### CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

**Affected Versions**:
  - kubelet <= v1.28.0
  - kubelet <= v1.27.4

    - [Node Binaries](#node-binaries-16)
  - [Changelog since v1.18.0](#changelog-since-v1180)
  - [What’s New (Major Themes)](#whats-new-major-themes)
    - [Deprecation warnings](#deprecation-warnings)
    - [Avoiding permanent beta](#avoiding-permanent-beta)
    - [Expanded CLI support for debugging workloads and nodes](#expanded-cli-support-for-debugging-workloads-and-nodes)

  - Fix an error where existing nodes were not considered as destinations while finding place for pods in scale-down simulations
  - Remove redundant log lines and reduce severity around parsing kubeEnv
  - Don't treat nodes created by virtual kubelet as nodes from non-autoscaled node groups
  - Remove redundant logging around calculating node utilization
  - Add configurable `--network` and `--rm` flags for docker in `Makefile`

more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to be redirected to the API Server through its private network.

The merged fix enforces validation against the proxying address for a Node. In some cases, the fix can break clients that depend on the `nodes/proxy` subresource, specifically if a kubelet advertises a localhost...

    - [Workloads that saturate nodes with pods may see pods that fail due to node admission](#workloads-that-saturate-nodes-with-pods-may-see-pods-that-fail-due-to-node-admission)
    - [Etcd v3.5.[0-2] data corruption](#etcd-v350-2-data-corruption)
  - [Urgent Upgrade Notes](#urgent-upgrade-notes)

### CLI Improvements

### Node Binaries

filename | sha512 hash
-------- | -----------
[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.30.0/kubernetes-node-linux-amd64.tar.gz) | `e3e8f443a5397029a26a30852f47a9406dc17622638a7b03d37b384283880503af85d134d2a5dfdcfd7a0a5cb11eef8312b37dec77c90062e29d7e0ea1da6026`

    - [Client Binaries](#client-binaries-10)
    - [Server Binaries](#server-binaries-10)
    - [Node Binaries](#node-binaries-10)
- [Kubernetes v1.14 Release Notes](#kubernetes-v114-release-notes)
  - [1.14 What’s New](#114-whats-new)
  - [Known Issues](#known-issues-1)
  - [Urgent Upgrade Notes](#urgent-upgrade-notes)
    - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade)

[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.7.16/kubernetes-node-linux-arm64.tar.gz) | `87e768d59fd71a3a558ea5775bedec1f74f983af9a568ccec52f9394431db547`
[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.7.16/kubernetes-node-linux-ppc64le.tar.gz) | `cece0dddbe6cac79ccc5c490d3132a85f72a4da6daf3c88202ad864dff5c98aa`

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

**Affected Versions**:
  - kubelet >= v1.8.0

**Fixed Versions**: