Security information¶
The MKE 3.7.13 patch release focuses exclusively on CVE mitigation. To this end, the following middleware component versions have been upgraded to resolve vulnerabilities in MKE:
[MKE-11602] [MKE-11595] Debian stable-20240722-slim
Golang 1.22.5
Alpine Linux 3.19
Calico 3.28.1
The following table details the specific CVEs addressed, including which images are affected per CVE.
CVE |
Status |
Image mitigated |
Problem details from upstream |
---|---|---|---|
Resolved |
|
A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the “certtool –verify-chain” command. |
|
Resolved |
|
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the “KeyTrap” issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. |
|
Resolved |
|
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the “NSEC3” issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. |
|
Resolved |
|
.NET and Visual Studio Denial of Service Vulnerability. |
|
Resolved |
|
CVE has been reserved by an organization or individual and is not currently available in the NVD. |
|
Resolved |
|
Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. |
|
Resolved |
|
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable. |
|
Resolved |
|
nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon’s (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. |