🚨 Open Build Service 2.10.13 Released
Hey People,

this release is fixing 4 security problems with 2.10 and you should update your installations as fast as possible.

## Fixed Issues

1. Fix XML external entity (XXE) injection with xmlhash gem (CVE-2022-21949)

One of the Ruby gems we are using to parse XML was susceptible to this kind of attack.
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Pr...

This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

2. Fix a privilege escalation issue in ProjectDoProjectReleaseJob.
https://github.com/openSUSE/open-build-service/pull/12407

This has only minor impact as an attacker would have to time job scheduling, which is next to impossible.

3. Fix heap memory corruption in the yajl-ruby gem

For details see https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-m...

4. Fix excessive backtracking in the nokogiri gem

For details see https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5...

## Ruby 2.7

We have changed the ruby interpreter, which requires a manual step when updating from a previous OBS version via packages:

1) Change Passenger to use ruby2.7: edit /etc/apache2/conf.d/mod_passenger.conf:

   PassengerRuby "/usr/bin/ruby.ruby2.7"

2) Set up the rake alternative if you have multiple rake versions installed:

   update-alternatives --set rake /usr/bin/rake.ruby.ruby2.7

3) Restart the apache2 service:

   systemctl restart apache2

## How to Update

Package updates are available from the 2.10 repositories:
https://build.opensuse.org/project/show/OBS:Server:2.10

Fixed appliances can be downloaded from
http://openbuildservice.org/download

Henne

--
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit. - Mike Tyson
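The XXE class of bug behind fix 1, as an added example that is neither OBS code nor the xmlhash gem's: a guard that refuses untrusted XML carrying a DOCTYPE or entity declaration before the document ever reaches a parser (disabling DTD processing entirely is the standard XXE mitigation), followed by a small XML-to-hash conversion on top of Ruby's stdlib REXML. The hash layout, the byte limit and the two sample documents are constructed for this example.

```ruby
# Added example, not part of OBS or xmlhash: fail closed on DTDs so an external
# entity declaration can never reach the entity resolver of whatever parser sits
# behind this guard.
require 'rexml/document'

class UnsafeXmlError < StandardError; end

# Any DOCTYPE or ENTITY declaration, regardless of case. A document that needs
# a DTD is refused outright; this also rejects harmless internal DTDs, which is
# the intended trade-off for input from untrusted clients.
DTD_PATTERN = /<!(?:DOCTYPE|ENTITY)\b/i

# Constructed limit: bounding the input before parsing caps the work a parser
# or regex bug (such as excessive backtracking) can be made to do.
MAX_XML_BYTES = 1 * 1024 * 1024

# Returns the document unchanged, or raises UnsafeXmlError.
def reject_dtd!(xml)
  raise UnsafeXmlError, "document larger than #{MAX_XML_BYTES} bytes" if xml.bytesize > MAX_XML_BYTES
  raise UnsafeXmlError, 'DOCTYPE/ENTITY declarations are not accepted' if xml.match?(DTD_PATTERN)
  xml
end

# Convenience predicate for tests and log pre-checks: true when the guard passes.
def safe?(xml)
  reject_dtd!(xml)
  true
rescue UnsafeXmlError
  false
end

# Parse untrusted XML into a nested Hash (a constructed, simplified stand-in for
# an XML-to-hash helper): attributes and child elements become keys, and any
# non-blank text of an element goes under 'text'.
def parse_untrusted(xml)
  doc = REXML::Document.new(reject_dtd!(xml))
  element_to_hash(doc.root)
end

def element_to_hash(el)
  h = {}
  el.attributes.each { |name, value| h[name] = value }
  el.elements.each { |child| h[child.name] = element_to_hash(child) }
  text = el.texts.map(&:value).join.strip
  h['text'] = text unless text.empty?
  h
end

# Constructed sample documents: one benign, one with an external entity
# declaration pointing at a placeholder resource.
BENIGN_XML = '<package name="obs"><title>Open Build Service</title></package>'.freeze
DTD_XML = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY ext SYSTEM "file:///placeholder-resource">]><x>&ext;</x>'.freeze

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted(BENIGN_XML)
  puts "DTD document accepted? #{safe?(DTD_XML)}"
end
```

The guard is deliberately a string check rather than a parser option so it works the same in front of xmlhash, nokogiri or REXML, and it fails closed: a document that merely mentions a DOCTYPE inside a comment is also refused, which is acceptable for an API that never needs DTDs.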
Hi Henne,

After updating to this version, all my projects no longer use preinstallimage. Is this a known issue, or how can I debug it?

Regards,
Kai

On 2022/04/20 Wed 14:12, Henne Vogelsang wrote:
Hey Kai,

On 26.04.22 15:41, Kai Liu wrote:
After updating to this version, all my projects no longer use preinstallimage. Is this a known issue, or how can I debug it?

There have been some commits on top of 2.10 about zstd compressed preinstall images. Other than that we have no reports about preinstallimage. Please open an issue on github https://openbuildservice.org/support/

Henne

--
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit. - Mike Tyson
On 26.04.22 15:46, Henne Vogelsang wrote:
RTFMailinglist.
https://lists.opensuse.org/archives/list/buildservice@lists.opensuse.org/thr...

--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
On 2022/04/27 Wed 09:57, Stefan Seyfried wrote:
Thanks... didn't link that with the issue I had...

Regards,
Kai
https://github.com/openSUSE/open-build-service/commit/cb954ad61a97757fb6c56a...

--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
On 26.04.22 15:41, Kai Liu wrote:
https://lists.opensuse.org/archives/list/buildservice@lists.opensuse.org/thr...

Known. Workaround on all worker hosts:

   rpm -e --nodeps zstd
   zypper al zstd

IF the workers are running Tumbleweed, then check the "dracut -f" output that it says something like

   dracut: dracut: cannot execute compression command 'zstd -3 -T0 -q', falling back to default
   dracut: dracut: using auto-determined compression method 'pigz'

to make sure that the initramfs is still generated. Then trigger a rebuild of all your preinstallimages.

--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
participants (4):
- Andreas Schwab
- Henne Vogelsang
- Kai Liu
- Stefan Seyfried