We have recently fixed some serious security issues on LAVA server.
CVE-2022-44641: Recursive XML entity expansion
Users with valid accounts can submit a specially crafted XML document via the
XMLRPC interface that triggers a recursive XML entity expansion, consuming large
amounts of resources and eventually causing a Denial of Service on the LAVA server.
This problem was found, and the fix provided, by Igor Ponomarev from
Collabora. The fix has been released in 2022.11, with the following patch:
https://git.lavasoftware.org/lava/lava/-/commit/1bee0f8957741582c2bed800974…
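As an added illustration (not part of this advisory or of the LAVA patch linked above), a stdlib-only pre-parse guard that refuses XML-RPC request bodies declaring a DOCTYPE or any entity, so expansion never starts; XML-RPC never needs a DTD, so this is a safe allowlist. Both sample bodies below are constructed, and the entity example is deliberately tiny because only the declaration matters to the check.

```python
"""Reject XML-RPC request bodies that declare a DTD or entities.

Refusing the declaration itself stops recursive entity expansion before
the parser does any expansion work at all.
"""
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when the document declares a DTD or an entity."""


def _reject_doctype(*_args):
    raise UnsafeXML("DOCTYPE declarations are not allowed in XML-RPC requests")


def _reject_entity(*_args):
    raise UnsafeXML("entity declarations are not allowed in XML-RPC requests")


def check_xmlrpc_body(data: bytes) -> str:
    """Return 'ok' for plain XML, 'rejected' if it declares a DOCTYPE or
    entity, or 'malformed' if it is not well-formed XML at all.

    Parsing aborts at the first declaration, so no expansion happens.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    try:
        parser.Parse(data, True)
    except UnsafeXML:
        return "rejected"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed sample: an ordinary XML-RPC call with no DTD.
BENIGN = b"""<?xml version="1.0"?>
<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"""

# Constructed sample: the same call with a small internal DTD whose entities
# reference each other, the shape of payload the advisory describes.
NESTED_ENTITIES = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [
  <!ENTITY a "x">
  <!ENTITY b "&a;&a;">
]>
<methodCall><methodName>&b;</methodName></methodCall>"""


if __name__ == "__main__":
    print(check_xmlrpc_body(BENIGN))           # ok
    print(check_xmlrpc_body(NESTED_ENTITIES))  # rejected
```

Run the check on the raw request body before handing it to the XML-RPC dispatcher; anything other than "ok" should be answered with a 4xx and logged.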
CVE-2022-45132: Code execution in jinja templates
A specially crafted jinja2 template can be submitted to a publicly accessible
REST API endpoint without any authentication and cause a remote command
execution as the same user that is running the LAVA server web application.
This problem was found, and the fix provided, by Igor Ponomarev from
Collabora. The fix has been released in 2022.11.1, with the following patch:
https://git.lavasoftware.org/lava/lava/-/commit/ab17e8304f10c7c0fe912067f2e…
We strongly recommend that administrators upgrade to the 2022.11.1
release immediately or, failing that, at least apply the patches linked
above locally to their LAVA server.
Hi folks,
The 2022.11 tag has been pushed to master on git.lavasoftware.org.
.deb packages have been built in GitLab CI and are published at
https://apt.lavasoftware.org/release
Docker images for amd64 and arm64 have been built in GitLab CI and
are available from
https://hub.lavasoftware.org/
and
https://hub.docker.com/u/lavasoftware
Changes in this release
=======================
# Device-types
## New device-types
New supported devices:
* kv260
* sm8350-hdk
* asus-CM1400CXA-dalboz
## imx8
* Separate the common configuration of the 8u series into imx8u-common and add the new device type imx8ulp-9x9-evk
# LAVA dispatcher
* Modifying sparse rootfs is now fully supported.
* Add ava and base-edk2 device types
* schema.deploy.fvp: add the optional uniquify param
# Bug fixes
* Fix filenames when overlaying tar files
* Add missing OIDC setting keys to common settings
* share/requires.py: fix building for debian -backports and -security suites
* reprepro-release: don't trigger on debian/* tags
* Fix a huge performance issue when parsing kernel boot log
* schema: allow auto_login in the depthcharge boot action
* kernel messages: fix match for login prompts
* device-type: add bcu_board_name for some missed imx boards
* fvp: raise a JobError when escaping is required
Thanks,
--
Stevan Radaković | Senior Engineer
Linaro.org <www.linaro.org> │ Open source software for ARM SoCs