[AUTO-CHERRYPICK] [Medium] Patch CVE-2020-8565 to fix local-path-provisioner - branch 3.0-dev (#13038)

CBL-Mariner-Bot · archana25-ms · web-flow · commit a25f92c1cd1a · 2025-03-26T20:02:56.000-04:00
Co-authored-by: Archana Shettigar &lt;v-shettigara@microsoft.com&gt;
diff --git a/SPECS/local-path-provisioner/CVE-2020-8565.patch b/SPECS/local-path-provisioner/CVE-2020-8565.patch
@@ -0,0 +1,26 @@
+From 0e2a9c6cdbf88b5f4ec393d9e8794866bd2e7f17 Mon Sep 17 00:00:00 2001
+From: archana25-ms <v-shettigara@microsoft.com>
+Date: Wed, 12 Feb 2025 09:32:34 +0000
+Subject: [PATCH] Address CVE-2020-8565
+
+Source link: https://github.com/kubernetes/kubernetes/pull/95316
+
+---
+ vendor/k8s.io/client-go/transport/round_trippers.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/vendor/k8s.io/client-go/transport/round_trippers.go b/vendor/k8s.io/client-go/transport/round_trippers.go
+index a05208d..f4cfadb 100644
+--- a/vendor/k8s.io/client-go/transport/round_trippers.go
++++ b/vendor/k8s.io/client-go/transport/round_trippers.go
+@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string {
+ 	headers := ""
+ 	for key, values := range r.RequestHeaders {
+ 		for _, value := range values {
++			value = maskValue(key, value)
+ 			headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
+ 		}
+ 	}
+-- 
+2.45.2
+
diff --git a/SPECS/local-path-provisioner/local-path-provisioner.spec b/SPECS/local-path-provisioner/local-path-provisioner.spec
@@ -1,7 +1,7 @@
 Summary:        Provides a way for the Kubernetes users to utilize the local storage in each node
 Name:           local-path-provisioner
 Version:        0.0.24
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        ASL 2.0
 URL:            https://github.com/rancher/local-path-provisioner
 Group:          Applications/Text
@@ -12,6 +12,7 @@ Source0:        https://github.com/rancher/%{name}/archive/refs/tags/v%{version}
 Patch0:         CVE-2023-45288.patch
 Patch1:         CVE-2023-39325.patch
 Patch2:         CVE-2023-44487.patch
+Patch3:		CVE-2020-8565.patch
 BuildRequires: golang
 
 %description
@@ -32,9 +33,13 @@ install local-path-provisioner %{buildroot}%{_bindir}/local-path-provisioner
 %{_bindir}/local-path-provisioner
 
 %changelog
+* Wed Mar 05 2025 Archana Shettigar <v-shettigara@microsoft.com> - 0.0.24-5
+- Address CVE-2020-8565
+
 * Tue Mar 04 2025 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 0.0.24-4
 * Address CVE-2023-44487
 
+
 * Fri Feb 14 2025 Kanishk Bansal <kanbansal@microsoft.com> - 0.0.24-3
 - Address CVE-2023-45288, CVE-2023-39325
 
