Release log

• 1: v1.32
• 1.1: v1.32.13-lts.1
• 1.2: v1.32.13-lts.2
• 2: v1.31
• 2.1: v1.31.14-lts.1
• 2.2: v1.31.14-lts.2
• 3: v1.30
• 3.1: v1.30.14-lts.1
• 3.2: v1.30.14-lts.2
• 4: v1.29
• 4.1: v1.29.15-lts.1
• 4.2: v1.29.15-lts.2
• 5: v1.28
• 5.1: v1.28.15-lts.0
• 5.2: v1.28.15-lts.2
• 5.3: v1.28.15-lts.3
• 6: v1.27
• 6.1: v1.27.16-lts.0
• 6.2: v1.27.16-lts.1
• 6.3: v1.27.16-lts.2
• 7: v1.26
• 7.1: v1.26.15-lts.0
• 7.2: v1.26.15-lts.1
• 7.3: v1.26.15-lts.2
• 8: v1.25
• 8.1: v1.25.16-lts.0
• 8.2: v1.25.16-lts.1
• 8.3: v1.25.16-lts.2
• 9: v1.24
• 9.1: v1.24.17-lts.0
• 9.2: v1.24.17-lts.1
• 9.3: v1.24.17-lts.2
• 10: v1.23
• 10.1: v1.23.17-lts.0
• 10.2: v1.23.17-lts.1
• 10.3: v1.23.17-lts.2
• 10.4: v1.23.5-lts.1
• 11: v1.22
• 11.1: v1.22.17-lts.0
• 11.2: v1.22.17-lts.1
• 11.3: v1.22.17-lts.2
• 11.4: v1.22.8-lts.1
• 12: v1.21
• 12.1: v1.21.11-lts.1
• 12.2: v1.21.14-lts.2
• 12.3: v1.21.14-lts.3
• 13: v1.20
• 13.1: v1.20.15-lts.2
• 13.2: v1.20.15-lts.3
• 13.3: v1.20.16-lts.1
• 14: v1.19
• 14.1: v1.19.16-lts.3
• 14.2: v1.19.16-lts.4
• 15: v1.18
• 15.1: v1.18.20-lts.1
• 15.2: v1.18.20-lts.2
• 15.3: v1.18.20-lts.3
• 16: v1.17
• 16.1: v1.17.17-lts.1
• 16.2: v1.17.17-lts.3
• 17: v1.16
• 17.1: v1.16.15-lts.1
• 17.2: v1.16.15-lts.3
• 18: v1.15
• 18.1: v1.15.12-lts.1
• 19: v1.14
• 19.1: v1.14.10-lts.1
• 20: v1.13
• 20.1: v1.13.12-lts.1
• 21: v1.12
• 21.1: v1.12.10-lts.1
• 22: v1.11
• 22.1: v1.11.10-lts.1
• 23: v1.10
• 23.1: v1.10.13-lts.1

1 - v1.32

1.1 - v1.32.13-lts.1

This is the fixed release by KLTS for v1.32.13.

Patches

• Includes cumulative security fixes from base release v1.32.13-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

1.2 - v1.32.13-lts.2

This is the KLTS release for Kubernetes v1.32.13.

Highlights

• Rebuilds the v1.32 LTS line with Go 1.25.9.
• Carries the current KLTS image and etcd maintenance patch chain.
• Includes the v1.32 KLTS backports for allocation test compatibility and CVE-2025-1767.

Patch chain

• Base: v1.32.13
• CI chain: v1.32.13-ci
• Patches: no-delete-images.1.24, fix-etcd-put-key.1.24, bump-go-1-25-9.1.32, fix-allocsperrun-parallel, CVE-2025-1767

2 - v1.31

2.1 - v1.31.14-lts.1

This is the fixed release by KLTS for v1.31.14.

Patches

• Includes cumulative security fixes from base release v1.31.14-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

2.2 - v1.31.14-lts.2

This is the KLTS release for Kubernetes v1.31.14.

Highlights

• Rebuilds the v1.31 LTS line with Go 1.25.9.
• Includes Go 1.25 compatibility fixes for this line.
• Includes current KLTS security backports for this line: CVE-2025-13281 and CVE-2025-1767.

