move from glog to klog
  * fix(host-gw): failed to restart if gateway hnsep existed
  * ipsec: use well known paths of charon daemon
  * upgrade client-go to 1.19.4
  * move from juju/errors to pkg/errors
  * subnets: move forward the cursor to skip illegal subnet
  * Fix Expired URL to Deploying Flannel with kubeadm
  * Modify kube-flannel.yaml to use rbac.authorization.k8s.io/v1
  * preserve AccessKey &amp; AccessKeySecret environment on sudo
  * fix some typos in doc.
  * iptables: handle errors that prevent rule deletes
- Sync manifest with upstream (0.13.0 release). Includes the following changes:
  * Fix typo and invalid indent in kube-flannel.yml
  * Use stable os and arch label for node
  * set priorityClassName to system-node-critical
  * Add NET_RAW capability to support cri-o
  * Use multi-arch Docker images in the Kubernetes manifest
- Set GO111MODULE=auto to build with go1.16+
  * Default changed to GO111MODULE=on in go1.16
  * Set temporarily until using upstream version with go.mod
- update to 0.13.0:
  * Use multi-arch Docker images in the Kubernetes manifest
  * Accept existing XMRF policies and update them instead of raising errors
  * Add --no-sanity-check to iptables-wrapper-installer.sh for architectures other than amd64
  * Use "docker manifest" to publish multi-arch Docker images
  * Add NET_RAW capability to support cri-o
  * remove glide
  * switch to go modules
  * Add and implement iptables-wrapper-installer.sh from https://github.com/kubernetes-sigs/iptables-wrappers
  * documentation: set priorityClassName to system-node-critical
  * Added a hint for firewall rules
  * Disabling ipv6 accept_ra explicitly on the created interface
  * use alpine 3.12 everywhere
  * windows: replace old netsh (rakelkar/gonetsh) with powershell commands
  * fix CVE-2019-14697
  * Bugfix: VtepMac would be empty when lease re-acquire for windows
  * Use stable os and arch label for node
  * doc(awsvpc): correct the required permissions
- update to 0.12.0:
  * fix deleteLease
  * Use publicIP lookup iface if --public-ip indicated
  * kubernetes 1.16 cni error
  * Add cniVersion to general CNI plugin configuration.
  * Needs to clear NodeNetworkUnavailable flag on Kubernetes
  * Replaces gorillalabs go-powershell with bhendo/go-powershell
  * Make VXLAN device learning attribute configurable
  * change nodeSelector to nodeAffinity and schedule the pod to linux node
  * This PR adds the cni version to the cni-conf.yaml inside the kube-flannel-cfg configmap
  * EnableNonPersistent flag for Windows Overlay networks
  * snap package.
  * Update lease with DR Mac
  * main.go: add the "net-config-path" flag
  * Deploy Flannel with unprivileged PSP
  * Enable local host to local pod connectivity in Windows VXLAN
  * Update hcsshim for HostRoute policy in Windows VXLAN
</description>
</patchinfo>