Bug #1852825 “CVE-2019-14287: sudo: can bypass certain policy bl...” : Bugs : StarlingX

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2019-11-16:

#1

This CVE meets the fix criteria for StarlingX. Therefore, it needs to be fixed in master for stx.3.0 and then cherry-picked to r/stx.2.0.

information type:	Public → Private Security
tags:	added: stx.2.0 stx.3.0 stx.security
Changed in starlingx:
importance:	Undecided → High
status:	New → Triaged
assignee:	nobody → Cindy Xie (xxie1)

Lin Shuicheng (shuicheng) on 2019-11-18

Changed in starlingx:
assignee:	Cindy Xie (xxie1) → Lin Shuicheng (shuicheng)

Revision history for this message

Lin Shuicheng (shuicheng) wrote on 2019-11-18:

#2

For RedHat 7.6, it is fixed in below link with sudo-1.8.23-3.el7_6.1.src.rpm
https://access.redhat.com/errata/RHSA-2019:3205
But we cannot get this srpm for CentOS 7.6, since CentOS 7.6 is not maintained now.
So we will try to use sudo-1.8.23-3.el7_6.1.src.rpmfrom CentOS 7.7 to fix this CVE.
https://access.redhat.com/errata/RHSA-2019:3197

Robin Lu (robinlu) on 2019-11-18

Changed in starlingx:
assignee:	Lin Shuicheng (shuicheng) → Robin Lu (robinlu)

Ghada Khalil (gkhalil) on 2019-11-22

information type:

Private Security → Public Security

OpenStack Infra (hudson-openstack) on 2019-11-25

Changed in starlingx:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-11-26: Fix merged to tools (master)

#3

Reviewed: https://review.opendev.org/695637
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=c75164899fb0d242022338d67144c06be7c5b32f
Submitter: Zuul
Branch: master

commit c75164899fb0d242022338d67144c06be7c5b32f
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 16:08:13 2019 +0800

Update sudo srpm for CVE bug

To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

Closes-Bug: 1852825

Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
Signed-off-by: Robin Lu <email address hidden>

Changed in starlingx:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-11-26: Fix merged to integ (master)

#4

Reviewed: https://review.opendev.org/695620
Committed: https://git.openstack.org/cgit/starlingx/integ/commit/?id=f30cb74fef4b97721010ca9bc6a6b6dde03c4add
Submitter: Zuul
Branch: master

commit f30cb74fef4b97721010ca9bc6a6b6dde03c4add
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 11:01:27 2019 +0800

Update sudo srpm patch for CVE bug

    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    And we have to update some patches according to new srpm.
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

    Closes-Bug: 1852825
    Depends-On: https://review.opendev.org/#/c/695637/
    Change-Id: Ifc0a3423464fafce06cd504d9b427fc3433fb756
    Signed-off-by: Robin Lu <email address hidden>

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-11: Fix proposed to tools (f/centos8)

#5

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/698553

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-11: Fix proposed to integ (f/centos8)

#6

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/698561

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-12: Fix merged to integ (f/centos8)

#7

Download full text (7.1 KiB)

Reviewed: https://review.opendev.org/698561
Committed: https://git.openstack.org/cgit/starlingx/integ/commit/?id=9035cd1be8aa3138691c6c99219030dfbe77ebaf
Submitter: Zuul
Branch: f/centos8

commit 4aa661ce5666220d6beb2a3a3fac987cba4feb74
Author: Martin, Chen <email address hidden>
Date: Thu Nov 21 10:28:13 2019 +0800

    Build layering
    Rebase tarball for i40e Driver
    Rebase srpm for systemd 219-67.el7
    Rebase srpm for sudo
    Rebase srpm for ntp

    Depends-On: https://review.opendev.org/#/c/695061/
    Depends-On: https://review.opendev.org/#/c/695560/
    Depends-On: https://review.opendev.org/#/c/695637/
    Depends-On: https://review.opendev.org/#/c/695983/

Story: 2006166
Task: 37570

Change-Id: I7f33e0fb1319df3421318c4927d2a5675a490273
Signed-off-by: Martin, Chen <email address hidden>

commit 5d854355d873702b78ff6aa8c6fddc025c45be2d
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 16:07:17 2019 -0500

Uprev ntp to version 4.2.6p5-29.el7

    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)

See the announcement link:

https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html

for more details.

    Here we refresh the meta patches and correct the crime of
    "name of patch file differs from git format-patch". We
    also clean up the commit short logs.

    Change-Id: I263465d85f06096296fdd478a302eb110ab1259c
    Closes-Bug: 1849197
    Depends-On: https://review.opendev.org/#/c/695983
    Signed-off-by: Jim Somerville <email address hidden>

commit 11fd5d9cd48a1539b9c7a4ebc8aaad69ed24ae5b
Author: Dan Voiculeasa <email address hidden>
Date: Thu Nov 21 15:01:36 2019 +0200

ceph-init-wrapper: Detect stuck peering OSDs and restart them

OSDs might become stuck peering.
Recover from such state.

Closes-bug: 1851287

Change-Id: I2ef1a0e93d38c3d041ee0c5c1e66a4ac42785a68
Signed-off-by: Dan Voiculeasa <email address hidden>

commit f30cb74fef4b97721010ca9bc6a6b6dde03c4add
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 11:01:27 2019 +0800

Update sudo srpm patch for CVE bug

    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    And we have to update some patches according to new srpm.
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

    Closes-Bug: 1852825
    Depends-On: https://review.opendev.org/#/c/695637/
    Change-Id: Ifc0a3423464fafce06cd504d9b427fc3433fb756
    Signed-off-by: Robin Lu <email address hidden>

commit 0231aba5cdcb96b15106591acfff280159050366
Author: Jim Somerville <email address hidden>
Date: Thu Nov 21 15:54:15 2019 -0500

Uprev systemd to version 219-67.el7

    This solves:
    systemd: line splitting via fgets() allows for state injection
    during daemon-reexec (CVE-2018-15686)

along with some other less critical issues. See the security
announcement link:

...

Reviewed:  https://review.opendev.org/698561
Committed: https://git.openstack.org/cgit/starlingx/integ/commit/?id=9035cd1be8aa3138691c6c99219030dfbe77ebaf
Submitter: Zuul
Branch:    f/centos8

commit 4aa661ce5666220d6beb2a3a3fac987cba4feb74
Author: Martin, Chen <haochuan.z.chen@intel.com>
Date:   Thu Nov 21 10:28:13 2019 +0800

Build layering
    Rebase tarball for i40e Driver
    Rebase srpm for systemd 219-67.el7
    Rebase srpm for sudo
    Rebase srpm for ntp
    
    Depends-On: https://review.opendev.org/#/c/695061/
    Depends-On: https://review.opendev.org/#/c/695560/
    Depends-On: https://review.opendev.org/#/c/695637/
    Depends-On: https://review.opendev.org/#/c/695983/
    
    Story: 2006166
    Task: 37570
    
    Change-Id: I7f33e0fb1319df3421318c4927d2a5675a490273
    Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>

commit 5d854355d873702b78ff6aa8c6fddc025c45be2d
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Mon Nov 25 16:07:17 2019 -0500

Uprev ntp to version 4.2.6p5-29.el7
    
    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html
    
    for more details.
    
    Here we refresh the meta patches and correct the crime of
    "name of patch file differs from git format-patch".  We
    also clean up the commit short logs.
    
    Change-Id: I263465d85f06096296fdd478a302eb110ab1259c
    Closes-Bug: 1849197
    Depends-On: https://review.opendev.org/#/c/695983
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit 11fd5d9cd48a1539b9c7a4ebc8aaad69ed24ae5b
Author: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Date:   Thu Nov 21 15:01:36 2019 +0200

ceph-init-wrapper: Detect stuck peering OSDs and restart them
    
    OSDs might become stuck peering.
    Recover from such state.
    
    Closes-bug: 1851287
    
    Change-Id: I2ef1a0e93d38c3d041ee0c5c1e66a4ac42785a68
    Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>

commit f30cb74fef4b97721010ca9bc6a6b6dde03c4add
Author: Robin Lu <bin1.lu@intel.com>
Date:   Fri Nov 22 11:01:27 2019 +0800

Update sudo srpm patch for CVE bug
    
    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    And we have to update some patches according to new srpm.
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html
    
    CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists
    
    Closes-Bug: 1852825
    Depends-On: https://review.opendev.org/#/c/695637/
    Change-Id: Ifc0a3423464fafce06cd504d9b427fc3433fb756
    Signed-off-by: Robin Lu <bin1.lu@intel.com>

commit 0231aba5cdcb96b15106591acfff280159050366
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Thu Nov 21 15:54:15 2019 -0500

Uprev systemd to version 219-67.el7
    
    This solves:
    systemd: line splitting via fgets() allows for state injection
    during daemon-reexec (CVE-2018-15686)
    
    along with some other less critical issues.  See the security
    announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006149.html
    
    for more details.
    
    Here we rebase the patches, and fix the atrocious crime of "name of patch file
    doesn't match what git format-patch generates".  We also squash down the
    meta patches which add the patches to the spec file as part of
    good housekeeping.
    
    Change-Id: I01a3fa329bbad541a063cb604d1756892139967f
    Closes-Bug: 1849200
    Depends-On: https://review.opendev.org/#/c/695560
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit 2718976ddc5c272a97cc60651fe5d63a9a037406
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Tue Oct 29 15:39:05 2019 -0400

i40e Driver Upgrade in support of N3000 on-board NICs
    
    Uprev i40e to version 2.10.19.30
    i40evf gets replaced by iavf version 3.7.61.20
    
    The iavf driver supports both fortville and columbiaville,
    so they decided to rename from i40evf to something more generic.
    
    We get to drop the patch which polls for coming out of
    reset as it was incorporated upstream.
    
    The Intel FPGA Programmable Acceleration Card N3000 contains
    dual Intel XL710 NICs and an FPGA for acceleration purposes.
    This driver upgrade is required to support those NICs.
    
    Change-Id: Ifbec94bcc00a8cce9fe97bf0eb41556b8bd3e592
    Story: 2006740
    Task: 37542
    Depends-On: https://review.opendev.org/#/c/695061
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit 8a3722089d821573ce6766e6fa40d78a0fdbaded
Author: Joseph Richard <joseph.richard@windriver.com>
Date:   Tue Oct 29 10:54:58 2019 -0400

Drop initscripts patch running ipv6 dhcp as daemon
    
    This commit rebases initscripts patch set, dropping
    run-dhclient-as-daemon-for-ipv6.patch
    
    Currently, ifup-eth tries running ipv6 dhclient with the one-shot
    option, and if that fails, then retries indefinitely in the background.
    That has the side-effect of causing the ifup-post script to not be run
    if the first dhclient attempt fails, which will prevent routes on that
    interface from being created.  This is especially problematic in the
    case of a DOR, where the compute nodes may come up before dnsmasq is up
    on the controller.
    This is different from upstream centos, which will only try running
    dhclient with the one-shot option for ipv6.
    By reverting the initscripts patch to run as a daemon, ipv6 dhclient now
    runs as one-shot only, and if it fails, ifup-eth script exits without
    getting an address, and then the node fails to come up and reboot.
    While this may result in the compute node having an extra reboot in a DOR,
    that is preferable to the compute coming up incorrectly and requiring a
    lock/unlock to recover.
    
    Closes-bug: 1844579
    Change-Id: I5b7f6b7c878dc4e4737d986f11fae3301585fb1c
    Signed-off-by: Joseph Richard <joseph.richard@windriver.com>

commit 5afd5f90b29f6e097824f7c6f2fe7762597d9ad6
Author: Andy Ning <andy.ning@windriver.com>
Date:   Tue Nov 5 00:12:26 2019 -0500

update Barbican admin secret's user/project IDs during bootstrap
    
    In a DC system when subcloud is managed, keystone user/project IDs are
    synced with Central Cloud, including admin user and project. But the
    admin's secrets in Barbian still use the original user/project IDs,
    causing docker registry access failure when platform-integ-apps is
    reapplied.
    
    This change added a patch to keystone puppet manifest, that updates
    keystone admin user/project IDs to be the same as Central Cloud right
    after keystone is bootstrapped during subcloud deployment. This way any
    referece to admin user/project IDs after bootstrap will be using the
    IDs same as Central Cloud, including the ones in Barbican. This will
    solve the problem of retrieving central registry credential failure
    when platform-integ-apps is reapplied.
    
    Change-Id: I509a06b4b810620a1b3648837726f7f2771162a5
    Closes-Bug: 1851247
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

tags:

added: in-f-centos8

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-12: Fix merged to tools (f/centos8)

#8

Download full text (8.7 KiB)

Reviewed: https://review.opendev.org/698553
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=202776a187184e536adce99b3b0f0ce1ce04fdee
Submitter: Zuul
Branch: f/centos8

commit 063e29fe2e12a306be51755e994d8eb10b2d3614
Author: VictorRodriguez <email address hidden>
Date: Wed Nov 27 17:39:51 2019 -0600

Add feature to check if a CVE has an open launchpad

This change enables the capability to track if a CVE to be fixed already
has an open launchpad in starlingx: https://bugs.launchpad.net/starlingx/

    This will help the security team to focus on the CVEs that do not
    have a launchpad already open, reducing the overhead of analysis of CVEs
    already presented to the development team.

Story:2006971

Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
Signed-off-by: VictorRodriguez <email address hidden>

commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab
Author: Robin Lu <email address hidden>
Date: Mon Nov 11 16:47:49 2019 +0800

Update OVMF rpm, due to CVE bug.

