2018.5.post1

============

During routine development, a new security scanning tool (bandit) was used on the LAVA codebase. Three security problems were found relating to the Job Submit UI and the loading of YAML files through XMLRPC. The problems date back to 2013, possibly earlier, so all releases of LAVA are affected.

Fixes were developed and have now been released.

​https://review.linaro.org/#/c/25917/  Remove the ability to paste 

                                      URLs in the submit page

https://review.linaro.org/25918       Use requests instead of urlopen

https://review.linaro.org/25919       Use yaml.safe_load when parsing 

                                      user data

Thanks to Remi Duraffort for identifying and fixing the issues.

​Note: These changes are not trivial to backport to previous releases. It is possible but some familiarity with the codebase will be required. We have packed a lot of changes into the time since the end of the migration and we are hoping to have a more stable time ahead. The LAVA software team recommend that all instances look to upgrade to 2018.5.post1. Our apologies for these problems.

​We are NOT aware of any exploits using these issues but now that the problems are public, it is prudent to apply the available fixes before anything happens.

We expect to make more use of bandit and similar tools in future.

​CVE's have been requested but we don't have the CVE numbers back at this time.

The production repo now carries these changes as 2018.5.post1-1+stretch​

​An upload to Debian unstable will follow in due course. (The Debian security team were notified once we had a fix.)​ ​An upload to Debian Stretch to update 2016.12-1 is being prepared.

--

Neil Williams
=============
neil.williams@linaro.org
http://www.linux.codehelp.co.uk/