stable-2.13.7

This stable releases addresses backports two fixes that address security vulnerabilities. The proxy's dependency on the webpki library has been updated to patch [RUSTSEC-2023-0052], a potential CPU usage denial-of-service attack when accepting a TLS handshake from an untrusted peer. In addition, the CNI and proxy-init images have been updated to patch [CVE-2023-2603] surfaced in the runtime image's libcap library. Finally, the release contains a backported fix for service discovery on endpoints that use hostPorts which could potentially disrupt connections on pod restarts. * Control Plane * Changed how hostPort lookups are handled in the destination service. Previously, when doing service discovery for an endpoint bound on a hostPort, the destination service would return the corresponding pod IP. On pod restart, this could lead to loss of connectivity on the client's side. The destination service now always returns host IPs for service discovery on an endpoint that uses hostPorts [#11328] * Proxy * Addressed security vulnerability [RUSTSEC-2023-0052] [#11389] * CNI * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI plugin [#11348] [#11328]: #11328 [#11348]: #11348 [#11389]: #11389 [RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html [CVE-2023-2603]: GHSA-wp54-pwvg-rqq5 Signed-off-by: Matei David <[email protected]>
linkerd · Sep 20, 2023 · 8d423dc · 8d423dc
1 parent 21dfd08
commit 8d423dc
Show file tree

Hide file tree

Showing 11 changed files with 42 additions and 10 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,37 @@
 # Changes
 
+## stable-2.13.7
+
+This stable releases addresses backports two fixes that address security
+vulnerabilities. The proxy's dependency on the webpki library has been updated
+to patch [RUSTSEC-2023-0052], a potential CPU usage denial-of-service attack
+when accepting a TLS handshake from an untrusted peer. In addition, the CNI and
+proxy-init images have been updated to patch [CVE-2023-2603] surfaced in the
+runtime image's libcap library. Finally, the release contains a backported fix
+for service discovery on endpoints that use hostPorts which could potentially
+disrupt connections on pod restarts.
+
+* Control Plane
+  * Changed how hostPort lookups are handled in the destination service.
+    Previously, when doing service discovery for an endpoint bound on a
+    hostPort, the destination service would return the corresponding pod IP. On
+    pod restart, this could lead to loss of connectivity on the client's side.
+    The destination service now always returns host IPs for service discovery
+    on an endpoint that uses hostPorts [#11328]
+
+* Proxy
+  * Addressed security vulnerability [RUSTSEC-2023-0052] [#11389]
+
+* CNI
+  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
+    plugin [#11348]
+
+[#11328]: https://github.com/linkerd/linkerd2/pull/11328
+[#11348]: https://github.com/linkerd/linkerd2/pull/11348
+[#11389]: https://github.com/linkerd/linkerd2/pull/11389
+[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
+[CVE-2023-2603]: https://github.com/advisories/GHSA-wp54-pwvg-rqq5
+
 ## stable-2.13.6
 
 This stable release fixes a regression introduced in stable-2.13.0 which

diff --git a/charts/linkerd-control-plane/Chart.yaml b/charts/linkerd-control-plane/Chart.yaml
@@ -16,7 +16,7 @@ dependencies:
 - name: partials
   version: 0.1.0
   repository: file://../partials
-version: 1.12.6
+version: 1.12.7
 icon: https://linkerd.io/images/logo-only-200h.png
 maintainers:
   - name: Linkerd authors

diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md
@@ -3,7 +3,7 @@
 Linkerd gives you observability, reliability, and security
 for your microservices — with no code change required.
 
-![Version: 1.12.6](https://img.shields.io/badge/Version-1.12.6-informational?style=flat-square)
+![Version: 1.12.7](https://img.shields.io/badge/Version-1.12.7-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
 

diff --git a/charts/linkerd2-cni/Chart.yaml b/charts/linkerd2-cni/Chart.yaml
@@ -9,4 +9,4 @@ description: |
 kubeVersion: ">=1.21.0-0"
 icon: https://linkerd.io/images/logo-only-200h.png
 name: "linkerd2-cni"
-version: 30.8.4
+version: 30.8.5
diff --git a/charts/linkerd2-cni/README.md b/charts/linkerd2-cni/README.md
@@ -6,7 +6,7 @@ Linkerd [CNI plugin](https://linkerd.io/2/features/cni/) takes care of setting
 up your pod's network so  incoming and outgoing traffic is proxied through the
 data plane.
 
-![Version: 30.8.4](https://img.shields.io/badge/Version-30.8.4-informational?style=flat-square)
+![Version: 30.8.5](https://img.shields.io/badge/Version-30.8.5-informational?style=flat-square)
 
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
 

diff --git a/jaeger/charts/linkerd-jaeger/Chart.yaml b/jaeger/charts/linkerd-jaeger/Chart.yaml
@@ -11,7 +11,7 @@ kubeVersion: ">=1.21.0-0"
 name: linkerd-jaeger
 sources:
 - https://github.com/linkerd/linkerd2/
-version: 30.8.6
+version: 30.8.7
 icon: https://linkerd.io/images/logo-only-200h.png
 maintainers:
   - name: Linkerd authors

diff --git a/jaeger/charts/linkerd-jaeger/README.md b/jaeger/charts/linkerd-jaeger/README.md
@@ -3,7 +3,7 @@
 The Linkerd-Jaeger extension adds distributed tracing to Linkerd using
 OpenCensus and Jaeger.
 
-![Version: 30.8.6](https://img.shields.io/badge/Version-30.8.6-informational?style=flat-square)
+![Version: 30.8.7](https://img.shields.io/badge/Version-30.8.7-informational?style=flat-square)
 
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
 

diff --git a/multicluster/charts/linkerd-multicluster/Chart.yaml b/multicluster/charts/linkerd-multicluster/Chart.yaml
@@ -11,7 +11,7 @@ kubeVersion: ">=1.21.0-0"
 name: "linkerd-multicluster"
 sources:
 - https://github.com/linkerd/linkerd2/
-version: 30.7.6
+version: 30.7.7
 icon: https://linkerd.io/images/logo-only-200h.png
 maintainers:
   - name: Linkerd authors

diff --git a/multicluster/charts/linkerd-multicluster/README.md b/multicluster/charts/linkerd-multicluster/README.md
@@ -3,7 +3,7 @@
 The Linkerd-Multicluster extension contains resources to support multicluster
 linking to remote clusters
 
-![Version: 30.7.6](https://img.shields.io/badge/Version-30.7.6-informational?style=flat-square)
+![Version: 30.7.7](https://img.shields.io/badge/Version-30.7.7-informational?style=flat-square)
 
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
 

diff --git a/viz/charts/linkerd-viz/Chart.yaml b/viz/charts/linkerd-viz/Chart.yaml
@@ -11,7 +11,7 @@ kubeVersion: ">=1.21.0-0"
 name: "linkerd-viz"
 sources:
 - https://github.com/linkerd/linkerd2/
-version: 30.8.6
+version: 30.8.7
 icon: https://linkerd.io/images/logo-only-200h.png
 maintainers:
   - name: Linkerd authors

diff --git a/viz/charts/linkerd-viz/README.md b/viz/charts/linkerd-viz/README.md
@@ -3,7 +3,7 @@
 The Linkerd-Viz extension contains observability and visualization
 components for Linkerd.
 
-![Version: 30.8.6](https://img.shields.io/badge/Version-30.8.6-informational?style=flat-square)
+![Version: 30.8.7](https://img.shields.io/badge/Version-30.8.7-informational?style=flat-square)
 
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)