After the security hotfix, a number of other security changes are being
One change that will affect developers running unit tests involves the
permissions of /etc/lava-server/instance.conf.
Each installation of lava-server now sets the permissions of this file to
0o640 and the owner and group to the LAVA_DB_USER configuration value (by
default, lavaserver). This protects production instances: the file contains
the database password and must not be readable by every local account.
-rw-r----- 1 lavaserver lavaserver 181 Jun 25 08:59
Developers need to ensure that the user running the unit tests is a member
of this group, e.g.
$ sudo adduser <username> lavaserver
The new group membership only applies to sessions started after the change,
so log out and back in (or use newgrp lavaserver) before re-running the tests.
Otherwise, a permission error is raised when the lava-server unit tests try
to read this file in order to create the devel database:
PermissionError: [Errno 13] Permission denied:
See also https://review.linaro.org/#/c/26068/
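A pre-flight check for the permission change above, added here as an example (it is not part of the LAVA release note or codebase). It verifies the three things that have to hold before the unit tests can read the file: mode 0640, group ownership by lavaserver, and membership of the calling user in that group. It assumes GNU coreutils (stat -c, id -Gn), i.e. a Debian-style host; the path and group name are the ones given above.

```shell
#!/bin/sh
# check_instance_conf CONF GROUP
#   exit 0 : CONF is mode 0640, group-owned by GROUP, and the calling user
#            is a member of GROUP, so the unit tests can read it
#   exit 1 : one or more of those conditions fail (reasons on stderr)
#   exit 2 : CONF does not exist or cannot be stat'ed
check_instance_conf() {
    conf=$1
    group=$2
    mode=$(stat -c '%a' "$conf" 2>/dev/null) || {
        echo "$conf: cannot stat" >&2
        return 2
    }
    owner=$(stat -c '%U' "$conf")
    file_group=$(stat -c '%G' "$conf")
    rc=0

    # 0640: owner read/write, group read, nothing for others. Anything wider
    # exposes the database password to every local account.
    if [ "$mode" != "640" ]; then
        echo "$conf: mode is $mode, expected 640 (chmod 0640 $conf)" >&2
        rc=1
    fi

    if [ "$file_group" != "$group" ]; then
        echo "$conf: group is $file_group (owner $owner), expected $group" >&2
        rc=1
    fi

    # Membership is checked for the *calling* user, which is what matters
    # for the unit tests; id -Gn lists that user's groups one per field.
    if ! id -Gn | tr ' ' '\n' | grep -qx -- "$group"; then
        echo "$(id -un) is not in group $group; run: sudo adduser $(id -un) $group" >&2
        echo "then log out and in again (or newgrp $group) before re-running tests" >&2
        rc=1
    fi

    return $rc
}

# Production default: the real file and the real group.
# check_instance_conf /etc/lava-server/instance.conf lavaserver
```

Run it as the user that will execute the unit tests, not via sudo, since the group-membership check is about that user's own session.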
During routine development, a new security scanning tool (bandit) was run
on the LAVA codebase. Three security problems were found, relating to the
Job Submit UI and to the loading of YAML files through XMLRPC. The problems
date back to 2013, possibly earlier, so all releases of LAVA are affected.
Fixes were developed and have now been released.
https://review.linaro.org/#/c/25917/ Remove the ability to paste URLs in the submit page
https://review.linaro.org/25918 Use requests instead of urlopen
https://review.linaro.org/25919 Use yaml.safe_load when parsing
Thanks to Remi Duraffort for identifying and fixing the issues.
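The first two fixes address the same class of problem, and the example below (added here; not LAVA code) shows it with the standard library only. urllib.request.urlopen accepts file:// (as well as ftp:// and data:) URLs, so a URL pasted into a submission form by a user can read files on the server, including instance.conf. requests only has adapters for http:// and https:// and raises requests.exceptions.InvalidSchema for anything else, which is why the second fix swapped libraries; the explicit scheme allowlist shown here is a useful second line of defence if such a feature is ever kept. The temp file standing in for instance.conf and its contents are constructed for the example, and the function names are the example's own.

```python
"""Added example: why handing a user-supplied URL to urlopen is a problem,
and a minimal scheme check to put in front of any fetch. Not LAVA code."""
import os
import tempfile
import urllib.request
from urllib.parse import urlparse

# The only schemes that make sense for "paste a URL to a job definition".
ALLOWED_SCHEMES = ("http", "https")


def fetch_job_unsafe(url):
    """Pre-fix pattern: a user-controlled URL goes straight to urlopen,
    which will happily open file:///etc/lava-server/instance.conf."""
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8")


def validate_job_url(url):
    """Reject anything that is not an absolute http(s) URL with a host."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed: {url}")
    if not parts.netloc:
        raise ValueError(f"URL has no host: {url}")
    return url


def is_allowed_job_url(url):
    """Boolean form of validate_job_url for callers that prefer no exception."""
    try:
        validate_job_url(url)
    except ValueError:
        return False
    return True


def fetch_job_checked(url, fetcher=fetch_job_unsafe):
    """Post-fix pattern: validate first, then fetch with whatever HTTP client
    is in use (requests in the real fix; urlopen here to stay stdlib-only)."""
    return fetcher(validate_job_url(url))


def demo_local_file_read():
    """Write a constructed stand-in for instance.conf, then show that the
    unchecked fetch returns it via file:// while the checked fetch refuses."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("LAVA_DB_PASSWORD=example-only-not-real\n")  # constructed
    url = "file://" + fh.name  # e.g. file:///tmp/tmpabcd.conf
    try:
        leaked = fetch_job_unsafe(url)
        try:
            fetch_job_checked(url)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(fh.name)
    return {"leaked": leaked, "rejected": rejected}


if __name__ == "__main__":
    result = demo_local_file_read()
    print("urlopen returned local file contents:", repr(result["leaked"]))
    print("scheme check rejected the file:// URL:", result["rejected"])
```

The check deliberately requires a netloc as well as an allowed scheme, so that a bare path is rejected rather than being treated as a relative URL by whatever client runs after it.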
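The third fix, yaml.load to yaml.safe_load, is illustrated by the following added example (not LAVA code; it requires PyYAML). The full Loader honours PyYAML's python/* tags, so a job definition submitted by a user can instruct the parser to import a module and call a function while parsing. The job snippets are constructed for the example, and the hostile one calls os.path.join so that the effect is visible without doing anything harmful; a real payload would name os.system or subprocess instead. yaml.safe_load only constructs plain scalars, lists and dicts and refuses every other tag.

```python
"""Added example: yaml.load with the full Loader versus yaml.safe_load on a
user-supplied job definition. Not LAVA code; requires PyYAML."""
import yaml

# A benign definition of the kind a submitter is expected to send (constructed).
BENIGN_JOB = """\
job_name: smoke-test
device_type: qemu
timeouts:
  job:
    minutes: 10
"""

# The same shape, but one value carries a PyYAML-specific tag. With the full
# Loader the tag means "import os.path and call join('/tmp', 'pwned') now";
# the returned string becomes the field's value. (Constructed for the example.)
HOSTILE_JOB = """\
job_name: smoke-test
device_type: !!python/object/apply:os.path.join ["/tmp", "pwned"]
timeouts:
  job:
    minutes: 10
"""


def parse_job_unsafe(text):
    """Pre-fix pattern: the full Loader executes python/* tags during parsing."""
    return yaml.load(text, Loader=yaml.Loader)


def parse_job_safe(text):
    """Post-fix pattern: safe_load builds only str/int/float/bool/None, list
    and dict, and raises a ConstructorError for any other tag."""
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError as exc:
        # Report the rejection to the submitter without a traceback.
        raise ValueError(f"job definition rejected: {exc}") from None


def safe_load_rejects(text):
    """True when safe_load refuses the document."""
    try:
        parse_job_safe(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("full Loader produced:", parse_job_unsafe(HOSTILE_JOB)["device_type"])
    print("safe_load rejects hostile job:", safe_load_rejects(HOSTILE_JOB))
    print("safe_load accepts benign job:", parse_job_safe(BENIGN_JOB)["device_type"])
```

The point to take from the output is that the hostile document parses without error under the full Loader: nothing about the job looks wrong afterwards, the function has simply already been called.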
Note: These changes are not trivial to backport to previous releases. It
is possible, but some familiarity with the codebase will be required. We
have packed a lot of changes into the time since the end of the migration
and we are hoping for a more stable period ahead. The LAVA software team
recommends that all instances upgrade to 2018.5.post1. Our apologies for
these problems.
We are NOT aware of any exploits using these issues but now that the
problems are public, it is prudent to apply the available fixes before
We expect to make more use of bandit and similar tools in future.
CVEs have been requested but we don't have the CVE numbers back at this
The production repo now carries these changes as 2018.5.post1-1+stretch
An upload to Debian unstable will follow in due course. (The Debian
security team were notified once we had a fix.) An upload to Debian
Stretch to update 2016.12-1 is being prepared.