Other then that, this release contains no other changes from 1.5.4.

The vulnerability is tracked in http://issue.k8s.io/43459.

**Who is affected?**

Only Kubernetes 1.5.0-1.5.4 installations that do all of the following:
* Enable the PodSecurityPolicy API (which is not enabled by default):

- Changed the API server so that for admission webhooks that have a URL matching the hostname 'localhost' or a loopback IP address, the connection supports HTTP/2 where it could be negotiated.
   ([#122558](https://github.com/kubernetes/kubernetes/pull/122558), [@linxiulei](https://github.com/linxiulei))

version kubectl's rolling update against a 1.4 cluster, it will fail, usually with an error message that will direct you here. If you saw that error, then don't worry, the operation succeeded except for the part where the new replication controller is renamed back to the old name. You can just do another rolling update using kubectl 1.4 or higher to change the name back: look for a replication controller that has the original name plus a random suffix.

Unfortunately, there is a much rarer second...