🚨 Open Build Service 2.10.13 Released
Hey People,

this release is fixing 4 security problems with 2.10 and you should update your installations as fast as possible.

## Fixed Issues

1. Fix XML external entity (XXE) injection with xmlhash gem (CVE-2022-21949)

   One of the Ruby gems we are using to parse XML was susceptible to this kind of attack.
   https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Pr...

   This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

2. Fix a privilege escalation issue in ProjectDoProjectReleaseJob.
   https://github.com/openSUSE/open-build-service/pull/12407

   This has only minor impact as an attacker would have to time job scheduling, which is next to impossible.

3. Fix heap memory corruption in the yajl-ruby gem

   For details see https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-m...

4. Fix excessive backtracking in the nokogiri gem

   For details see https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5...

## Ruby 2.7

We have changed the ruby interpreter which requires a manual step when updating from a previous OBS version via packages:

1) Change Passenger to use ruby2.7

   edit /etc/apache2/conf.d/mod_passenger.conf:

       PassengerRuby "/usr/bin/ruby.ruby2.7"

2) Set up the rake alternative if you have multiple rake versions installed

       update-alternatives --set rake /usr/bin/rake.ruby.ruby2.7

3) Restart apache2 service

       systemctl restart apache2

## How to Update

Package updates are available from the 2.10 repositories
https://build.opensuse.org/project/show/OBS:Server:2.10

Fixed appliances can be downloaded from
http://openbuildservice.org/download

Henne

-- 
Henne Vogelsang
http://www.opensuse.org

Everybody has a plan, until they get hit.
- Mike Tyson
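As an added illustration of the defence against the XXE class named in fixed issue 1 (this is not OBS or xmlhash code): a guard that refuses any document carrying a DTD before it reaches the parser, here Ruby's bundled REXML, with an expansion cap as a second line of defence. Both payloads are constructed samples.

```ruby
require "rexml/document"

# Constructed sample payloads: a benign OBS-style project record and one
# carrying an external entity declaration of the kind XXE relies on.
BENIGN_XML = <<~XML
  <project name="home:example"><title>demo</title></project>
XML

XXE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE project [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <project name="home:example"><title>&xxe;</title></project>
XML

class UnsafeXml < StandardError; end

# API payloads never legitimately need a DOCTYPE, so refusing any DTD or
# entity declaration up front closes XXE (and entity-expansion DoS)
# independently of how the underlying parser is configured.
def reject_dtd!(xml)
  raise UnsafeXml, "DTD/entity declaration not allowed" if xml =~ /<!(DOCTYPE|ENTITY)\b/i
  xml
end

# Parse only after the guard; cap entity expansion so that even a parser
# that accepts internal entities cannot be blown up by nested ones.
def parse_hardened(xml)
  reject_dtd!(xml)
  REXML::Security.entity_expansion_limit = 100
  REXML::Document.new(xml)
end

def project_title(xml)
  parse_hardened(xml).elements["project/title"].text
end

# Convenience predicate: does the guard reject this document?
def rejected?(xml)
  parse_hardened(xml)
  false
rescue UnsafeXml
  true
end
```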
Hey Kai,

On 26.04.22 15:41, Kai Liu wrote:

> After updating to this version, all my projects no longer use preinstallimage. Is this a known issue, or how can I debug it?

There have been some commits on top of 2.10 about zstd compressed preinstall images. Other than that we have no reports about preinstallimage. Please open an issue on github
https://openbuildservice.org/support/

Henne

-- 
Henne Vogelsang
http://www.opensuse.org

Everybody has a plan, until they get hit.
- Mike Tyson
On 26.04.22 15:46, Henne Vogelsang wrote:
RTFMailinglist.
https://lists.opensuse.org/archives/list/buildservice@lists.opensuse.org/thr...

-- 
Stefan Seyfried

"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
https://github.com/openSUSE/open-build-service/commit/cb954ad61a97757fb6c56a...

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
On 26.04.22 15:41, Kai Liu wrote:
https://lists.opensuse.org/archives/list/buildservice@lists.opensuse.org/thr...

Known. Workaround on all worker hosts:

    rpm -e --nodeps zstd
    zypper al zstd

IF the workers are running Tumbleweed, then check the "dracut -f" output that it says something like

    dracut: dracut: cannot execute compression command 'zstd -3 -T0 -q', falling back to default
    dracut: dracut: using auto-determined compression method 'pigz'

to make sure that the initramfs is still generated. Then trigger a rebuild of all your preinstallimages.

-- 
Stefan Seyfried

"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
participants (4)

- Andreas Schwab
- Henne Vogelsang
- Kai Liu
- Stefan Seyfried