Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE feed: add RSS feed format #39513

Merged
merged 1 commit into from
Mar 14, 2023
Merged

CVE feed: add RSS feed format #39513

merged 1 commit into from
Mar 14, 2023

Conversation

mtardy
Copy link
Member

@mtardy mtardy commented Feb 17, 2023
edited
Loading

This PR fixes kubernetes/sig-security#77.

Preview here and RSS feed here.

It's based on the commits of this PR #38579 and thus should be merged after. Only the last commit is unique.
/hold

I choose the value of the fields based on this spec https://validator.w3.org/feed/docs/rss2.html, maybe some choices can be discussed (like guid).

Here is an extract of what it looks like:

<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Auto-refreshing Official CVE Feed</title>
    <link>http://localhost:1313/docs/reference/issues-security/official-cve-feed/</link>
    <description>Auto-refreshing official CVE feed for Kubernetes repository</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-US</language>
	<copyright>The Kubernetes Authors</copyright>
    <lastBuildDate>Tue, 20 Dec 2022 15:12:31 +0000</lastBuildDate>
    <atom:link href="http://localhost:1313/docs/reference/issues-security/official-cve-feed/feed.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>CVE-2022-3294</title>
      <link>https://github.com/kubernetes/kubernetes/issues/113757</link>
      <pubDate>Tue, 08 Nov 2022 21:33:26 +0000</pubDate>
      <guid>https://www.cve.org/cverecord?id=CVE-2022-3294</guid>
      <description>Node address isn&amp;#39;t always verified when proxying</description>
    </item>
    <item>
      <title>CVE-2022-3162</title>
      <link>https://github.com/kubernetes/kubernetes/issues/113756</link>
      <pubDate>Tue, 08 Nov 2022 21:33:07 +0000</pubDate>
      <guid>https://www.cve.org/cverecord?id=CVE-2022-3162</guid>
      <description>Unauthorized read of Custom Resources</description>
    </item>
    <item>
      <title>CVE-2022-3172</title>
      <link>https://github.com/kubernetes/kubernetes/issues/112513</link>
      <pubDate>Fri, 16 Sep 2022 13:14:50 +0000</pubDate>
      <guid>https://www.cve.org/cverecord?id=CVE-2022-3172</guid>
      <description>Aggregated API server can cause clients to be redirected (SSRF)</description>
    </item>
    [...]

/sig security
cc @PushkarJ @nehaLohia27

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. sig/security Categorizes an issue or PR as relevant to SIG Security. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 17, 2023
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. labels Feb 17, 2023
sftim
sftim reviewed Feb 17, 2023
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW you might want to customise layouts/index.headers - for example, you can set a custom response header for the RSS feed, maybe Cache-Control:?

@mtardy
Copy link
Member Author

mtardy commented Feb 17, 2023

BTW you might want to customise layouts/index.headers - for example, you can set a custom response header for the RSS feed, maybe Cache-Control:?

Ok I see, good idea to indicate to avoid caching on this specific URL, but how can you add this header for only this page? I'm no hugo expert :D

@sftim
Copy link
Contributor

sftim commented Feb 20, 2023

Don't worry about the headers - I think we can do that in a later commit / PR.

@mtardy mtardy mentioned this pull request Feb 27, 2023
Merged
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 27, 2023
@netlify
Copy link

netlify bot commented Feb 27, 2023
edited
Loading

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit ad7b108
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/640b664903b5230008249d32
😎 Deploy Preview https://deploy-preview-39513--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@mtardy
Copy link
Member Author

mtardy commented Feb 27, 2023

/unhold now that #38579 has been merged!

@mtardy
Copy link
Member Author

mtardy commented Feb 27, 2023

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 27, 2023
@mtardy mtardy force-pushed the cve-feed-rss branch 2 times, most recently from e966185 to 5141a60 Compare February 28, 2023 10:20
@mtardy
Copy link
Member Author

mtardy commented Feb 28, 2023
edited
Loading

cc @kbhawkey, this PR, apart from its main goal, fixes the two issues discussed in the previous CVE feed-related PR, see the following commits and their commit message:

EDIT: See #39727

@mtardy
Copy link
Member Author

mtardy commented Feb 28, 2023

For me this PR is ready!
/cc @PushkarJ
/cc @nehaLohia27

sftim
sftim reviewed Feb 28, 2023
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer to see the changes from 141a60dc7b585d7bc6e3396373ec54cd37edcfc happening in a separate PR.

