- [Server Binaries](#server-binaries-4)
    - [Node Binaries](#node-binaries-4)
    - [Container Images](#container-images-4)
  - [Changelog since v1.30.9](#changelog-since-v1309)
  - [Important Security Information](#important-security-information)
    - [CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API](#cve-2025-0426-node-denial-of-service-via-kubelet-checkpoint-api)
  - [Changes by Kind](#changes-by-kind-4)

			// Do not need to send any internal metadata
			// values to client.
			toRemove = append(toRemove, k)
			continue
		}

		// https://github.com/google/security-research/security/advisories/GHSA-76wf-9vgp-pj7w
		if equals(k, xhttp.AmzMetaUnencryptedContentLength, xhttp.AmzMetaUnencryptedContentMD5) {
			toRemove = append(toRemove, k)
			continue
		}
	}

if the work module's `go.mod` or the workspace's `go.work`
says `go` `1.20`, then the program defaults to `panicnil=1`,
matching Go 1.20 instead of Go 1.21.

As an exception, GODEBUGs introduced for security releases
will have the new behavior apply to all versions.

Because this method of setting GODEBUG defaults was introduced only in Go 1.21,
programs listing versions of Go earlier than Go 1.20 are configured to match Go 1.20,

    - [Server Binaries](#server-binaries-5)
    - [Node Binaries](#node-binaries-5)
    - [Container Images](#container-images-5)
  - [Changelog since v1.32.7](#changelog-since-v1327)
  - [Important Security Information](#important-security-information)
    - [CVE-2025-5187: Nodes can delete themselves by adding an OwnerReference](#cve-2025-5187-nodes-can-delete-themselves-by-adding-an-ownerreference)
  - [Changes by Kind](#changes-by-kind-5)

- Pod Security admission: the pod-security `warn` level will now default to the `enforce` level. ([#113491](https://github.com/kubernetes/kubernetes/pull/113491), [@tallclair](https://github.com/tallclair)) [SIG Auth and Security]

    private int signSeq;
    private boolean verifyFailed;
    /**
     * Path associated with this SMB message.
     */
    protected String path;
    /**
     * Message signing digest for SMB1 security.
     */
    protected SMB1SigningDigest digest = null;
    private ServerMessageBlock response;

    private final Configuration config;

    private Long expiration;

    - [Server Binaries](#server-binaries)
    - [Node Binaries](#node-binaries)
    - [Container Images](#container-images)
  - [Changelog since v1.24.16](#changelog-since-v12416)
  - [Important Security Information](#important-security-information)
    - [CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3676-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)

      Header("range", ""),
      Header("referer", ""),
      Header("refresh", ""),
      Header("retry-after", ""),
      Header("server", ""),
      Header("set-cookie", ""),
      Header("strict-transport-security", ""),
      Header("transfer-encoding", ""),
      Header("user-agent", ""),
      Header("vary", ""),
      Header("via", ""),
      Header("www-authenticate", ""),
    )

                    "DH2Q", // Durable handle request V2
                    "DH2C", // Durable handle reconnect V2
                    "ExtA", // Extended attributes
                    "SecD", // Security descriptor
                    "AppI" // App instance ID
            };

            for (String name : contextNames) {
                MockCreateContextRequest context = new MockCreateContextRequest(name);

        options.addOption(Option.builder(ENCRYPT_MASTER_PASSWORD)
                .longOpt("encrypt-master-password")
                .hasArg()
                .optionalArg(true)
                .desc("Encrypt master security password")
                .build());
        options.addOption(Option.builder(ENCRYPT_PASSWORD)
                .longOpt("encrypt-password")
                .hasArg()
                .optionalArg(true)