Conversation

@octo-sts octo-sts bot commented Nov 15, 2025

k3s-1.33/1.33.5.1-r3: fix GHSA-pwhc-rpq9-4c8w

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/k3s-1.33.advisories.yaml


"Breadcrumbs" for this automated service

@catmsred catmsred self-assigned this Nov 17, 2025
catmsred added a commit to catmsred/advisories that referenced this pull request Nov 17, 2025
The affected component's suffix is non-standard for parsing. It treats -k3s1
as an unknown qualifier that sorts after known ones (alpha, beta, rc, ga,
etc.), which breaks version matching.

The suffix is used in k3s because k3s pulls in its own fork of containerd. In
this case, all fixes associated with this vulnerability from upstream are also
mirrored in the k3s containerd fork. See below for details:

Fix commit in containerd from CVE advisory: containerd/containerd@7c59e8e

Verifying the same 4 file changes appear in https://github.com/k3s-io/containerd/tree/v2.1.5:

cmd/containerd/server/server.go
  https://github.com/k3s-io/containerd/blob/v2.1.5/cmd/containerd/server/server.go#L82-87
  https://github.com/k3s-io/containerd/blob/v2.1.5/cmd/containerd/server/server.go#L109
core/runtime/v2/task_manager.go
  https://github.com/k3s-io/containerd/blob/v2.1.5/core/runtime/v2/task_manager.go#L78-79
plugins/cri/runtime/plugin.go
  https://github.com/k3s-io/containerd/blob/v2.1.5/plugins/cri/runtime/plugin.go#L82-88
plugins/sandbox/controller.go
  https://github.com/k3s-io/containerd/blob/v2.1.5/plugins/sandbox/controller.go#L71-75

Relates: wolfi-dev/os#72115
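The commit message above states the failure mode in one sentence. The Go program below is added here as an illustration; it is not code from this PR, from Wolfi's tooling, from k3s or from any vulnerability scanner. NaiveCompare treats every hyphen suffix as a pre-release and ranks an unrecognised qualifier such as k3s after alpha, beta, rc and ga, so v2.1.5-k3s1 sorts below 2.1.5 and a "fixed in 2.1.5" check flags it. ForkAwareCompare instead reads the k3s suffix as a build of the upstream release and uses its number only as a tie-breaker, while still flagging an older fork build and a genuine rc pre-release. The qualifier list, the decision to treat k3s as a fork build tag, the fixed version 2.1.5 and every function name are assumptions of this example.

```go
package main

import (
	"cmp"
	"errors"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// Known pre-release qualifiers, ascending. NaiveCompare ranks any qualifier not listed here after all of them.
var knownQualifiers = []string{"alpha", "beta", "rc", "ga"}

// forkSuffix: the downstream qualifier ForkAwareCompare treats as a build of the upstream release (an assumption of this example).
const forkSuffix = "k3s"

type Version struct {
	Nums      [3]int
	Qualifier string // letters of the suffix ("rc", "k3s"); "" for a bare release
	QualNum   int    // trailing digits of the suffix (1 in "k3s1"); 0 if none
}

// ParseVersion accepts forms such as "v2.1.5", "2.1.5-rc1" and "v2.1.5-k3s1".
func ParseVersion(s string) (v Version, err error) {
	base, suffix, _ := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("want MAJOR.MINOR.PATCH, got %q", base)
	}
	for i, p := range parts {
		if v.Nums[i], err = strconv.Atoi(p); err != nil {
			return v, fmt.Errorf("bad numeric component %q in %q", p, s)
		}
	}
	// Split the suffix at its trailing digit run: "k3s1" -> ("k3s", 1).
	q := strings.TrimRight(suffix, "0123456789")
	v.Qualifier = strings.ToLower(q)
	v.QualNum, _ = strconv.Atoi(suffix[len(q):]) // "" -> 0; the error is expected there
	return v, nil
}

// QualifierRank: known qualifiers by list position, an unknown one after all of them, a bare release ("") last, i.e. newest.
func QualifierRank(q string) int {
	if i := slices.Index(knownQualifiers, q); i >= 0 {
		return i
	}
	if q == "" {
		return len(knownQualifiers) + 1
	}
	return len(knownQualifiers)
}

// NaiveCompare orders by numeric parts, then qualifier rank, then qualifier number, so any suffix sorts before the bare release.
func NaiveCompare(a, b Version) int {
	if c := slices.Compare(a.Nums[:], b.Nums[:]); c != 0 {
		return c
	}
	if c := cmp.Compare(QualifierRank(a.Qualifier), QualifierRank(b.Qualifier)); c != 0 {
		return c
	}
	return cmp.Compare(a.QualNum, b.QualNum)
}

// stripFork rewrites 2.1.5-k3s1 in place as upstream 2.1.5 and returns the fork build (1).
func stripFork(v *Version) (build int) {
	if v.Qualifier == forkSuffix {
		build, v.Qualifier, v.QualNum = v.QualNum, "", 0
	}
	return build
}

// ForkAwareCompare compares upstream parts first; the fork build number only breaks ties, so a fork build of the fixed release is not older than the fix.
func ForkAwareCompare(a, b Version) int {
	ab, bb := stripFork(&a), stripFork(&b)
	if c := NaiveCompare(a, b); c != 0 {
		return c
	}
	return cmp.Compare(ab, bb)
}

// IsAffected reports whether a scanner using compare would flag installed as older than fixedIn.
func IsAffected(installed, fixedIn string, compare func(a, b Version) int) (bool, error) {
	iv, err1 := ParseVersion(installed)
	fv, err2 := ParseVersion(fixedIn)
	if err := errors.Join(err1, err2); err != nil {
		return false, err
	}
	return compare(iv, fv) < 0, nil
}

func main() {
	for _, installed := range []string{"v2.1.5-k3s1", "v2.1.4-k3s1", "v2.1.5-rc1"} {
		naive, _ := IsAffected(installed, "2.1.5", NaiveCompare)
		aware, _ := IsAffected(installed, "2.1.5", ForkAwareCompare)
		fmt.Printf("%-12s vs fix 2.1.5: naive=%v fork-aware=%v\n", installed, naive, aware)
	}
}
```

Running it prints one line per sample version; only v2.1.5-k3s1 differs between the two comparators. The fork-aware form has to be limited to suffixes that are known to be downstream builds of an upstream release, since applying it to an arbitrary unknown qualifier would also clear genuine pre-releases. In this PR the mismatch was resolved on the advisory side, as a false-positive determination, rather than by changing any comparator.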
@catmsred
Member

Advisory PR: wolfi-dev/advisories#25404

catmsred added a commit to catmsred/advisories that referenced this pull request Nov 17, 2025
catmsred added a commit to catmsred/advisories that referenced this pull request Nov 17, 2025
github-merge-queue bot pushed a commit to wolfi-dev/advisories that referenced this pull request Nov 17, 2025

octo-sts bot commented Nov 17, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-hf79-qpx3-hh49 has the latest event type of "false-positive-determination": https://github.com/wolfi-dev/advisories/blob/main/k3s-1.33.advisories.yaml

ID:      CGA-hf79-qpx3-hh49
Package: k3s-1.33
Aliases: CVE-2024-25621 GHSA-pwhc-rpq9-4c8w
Events:
  - "scan/v1" at 2025-11-08 09:57:11 UTC
  - "false-positive-determination" at 2025-11-17 15:18:19 UTC
