- github.com/moby/docker-image-spec: [v1.3.1](https://github.com/moby/docker-image-spec/tree/v1.3.1)
- github.com/moby/sys/user: [v0.3.0](https://github.com/moby/sys/tree/user/v0.3.0)
- github.com/moby/sys/userns: [v0.1.0](https://github.com/moby/sys/tree/userns/v0.1.0)
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.27.0

### Changed
- cel.dev/expr: v0.15.0 → v0.18.0

 *  **OkHttp no longer attempts a direct connection if the system's HTTP proxy fails.** This
    behavior was surprising because OkHttp was disregarding the user's specified configuration. If
    you need to customize proxy fallback behavior, implement your own `java.net.ProxySelector`.

 *  Fix: Support TLSv1.3 on devices that support it.

- **Node**
  - [alpha] Added ability to preserve access to host userns when userns remapping is enabled in container runtime ([kubernetes/features#127](https://github.com/kubernetes/enhancements/issues/127))

			if _, ok := cleanQ.Users[user]; !ok {
				cleanQ.Users[user] = nil
			}
		}

		// Validate and normalize groups.
		for _, group := range q.Groups {
			lookupRes, underDN, _ := sys.LDAPConfig.GetValidatedGroupDN(nil, group)
			if lookupRes != nil && underDN {
				cleanQ.Groups.Add(lookupRes.NormDN)
			}
		}
	} else {
		for _, user := range q.Users {
			info, err := sys.store.GetUserInfo(user)

        .url(server.url("/"))
        .head()
        .header("User-Agent", "SyncApiTest")
        .build()
    executeSynchronously(request)
      .assertCode(200)
      .assertHeader("Content-Type", "text/plain")
    val recordedRequest = server.takeRequest()
    assertThat(recordedRequest.method).isEqualTo("HEAD")
    assertThat(recordedRequest.headers["User-Agent"]).isEqualTo("SyncApiTest")

- Missing directories listed in a user's PATH are no longer considered errors and are instead logged by the `kubectl plugin list` command when listing available plugins. ([#73542](https://github.com/kubernetes/kubernetes/pull/73542), [@juanvallejo](https://github.com/juanvallejo))
- Now users can get object info like:

  ```bash

        </field>
        <field>
          <name>notifiers</name>
          <version>4.0.0+</version>
          <description>Configuration for notifying developers/users when a build is unsuccessful,
            including user information and notification mode.</description>
          <association>
            <multiplicity>*</multiplicity>
            <type>Notifier</type>
          </association>

Some notable changes in kubeadm since Kubernetes 1.12:

* `kubectl create rolebinding` and `kubectl create clusterrolebinding` invocations must be updated to  specify multiple subjects as repeated  `--user`, `--group`, or `--serviceaccount` arguments instead of comma-separated arguments to a single `--user`, `--group`, or `--serviceaccount`.  E.g. `--user=x,y` must become `--user x --user y`  ([#43903](https://github.com/kubernetes/kubernetes/pull/43903), [@xilabao](https://github.com/xilabao))


### kubeadm

### CVE-2024-5321: Incorrect permissions on Windows containers logs

A security issue was discovered in Kubernetes clusters with Windows nodes
where BUILTIN\Users may be able to read container logs and NT
AUTHORITY\Authenticated Users may be able to modify container logs.

**Affected Versions**:
  - kubelet <= 1.27.15
  - kubelet <= 1.28.11
  - kubelet <= 1.29.6
  - kubelet <= 1.30.2