[$] Handling the Kubernetes symbolic link vulnerability

Post Syndicated from jake original https://lwn.net/Articles/775182/rss

A year-old bug in Kubernetes was the topic of a talk given by Michelle Au
and Jan Šafránek at KubeCon + CloudNativeCon North America, which was held
mid-December in Seattle. In the talk, they looked at the details of the bug
and the response from the Kubernetes product security team (PST). While the
bug was fairly straightforward, it was surprisingly hard to fix. The whole
process also provided experience that will help improve vulnerability
handling in the future.