### CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API

A security vulnerability has been discovered in Kubernetes windows nodes
that could allow a user with the ability to query a node's '/logs' endpoint
to execute arbitrary commands on the host.

**Affected Versions**:
  - kubelet <= v1.29.12
  - kubelet <= v1.30.8
  - kubelet <= v1.31.4
  - kubelet = v1.32.0

    - `extensions/v1beta1/daemonsets=true,extensions/v1beta1/deployments=true,extensions/v1beta1/replicasets=true,extensions/v1beta1/networkpolicies=true,extensions/v1beta1/podsecuritypolicies=true`

    The ability to serve these resources will be completely removed in v1.18. ([#70672](https://github.com/kubernetes/kubernetes/pull/70672), [@liggitt](https://github.com/liggitt))

### Bug or Regression

- Add `/sys/devices/virtual/powercap` to default masked paths. It avoids the potential security risk that the ability to read these files may offer a power-based sidechannel attack against any workloads running on the same kernel. ([#125970](https://github.com/kubernetes/kubernetes/pull/125970), [@carlory](https://github.com/carlory)) [SIG Node]

- Adds the ability to pass --strict-transport-security-directives to the kube-apiserver to set the HSTS header appropriately.  Be sure you understand the consequences to browsers before setting this field. ([#96502](https://github.com/kubernetes/kubernetes/pull/96502),...

   * its capacity threshold.
   *
   * The Least Recently Used page replacement algorithm was chosen due to its simplicity, high hit
   * rate, and ability to be implemented with O(1) time complexity. The initial LRU implementation
   * operates per-segment rather than globally for increased implementation simplicity. We expect

## Changelog since v1.32.0

## Urgent Upgrade Notes 

### (No, really, you MUST read this before you upgrade)

### CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API

A security vulnerability has been discovered in Kubernetes windows nodes
that could allow a user with the ability to query a node's '/logs' endpoint
to execute arbitrary commands on the host.

**Affected Versions**:
  - kubelet <= v1.29.12
  - kubelet <= v1.30.8
  - kubelet <= v1.31.4
  - kubelet = v1.32.0

### Documentation

- Kubectl describe, get, drain and events have the ability to set chunk-size using --chunk-size flag, which is now officially stable. ([#134481](https://github.com/kubernetes/kubernetes/pull/134481), [@soltysh](https://github.com/soltysh)) [SIG CLI]

### Bug or Regression

{\n    font-size: 16px;\n    font-weight: 600;\n    margin: 0;\n    padding: 0;\n  }\n\n  > .description-text {\n    text-transform: uppercase;\n  }\n\n  // Description Block Extension\n  .description-icon {\n    font-size: 16px;\n  }\n}\n\n// List utility classes\n.list-group-unbordered {\n  > .list-group-item {\n    border-left: 0;\n    border-radius: 0;\n    border-right: 0;\n    padding-left: 0;\n    padding-right: 0;\n  }\n}\n\n.list-header {\n  color: $gray-600;\n  font-size: 15px;\n  font-weight:...

the compatibility guarantee ensures that a Go program that works with a
specific Go language version will continue to work with any subsequent version.
</p>

<p>
For instance, the ability to use the prefix <code>0b</code> for binary
integer literals was introduced with Go 1.13, indicated
by [<a href="#Go_1.13">Go 1.13</a>] in the section on
<a href="#Integer_literals">integer literals</a>.