### CVE-2022-3162: Unauthorized read of Custom Resources

A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.

**Affected Versions**:
  - kube-apiserver v1.25.0 - v1.25.3

    - [Container Images](#container-images-15)
  - [Changelog since v1.32.0-alpha.3](#changelog-since-v1320-alpha3)
  - [Urgent Upgrade Notes](#urgent-upgrade-notes-1)
    - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade)
  - [Changes by Kind](#changes-by-kind-14)
    - [Deprecation](#deprecation-1)
    - [API Change](#api-change-5)
    - [Feature](#feature-10)

- Fixed a bug in the JSON frame reader that could cause it to retain a reference to the underlying array of the byte slice passed to read. ([#123620](https://github.com/kubernetes/kubernetes/pull/123620), [@benluddy](https://github.com/benluddy))

### CVE-2022-3162: Unauthorized read of Custom Resources

A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.

**Affected Versions**:
  - kube-apiserver v1.25.0 - v1.25.3

pkg debug/dwarf, const TagSkeletonUnit Tag
pkg debug/dwarf, method (*Data) AddSection(string, []uint8) error
pkg debug/dwarf, method (*LineReader) Files() []*LineFile
pkg debug/dwarf, method (*Reader) ByteOrder() binary.ByteOrder
pkg encoding/asn1, const TagBMPString = 30
pkg encoding/asn1, const TagBMPString ideal-int
pkg encoding/json, method (*Decoder) InputOffset() int64
pkg go/build, type Context struct, Dir string

- Containers which specify a `startupProbe` but not a `readinessProbe` were previously considered "ready" before the `startupProbe` completed, but are now considered "not-ready". ([#92196](https://github.com/kubernetes/kubernetes/pull/92196), [@thockin](https://github.com/thockin)) [SIG Node]

    - [Additional Notable Feature Updates](#additional-notable-feature-updates)
  - [Known Issues](#known-issues)
  - [Urgent Upgrade Notes](#urgent-upgrade-notes)
    - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade)
      - [API Machinery](#api-machinery)
      - [Apps](#apps)
      - [Auth](#auth)
      - [AWS](#aws)
      - [Azure](#azure)
      - [CLI](#cli)

  <mime-type type="application/vnd.nokia.pcd+wbxml"/>
  <mime-type type="application/vnd.nokia.pcd+xml"/>
  <mime-type type="application/vnd.nokia.radio-preset">
    <glob pattern="*.rpst"/>
  </mime-type>
  <mime-type type="application/vnd.nokia.radio-presets">
    <glob pattern="*.rpss"/>
  </mime-type>
  <mime-type type="application/vnd.novadigm.edm">
    <glob pattern="*.edm"/>
  </mime-type>

*   Taint key `unreachable` is now in GA.
*   Taint key `notReady` is changed to `not-ready`, and is also now in GA.
*   These changes are automatically updated for taints. Tolerations for these taints must be updated manually. Specifically, you must:
    *   Change `node.alpha.kubernetes.io/notReady` to `node.kubernetes.io/not-ready`
    *   Change `node.alpha.kubernetes.io/unreachable` to  `node.kubernetes.io/unreachable`

pkg bufio, const MaxScanTokenSize ideal-int
pkg bufio, func NewScanner(io.Reader) *Scanner
pkg bufio, func ScanBytes([]uint8, bool) (int, []uint8, error)
pkg bufio, func ScanLines([]uint8, bool) (int, []uint8, error)
pkg bufio, func ScanRunes([]uint8, bool) (int, []uint8, error)
pkg bufio, func ScanWords([]uint8, bool) (int, []uint8, error)
pkg bufio, method (*Reader) WriteTo(io.Writer) (int64, error)
pkg bufio, method (*Scanner) Bytes() []uint8