This PR should just add the RSS output.

@mtardy
Copy link
Member Author

mtardy commented Feb 28, 2023

I'd prefer to see the changes from 141a60dc7b585d7bc6e3396373ec54cd37edcfc happening in a separate PR.

This PR should just add the RSS output.

ok fine, let's do it. #39727

PushkarJ
PushkarJ reviewed Feb 28, 2023
View reviewed changes
content/en/docs/reference/issues-security/official-cve-feed.md
```shell
curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason to remove verbose flag?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was mostly wondering why using it? And I thought it was maybe a bit unrelevant, but is there a reason? :)

Copy link
Member

@PushkarJ PushkarJ Mar 1, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mainly for "content-type" in curl response header and to verify that redirects (301) happens safely

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See example for xml file:

curl -lv https://localhost:1313/docs/reference/issues-security/official-cve-feed/feed.xml

< Content-Type: application/xml; charset=utf-8

Same thing applies for json file too.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I put back the verbose flag if you think it's better this way!

PushkarJ
PushkarJ suggested changes Mar 1, 2023
View reviewed changes
Copy link
Member

@PushkarJ PushkarJ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor thing for escaping and unescaping quotes

layouts/_default/cve-feed.rss.xml
<link>{{ .url }}</link>
<pubDate>{{ time.Format "Mon, 02 Jan 2006 15:04:05 -0700" .date_published | safeHTML }}</pubDate>
<guid>{{ .external_url }}</guid>
<description>{{ htmlEscape .summary }}</description>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<description>{{ htmlEscape .summary }}</description>
<description>{{ htmlEscape .summary | safeHTML }}</description>

This will allow the ' and other valid HTML characters to show as is. Untested but you can verify if it works by the title / description of the topmost CVE that uses the word isn't

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested this after coming home. This seems to fix it.

Before:

<description>Node address isn&#39;t always verified when proxying</description>

After:

<description>Node address isn't always verified when proxying</description>

Ref: https://gohugo.io/functions/safehtml/

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah yes but we absolutely need to escape characters like & and so, the feed is not a valid RSS feed without escaping those. Let me test indeed, I was thinking safeHTML was the inverse to htmlEscape but maybe not!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the RSS validator fails after the change then happy to approve it as is.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, this is the result and it's not valid because of this:

This feed does not validate.

[line 233](https://validator.w3.org/feed/check.cgi#l233), column 55: XML parsing error: <unknown>:233:55: not well-formed (invalid token) [[help](https://validator.w3.org/feed/docs/error/SAXError.html)]

<description>`kubectl:-http-cache=<world-accessible dir>` creates world-writ ...

We are lucky that we have a title containing > char to trigger the error.

<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>Auto-refreshing Official CVE Feed</title>
<link>http://localhost:1313/docs/reference/issues-security/official-cve-feed/</link>
<description>Auto-refreshing official CVE feed for Kubernetes repository</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-US</language>
<copyright>The Kubernetes Authors</copyright>
<lastBuildDate>Fri, 10 Mar 2023 13:07:53 +0000</lastBuildDate>
<atom:link href="http://localhost:1313/docs/reference/issues-security/official-cve-feed/feed.xml" rel="self" type="application/rss+xml"/>
<item>
<title>CVE-2022-3294</title>
<link>https://github.com/kubernetes/kubernetes/issues/113757</link>
<pubDate>Tue, 08 Nov 2022 21:33:26 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2022-3294</guid>
<description>Node address isn't always verified when proxying</description>
</item>
<item>
<title>CVE-2022-3162</title>
<link>https://github.com/kubernetes/kubernetes/issues/113756</link>
<pubDate>Tue, 08 Nov 2022 21:33:07 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2022-3162</guid>
