
block traffic to 168.63.129.16 port 80 for cve-2021-27075 #690

Merged
k8s-ci-robot merged 1 commit into kubernetes-sigs:master from devigned:fix-cve-2021-27075
Sep 14, 2021

Conversation

@devigned
Contributor

@devigned devigned commented Sep 10, 2021

What this PR does / why we need it:

This PR explicitly ensures that TCP traffic bound for the reserved Azure IP 168.63.129.16 via TCP on port 80 is dropped to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.

Needs: #691

/cc @CecileRobertMichon
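An added example, not code from the image-builder project, of the kind of host-level rule the description above refers to: an idempotent POSIX sh helper that drops TCP traffic to 168.63.129.16 port 80 in the OUTPUT chain, checking the live ruleset first so that a boot-time re-run does not stack duplicate rules. The function names, the `IPTABLES` override variable and the sample rulesets are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the image-builder project: idempotently install
# a host-level iptables rule that drops TCP traffic to the Azure WireServer
# address 168.63.129.16 on port 80, as the PR description says is done.
# Names (ensure_wireserver_block, rule_present_in, IPTABLES) are assumptions.

WIRESERVER_IP="168.63.129.16"
WIRESERVER_PORT="80"

# The rule, spelled the way `iptables -S OUTPUT` prints it, so that presence
# can be checked by an exact whole-line match.
wireserver_drop_rule() {
  printf '%s\n' "-A OUTPUT -d ${WIRESERVER_IP}/32 -p tcp -m tcp --dport ${WIRESERVER_PORT} -j DROP"
}

# Returns 0 if the ruleset text in $1 (e.g. the output of `iptables -S OUTPUT`)
# already contains the drop rule as a whole line, 1 otherwise.
rule_present_in() {
  printf '%s\n' "$1" | grep -Fxq -- "$(wireserver_drop_rule)"
}

# Append the rule only when it is missing. IPTABLES defaults to the iptables
# binary; it can be pointed at a stub function for offline testing.
ensure_wireserver_block() {
  IPTABLES="${IPTABLES:-iptables}"
  current="$("$IPTABLES" -S OUTPUT)" || return 1
  if rule_present_in "$current"; then
    return 0
  fi
  "$IPTABLES" -A OUTPUT -d "${WIRESERVER_IP}/32" -p tcp -m tcp --dport "$WIRESERVER_PORT" -j DROP
}

# Constructed sample rulesets (not captured from a real node) to show the check.
SAMPLE_WITH_RULE="-P OUTPUT ACCEPT
-A OUTPUT -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -j DROP"
SAMPLE_WITHOUT_RULE="-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT"

if rule_present_in "$SAMPLE_WITH_RULE"; then
  echo "sample 1: WireServer drop rule present"
fi
if ! rule_present_in "$SAMPLE_WITHOUT_RULE"; then
  echo "sample 2: WireServer drop rule missing; ensure_wireserver_block would add it"
fi
# On a node, run as root: ensure_wireserver_block
```

The exact-line check is what makes the helper safe to run from a unit that fires on every boot. 168.63.129.16 is also the address the Azure VM agent on the node itself uses, so before shipping a rule like this, confirm which local processes still need that endpoint; iptables' owner match can narrow the rule to specific users if a blanket drop is too broad for a given image.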

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Sep 10, 2021
@devigned
Contributor Author

/retest

@devigned
Contributor Author

/retest

@devigned
Contributor Author

/retest

Contributor

@CecileRobertMichon CecileRobertMichon left a comment


/lgtm
/assign @codenrhoden

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 13, 2021
@codenrhoden
Contributor

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: codenrhoden, devigned

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 14, 2021
@k8s-ci-robot k8s-ci-robot merged commit 226f54e into kubernetes-sigs:master Sep 14, 2021
@devigned devigned deleted the fix-cve-2021-27075 branch September 16, 2021 23:14
@invidian
Contributor

invidian commented Jun 1, 2022

I wonder, what's the rationale for blocking this traffic specifically at the image-builder level? Security group or CNI network policy could be used as well, right?
