-
Notifications
You must be signed in to change notification settings - Fork 29
docs: point CVE-2026-53359 at the Talos v1.13.6 kernel fix #602
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
da0b834
2e6346f
ebd8f09
8a84587
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -126,8 +126,12 @@ Discovered open port 50000/tcp on 192.168.123.13 | |
| - 10.96.0.0/16 | ||
| ``` | ||
|
|
||
| {{% alert title="Update Talos to v1.13.6 or newer (CVE-2026-53359)" color="warning" %}} | ||
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both are fixed in the kernel, and Talos v1.13.6 is the first release that carries both fixes — it ships Linux 6.18.38. If the image tag above resolves to an earlier release, set it to `v1.13.6` or newer. Nested virtualization stays enabled: the kernel fix removes the bug itself, so workloads that rely on nested virtualization keep working. | ||
| {{% /alert %}} | ||
|
Comment on lines
+129
to
+131
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win Clarify the nested-virtualization default. This alert still says nested virtualization stays enabled and that dependent workloads keep working, but the PR intent is to document the Cozystack Talos image default-disablement and the rebuild/re-enable path. Please reword it so readers don't miss the mitigation. 🤖 Prompt for AI Agents |
||
|
|
||
| {{% alert title="Do not change op: on these entries" color="warning" %}} | ||
| Talos rejects `op: create` for any file outside `/var`, returning the error `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and enters a reboot loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause. | ||
| Talos rejects `op: create` for any file outside `/var`, returning the error `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and enters a reboot loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause. | ||
| {{% /alert %}} | ||
|
|
||
| 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Clarify the nested-virtualization default.
This alert still says nested virtualization stays enabled and that dependent workloads keep working, but the PR intent is to document the Cozystack Talos image default-disablement and the rebuild/re-enable path. Please reword it so readers don't miss the mitigation.
🤖 Prompt for AI Agents