<description>Unauthorized read of Custom Resources</description>
</item>
<item>
<title>CVE-2022-3172</title>
<link>https://github.com/kubernetes/kubernetes/issues/112513</link>
<pubDate>Fri, 16 Sep 2022 13:14:50 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2022-3172</guid>
<description>Aggregated API server can cause clients to be redirected (SSRF)</description>
</item>
<item>
<title>CVE-2021-25749</title>
<link>https://github.com/kubernetes/kubernetes/issues/112192</link>
<pubDate>Thu, 01 Sep 2022 21:02:01 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2021-25749</guid>
<description>`runAsNonRoot` logic bypass for Windows containers</description>
</item>
<item>
<title>CVE-2021-25741</title>
<link>https://github.com/kubernetes/kubernetes/issues/104980</link>
<pubDate>Mon, 13 Sep 2021 20:58:56 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2021-25741</guid>
<description>Symlink Exchange Can Allow Host Filesystem Access</description>
</item>
<item>
<title>CVE-2021-25737</title>
<link>https://github.com/kubernetes/kubernetes/issues/102106</link>
<pubDate>Tue, 18 May 2021 19:14:27 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2021-25737</guid>
<description>Holes in EndpointSlice Validation Enable Host Network Hijack</description>
</item>
<item>
<title>CVE-2021-3121</title>
<link>https://github.com/kubernetes/kubernetes/issues/101435</link>
<pubDate>Fri, 23 Apr 2021 18:07:32 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2021-3121</guid>
<description>Processes may panic upon receipt of malicious protobuf messages</description>
</item>
<item>
<title>CVE-2021-25735</title>
<link>https://github.com/kubernetes/kubernetes/issues/100096</link>
<pubDate>Wed, 10 Mar 2021 18:18:01 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2021-25735</guid>
<description>Validating Admission Webhook does not observe some previous fields</description>
</item>
<item>
<title>CVE-2020-8554</title>
<link>https://github.com/kubernetes/kubernetes/issues/97076</link>
<pubDate>Fri, 04 Dec 2020 20:02:15 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8554</guid>
<description>Man in the middle using LoadBalancer or ExternalIPs</description>
</item>
<item>
<title>CVE-2020-8566</title>
<link>https://github.com/kubernetes/kubernetes/issues/95624</link>
<pubDate>Thu, 15 Oct 2020 22:07:53 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8566</guid>
<description>Ceph RBD adminSecrets exposed in logs when loglevel >= 4</description>
</item>
<item>
<title>CVE-2020-8565</title>
<link>https://github.com/kubernetes/kubernetes/issues/95623</link>
<pubDate>Thu, 15 Oct 2020 22:05:32 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8565</guid>
<description>Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9</description>
</item>
<item>
<title>CVE-2020-8564</title>
<link>https://github.com/kubernetes/kubernetes/issues/95622</link>
<pubDate>Thu, 15 Oct 2020 22:03:19 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8564</guid>
<description>Docker config secrets leaked when file is malformed and log level >= 4</description>
</item>
<item>
<title>CVE-2020-8563</title>
<link>https://github.com/kubernetes/kubernetes/issues/95621</link>
<pubDate>Thu, 15 Oct 2020 22:00:44 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8563</guid>
<description>Secret leaks in kube-controller-manager when using vSphere provider</description>
</item>
<item>
<title>CVE-2020-8557</title>
<link>https://github.com/kubernetes/kubernetes/issues/93032</link>
<pubDate>Mon, 13 Jul 2020 18:39:08 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8557</guid>
<description>Node disk DOS by writing to container /etc/hosts</description>
</item>
<item>
<title>CVE-2020-8559</title>
<link>https://github.com/kubernetes/kubernetes/issues/92914</link>
<pubDate>Wed, 08 Jul 2020 17:03:16 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8559</guid>
<description>Privilege escalation from compromised node to cluster</description>
</item>
<item>
<title>CVE-2020-8558</title>
<link>https://github.com/kubernetes/kubernetes/issues/92315</link>
<pubDate>Fri, 19 Jun 2020 18:38:58 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8558</guid>
<description>Node setting allows for neighboring hosts to bypass localhost boundary</description>
</item>
<item>
<title>CVE-2020-8555</title>
<link>https://github.com/kubernetes/kubernetes/issues/91542</link>
