Dear users,
the corresponding CVEs has been assigned: * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12563 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12564 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12565
Regards
2018-06-15 23:29 GMT+02:00 Neil Williams neil.williams@linaro.org:
2018.5.post1
During routine development, a new security scanning tool (bandit) was used on the LAVA codebase. Three security problems were found relating to the Job Submit UI and the loading of YAML files through XMLRPC. The problems date back to 2013, possibly earlier, so all releases of LAVA are affected.
Fixes were developed and have now been released.
https://review.linaro.org/#/c/25917/ Remove the ability to paste URLs in the submit page
https://review.linaro.org/25918 Use requests instead of urlopen
https://review.linaro.org/25919 Use yaml.safe_load when parsing user data
Thanks to Remi Duraffort for identifying and fixing the issues.
Note: These changes are not trivial to backport to previous releases. It is possible but some familiarity with the codebase will be required. We have packed a lot of changes into the time since the end of the migration and we are hoping to have a more stable time ahead. The LAVA software team recommend that all instances look to upgrade to 2018.5.post1. Our apologies for these problems.
We are NOT aware of any exploits using these issues but now that the problems are public, it is prudent to apply the available fixes before anything happens.
We expect to make more use of bandit and similar tools in future.
CVE's have been requested but we don't have the CVE numbers back at this time.
The production repo now carries these changes as 2018.5.post1-1+stretch
An upload to Debian unstable will follow in due course. (The Debian security team were notified once we had a fix.) An upload to Debian Stretch to update 2016.12-1 is being prepared.
--
Neil Williams
neil.williams@linaro.org http://www.linux.codehelp.co.uk/
Lava-announce mailing list Lava-announce@lists.linaro.org https://lists.linaro.org/mailman/listinfo/lava-announce