Hi Henne,

After updating to this version, all my projects no longer use preinstallimage. Is this a known issue, or how can I debug it?

Regards,
Kai

On 2022/04/20 Wed 14:12, Henne Vogelsang wrote:
Hey People,
this release is fixing 4 security problems with 2.10 and you should update your installations as fast as possible.
## Fixed Issues
1. Fix XML external entity (XXE) injection with xmlhash gem (CVE-2022-21949)
One of the Ruby gems we are using to parse XML was susceptible to this kind of attack.
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Pr...
This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
2. Fix a privilege escalation issue in ProjectDoProjectReleaseJob.
https://github.com/openSUSE/open-build-service/pull/12407
This has only minor impact as an attacker would have to time job scheduling, which is next to impossible.
3. Fix heap memory corruption in the yajl-ruby gem
For details see https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-m...
4. Fix excessive backtracking in the nokogiri gem
For details see https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5...
## Ruby 2.7
We have changed the ruby interpreter which requires a manual step when updating from a previous OBS version via packages:
1) Change Passenger to use ruby2.7
edit /etc/apache2/conf.d/mod_passenger.conf:
PassengerRuby "/usr/bin/ruby.ruby2.7"
2) Set up the rake alternative if you have multiple rake versions installed
update-alternatives --set rake /usr/bin/rake.ruby.ruby2.7
3) Restart apache2 service
systemctl restart apache2
## How to Update
Package updates are available from the 2.10 repositories
https://build.opensuse.org/project/show/OBS:Server:2.10
Fixed appliances can be downloaded from
http://openbuildservice.org/download
Henne
--
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit. - Mike Tyson