* kubectl cp now safely allows unpacking of symlinks that may point outside the destination directory ([#82384](https://github.com/kubernetes/kubernetes/pull/82384), [@tallclair](https://github.com/tallclair))

- Fixed NetworkPolicy validation that `Except` values are accepted when they are outside the CIDR range. ([#86578](https://github.com/kubernetes/kubernetes/pull/86578), [@tnqn](https://github.com/tnqn)) [SIG Network]

   * loading, or expired. Unlike {@link Segment#getLiveValue} this method does not attempt to clean
   * up stale entries. As such it should only be called outside a segment context, such as during
   * iteration.
   */
  @CheckForNull
  V getLiveValue(ReferenceEntry<K, V> entry, long now) {
    if (entry.getKey() == null) {
      return null;
    }

-outline-primary:not(:disabled):not(.disabled):active, .btn-outline-primary:not(:disabled):not(.disabled).active,\n.show > .btn-outline-primary.dropdown-toggle {\n  color: #fff;\n  background-color: #007bff;\n  border-color: #007bff;\n}\n\n.btn-outline-primary:not(:disabled):not(.disabled):active:focus, .btn-outline-primary:not(:disabled):not(.disabled).active:focus,\n.show > .btn-outline-primary.dropdown-toggle:focus {\n  box-shadow: 0 0 0 0.2rem rgba(0, 123, 255, 0.5);\n}\n\n.btn-outline-secondary...

### CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

A security issue was discovered in Kubernetes where a user may be able to
create a container with subpath volume mounts to access files &
directories outside of the volume, including on the host filesystem.

**Affected Versions**:
  - kubelet v1.22.0 - v1.22.1
  - kubelet v1.21.0 - v1.21.4
  - kubelet v1.20.0 - v1.20.10
  - kubelet <= v1.19.14

// LTYPEI spec7	{ outcode($1, &$2); }
	IMULB	DX
	IMULW	DX, BX
	IMULL	R11, R12
	IMULQ	foo+4(SB), R11

// LTYPEXC spec8	{ outcode($1, &$2); }
	CMPPD	X1, X2, 4
	CMPPD	foo+4(SB), X2, 4

// LTYPEX spec9	{ outcode($1, &$2); }
	PINSRW	$4, AX, X2
	PINSRW	$4, foo+4(SB), X2

// LTYPERT spec10	{ outcode($1, &$2); }
	JCS	2(PC)
	RETFL	$4

// Was bug: LOOP is a branch instruction.
	JCS	2(PC)
loop:

### CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

A security issue was discovered in Kubernetes where a user may be able to
create a container with subpath volume mounts to access files &
directories outside of the volume, including on the host filesystem.

**Affected Versions**:
  - kubelet v1.22.0 - v1.22.1
  - kubelet v1.21.0 - v1.21.4
  - kubelet v1.20.0 - v1.20.10
  - kubelet <= v1.19.14

                      type: object
                    tls:
                      description: Set of TLS related options that will enable TLS
                        termination on the sidecar for requests originating from outside
                        the mesh.
                      properties:
                        caCertificates:
                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.

	//
	//	LMOVW fpscr ',' freg
	//	{
	//		outcode(int($1), &$2, 0, &$4);
	//	}
	MOVW	FCR0, R1

	//	LMOVW freg ','  fpscr
	//	{
	//		outcode(int($1), &$2, 0, &$4);
	//	}
	MOVW	R1, FCR0

	//	LMOVW rreg ',' mreg
	//	{
	//		outcode(int($1), &$2, 0, &$4);
	//	}
	MOVW	R1, M1
	MOVW	R1, M1

	//	LMOVW mreg ',' rreg
	//	{
	//		outcode(int($1), &$2, 0, &$4);
	//	}
	MOVW	M1, R1

TEXT foo(SB), DUPOK|NOSPLIT, $0

// LTYPE1 nonrem	{ outcode(int($1), &$2); }
	SETCC	AX
	SETCC	foo+4(SB)

// LTYPE2 rimnon	{ outcode(int($1), &$2); }
	DIVB	AX
	DIVB	foo+4(SB)
	PUSHL	$foo+4(SB)
	POPL		AX

// LTYPE3 rimrem	{ outcode(int($1), &$2); }
	SUBB	$1, AX
	SUBB	$1, foo+4(SB)
	SUBB	BX, AX
	SUBB	BX, foo+4(SB)

// LTYPE4 remrim	{ outcode(int($1), &$2); }
	CMPB	AX, $1
	CMPB	foo+4(SB), $4