Tag 3.19.1
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEav0UZz9C9kl8CAvd/mVGjtf7MTcFAl8Yo+QACgkQ/mVGjtf7
MTePhw/8CmIO2EN/L/QpbwpBVDwWGnZLwfE/KfJWlcPY9AAzHYXUK2I49L+nIXvT
VTWl4CFCT4uWHtxlboQpIW40wLyOT3R6A16h87CkMRKleTaaa2UvLEBF6ZApLTPA
OzRnsK9gMh709P3PO/wo4gsjqGEuS2e5yDYW9rPdhA3lxWmu0sNc3HhQEWHe3+UT
xg75D8LGzXbbFpoAgGAcyATdW84ZDerCmW+ZBmLbWBpOcw7mFFbq/2FppKf0xCBA
FlH6lpf0oD/TuMv++WjAzwFVOxWc6fTO50N1wSMiMV5hQzQSMUWUKMDvBoJ2iWxL
O8d+uLNUEIve0AoEimv0byVNBzu4A7a5WwDryoFIs47/7rxl4UW41O7znuJEbRj6
LnMkyURCMEaHFQ0J5ZSfdw/QCWEZN3FM/H+fbjo4JIzdt7E2H3oznsybiq79Lq55
T35zbCEGN/XpN2l9sXZPEcvKYFvUgZAFo5DARb7AcomLMWKxxGmLvYIomK3ELkNW
YVdVaQ/loPxHm6smNEA+dWOI+URkzMWbOsRSLnEyFdkOpna0Qiw9T6q84TE2fFXs
wUKjEuoj6H3j/nEN0B9E+t717J9bOIr7Y+bNoftHZAxCvr6AuctOaKb1btvE+Dkg
bXktnYe/L33UXfmP6+E2ekmzLXsCOzqaWLrEODKZJsw2zb2n7og=
=IUXN
-----END PGP SIGNATURE-----

Merge tag '3.19.1'

Tag 3.19.1

Change-Id: I868905ac23b17c4644ec2195ad9a0423d252f213
commit 7b6473b4ca
@ -0,0 +1,42 @@
---
security:
- |
A long-standing security vulnerability regarding executing code on
the executor was corrected.
The Zuul executor was designed to prohibit executing command or
shell tasks on the executor itself (i.e., localhost in Ansible)
from untrusted playbooks. Tobias Henkel discovered that this
check has been broken for some time, likely since June of 2018.
The use of bubblewrap means that any commands executed via this
vulnerability would still be contained within the restricted
environment, meaning that they can not access files outside of the
build directory or continue running longer than the job. However,
by executing arbitrary commands, users may have been able to
connect to unprotected internal network services.
Because this bug is so long-standing, it is possible, even likely,
that users may have accidentally come to rely on it. We
discovered two jobs in the zuul-jobs library which did so:
dco-license and promote-docker-image. The promote-docker-image
job has been altered so it no longer needs to run a command on the
executor. The dco-license job has been altered to run on a node.
If you would prefer to run it on the exceutor, you can create a
new job in a config-project that uses the validate-dco-license
role.
You may want to look for other jobs in your system which may be
affected by this. To aid in that, we have created a script which
will examine the job-output.json files created by previous builds
and output any tasks it finds which are now (once again)
prohibited. This script is available here:
https://opendev.org/zuul/zuul/src/branch/master/tools/find-untrusted-exec.py
fixes:
- |
The dependency on kazoo has been upgraded to 2.8.0 which has an important
fix for using Zookeeper over TLS.
- |
The Github access token URL has been updated in order to remove a
deprecation warning.
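Review bot: typo in the security note at the line "If you would prefer to run it on the exceutor, you can create a": "exceutor" should read "executor", and since this text is what operators will read in the published release notes it is worth fixing before the tag is cut. The same note says the localhost check "has been broken for some time, likely since June of 2018" but names neither the first affected release nor the change that restores the check; adding both would let an operator decide at a glance whether a deployment is affected. The pointer to tools/find-untrusted-exec.py is given on the master branch; pinning it to a release ref would keep the link accurate as the tree moves.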