}

	pr, pw := xioutil.WaitPipe()
	go func() {
		pw.CloseWithError(er.getObjectWithFileInfo(ctx, bucket, object, off, length, pw, fi, metaArr, onlineDisks))
	}()

	// Cleanup function to cause the go routine above to exit, in
	// case of incomplete read.
	pipeCloser := func() {
		pr.CloseWithError(nil)
	}

	if !unlockOnDefer {
		return fn(pr, h, pipeCloser, nsUnlocker)
	}

popper's position offsets rounded\n *\n * The tale of pixel-perfect positioning. It's still not 100% perfect, but as\n * good as it can be within reason.\n * Discussion here: https://github.com/FezVrasta/popper.js/pull/715\n *\n * Low DPI screens cause a popper to be blurry if not using full pixels (Safari\n * as well on High DPI screens).\n *\n * Firefox prefers no rounding for positioning and does not have blurriness on\n * high DPI screens.\n *\n * Only horizontal placement and left/right values...

* fixes spurious "meaningful conflict" error encountered by nodes attempting to update status, which could cause them to be considered unready ([#66171](https://github.com/kubernetes/kubernetes/pull/66171), [@liggitt](https://github.com/liggitt))

  - [Changelog since v1.25.0](#changelog-since-v1250)
  - [Important Security Information](#important-security-information-4)
    - [CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)](#cve-2022-3172-aggregated-api-server-can-cause-clients-to-be-redirected-ssrf)
  - [Changes by Kind](#changes-by-kind-14)
    - [API Change](#api-change-3)
    - [Feature](#feature-13)
    - [Bug or Regression](#bug-or-regression-14)

			cancelCause(nil)
		}()
		send := func(oi ObjectInfo) bool {
			select {
			case results <- itemOrErr[ObjectInfo]{Item: oi}:
				return true
			case <-ctx.Done():
				sendErr(context.Cause(ctx))
				return false
			}
		}
		for entry := range merged {
			if opts.LatestOnly {
				fi, err := entry.fileInfo(bucket)
				if err != nil {
					sendErr(err)
					return
				}

		userType = svcUser
	} else if cred.IsTemp() {
		userType = stsUser
	}
	ui := newUserIdentity(cred)
	// Overwrite the user identity here. As store should be
	// atomic, it shouldn't cause any corruption.
	if err := store.saveUserIdentity(ctx, cred.AccessKey, userType, ui); err != nil {
		return err
	}

	return cache.updateUserWithClaims(cred.AccessKey, ui)
}

### CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API

A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.

**Affected Versions**:
  - kubelet kubelet v1.30.0 to v1.30.9
  - kubelet v1.31.0 to v1.31.5
  - kubelet v1.32.0 to v1.32.1

**Fixed Versions**:

## Changes by Kind

### API Change

- Fixes a 1.33 regression that can cause a nil panic in kube-scheduler when aggregating resource requests across container's spec and status. ([#133285](https://github.com/kubernetes/kubernetes/pull/133285), [@yue9944882](https://github.com/yue9944882)) [SIG Node and Scheduling]

- The pause image upgraded to `v3.4.1` in kubelet and kubeadm for both Linux and Windows. ([#98205](https://github.com/kubernetes/kubernetes/pull/98205), [@pacoxu](https://github.com/pacoxu))

          assertThat(bytes.read()).isEqualTo('a'.code)
          assertThat(bytes.read()).isEqualTo('b'.code)
          assertThat(bytes.read()).isEqualTo('c'.code)

          // This request will share a connection with 'A' cause it's all done.
          client.newCall(Request.Builder().url(server.url("/b")).build()).enqueue(callback)
        }
      },
    )
    callback.await(server.url("/b")).assertCode(200).assertBody("def")