PyPi: Kfp-Tekton

CVE-2022-27664

Transitive

Safety vulnerability ID: 58677

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 06, 2022
Updated at Nov 29, 2024

Advisory

Kfp-tekton 1.6.5 updates its 'kfp' dependency to v1.8.20 to address Kubernetes vulnerabilities.

Affected package

kfp-tekton

Latest version: 1.9.3

Tekton Compiler for Kubeflow Pipelines

Affected versions

Fixed versions

Vulnerability changelog

- Support Tekton 0.47.0 and Openshift pipelines v1.10
- Support Kustomize v5 for deployment manifests.
- Deployment images moved to quay.io
- Scheduled workflow now can store Tekton metadata
- Updated metadata writer dependencies to ml-metadata 1.5.0 with LRU cache
- Move Tekton default status setting to minimal
- Address Tekton minimal status migration for anysequencer and persistent agent
- Added new way to opt-out metadata tracking at pipeline level
- Drop Python 3.7 support
- Bug patch and performance enhancement.

What's Changed
* fix(backend): Add the permissions to access customruns by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1161
* Chore(backend) update kube and python dependency for backend by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1162
* Chore(release): Add 1.6.1 release patch by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1165
* chore(sdk): update package dependency source by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1166
* fix(backend): proper handle customrun status by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1167
* chore(manifests): Update embedded status to minimal by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1168
* fix(test): call kfp api instead of kube api by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1171
* Fix(any-sequencer): Make any sequencer able to detect child reference status by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1172
* chore(manifests): upgrade mysql image to kfp v2 standards for cves mitigation by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1175
* chore(cleanup): Remove unnecessary cloud build files from google and travis by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1178
* feat(sdk): make metadata component spec gen flag configurable on pipeline level by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1177
* fix(sdk): fix v1 api sdk client package bug by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1179
* fix(sdk): fix v1 api package typo by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1180
* chore(release): Add 1.6.2 backend release, 1.6.3 sdk release by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1184
* chore(docs): Update docs on custom task parameters by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1187
* fix(sdk): Update aipipeline images to quay by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1186
* fix(test): update toolchain image/script by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1189
* chore(tekton-catalog): Remove legacy v1alpha1 condition since it is no longer supported by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1188
* fix(test): fix typo in the toolchain task by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1190
* feat(manifests): use kustomize v5 by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1194
* fix(backend): Fix metadata writer dependencies by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1193
* fix(test): update GH action and toolchain task by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1195
* chore(release): Add 1.6.3 backend and 1.6.4 sdk release by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1196
* chore(docs): Update kfp-tekton openshift instruction to also include Tekton SCC by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1197
* fix(sdk): Remove print statement for compiler to reduce log size by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1198
* fix(test): enhance build scripts by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1200
* feat(CI): Create periodic codeql code scan to detect possible static bugs by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1201
* fix(deps): Tekton 0.44.2 patch and dependencies update by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1202
* chore(release): Add backend 1.6.4 release by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1203
* chore(cleanup): Remove deprecated api directory by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1204
* chore(samples): Remove deprecated samples by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1205
* fix(sdk): Update sdk to 1.6.5 with new kfp 1.8.20 to address kubernetes cves by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1206
* fix(python): Remove python 3.7 support by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1207
* chore(samples): Update data passing samples to a more meaningful folder by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1209
* chore(deps): Update go deps to fix high cves by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1210
* fix(backend): Use childReference instead of taskRuns by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1211
* chore(manifests): update mysql log config to align with upstream by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1212
* chore(requirements.txt): Remove unused lock files to better scan security vulnerability by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1213
* chore(release): Add backend 1.6.5 release by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1214
* feat(backend): Update backend to support Tekton 0.47 by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1215
* fix(backend): Fix integration test template object bugs by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1216
* chore(docs): Remove inactive community links by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1218
* fix(test): update ibmcloud command by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1217
* feat(manifest): Add openshift pipelines kustomize integration by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1220
* fix(backend): add license files by yhwang in https://github.com/kubeflow/kfp-tekton/pull/1222
* feat(backend): Add metadata field to scheduled workflow by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1221
* fix(backend): Fix global cache flag by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1224
* fix(manifests): fix unsaved kustomization.yaml for openshift pipelines by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1229
* feat(manifests): opt-out sidecar injection feature flag to increase performance by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1230
* fix(sdk): Update kfp version to fix appengine bug by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1235
* fix(sdk): Update wait_for_run_completion function to handle tekton status; by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1234
* chore(release): Add 1.6.6-backend release by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1236
* chore(release): Add KFP-Tekton 1.7.0 release files by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1237
* fix(manifests): Update manifests to make it work on both k8s and openshift by Tomcli in https://github.com/kubeflow/kfp-tekton/pull/1239
**Full Changelog**: https://github.com/kubeflow/kfp-tekton/compare/v1.6.0...v1.7.0


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Impact (A)
HIGH