- Fixed NetworkPolicy validation that `Except` values are accepted when they are outside the CIDR range. ([#86578](https://github.com/kubernetes/kubernetes/pull/86578), [@tnqn](https://github.com/tnqn)) [SIG Network]

- Fixed bug which caused the status of Indexed Jobs to only be updated when there are newly completed indexes. The completed indexes are now updated if the .status.completedIndexes has values outside of the [0, .spec.completions> range ([#115462](https://github.com/kubernetes/kubernetes/pull/115462), [@danielvegamyhre](https://github.com/danielvegamyhre)) [SIG Apps]

- Added a flag to kubectl version to detect whether a client/server version mismatch was outside the officially supported range. ([#127365](https://github.com/kubernetes/kubernetes/pull/127365), [@omerap12](https://github.com/omerap12))

### CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

A security issue was discovered in Kubernetes where a user may be able to
create a container with subpath volume mounts to access files &
directories outside of the volume, including on the host filesystem.

**Affected Versions**:
  - kubelet v1.22.0 - v1.22.1
  - kubelet v1.21.0 - v1.21.4
  - kubelet v1.20.0 - v1.20.10
  - kubelet <= v1.19.14

	//
	//	LMOVW fpscr ',' freg
	//	{
	//		outcode(int($1), &$2, 0, &$4);
	//	}
	MOVW	FCR0, R1

	//	LMOVW freg ','  fpscr
	//	{
	//		outcode(int($1), &$2, 0, &$4);
	//	}
	MOVW	R1, FCR0

	//	LMOVW rreg ',' mreg
	//	{
	//		outcode(int($1), &$2, 0, &$4);
	//	}
	MOVW	R1, M1
	MOVW	R1, M1

	//	LMOVW mreg ',' rreg
	//	{
	//		outcode(int($1), &$2, 0, &$4);
	//	}
	MOVW	M1, R1

### CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

A security issue was discovered in Kubernetes where a user may be able to
create a container with subpath volume mounts to access files &
directories outside of the volume, including on the host filesystem.

**Affected Versions**:
  - kubelet v1.22.0 - v1.22.1
  - kubelet v1.21.0 - v1.21.4
  - kubelet v1.20.0 - v1.20.10
  - kubelet <= v1.19.14

// LTYPEI spec7	{ outcode($1, &$2); }
	IMULB	DX
	IMULW	DX, BX
	IMULL	R11, R12
	IMULQ	foo+4(SB), R11

// LTYPEXC spec8	{ outcode($1, &$2); }
	CMPPD	X1, X2, 4
	CMPPD	foo+4(SB), X2, 4

// LTYPEX spec9	{ outcode($1, &$2); }
	PINSRW	$4, AX, X2
	PINSRW	$4, foo+4(SB), X2

// LTYPERT spec10	{ outcode($1, &$2); }
	JCS	2(PC)
	RETFL	$4

// Was bug: LOOP is a branch instruction.
	JCS	2(PC)
loop:

TEXT foo(SB), DUPOK|NOSPLIT, $0

// LTYPE1 nonrem	{ outcode(int($1), &$2); }
	SETCC	AX
	SETCC	foo+4(SB)

// LTYPE2 rimnon	{ outcode(int($1), &$2); }
	DIVB	AX
	DIVB	foo+4(SB)
	PUSHL	$foo+4(SB)
	POPL		AX

// LTYPE3 rimrem	{ outcode(int($1), &$2); }
	SUBB	$1, AX
	SUBB	$1, foo+4(SB)
	SUBB	BX, AX
	SUBB	BX, foo+4(SB)

// LTYPE4 remrim	{ outcode(int($1), &$2); }
	CMPB	AX, $1
	CMPB	foo+4(SB), $4

//	LMOVH rreg ',' rreg
//	{
//		outcode(int($1), &$2, 0, &$4);
//	}
	MOVH	R16, R27	// 0010dc00001bdc03
	MOVHU	R1, R3		// 3023ffff

//	LMOVB rreg ',' rreg
//	{
//		outcode(int($1), &$2, 0, &$4);
//	}
	MOVB	R8, R9		// 00084e0000094e03
	MOVBU	R12, R17	// 319100ff

//	LMOVV addr ',' rreg
//	{
//		outcode(int($1), &$2, 0, &$4);
//	}
	MOVV	foo<>+3(SB), R2

                File outFile = fvd.relativePath.replaceLastName(newFileName).getFile(destDir)
                outFile.parentFile.mkdirs()

                execOps.javaexec {
                    mainClass.set(XslTransformer.name)
                    args(stylesheetFile.absolutePath)
                    args(fvd.file.absolutePath)
                    args(outFile.absolutePath)