pkg syscall (netbsd-arm64-cgo), const EFTYPE = 79
pkg syscall (netbsd-arm64-cgo), const EFTYPE Errno
pkg syscall (netbsd-arm64-cgo), const EHOSTDOWN = 64
pkg syscall (netbsd-arm64-cgo), const EHOSTUNREACH = 65
pkg syscall (netbsd-arm64-cgo), const EIDRM = 82
pkg syscall (netbsd-arm64-cgo), const EILSEQ = 85
pkg syscall (netbsd-arm64-cgo), const EINPROGRESS = 36
pkg syscall (netbsd-arm64-cgo), const EINTR = 4

### Cloud Providers

* Azure: Container permissions for provisioned volumes have changed to private. If you have existing Azure volumes that were created by Kubernetes v1.6.0-v1.6.5, you should change the permissions on them manually. ([#47605](https://github.com/kubernetes/kubernetes/pull/47605), [@brendandburns](https://github.com/brendandburns))

}

func testAPIPutObjectStreamSigV4Handler(obj ObjectLayer, instanceType, bucketName string, apiRouter http.Handler,
	credentials auth.Credentials, t *testing.T,
) {
	objectName := "test-object"
	bytesDataLen := 65 * humanize.KiByte
	bytesData := bytes.Repeat([]byte{'a'}, bytesDataLen)
	oneKData := bytes.Repeat([]byte("a"), 1*humanize.KiByte)

	var err error

	type streamFault int
	const (
		None streamFault = iota

  - kube-apiserver v1.24.8
  - kube-apiserver v1.23.14
  - kube-apiserver v1.22.16

This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit


**CVSS Rating:** Medium (6.5) [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

### CVE-2022-3294: Node address isn't always verified when proxying

  - kube-apiserver v1.24.8
  - kube-apiserver v1.23.14
  - kube-apiserver v1.22.16

This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit


**CVSS Rating:** Medium (6.5) [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

### CVE-2022-3294: Node address isn't always verified when proxying

  - kube-apiserver <= v1.24.14

**Fixed Versions**:
  - kube-apiserver v1.27.3
  - kube-apiserver v1.26.6
  - kube-apiserver v1.25.11
  - kube-apiserver v1.24.15


**CVSS Rating:** Medium (6.5) [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)

## Changes by Kind

### Feature

- Updates the following images to pick up CVE fixes:
  - `debian` to v1.8.0
  - `debian-iptables` to v1.6.5
  - `setcap` to v2.0.3 ([#103235](https://github.com/kubernetes/kubernetes/pull/103235), [@thejoycekung](https://github.com/thejoycekung)) [SIG API Machinery, Release and Testing]

### Bug or Regression

  - kube-apiserver <= v1.24.14

**Fixed Versions**:
  - kube-apiserver v1.27.3
  - kube-apiserver v1.26.6
  - kube-apiserver v1.25.11
  - kube-apiserver v1.24.15


**CVSS Rating:** Medium (6.5) [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)

## Changes by Kind

### Feature

  - kube-apiserver v1.20.6
  - kube-apiserver v1.19.10
  - kube-apiserver v1.18.18

This vulnerability was reported by Rogerio Bastos & Ari Lima from RedHat


**CVSS Rating:** Medium (6.5) [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)

## Changes by Kind

### API Change

*testing.B) { // IG 10.3.A says "ML-DSA digital signature generation CASTs should cover // all applicable rejection sampling loop paths". For ML-DSA-44, there are // four paths. For ML-DSA-65 and ML-DSA-87, only three. This benchmark helps // us figure out which is faster: four rejections of ML-DSA-44, or three of // ML-DSA-65. (It's the former, but only barely.) b.Run("ML-DSA-44", func(b *testing.B) { // Same as TestACVPRejectionKAT/Test/Path/ML-DSA-44/1. seed := fromHex("5C624FCC1862452452D0") μ := fro...