Patch chain

• Base: v1.31.14
• CI chain: v1.31.14-ci
• Patches: no-delete-images.1.24, fix-etcd-put-key.1.24, bump-go-1-25-9.1.31, fix-allocsperrun-parallel, fix-go1.25-compat.1.31, CVE-2025-13281, CVE-2025-1767

3 - v1.30

3.1 - v1.30.14-lts.1

This is the fixed release by KLTS for v1.30.14.

Patches

• Includes cumulative security fixes from base release v1.30.14-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

3.2 - v1.30.14-lts.2

This is the KLTS release for Kubernetes v1.30.14.

Highlights

• Rebuilds the v1.30 LTS line with Go 1.25.9.
• Includes Go 1.25 compatibility fixes and kubeadm preflight URL construction fixes for this line.
• Includes current KLTS security backports for this line: CVE-2025-13281, CVE-2025-1767, and CVE-2025-5187.

Patch chain

• Base: v1.30.14
• CI chain: v1.30.14-ci
• Patches: no-delete-images.1.24, fix-etcd-put-key.1.24, bump-go-1-25-9.1.30, fix-allocsperrun-parallel, fix-kubeadm-preflight-host-url-construction, fix-go1.25-compat.1.30, CVE-2025-13281, CVE-2025-1767, CVE-2025-5187

4 - v1.29

4.1 - v1.29.15-lts.1

This is the fixed release by KLTS for v1.29.15.

Patches

• Includes cumulative security fixes from base release v1.29.15-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

4.2 - v1.29.15-lts.2

This is the KLTS release for Kubernetes v1.29.15.

Highlights

• Rebuilds the v1.29 LTS line with Go 1.25.9.
• Includes Go 1.25 compatibility fixes and kubeadm preflight URL construction fixes for this line.
• Includes current KLTS security backports for this line: CVE-2025-13281, CVE-2025-1767, and CVE-2025-5187.

Patch chain

• Base: v1.29.15
• CI chain: v1.29.15-ci
• Patches: no-delete-images.1.24, fix-etcd-put-key.1.24, bump-go-1-25-9.1.29, fix-allocsperrun-parallel, fix-kubeadm-preflight-host-url-construction, fix-go1.25-compat.1.29, CVE-2025-13281, CVE-2025-1767, CVE-2025-5187

5 - v1.28

5.1 - v1.28.15-lts.0

This is the first fixed release by KLTS for v1.28.15.

Patches

• There are no fixes just CI processes running

5.2 - v1.28.15-lts.2

This is the fixed release by KLTS for v1.28.15.

Patches

• Includes cumulative security fixes from base release v1.28.15-ci.
• Bugfix: revert scheduler VolumeBinding behavior for this branch.
• fix-scheduler-volumebinding.1.28.patch

5.3 - v1.28.15-lts.3

This is the KLTS release for Kubernetes v1.28.15.

Highlights

• Rebuilds the v1.28 LTS line with Go 1.25.9.
• Keeps the scheduler volume binding fix from the previous KLTS release.
• Includes current KLTS security backports for this line: CVE-2024-9042, CVE-2025-0426, CVE-2025-13281, CVE-2025-1767, and CVE-2025-5187.

Patch chain

• Base: v1.28.15
• CI chain: v1.28.15-ci
• LTS wrapper patch: fix-scheduler-volumebinding.1.28
• Patches: no-delete-images.1.24, fix-etcd-put-key.1.24, bump-go-1-25-9.1.28, CVE-2024-9042, CVE-2025-0426, CVE-2025-13281, CVE-2025-1767, CVE-2025-5187

6 - v1.27

6.1 - v1.27.16-lts.0

This is the first fixed release by KLTS for v1.27.16.

Patches

• There are no fixes just CI processes running

6.2 - v1.27.16-lts.1

This is the fixed release by KLTS for v1.27.16.

Patches

• Includes cumulative security fixes from base release v1.27.16-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

6.3 - v1.27.16-lts.2

This is the KLTS release for Kubernetes v1.27.16.

Highlights

• Rebuilds the v1.27 LTS line with Go 1.25.9.
• Carries the current KLTS image, registry, and etcd maintenance patch chain.
• Includes current KLTS security backports for this line: CVE-2024-10220, CVE-2024-9042, CVE-2025-0426, CVE-2025-13281, CVE-2025-1767, and CVE-2025-5187.

Patch chain

• Base: v1.27.16
• CI chain: v1.27.16-ci
• Patches: no-delete-images.1.24, fix-etcd-put-key.1.24, bump-go-1-25-9.1.27, CVE-2024-10220, CVE-2024-9042, CVE-2025-0426, CVE-2025-13281, CVE-2025-1767, CVE-2025-5187

7 - v1.26

7.1 - v1.26.15-lts.0

This is the first fixed release by KLTS for v1.26.15.

Patches

• There are no fixes just CI processes running

7.2 - v1.26.15-lts.1

This is the fixed release by KLTS for v1.26.15.

Patches

• Includes cumulative security fixes from base release v1.26.15-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

7.3 - v1.26.15-lts.2

This is the KLTS release for Kubernetes v1.26.15.

Highlights

• Rebuilds the v1.26 LTS line with Go 1.25.9.
• Carries the current KLTS image, registry, and etcd maintenance patch chain.
• Includes current KLTS security backports for this line: CVE-2024-10220, CVE-2025-0426, CVE-2025-13281, CVE-2025-1767, and CVE-2025-5187.

Patch chain

• Base: v1.26.15
• CI chain: v1.26.15-ci
• Patches: fix-run-docker.1.24, no-delete-images.1.24, fix-etcd-put-key.1.24, bump-go-1-25-9.1.26, CVE-2024-10220, CVE-2025-0426, CVE-2025-13281, CVE-2025-1767, CVE-2025-5187

8 - v1.25

8.1 - v1.25.16-lts.0

This is the first fixed release by KLTS for v1.25.16.

Patches

• There are no fixes just CI processes running

8.2 - v1.25.16-lts.1

This is the fixed release by KLTS for v1.25.16.

Patches

• Includes cumulative security fixes from base release v1.25.16-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

8.3 - v1.25.16-lts.2

This is the KLTS release for Kubernetes v1.25.16.

Highlights

• Rebuilds the v1.25 LTS line with Go 1.25.9.
• Carries the current KLTS image, registry, code generation, and etcd maintenance patch chain.
• Includes current KLTS security backports for this line: CVE-2024-10220, CVE-2025-0426, CVE-2025-13281, CVE-2025-1767, and CVE-2025-5187.

Patch chain

• Base: v1.25.16
• CI chain: v1.25.16-ci
• Patches: fix-run-docker.1.24, no-delete-images.1.24, fix-etcd-put-key.1.24, codegens-to-scripts.1.25, bump-go-1-25-9.1.25, CVE-2024-10220, CVE-2025-0426, CVE-2025-13281, CVE-2025-1767, CVE-2025-5187

9 - v1.24

9.1 - v1.24.17-lts.0

This is the first fixed release by KLTS for v1.24.17.

Patches

• There are no fixes just CI processes running

9.2 - v1.24.17-lts.1

This is the fixed release by KLTS for v1.24.17.

Patches

• Includes cumulative security fixes from base release v1.24.17-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

9.3 - v1.24.17-lts.2

This is the KLTS release for Kubernetes v1.24.17.

Highlights

• Rebuilds the v1.24 LTS line with Go 1.25.9.
• Carries the current KLTS image, registry, code generation, and etcd maintenance patch chain.
• Includes current KLTS security backports for this line: CVE-2024-10220, CVE-2025-13281, CVE-2025-1767, and CVE-2025-5187.

Patch chain

• Base: v1.24.17
• CI chain: v1.24.17-ci
• Patches: fix-run-docker.1.24, no-delete-images.1.24, fix-etcd-put-key.1.24, codegens-to-scripts.1.24, bump-go-1-25-9.1.24, CVE-2024-10220, CVE-2025-13281, CVE-2025-1767, CVE-2025-5187

10 - v1.23

10.1 - v1.23.17-lts.0

This is the first fixed release by KLTS for v1.23.17.

Patches

• There are no fixes just CI processes running

10.2 - v1.23.17-lts.1

This is the fixed release by KLTS for v1.23.17.