<pubDate>Thu, 28 May 2020 16:13:34 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8555</guid>
<description>Half-Blind SSRF in kube-controller-manager</description>
</item>
<item>
<title>CVE-2020-10749</title>
<link>https://github.com/kubernetes/kubernetes/issues/91507</link>
<pubDate>Wed, 27 May 2020 19:32:29 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-10749</guid>
<description>IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements</description>
</item>
<item>
<title>CVE-2019-11254</title>
<link>https://github.com/kubernetes/kubernetes/issues/89535</link>
<pubDate>Thu, 26 Mar 2020 18:55:26 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11254</guid>
<description>kube-apiserver Denial of Service vulnerability from malicious YAML payloads</description>
</item>
<item>
<title>CVE-2020-8552</title>
<link>https://github.com/kubernetes/kubernetes/issues/89378</link>
<pubDate>Mon, 23 Mar 2020 18:35:34 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8552</guid>
<description>apiserver DoS (oom)</description>
</item>
<item>
<title>CVE-2020-8551</title>
<link>https://github.com/kubernetes/kubernetes/issues/89377</link>
<pubDate>Mon, 23 Mar 2020 18:34:40 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8551</guid>
<description>Kubelet DoS via API</description>
</item>
<item>
<title>CVE-2019-11251</title>
<link>https://github.com/kubernetes/kubernetes/issues/87773</link>
<pubDate>Mon, 03 Feb 2020 15:12:22 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11251</guid>
<description>kubectl cp symlink vulnerability</description>
</item>
<item>
<title>CVE-2018-1002102</title>
<link>https://github.com/kubernetes/kubernetes/issues/85867</link>
<pubDate>Tue, 03 Dec 2019 22:58:37 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2018-1002102</guid>
<description>Unvalidated redirect</description>
</item>
<item>
<title>CVE-2019-11255</title>
<link>https://github.com/kubernetes/kubernetes/issues/85233</link>
<pubDate>Wed, 13 Nov 2019 20:57:31 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11255</guid>
<description>CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation</description>
</item>
<item>
<title>CVE-2019-11253</title>
<link>https://github.com/kubernetes/kubernetes/issues/83253</link>
<pubDate>Fri, 27 Sep 2019 16:53:31 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11253</guid>
<description>Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack</description>
</item>
<item>
<title>CVE-2019-11250</title>
<link>https://github.com/kubernetes/kubernetes/issues/81114</link>
<pubDate>Thu, 08 Aug 2019 02:03:04 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11250</guid>
<description>Bearer tokens are revealed in logs</description>
</item>
<item>
<title>CVE-2019-11248</title>
<link>https://github.com/kubernetes/kubernetes/issues/81023</link>
<pubDate>Tue, 06 Aug 2019 14:34:33 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11248</guid>
<description>/debug/pprof exposed on kubelet's healthz port</description>
</item>
<item>
<title>CVE-2019-11249</title>
<link>https://github.com/kubernetes/kubernetes/issues/80984</link>
<pubDate>Mon, 05 Aug 2019 12:44:23 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11249</guid>
<description>Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal</description>
</item>
<item>
<title>CVE-2019-11247</title>
<link>https://github.com/kubernetes/kubernetes/issues/80983</link>
<pubDate>Mon, 05 Aug 2019 12:44:08 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11247</guid>
<description>API server allows access to custom resources via wrong scope</description>
</item>
<item>
<title>CVE-2019-11245</title>
<link>https://github.com/kubernetes/kubernetes/issues/78308</link>
<pubDate>Fri, 24 May 2019 16:14:49 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11245</guid>
<description>container uid changes to root after first restart or if image is already pulled to the node</description>
</item>
<item>
<title>CVE-2019-11243</title>
<link>https://github.com/kubernetes/kubernetes/issues/76797</link>
<pubDate>Thu, 18 Apr 2019 21:31:53 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11243</guid>
<description>rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig()</description>
</item>
<item>
<title>CVE-2019-11244</title>
<link>https://github.com/kubernetes/kubernetes/issues/76676</link>
