2018.5.post1============During routine development, a new security scanning tool (bandit) was used on the LAVA codebase. Three security problems were found relating to the Job Submit UI and the loading of YAML files through XMLRPC. The problems date back to 2013, possibly earlier, so all releases of LAVA are affected.Fixes were developed and have now been released.https://review.linaro.org/#/c/25917/ Remove the ability to pasteURLs in the submit pagehttps://review.linaro.org/25918 Use requests instead of urlopenhttps://review.linaro.org/25919 Use yaml.safe_load when parsinguser dataThanks to Remi Duraffort for identifying and fixing the issues.
Note: These changes are not trivial to backport to previous releases. It is possible but some familiarity with the codebase will be required. We have packed a lot of changes into the time since the end of the migration and we are hoping to have a more stable time ahead. The LAVA software team recommend that all instances look to upgrade to 2018.5.post1. Our apologies for these problems.We are NOT aware of any exploits using these issues but now that the problems are public, it is prudent to apply the available fixes before anything happens.We expect to make more use of bandit and similar tools in future.CVE's have been requested but we don't have the CVE numbers back at this time.The production repo now carries these changes as 2018.5.post1-1+stretchAn upload to Debian unstable will follow in due course. (The Debian security team were notified once we had a fix.) An upload to Debian Stretch to update 2016.12-1 is being prepared.--
_______________________________________________
Lava-announce mailing list
Lava-announce@lists.linaro.org
https://lists.linaro.org/mailman/listinfo/lava-announce