Patches

• Includes cumulative security fixes from base release v1.23.17-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

10.3 - v1.23.17-lts.2

This is the KLTS release for Kubernetes v1.23.17.

Highlights

• Rebuilds the v1.23 LTS line with Go 1.25.9.
• Carries the current KLTS image, registry, and etcd maintenance patch chain.
• Includes current KLTS security backports for this line: CVE-2024-10220, CVE-2025-13281, CVE-2025-1767, and CVE-2025-5187.

Patch chain

• Base: v1.23.17
• CI chain: v1.23.17-ci
• Patches: fix-run-docker.1.24, no-delete-images.1.24, fix-etcd-put-key.1.23, bump-go-1-25-9.1.23, CVE-2024-10220, CVE-2025-13281, CVE-2025-1767, CVE-2025-5187

10.4 - v1.23.5-lts.1

This is the first fixed release by KLTS for v1.23.5.

Patches

• There are no fixes just CI processes running

11 - v1.22

11.1 - v1.22.17-lts.0

This is the first fixed release by KLTS for v1.22.17.

Patches

• There are no fixes just CI processes running

11.2 - v1.22.17-lts.1

This is the fixed release by KLTS for v1.22.17.

Patches

• Includes cumulative security fixes from base release v1.22.17-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

11.3 - v1.22.17-lts.2

This is the KLTS release for Kubernetes v1.22.17.

Highlights

• Rebuilds the v1.22 LTS line with Go 1.25.9.
• Carries the current KLTS image, registry, and etcd maintenance patch chain.
• Includes current KLTS security backports for this line: CVE-2024-10220, CVE-2025-13281, CVE-2025-1767, and CVE-2025-5187.

Patch chain

• Base: v1.22.17
• CI chain: v1.22.17-ci
• Patches: fix-run-docker.1.24, no-delete-images.1.24, fix-etcd-put-key.1.23, bump-go-1-25-9.1.22, CVE-2024-10220, CVE-2025-13281, CVE-2025-1767, CVE-2025-5187

11.4 - v1.22.8-lts.1

This is the first fixed release by KLTS for v1.22.8.

Patches

• There are no fixes just CI processes running

12 - v1.21

12.1 - v1.21.11-lts.1

This is the first fixed release by KLTS for v1.21.11.

Patches

• There are no fixes just CI processes running

12.2 - v1.21.14-lts.2

This is the fixed release by KLTS for v1.21.14.

Patches

• Includes cumulative security fixes from base release v1.21.14-ci (including recently synced CVE fixes in /docs/kubernetes/patches/); this tag has no additional patch commits.

12.3 - v1.21.14-lts.3

This is the KLTS release for Kubernetes v1.21.14.

Highlights

• Rebuilds the v1.21 LTS line with Go 1.25.9.
• Carries the current KLTS image, registry, and etcd maintenance patch chain.
• Includes current KLTS security backports for this line: CVE-2024-10220, CVE-2025-13281, CVE-2025-1767, and CVE-2025-5187.

Patch chain

• Base: v1.21.14
• CI chain: v1.21.14-ci
• Patches: fix-run-docker.1.24, no-delete-images.1.24, fix-etcd-put-key.1.23, bump-go-1-25-9.1.21, CVE-2024-10220, CVE-2025-13281, CVE-2025-1767, CVE-2025-5187

13 - v1.20

13.1 - v1.20.15-lts.2

This is the second fixed release by KLTS for v1.20.15.

Patches

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

13.2 - v1.20.15-lts.3

This is the fixed release by KLTS for v1.20.15.

Patches

• Includes cumulative security fixes from base release v1.20.15-ci.
• Bugfix: kubectl convert compatibility update.
• fix-kubectl-convert-97644.1.20.patch
• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

13.3 - v1.20.16-lts.1

This is the KLTS release for Kubernetes v1.20.16.

Highlights

• Adds KLTS support for Kubernetes v1.20 through v1.23.
• Fixes the kmem issue for this release.

Related patch

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

• GitHub release notes

14 - v1.19

14.1 - v1.19.16-lts.3

This is the third fixed release by KLTS for v1.19.16.

Patches

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

• CVE-2020-8554

  A man-in-the-middle risk in Kubernetes Service traffic handling allows an actor with Service write permissions to redirect traffic using ExternalIPs or LoadBalancer status fields.

