91c9a011f4
Closes-Bug: #1985784 Change-Id: I66476a2b396e2cbe41e68ac51f57aae1806b2ed8 (cherry picked from commit 5b1da017988c987fc68b55d1f45b5d2676474ce1)
17 lines
730 B
YAML
17 lines
730 B
YAML
---
|
|
security:
|
|
- |
|
|
Fixes CVE-2022-38060, a sudo privilege escalation vulnerability.
|
|
`LP#1985784 <https://launchpad.net/bugs/1889611>`__
|
|
upgrade:
|
|
- |
|
|
To fix CVE-2022-38060, support for KOLLA_CONFIG and KOLLA_CONFIG_FILE
|
|
environment variables in kolla-built containers has been dropped.
|
|
Now, only the single trusted path of
|
|
``/var/lib/kolla/config_files/config.json`` will be utilised for loading
|
|
container config.
|
|
We believe this is a reasonable tradeoff as these environment variables
|
|
were not used by any known downstream and potential users in the wild
|
|
can easily adapt as this does not limit the functionality per se, only
|
|
making it stricter as to where the config can come from.
|