userType = svcUser
	} else if cred.IsTemp() {
		userType = stsUser
	}
	ui := newUserIdentity(cred)
	// Overwrite the user identity here. As store should be
	// atomic, it shouldn't cause any corruption.
	if err := store.saveUserIdentity(ctx, cred.AccessKey, userType, ui); err != nil {
		return err
	}

	return cache.updateUserWithClaims(cred.AccessKey, ui)
}

popper's position offsets rounded\n *\n * The tale of pixel-perfect positioning. It's still not 100% perfect, but as\n * good as it can be within reason.\n * Discussion here: https://github.com/FezVrasta/popper.js/pull/715\n *\n * Low DPI screens cause a popper to be blurry if not using full pixels (Safari\n * as well on High DPI screens).\n *\n * Firefox prefers no rounding for positioning and does not have blurriness on\n * high DPI screens.\n *\n * Only horizontal placement and left/right values...

### CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API

A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.

**Affected Versions**:
  - kubelet kubelet v1.30.0 to v1.30.9
  - kubelet v1.31.0 to v1.31.5
  - kubelet v1.32.0 to v1.32.1

**Fixed Versions**:

pkg runtime/debug, type GCStats struct
pkg runtime/debug, type GCStats struct, LastGC time.Time
pkg runtime/debug, type GCStats struct, NumGC int64
pkg runtime/debug, type GCStats struct, Pause []time.Duration
pkg runtime/debug, type GCStats struct, PauseQuantiles []time.Duration
pkg runtime/debug, type GCStats struct, PauseTotal time.Duration
pkg sort, func Reverse(Interface) Interface

## Changes by Kind

### API Change

- Fixes a 1.33 regression that can cause a nil panic in kube-scheduler when aggregating resource requests across container's spec and status. ([#133285](https://github.com/kubernetes/kubernetes/pull/133285), [@yue9944882](https://github.com/yue9944882)) [SIG Node and Scheduling]

          assertThat(bytes.read()).isEqualTo('a'.code)
          assertThat(bytes.read()).isEqualTo('b'.code)
          assertThat(bytes.read()).isEqualTo('c'.code)

          // This request will share a connection with 'A' cause it's all done.
          client.newCall(Request.Builder().url(server.url("/b")).build()).enqueue(callback)
        }
      },
    )
    callback.await(server.url("/b")).assertCode(200).assertBody("def")

* Fixes issue where if the audit log is enabled and anonymous authentication is disabled, then an unauthenticated user request will cause a panic and crash the `kube-apiserver`. ([#38717](https://github.com/kubernetes/kubernetes/pull/38717), [@deads2k](https://github.com/deads2k))

## Known Issues for v1.5.1

- Fixed an EndpointSlice Controller hashing bug that could cause EndpointSlices to incorrectly handle Pods with duplicate IP addresses. For example this could happen when a new Pod reused an IP that was also assigned to a Pod in a completed state. ([#115907](https://github.com/kubernetes/kubernetes/pull/115907),...

- Fix 1.28.0 regression where adding aggregated APIService objects could cause apiserver to panic and affect the health check ([#121040](https://github.com/kubernetes/kubernetes/pull/121040), [@Jefftree](https://github.com/Jefftree)) [SIG API Machinery and Testing]

of reading swaths of global memory in fips140/check. // One option would be to expose runtime.asanunpoison through // crypto/internal/fips140deps and then call it to unpoison the range // before reading it, but it is unclear whether that would then cause // false negatives. For now, FIPS+ASAN doesn't need to work. if asanEnabled { return errors.New("FIPS 140-3 mode is incompatible with ASAN") } // See EnableFIPS in cmd/internal/obj/fips.go for commentary. switch { case runtime.GOARCH == "wasm", runtime.GOOS...