#kubernetes

### Impact Note: "Pebble" here refers to [Canonical's service manager](https://github.com/canonical/pebble), not the [Let's Encrypt ACME test server](https://github.com/letsencrypt/pebble). The API behind `pebble pull`, used to read files from the workload container by Juju charms, allows access from any user, instead of just admin. In Juju Kubernetes sidecar charms, Pebble and the charm run as root, so they have full access. But if another restricted unix user gains local access to the container host, they could hit the Pebble `GET /v1/files?action=read` API and would be allowed to read any file in the workload container, for example an ssh key or database password or other sensitive information. If there are ssh keys they could then potentially ssh into the workload, or if something like a database password they could log into the database. Note that this requires local user access to the host machine. It seems unlikely that an attacker could gain this level of access in a Juju Ku...

Red Hat Security Advisory 2024-1662-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include denial of service, information leakage, and memory leak vulnerabilities.

Red Hat Security Advisory 2024-1574-03 - Red Hat OpenShift Container Platform release 4.12.54 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-1572-03 - Red Hat OpenShift Container Platform release 4.12.54 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2024-1563-03 - Red Hat OpenShift Container Platform release 4.15.6 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-1561-03 - Red Hat build of MicroShift release 4.15.6 is now available with updates to packages and images that fix several bugs.

Red Hat Security Advisory 2024-1559-03 - Red Hat OpenShift Container Platform release 4.15.6 is now available with updates to packages and images that fix several bugs and add enhancements.

Debian Linux Security Advisory 5649-1 - Andres Freund discovered that the upstream source tarballs for xz-utils, the XZ-format compression utilities, are compromised and inject malicious code, at build time, into the resulting liblzma5 library.

Red Hat Security Advisory 2024-1570-03 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a denial of service vulnerability.

### Impact Users of [IPsec transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-ipsec/) in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to the following attacks by a man-in-the-middle attacker: - Chosen plaintext attacks - Key recovery attacks - Replay attacks These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks. **Important:** After upgrading, users must perform a key rotation using the instructions [here](https://docs.cilium.io/en/latest/security/network/encryption-ipsec/#key-rotation) to ensure that they are no longer vulnerable to this issue. Please note that the key rotation instructions have recently been updated, and users must use the new instructions to proper...