- Leaked File descriptors ([#275](https://github.com/docker/containerd/issues/275))
    - Additional memory overhead per container ([#21737]((https://github.com/docker/docker/issues/21737))
  * Docker version 1.12.1 [has been validated](https://github.com/kubernetes/kubernetes/issues/28698) through the Kubernetes docker automated validation framework as has Docker version 1.12.3

pkg crypto/rsa, func VerifyPKCS1v15(*PublicKey, crypto.Hash, []uint8, []uint8) error
pkg crypto/rsa, method (*PrivateKey) Precompute()
pkg crypto/rsa, method (*PrivateKey) Validate() error
pkg crypto/rsa, type CRTValue struct
pkg crypto/rsa, type CRTValue struct, Coeff *big.Int
pkg crypto/rsa, type CRTValue struct, Exp *big.Int
pkg crypto/rsa, type CRTValue struct, R *big.Int

hash.Write(label) lHash := hash.Sum(nil) firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0) seed := em[1 : hash.Size()+1] db := em[hash.Size()+1:] mgf1XOR(seed, mgfHash, db) mgf1XOR(db, mgfHash, seed) lHash2 := db[0:hash.Size()] // We have to validate the plaintext in constant time in order to avoid // attacks like: J. Manger. A Chosen Ciphertext Attack on RSA Optimal // Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 // v2.0. In J. Kilian, editor, Advances in Cryptology. lHash2Good...

Boolean(SAFE_URL_PATTERN.test(attr.nodeValue) || DATA_URL_PATTERN.test(attr.nodeValue))\n    }\n\n    return true\n  }\n\n  const regExp = allowedAttributeList.filter(attrRegex => attrRegex instanceof RegExp)\n\n  // Check if a regular expression validates the attribute.\n  for (let i = 0, len = regExp.length; i < len; i++) {\n    if (regExp[i].test(attrName)) {\n      return true\n    }\n  }\n\n  return false\n}\n\nexport function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {\n  if (unsafeHtml.length...

- `ValidateVolumeAttributesClassUpdate` also validates new VolumeAttributesClass object. ([#122449](https://github.com/kubernetes/kubernetes/pull/122449), [@carlory](https://github.com/carlory))

### Other (Cleanup or Flake)

rCase()\n\n  if (allowedAttributeList.includes(attributeName)) {\n    if (uriAttributes.has(attributeName)) {\n      return Boolean(SAFE_URL_PATTERN.test(attribute.nodeValue))\n    }\n\n    return true\n  }\n\n  // Check if a regular expression validates the attribute.\n  return allowedAttributeList.filter(attributeRegex => attributeRegex instanceof RegExp)\n    .some(regex => regex.test(attributeName))\n}\n\nexport function sanitizeHtml(unsafeHtml, allowList, sanitizeFunction) {\n  if (!unsafeHtml.length)...

    e.g., setting the environment variable `TF_ENABLE_MKL_NATIVE_FORMAT` will
    not have any effect.

*   TensorFlow has been validated on Windows Subsystem for Linux 2 (aka WSL 2)
    for both GPUs and CPUs.

*   Due to security issues (see section below), all boosted trees code has been
    deprecated. Users should switch to

- The list of validated docker versions remains unchanged.
  - The current list is 1.13.1, 17.03, 17.06, 17.09, 18.06, 18.09. ([#72823](https://github.com/kubernetes/kubernetes/pull/72823), [#72831](https://github.com/kubernetes/kubernetes/pull/72831))

## External Dependencies
* The supported etcd server version is 3.1.12, as compared to 3.1.10 in v1.9 ([#60998](https://github.com/kubernetes/kubernetes/pull/60998))
* The validated docker versions are the same as for v1.9: 1.11.2 to 1.13.1 and 17.03.x ([ref](https://github.com/kubernetes/kubernetes/blob/release-1.10/test/e2e_node/system/docker_validator_test.go))

Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to be redirected to the API Server through its private network.