diff options
| author | James E. Blair <jeblair@redhat.com> | 2020-07-22 09:05:37 -0700 |
|---|---|---|
| committer | James E. Blair <jeblair@redhat.com> | 2020-07-22 09:05:37 -0700 |
| commit | 8ff7ff70c736a91db5f7672dbde04afb56ace400 (patch) | |
| tree | bd41b25c2388e70d91b0ab2daaff2e3dabc92219 | |
| parent | a1c2f5b962232e4ed2828580d84d272bc7d2ff6a (diff) | |
| download | zuul-stable/3.x.tar.gz | |
Add 3.19.1 release notes3.19.1stable/3.x
Change-Id: Ie3de887d3cf32d958bf4e686c040133bae796c33
| -rw-r--r-- | releasenotes/notes/3.19.1-omnibus-ef4b9449dccc1997.yaml | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/releasenotes/notes/3.19.1-omnibus-ef4b9449dccc1997.yaml b/releasenotes/notes/3.19.1-omnibus-ef4b9449dccc1997.yaml new file mode 100644 index 000000000..efbbf18df --- /dev/null +++ b/releasenotes/notes/3.19.1-omnibus-ef4b9449dccc1997.yaml @@ -0,0 +1,42 @@ +--- +security: + - | + A long-standing security vulnerability regarding executing code on + the executor was corrected. + + The Zuul executor was designed to prohibit executing command or + shell tasks on the executor itself (i.e., localhost in Ansible) + from untrusted playbooks. Tobias Henkel discovered that this + check has been broken for some time, likely since June of 2018. + + The use of bubblewrap means that any commands executed via this + vulnerability would still be contained within the restricted + environment, meaning that they can not access files outside of the + build directory or continue running longer than the job. However, + by executing arbitrary commands, users may have been able to + connect to unprotected internal network services. + + Because this bug is so long-standing, it is possible, even likely, + that users may have accidentally come to rely on it. We + discovered two jobs in the zuul-jobs library which did so: + dco-license and promote-docker-image. The promote-docker-image + job has been altered so it no longer needs to run a command on the + executor. The dco-license job has been altered to run on a node. + If you would prefer to run it on the exceutor, you can create a + new job in a config-project that uses the validate-dco-license + role. + + You may want to look for other jobs in your system which may be + affected by this. To aid in that, we have created a script which + will examine the job-output.json files created by previous builds + and output any tasks it finds which are now (once again) + prohibited. This script is available here: + + https://opendev.org/zuul/zuul/src/branch/master/tools/find-untrusted-exec.py +fixes: + - | + The dependency on kazoo has been upgraded to 2.8.0 which has an important + fix for using Zookeeper over TLS. + - | + The Github access token URL has been updated in order to remove a + deprecation warning. |