14.2 - v1.19.16-lts.4

This is the fixed release by KLTS for v1.19.16.

Patches

• Includes cumulative security fixes from base release v1.19.16-ci.
• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

• Security fix: CVE-2020-8554.1.19.patch

15 - v1.18

15.1 - v1.18.20-lts.1

This is the first fixed release by KLTS for v1.18.20.

Patches

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

• CVE-2021-25741

  This is a volume security issue related to permission access. A user can access files and directories outside the volume mounting directory, including the host’s file system, through the volume mounting method of subpath in the created container.

15.2 - v1.18.20-lts.2

This is the second fixed release by KLTS for v1.18.20.

Patches

• Bugfix: reducing race risk in kubelet for missing KUBERNETES_SERVICE_HOST

15.3 - v1.18.20-lts.3

This is the fixed release by KLTS for v1.18.20.

Patches

• Includes cumulative security fixes from base release v1.18.20-ci.
• CVE-2021-25741

  This is a volume security issue related to permission access. A user can access files and directories outside the volume mounting directory, including the host’s file system, through the volume mounting method of subpath in the created container.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

• Security fix: CVE-2020-8554.1.18.patch
• Bugfix: fix-missing-env-91500.1.18.patch

16 - v1.17

16.1 - v1.17.17-lts.1

This is the first fixed release by KLTS for v1.17.17.

Patches

• CVE-2021-3121

  A program with this vulnerability may crash because of processing some messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may exist.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

16.2 - v1.17.17-lts.3

This is the fixed release by KLTS for v1.17.17.

Patches

• Includes cumulative security fixes from base release v1.17.17-ci.
• CVE-2021-3121

  A program with this vulnerability may crash because of processing some messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may exist.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

17 - v1.16

17.1 - v1.16.15-lts.1

This is the first fixed release by KLTS for v1.16.15.

Patches

• CVE-2021-3121

  A program with this vulnerability may crash because of processing some messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may exist.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

17.2 - v1.16.15-lts.3

This is the fixed release by KLTS for v1.16.15.

Patches

• Includes cumulative security fixes from base release v1.16.15-ci.
• CVE-2021-3121

  A program with this vulnerability may crash because of processing some messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may exist.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

18 - v1.15

18.1 - v1.15.12-lts.1

This is the first fixed release by KLTS for v1.15.12.

Patches

• CVE-2020-8558

  The kube-proxy component was found to set the kernel parameter net.ipv4.conf.all.route_localnet=1 in both iptables and ipvs modes to allow local loopback access. An attacker may use the container sharing the host network, or bind and listen to the TCP/UDP service of the local 127.0.0.1 on the cluster node to access the same LAN or adjacent node under the second layer network to obtain interface information. If your service does not set the necessary security certification, it may cause the risk of information leakage.

• CVE-2021-3121

  A program with this vulnerability may crash because of processing some messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may exist.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

19 - v1.14

19.1 - v1.14.10-lts.1

This is the first fixed release by KLTS for v1.14.10.

Patches

• CVE-2020-8552

  This vulnerability may make the API Server vulnerable to a DoS (Denial of Service) attack caused by successful API requests.

• CVE-2020-8558

  The kube-proxy component was found to set the kernel parameter net.ipv4.conf.all.route_localnet=1 in both iptables and ipvs modes to allow local loopback access. An attacker may use the container sharing the host network, or bind and listen to the TCP/UDP service of the local 127.0.0.1 on the cluster node to access the same LAN or adjacent node under the second layer network to obtain interface information. If your service does not set the necessary security certification, it may cause the risk of information leakage.

• CVE-2020-8559

  This is a security vulnerability of the kube-apiserver component. An attacker can intercept certain upgrade requests sent to the node kubelet, and forward the request to other target nodes through the original access credentials in the request that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

• CVE-2021-3121

  A program with this vulnerability may crash because of processing some messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may exist.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

20 - v1.13

20.1 - v1.13.12-lts.1

This is the first fixed release by KLTS for v1.13.12.

Patches

• CVE-2020-8552

  This vulnerability may make the API Server vulnerable to a DoS (Denial of Service) attack caused by successful API requests.