<pubDate>Tue, 16 Apr 2019 20:14:25 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11244</guid>
<description>`kubectl:-http-cache=<world-accessible dir>` creates world-writeable cached schema files</description>
</item>
<item>
<title>CVE-2019-1002100</title>
<link>https://github.com/kubernetes/kubernetes/issues/74534</link>
<pubDate>Mon, 25 Feb 2019 19:39:09 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-1002100</guid>
<description>json-patch requests can exhaust apiserver resources</description>
</item>
<item>
<title>CVE-2018-1002105</title>
<link>https://github.com/kubernetes/kubernetes/issues/71411</link>
<pubDate>Mon, 26 Nov 2018 11:07:36 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2018-1002105</guid>
<description>proxy request handling in kube-apiserver can leave vulnerable TCP connections</description>
</item>
<item>
<title>CVE-2018-1002101</title>
<link>https://github.com/kubernetes/kubernetes/issues/65750</link>
<pubDate>Tue, 03 Jul 2018 08:06:15 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2018-1002101</guid>
<description>smb mount security issue</description>
</item>
<item>
<title>CVE-2018-1002100</title>
<link>https://github.com/kubernetes/kubernetes/issues/61297</link>
<pubDate>Fri, 16 Mar 2018 19:24:46 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2018-1002100</guid>
<description>Kubectl copy doesn't check for paths outside of it's destination directory.</description>
</item>
<item>
<title>CVE-2017-1002102</title>
<link>https://github.com/kubernetes/kubernetes/issues/60814</link>
<pubDate>Mon, 05 Mar 2018 20:55:20 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2017-1002102</guid>
<description>atomic writer volume handling allows arbitrary file deletion in host filesystem</description>
</item>
<item>
<title>CVE-2017-1002101</title>
<link>https://github.com/kubernetes/kubernetes/issues/60813</link>
<pubDate>Mon, 05 Mar 2018 20:53:58 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2017-1002101</guid>
<description>subpath volume mount handling allows arbitrary file access in host filesystem</description>
</item>
<item>
<title>CVE-2017-1002100</title>
<link>https://github.com/kubernetes/kubernetes/issues/47611</link>
<pubDate>Thu, 15 Jun 2017 18:59:13 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2017-1002100</guid>
<description>Azure PV should be Private scope not Container scope</description>
</item>
<item>
<title>CVE-2017-1000056</title>
<link>https://github.com/kubernetes/kubernetes/issues/43459</link>
<pubDate>Tue, 21 Mar 2017 15:22:29 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2017-1000056</guid>
<description>PodSecurityPolicy admission plugin authorizes incorrectly</description>
</item>
</channel>
</rss>

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for checking this!

@mtardy
CVE feed: add RSS feed format
ad7b108 
Add tabs to display the various feeds thanks to sftim!
@PushkarJ
Copy link
Member

/lgtm
/assign @sftim

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 10, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: d6e4f0a6aa17ec9cd783a9d7992d4b59e69b0bda

@tengqm
Copy link
Contributor

tengqm commented Mar 14, 2023

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tengqm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 14, 2023
@k8s-ci-robot k8s-ci-robot merged commit 46a7445 into kubernetes:main Mar 14, 2023
@mtardy mtardy deleted the cve-feed-rss branch March 14, 2023 08:21
@mtardy mtardy mentioned this pull request Mar 14, 2023
Open
12 tasks
@PushkarJ PushkarJ mentioned this pull request Mar 14, 2023
Open
14 tasks
@Shubham82 Shubham82 mentioned this pull request Mar 23, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sftim sftim sftim left review comments

@PushkarJ PushkarJ PushkarJ requested changes

@bradtopol bradtopol Awaiting requested review from bradtopol

@natalisucks natalisucks Awaiting requested review from natalisucks

@nehaLohia27 nehaLohia27 Awaiting requested review from nehaLohia27

Assignees

@PushkarJ PushkarJ

@sftim sftim

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/security Categorizes an issue or PR as relevant to SIG Security. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support RSS feeds by generating data in Atom format
5 participants
@mtardy @sftim @PushkarJ @k8s-ci-robot @tengqm