diff --git a/CHANGELOG/CHANGELOG-1.28.md b/CHANGELOG/CHANGELOG-1.28.md index 47c06c42252..ced171b3995 100644 --- a/CHANGELOG/CHANGELOG-1.28.md +++ b/CHANGELOG/CHANGELOG-1.28.md 
@@ -1,39 +1,47 @@ -- [v1.28.102-akslts](#v128102-akslts) - - [Downloads for v1.28.102-akslts](#downloads-for-v128102-akslts) +- [v1.28.103-akslts](#v128103-akslts) + - [Downloads for v1.28.103-akslts](#downloads-for-v128103-akslts) - [Source Code](#source-code) - - [Changelog since v1.28.101-akslts](#changelog-since-v128101-akslts) + - [Changelog since v1.28.102-akslts](#changelog-since-v128102-akslts) - [Important Security Information](#important-security-information) - - [CVE-2025-5187: Nodes can delete themselves by adding an OwnerReference](#cve-2025-5187-nodes-can-delete-themselves-by-adding-an-ownerreference) + - [CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager](#cve-2025-13281-portworx-half-blind-ssrf-in-kube-controller-manager) - [Changes by Kind](#changes-by-kind) - [Bug or Regression](#bug-or-regression) +- [v1.28.102-akslts](#v128102-akslts) + - [Downloads for v1.28.102-akslts](#downloads-for-v128102-akslts) + - [Source Code](#source-code-1) + - [Changelog since v1.28.101-akslts](#changelog-since-v128101-akslts) + - [Important Security Information](#important-security-information-1) + - [CVE-2025-5187: Nodes can delete themselves by adding an OwnerReference](#cve-2025-5187-nodes-can-delete-themselves-by-adding-an-ownerreference) + - [Changes by Kind](#changes-by-kind-1) + - [Bug or Regression](#bug-or-regression-1) - [v1.28.101-akslts](#v128101-akslts) - [Downloads for v1.28.101-akslts](#downloads-for-v128101-akslts) - - [Source Code](#source-code-1) + - [Source Code](#source-code-2) - [Changelog since v1.28.100-akslts](#changelog-since-v128100-akslts) - - [Important Security Information](#important-security-information-1) + - [Important Security Information](#important-security-information-2) - [CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API](#cve-2025-0426-node-denial-of-service-via-kubelet-checkpoint-api) - - [Changes by Kind](#changes-by-kind-1) + - [Changes by Kind](#changes-by-kind-2) - [Feature](#feature) - 
[v1.28.100-akslts](#v128100-akslts) - [Downloads for v1.28.100-akslts](#downloads-for-v128100-akslts) - - [Source Code](#source-code-2) + - [Source Code](#source-code-3) - [Changelog since v1.28.15](#changelog-since-v12815) - - [Important Security Information](#important-security-information-2) + - [Important Security Information](#important-security-information-3) - [CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API](#cve-2024-9042-command-injection-affecting-windows-nodes-via-nodeslogsquery-api) - - [Changes by Kind](#changes-by-kind-2) + - [Changes by Kind](#changes-by-kind-3) - [Feature](#feature-1) - [v1.28.15](#v12815) - [Downloads for v1.28.15](#downloads-for-v12815) - - [Source Code](#source-code-3) + - [Source Code](#source-code-4) - [Client Binaries](#client-binaries) - [Server Binaries](#server-binaries) - [Node Binaries](#node-binaries) - [Container Images](#container-images) - [Changelog since v1.28.14](#changelog-since-v12814) - - [Changes by Kind](#changes-by-kind-3) + - [Changes by Kind](#changes-by-kind-4) - [Feature](#feature-2) - - [Bug or Regression](#bug-or-regression-1) + - [Bug or Regression](#bug-or-regression-2) - [Other (Cleanup or Flake)](#other-cleanup-or-flake) - [Dependencies](#dependencies) - [Added](#added) 
@@ -41,77 +49,77 @@ - [Removed](#removed) - [v1.28.14](#v12814) - [Downloads for v1.28.14](#downloads-for-v12814) - - [Source Code](#source-code-4) + - [Source Code](#source-code-5) - [Client Binaries](#client-binaries-1) - [Server Binaries](#server-binaries-1) - [Node Binaries](#node-binaries-1) - [Container Images](#container-images-1) - [Changelog since v1.28.13](#changelog-since-v12813) - - [Changes by Kind](#changes-by-kind-4) + - [Changes by Kind](#changes-by-kind-5) - [Feature](#feature-3) - - [Bug or Regression](#bug-or-regression-2) + - [Bug or Regression](#bug-or-regression-3) - [Dependencies](#dependencies-1) - [Added](#added-1) - [Changed](#changed-1) - [Removed](#removed-1) - [v1.28.13](#v12813) - [Downloads for v1.28.13](#downloads-for-v12813) - - [Source Code](#source-code-5) + - [Source Code](#source-code-6) - [Client Binaries](#client-binaries-2) - [Server Binaries](#server-binaries-2) - [Node Binaries](#node-binaries-2) - [Container Images](#container-images-2) - [Changelog since v1.28.12](#changelog-since-v12812) - - [Changes by Kind](#changes-by-kind-5) + - [Changes by Kind](#changes-by-kind-6) - [API Change](#api-change) - - [Bug or Regression](#bug-or-regression-3) + - [Bug or Regression](#bug-or-regression-4) - [Dependencies](#dependencies-2) - [Added](#added-2) - [Changed](#changed-2) - [Removed](#removed-2) - [v1.28.12](#v12812) - [Downloads for v1.28.12](#downloads-for-v12812) - - [Source Code](#source-code-6) + - [Source Code](#source-code-7) - [Client Binaries](#client-binaries-3) - [Server Binaries](#server-binaries-3) - [Node Binaries](#node-binaries-3) - [Container Images](#container-images-3) - [Changelog since v1.28.11](#changelog-since-v12811) - - [Important Security Information](#important-security-information-3) + - [Important Security Information](#important-security-information-4) - [CVE-2024-5321: Incorrect permissions on Windows containers logs](#cve-2024-5321-incorrect-permissions-on-windows-containers-logs) - - [Changes by 
Kind](#changes-by-kind-6) + - [Changes by Kind](#changes-by-kind-7) - [Feature](#feature-4) - - [Bug or Regression](#bug-or-regression-4) + - [Bug or Regression](#bug-or-regression-5) - [Dependencies](#dependencies-3) - [Added](#added-3) - [Changed](#changed-3) - [Removed](#removed-3) - [v1.28.11](#v12811) - [Downloads for v1.28.11](#downloads-for-v12811) - - [Source Code](#source-code-7) + - [Source Code](#source-code-8) - [Client Binaries](#client-binaries-4) - [Server Binaries](#server-binaries-4) - [Node Binaries](#node-binaries-4) - [Container Images](#container-images-4) - [Changelog since v1.28.10](#changelog-since-v12810) - - [Changes by Kind](#changes-by-kind-7) + - [Changes by Kind](#changes-by-kind-8) - [API Change](#api-change-1) - [Feature](#feature-5) - - [Bug or Regression](#bug-or-regression-5) + - [Bug or Regression](#bug-or-regression-6) - [Dependencies](#dependencies-4) - [Added](#added-4) - [Changed](#changed-4) - [Removed](#removed-4) - [v1.28.10](#v12810) - [Downloads for v1.28.10](#downloads-for-v12810) - - [Source Code](#source-code-8) + - [Source Code](#source-code-9) - [Client Binaries](#client-binaries-5) - [Server Binaries](#server-binaries-5) - [Node Binaries](#node-binaries-5) - [Container Images](#container-images-5) - [Changelog since v1.28.9](#changelog-since-v1289) - - [Changes by Kind](#changes-by-kind-8) - - [Bug or Regression](#bug-or-regression-6) + - [Changes by Kind](#changes-by-kind-9) + - [Bug or Regression](#bug-or-regression-7) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-1) - [Dependencies](#dependencies-5) - [Added](#added-5) 
@@ -119,32 +127,32 @@ - [Removed](#removed-5) - [v1.28.9](#v1289) - [Downloads for v1.28.9](#downloads-for-v1289) - - [Source Code](#source-code-9) + - [Source Code](#source-code-10) - [Client Binaries](#client-binaries-6) - [Server Binaries](#server-binaries-6) - [Node Binaries](#node-binaries-6) - [Container Images](#container-images-6) - [Changelog since v1.28.8](#changelog-since-v1288) - - [Important Security Information](#important-security-information-4) + - [Important Security Information](#important-security-information-5) - [CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2024-3177-bypassing-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin) - - [Changes by Kind](#changes-by-kind-9) + - [Changes by Kind](#changes-by-kind-10) - [Feature](#feature-6) - - [Bug or Regression](#bug-or-regression-7) + - [Bug or Regression](#bug-or-regression-8) - [Dependencies](#dependencies-6) - [Added](#added-6) - [Changed](#changed-6) - [Removed](#removed-6) - [v1.28.8](#v1288) - [Downloads for v1.28.8](#downloads-for-v1288) - - [Source Code](#source-code-10) + - [Source Code](#source-code-11) - [Client Binaries](#client-binaries-7) - [Server Binaries](#server-binaries-7) - [Node Binaries](#node-binaries-7) - [Container Images](#container-images-7) - [Changelog since v1.28.7](#changelog-since-v1287) - - [Changes by Kind](#changes-by-kind-10) + - [Changes by Kind](#changes-by-kind-11) - [Feature](#feature-7) - - [Bug or Regression](#bug-or-regression-8) + - [Bug or Regression](#bug-or-regression-9) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-2) - [Dependencies](#dependencies-7) - [Added](#added-7) 
@@ -152,30 +160,30 @@ - [Removed](#removed-7) - [v1.28.7](#v1287) - [Downloads for v1.28.7](#downloads-for-v1287) - - [Source Code](#source-code-11) + - [Source Code](#source-code-12) - [Client Binaries](#client-binaries-8) - [Server Binaries](#server-binaries-8) - [Node Binaries](#node-binaries-8) - [Container Images](#container-images-8) - [Changelog since v1.28.6](#changelog-since-v1286) - - [Changes by Kind](#changes-by-kind-11) + - [Changes by Kind](#changes-by-kind-12) - [Feature](#feature-8) - - [Bug or Regression](#bug-or-regression-9) + - [Bug or Regression](#bug-or-regression-10) - [Dependencies](#dependencies-8) - [Added](#added-8) - [Changed](#changed-8) - [Removed](#removed-8) - [v1.28.6](#v1286) - [Downloads for v1.28.6](#downloads-for-v1286) - - [Source Code](#source-code-12) + - [Source Code](#source-code-13) - [Client Binaries](#client-binaries-9) - [Server Binaries](#server-binaries-9) - [Node Binaries](#node-binaries-9) - [Container Images](#container-images-9) - [Changelog since v1.28.5](#changelog-since-v1285) - - [Changes by Kind](#changes-by-kind-12) + - [Changes by Kind](#changes-by-kind-13) - [Feature](#feature-9) - - [Bug or Regression](#bug-or-regression-10) + - [Bug or Regression](#bug-or-regression-11) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-3) - [Dependencies](#dependencies-9) - [Added](#added-9) 
@@ -183,15 +191,15 @@ - [Removed](#removed-9) - [v1.28.5](#v1285) - [Downloads for v1.28.5](#downloads-for-v1285) - - [Source Code](#source-code-13) + - [Source Code](#source-code-14) - [Client Binaries](#client-binaries-10) - [Server Binaries](#server-binaries-10) - [Node Binaries](#node-binaries-10) - [Container Images](#container-images-10) - [Changelog since v1.28.4](#changelog-since-v1284) - - [Changes by Kind](#changes-by-kind-13) + - [Changes by Kind](#changes-by-kind-14) - [Feature](#feature-10) - - [Bug or Regression](#bug-or-regression-11) + - [Bug or Regression](#bug-or-regression-12) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-4) - [Dependencies](#dependencies-10) - [Added](#added-10) 
@@ -199,34 +207,34 @@ - [Removed](#removed-10) - [v1.28.4](#v1284) - [Downloads for v1.28.4](#downloads-for-v1284) - - [Source Code](#source-code-14) + - [Source Code](#source-code-15) - [Client Binaries](#client-binaries-11) - [Server Binaries](#server-binaries-11) - [Node Binaries](#node-binaries-11) - [Container Images](#container-images-11) - [Changelog since v1.28.3](#changelog-since-v1283) - - [Important Security Information](#important-security-information-5) + - [Important Security Information](#important-security-information-6) - [CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes](#cve-2023-5528-insufficient-input-sanitization-in-in-tree-storage-plugin-leads-to-privilege-escalation-on-windows-nodes) - - [Changes by Kind](#changes-by-kind-14) + - [Changes by Kind](#changes-by-kind-15) - [API Change](#api-change-2) - [Feature](#feature-11) - - [Bug or Regression](#bug-or-regression-12) + - [Bug or Regression](#bug-or-regression-13) - [Dependencies](#dependencies-11) - [Added](#added-11) - [Changed](#changed-11) - [Removed](#removed-11) - [v1.28.3](#v1283) - [Downloads for v1.28.3](#downloads-for-v1283) - - [Source Code](#source-code-15) + - [Source Code](#source-code-16) - [Client Binaries](#client-binaries-12) - [Server Binaries](#server-binaries-12) - [Node Binaries](#node-binaries-12) - [Container Images](#container-images-12) - [Changelog since v1.28.2](#changelog-since-v1282) - - [Changes by Kind](#changes-by-kind-15) + - [Changes by Kind](#changes-by-kind-16) - [Feature](#feature-12) - [Failing Test](#failing-test) - - [Bug or Regression](#bug-or-regression-13) + - [Bug or Regression](#bug-or-regression-14) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-5) - [Dependencies](#dependencies-12) - [Added](#added-12) 
@@ -234,32 +242,32 @@ - [Removed](#removed-12) - [v1.28.2](#v1282) - [Downloads for v1.28.2](#downloads-for-v1282) - - [Source Code](#source-code-16) + - [Source Code](#source-code-17) - [Client Binaries](#client-binaries-13) - [Server Binaries](#server-binaries-13) - [Node Binaries](#node-binaries-13) - [Container Images](#container-images-13) - [Changelog since v1.28.1](#changelog-since-v1281) - - [Changes by Kind](#changes-by-kind-16) + - [Changes by Kind](#changes-by-kind-17) - [API Change](#api-change-3) - [Feature](#feature-13) - - [Bug or Regression](#bug-or-regression-14) + - [Bug or Regression](#bug-or-regression-15) - [Dependencies](#dependencies-13) - [Added](#added-13) - [Changed](#changed-13) - [Removed](#removed-13) - [v1.28.1](#v1281) - [Downloads for v1.28.1](#downloads-for-v1281) - - [Source Code](#source-code-17) + - [Source Code](#source-code-18) - [Client Binaries](#client-binaries-14) - [Server Binaries](#server-binaries-14) - [Node Binaries](#node-binaries-14) - [Container Images](#container-images-14) - [Changelog since v1.28.0](#changelog-since-v1280) - - [Important Security Information](#important-security-information-6) + - [Important Security Information](#important-security-information-7) - [CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3955-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation) - [CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3676-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation) - - [Changes by Kind](#changes-by-kind-17) + - [Changes by Kind](#changes-by-kind-18) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-6) - [Dependencies](#dependencies-14) - [Added](#added-14) 
@@ -267,7 +275,7 @@ - [Removed](#removed-14) - [v1.28.0](#v1280) - [Downloads for v1.28.0](#downloads-for-v1280) - - [Source Code](#source-code-18) + - [Source Code](#source-code-19) - [Client Binaries](#client-binaries-15) - [Server Binaries](#server-binaries-15) - [Node Binaries](#node-binaries-15) @@ -275,13 +283,13 @@ - [Changelog since v1.27.0](#changelog-since-v1270) - [Urgent Upgrade Notes](#urgent-upgrade-notes) - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade) - - [Changes by Kind](#changes-by-kind-18) + - [Changes by Kind](#changes-by-kind-19) - [Deprecation](#deprecation) - [API Change](#api-change-4) - [Feature](#feature-14) - [Documentation](#documentation) - [Failing Test](#failing-test-1) - - [Bug or Regression](#bug-or-regression-15) + - [Bug or Regression](#bug-or-regression-16) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-7) - [Dependencies](#dependencies-15) - [Added](#added-15) 
@@ -289,29 +297,29 @@ - [Removed](#removed-15) - [v1.28.0-rc.1](#v1280-rc1) - [Downloads for v1.28.0-rc.1](#downloads-for-v1280-rc1) - - [Source Code](#source-code-19) + - [Source Code](#source-code-20) - [Client Binaries](#client-binaries-16) - [Server Binaries](#server-binaries-16) - [Node Binaries](#node-binaries-16) - [Container Images](#container-images-16) - [Changelog since v1.28.0-rc.0](#changelog-since-v1280-rc0) - - [Changes by Kind](#changes-by-kind-19) + - [Changes by Kind](#changes-by-kind-20) - [API Change](#api-change-5) - [Feature](#feature-15) - - [Bug or Regression](#bug-or-regression-16) + - [Bug or Regression](#bug-or-regression-17) - [Dependencies](#dependencies-16) - [Added](#added-16) - [Changed](#changed-16) - [Removed](#removed-16) - [v1.28.0-rc.0](#v1280-rc0) - [Downloads for v1.28.0-rc.0](#downloads-for-v1280-rc0) - - [Source Code](#source-code-20) + - [Source Code](#source-code-21) - [Client Binaries](#client-binaries-17) - [Server Binaries](#server-binaries-17) - [Node Binaries](#node-binaries-17) - [Container Images](#container-images-17) - [Changelog since v1.28.0-beta.0](#changelog-since-v1280-beta0) - - [Changes by Kind](#changes-by-kind-20) + - [Changes by Kind](#changes-by-kind-21) - [API Change](#api-change-6) - [Feature](#feature-16) - [Dependencies](#dependencies-17) 
@@ -320,18 +328,18 @@ - [Removed](#removed-17) - [v1.28.0-beta.0](#v1280-beta0) - [Downloads for v1.28.0-beta.0](#downloads-for-v1280-beta0) - - [Source Code](#source-code-21) + - [Source Code](#source-code-22) - [Client Binaries](#client-binaries-18) - [Server Binaries](#server-binaries-18) - [Node Binaries](#node-binaries-18) - [Container Images](#container-images-18) - [Changelog since v1.28.0-alpha.4](#changelog-since-v1280-alpha4) - - [Changes by Kind](#changes-by-kind-21) + - [Changes by Kind](#changes-by-kind-22) - [Deprecation](#deprecation-1) - [API Change](#api-change-7) - [Feature](#feature-17) - [Failing Test](#failing-test-2) - - [Bug or Regression](#bug-or-regression-17) + - [Bug or Regression](#bug-or-regression-18) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-8) - [Dependencies](#dependencies-18) - [Added](#added-18) @@ -339,7 +347,7 @@ - [Removed](#removed-18) - [v1.28.0-alpha.4](#v1280-alpha4) - [Downloads for v1.28.0-alpha.4](#downloads-for-v1280-alpha4) - - [Source Code](#source-code-22) + - [Source Code](#source-code-23) - [Client Binaries](#client-binaries-19) - [Server Binaries](#server-binaries-19) - [Node Binaries](#node-binaries-19) @@ -347,11 +355,11 @@ - [Changelog since v1.28.0-alpha.3](#changelog-since-v1280-alpha3) - [Urgent Upgrade Notes](#urgent-upgrade-notes-1) - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade-1) - - [Changes by Kind](#changes-by-kind-22) + - [Changes by Kind](#changes-by-kind-23) - [Deprecation](#deprecation-2) - [API Change](#api-change-8) - [Feature](#feature-18) - - [Bug or Regression](#bug-or-regression-18) + - [Bug or Regression](#bug-or-regression-19) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-9) - [Dependencies](#dependencies-19) - [Added](#added-19) 
@@ -359,17 +367,17 @@ - [Removed](#removed-19) - [v1.28.0-alpha.3](#v1280-alpha3) - [Downloads for v1.28.0-alpha.3](#downloads-for-v1280-alpha3) - - [Source Code](#source-code-23) + - [Source Code](#source-code-24) - [Client Binaries](#client-binaries-20) - [Server Binaries](#server-binaries-20) - [Node Binaries](#node-binaries-20) - [Container Images](#container-images-20) - [Changelog since v1.28.0-alpha.2](#changelog-since-v1280-alpha2) - - [Changes by Kind](#changes-by-kind-23) + - [Changes by Kind](#changes-by-kind-24) - [Deprecation](#deprecation-3) - [API Change](#api-change-9) - [Feature](#feature-19) - - [Bug or Regression](#bug-or-regression-19) + - [Bug or Regression](#bug-or-regression-20) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-10) - [Dependencies](#dependencies-20) - [Added](#added-20) @@ -377,7 +385,7 @@ - [Removed](#removed-20) - [v1.28.0-alpha.2](#v1280-alpha2) - [Downloads for v1.28.0-alpha.2](#downloads-for-v1280-alpha2) - - [Source Code](#source-code-24) + - [Source Code](#source-code-25) - [Client Binaries](#client-binaries-21) - [Server Binaries](#server-binaries-21) - [Node Binaries](#node-binaries-21) @@ -385,9 +393,9 @@ - [Changelog since v1.28.0-alpha.1](#changelog-since-v1280-alpha1) - [Urgent Upgrade Notes](#urgent-upgrade-notes-2) - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade-2) - - [Changes by Kind](#changes-by-kind-24) + - [Changes by Kind](#changes-by-kind-25) - [Feature](#feature-20) - - [Bug or Regression](#bug-or-regression-20) + - [Bug or Regression](#bug-or-regression-21) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-11) - [Dependencies](#dependencies-21) - [Added](#added-21) 
@@ -395,19 +403,19 @@ - [Removed](#removed-21) - [v1.28.0-alpha.1](#v1280-alpha1) - [Downloads for v1.28.0-alpha.1](#downloads-for-v1280-alpha1) - - [Source Code](#source-code-25) + - [Source Code](#source-code-26) - [Client Binaries](#client-binaries-22) - [Server Binaries](#server-binaries-22) - [Node Binaries](#node-binaries-22) - [Container Images](#container-images-22) - [Changelog since v1.27.0](#changelog-since-v1270-1) - - [Changes by Kind](#changes-by-kind-25) + - [Changes by Kind](#changes-by-kind-26) - [Deprecation](#deprecation-4) - [API Change](#api-change-10) - [Feature](#feature-21) - [Documentation](#documentation-1) - [Failing Test](#failing-test-3) - - [Bug or Regression](#bug-or-regression-21) + - [Bug or Regression](#bug-or-regression-22) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-12) - [Dependencies](#dependencies-22) - [Added](#added-22) 
@@ -415,6 +423,42 @@ - [Removed](#removed-22) +# v1.28.103-akslts + +## Downloads for v1.28.103-akslts +### Source Code +filename | sha512 hash +-------- | ----------- +[kubernetes.tar.gz](https://github.com/aks-lts/kubernetes/archive/refs/tags/v1.28.103-akslts.tar.gz) | a056d1f7dce1701deab1e6e89b6709c1fc42d96b66cffb9c002e1e69ff97aca80489d7bd7ccb455c2ee732a98da319a5b4bfba572e475988249024a86cc1b7ac +[kubernetes.zip](https://github.com/aks-lts/kubernetes/archive/refs/tags/v1.28.103-akslts.zip) | 2d9facad26c115966d31d148fdcfb6adda8df36a956a571f50f22829478d4925e67439a23b999c72f56c5b0466a63f24d0bf03cf430b367e26efe76fd96b1215 + +## Changelog since v1.28.102-akslts + +## Important Security Information + +This release contains changes that address the following vulnerabilities: + +### CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager + +A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This was patched for other in-tree StorageClasses (GlusterFS, Quobyte, StorageOS, and ScaleIO) as part of CVE-2020-8555. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services). + +An attacker with permissions to create a pod using the built-in Portworx StorageClass can cause kube-controller-manager to make GET requests (without an attacker controlled request body) from within the control plane’s host network and make the corresponding HTTP response body visible as part of event objects created by kube-controller-manager. + +The in-tree Portworx StorageClass has been disabled by default starting in version v1.31 from the CSIMigrationPortworx feature gate. As a result, currently supported versions greater than or equal to v1.32 are not impacted unless the CSIMigrationPortworx feature gate is disabled with an override. 
+ +The issue was fixed and coordinated by Ankit Gohil @gohilankit + +**CVSS Rating:** Medium (5.8) [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N) + +Upstream tracking: [[kubernetes/kubernetes#135525]](https://github.com/kubernetes/kubernetes/issues/135525) + + +## Changes by Kind +### Bug or Regression + +- Cherry pick #135525 on release-1.28 to clean up event messages for errors in Portworx in-tree driver ([#76](https://github.com/aks-lts/kubernetes/pull/76)) + + # v1.28.102-akslts ## Downloads for v1.28.102-akslts
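Review bot: The renumbered TOC anchors in the hunks from `@@ -1,39 +1,47 @@` through `@@ -395,19 +403,19 @@` retarget existing deep links without any visible sign. `#important-security-information-1` pointed at the v1.28.101-akslts section (CVE-2025-0426) before this change and points at the v1.28.102-akslts section (CVE-2025-5187) after it, and every other numbered suffix shifts by one in the same way. Please confirm the TOC was regenerated by the changelog tooling rather than edited by hand, so the suffixes match the headings in the body. Anything outside this file that links to a security section should use the CVE-specific anchor, such as `#cve-2025-5187-nodes-can-delete-themselves-by-adding-an-ownerreference`, which does not move when a release is added.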
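Review bot: The CVE-2025-13281 text added in `@@ -415,6 +423,42 @@` never states whether the 1.28 line itself is affected. Its only version statement is that releases greater than or equal to v1.32 are not impacted, while the in-tree Portworx StorageClass is described as disabled by default starting in v1.31. Since this is the 1.28 changelog, add one sentence giving the status for v1.28 and saying that v1.28.103-akslts carries the fix, so operators do not have to infer it from the feature-gate history. Separately, the Bug or Regression entry reads "Cherry pick #135525", but the Upstream tracking line links 135525 as an issue (`kubernetes/kubernetes/issues/135525`), and a bare `#135525` is ambiguous next to `#76`, which is an aks-lts pull request. Name the upstream PR that was cherry-picked, or write `kubernetes/kubernetes#135525` if the issue is what is meant.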