• CVE-2020-8558

  The kube-proxy component was found to set the kernel parameter net.ipv4.conf.all.route_localnet=1 in both iptables and ipvs modes to allow local loopback access. An attacker may use the container sharing the host network, or bind and listen to the TCP/UDP service of the local 127.0.0.1 on the cluster node to access the same LAN or adjacent node under the second layer network to obtain interface information. If your service does not set the necessary security certification, it may cause the risk of information leakage.

• CVE-2021-3121

  A program with this vulnerability may crash because of processing some messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may exist.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

21 - v1.12

21.1 - v1.12.10-lts.1

This is the first fixed release by KLTS for v1.12.10.

Patches

• CVE-2019-11245

  Containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node.

• CVE-2019-11247

  API Server mistakenly allows access to a cluster-scoped custom resource.

• CVE-2019-11249

  This vulnerability may allow an attacker to use the kubectl cp command to write malicious files in the container tar package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user.

• CVE-2019-11251

  This vulnerability may allow an attacker to use the kubectl cp command to write malicious files in the container tar package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user.

• CVE-2020-8552

  This vulnerability may make the API Server vulnerable to a DoS (Denial of Service) attack caused by successful API requests.

• CVE-2020-8558

  The kube-proxy component was found to set the kernel parameter net.ipv4.conf.all.route_localnet=1 in both iptables and ipvs modes to allow local loopback access. An attacker may use the container sharing the host network, or bind and listen to the TCP/UDP service of the local 127.0.0.1 on the cluster node to access the same LAN or adjacent node under the second layer network to obtain interface information. If your service does not set the necessary security certification, it may cause the risk of information leakage.

• CVE-2021-3121

  A program with this vulnerability may crash because of processing some messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may exist.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

22 - v1.11

22.1 - v1.11.10-lts.1

This is the first fixed release by KLTS for v1.11.10.

Patches

• CVE-2019-11245

  Containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node.

• CVE-2019-11246

  This vulnerability may allow an attacker to use the kubectl cp command to write malicious files in the container tar package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user.

• CVE-2019-11247

  API Server mistakenly allows access to a cluster-scoped custom resource.

• CVE-2019-11248

  The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port.

• CVE-2019-11249

  This vulnerability may allow an attacker to use the kubectl cp command to write malicious files in the container tar package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user.

• CVE-2019-11251

  This vulnerability may allow an attacker to use the kubectl cp command to write malicious files in the container tar package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user.

• CVE-2020-8552

  This vulnerability may make the API Server vulnerable to a DoS (Denial of Service) attack caused by successful API requests.

• CVE-2020-8558

  The kube-proxy component was found to set the kernel parameter net.ipv4.conf.all.route_localnet=1 in both iptables and ipvs modes to allow local loopback access. An attacker may use the container sharing the host network, or bind and listen to the TCP/UDP service of the local 127.0.0.1 on the cluster node to access the same LAN or adjacent node under the second layer network to obtain interface information. If your service does not set the necessary security certification, it may cause the risk of information leakage.

• CVE-2021-3121

  A program with this vulnerability may crash because of processing some messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may exist.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.

23 - v1.10

23.1 - v1.10.13-lts.1

This is the first fixed release by KLTS for v1.10.13.

Patches

• CVE-2019-11245

  Containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node.

• CVE-2019-1002101

  This vulnerability may allow an attacker to modify or monitor any file in the directory with the same name in the symbolic link header during the unpacking process of the kubectl cp command, thereby causing damage.

• CVE-2019-11246

  This vulnerability may allow an attacker to use the kubectl cp command to write malicious files in the container tar package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user.

• CVE-2019-11248

  The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port.

• CVE-2019-11249

  This vulnerability may allow an attacker to use the kubectl cp command to write malicious files in the container tar package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user.

• CVE-2019-11251

  This vulnerability may allow an attacker to use the kubectl cp command to write malicious files in the container tar package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user.

• CVE-2020-8552

  This vulnerability may make the API Server vulnerable to a DoS (Denial of Service) attack caused by successful API requests.

• CVE-2021-3121

  A program with this vulnerability may crash because of processing some messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may exist.

• nokmem

  The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.