    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html

Tests:
simplex, duplex, multi-node

Closes-Bug: 1849205

Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
Signed-off-by: Robin Lu <email address hidden>

commit d964e258beb0c75b5a23ec7db1b523f263db7c9f
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 15:51:29 2019 -0500

Uprev ntp to version 4.2.6p5-29.el7

    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)

See the announcement link:

https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html

for more details.

    Change-Id: Ic92fd6af30bf05c6f40cb6a6c60e0bc3811ff22a
    Partial-Bug: 1849197
    Signed-off-by: Jim Somerville <email address hidden>

commit c75164899fb0d242022338d67144c06be7c5b32f
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 16:08:13 2019 +0800

Update sudo srpm for CVE bug

To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

Closes-Bug: 1852825

Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
Signed-off-by: Robin Lu <email address hidden>

commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500

Uprev ruby and associated gems to subminor ver 36

All affected packages are moved forward to their -36 version.

    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)

along with numerous other issues.

See the announcement link:

https://lists.centos.org/pipermail/centos-cr-announce/2019-Augu...

Reviewed:  https://review.opendev.org/698553
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=202776a187184e536adce99b3b0f0ce1ce04fdee
Submitter: Zuul
Branch:    f/centos8

commit 063e29fe2e12a306be51755e994d8eb10b2d3614
Author: VictorRodriguez <vm.rod25@gmail.com>
Date:   Wed Nov 27 17:39:51 2019 -0600

Add feature to check if a CVE has an open launchpad
    
    This change enables the capability to track if a CVE to be fixed already
    has an open launchpad in starlingx: https://bugs.launchpad.net/starlingx/
    
    This will help the security team to focus on the CVEs that do not
    have a launchpad already open, reducing the overhead of analysis of CVEs
    already presented to the development team.
    
    Story:2006971
    
    Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
    Signed-off-by: VictorRodriguez <vm.rod25@gmail.com>

commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab
Author: Robin Lu <bin1.lu@intel.com>
Date:   Mon Nov 11 16:47:49 2019 +0800

Update OVMF rpm, due to CVE bug.
    
    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html
    
    Tests:
    simplex, duplex, multi-node
    
    Closes-Bug: 1849205
    
    Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
    Signed-off-by: Robin Lu <bin1.lu@intel.com>

commit d964e258beb0c75b5a23ec7db1b523f263db7c9f
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Mon Nov 25 15:51:29 2019 -0500

Uprev ntp to version 4.2.6p5-29.el7
    
    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html
    
    for more details.
    
    Change-Id: Ic92fd6af30bf05c6f40cb6a6c60e0bc3811ff22a
    Partial-Bug: 1849197
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit c75164899fb0d242022338d67144c06be7c5b32f
Author: Robin Lu <bin1.lu@intel.com>
Date:   Fri Nov 22 16:08:13 2019 +0800

Update sudo srpm for CVE bug
    
    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html
    
    CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists
    
    Closes-Bug: 1852825
    
    Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
    Signed-off-by: Robin Lu <bin1.lu@intel.com>

commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Fri Nov 22 16:35:45 2019 -0500

Uprev ruby and associated gems to subminor ver 36
    
    All affected packages are moved forward to their -36 version.
    
    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)
    
    along with numerous other issues.
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006124.html
    
    for more details.
    
    Note that rubygem-json is moved back to version 1.7.7-36 as it
    should never have been moved to 2.0.2-2 in the first place. That
    appears to have occurred accidentally, taking the package from
    opstools instead of os when moving to CentOS 7.6.
    
    Change-Id: I732a0ddba6e2aa5ebda0e10f6e633f60c162890c
    Closes-Bug: 1849195
    Closes-Bug: 1849203
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit badc87aec310748399164c4f4d610ad4b39c8056
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Fri Nov 22 11:55:56 2019 -0500

Uprev wget to version 1.14-18.el7_6.1
    
    This solves:
    wget: do_conversion() heap-based buffer overflow
    vulnerability (CVE-2019-5953)
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-announce/2019-May/023316.html
    
    for more details.
    
    Change-Id: I0e1c47f95b0cb643703d71367d1e9aa10870859b
    Closes-Bug: 1849210
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit 855ef14c832c88ee41d4cae05fdd0f6bbf8e38c7
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Thu Nov 21 18:44:38 2019 -0500

Uprev elfutils to version 0.176-2.el7
    
    This solves:
    elfutils: Double-free due to double decompression of sections in
    crafted ELF causes crash (CVE-2018-16402)
    
    along with quite a few other issues.
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/005856.html
    
    for more details.
    
    Change-Id: Ia328b6043c1815a023ab45ea6f8142dcef91864b
    Closes-Bug: 1849201
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit 647676c202022175a331c29a79dba20ef88e9f74
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Thu Nov 21 18:23:21 2019 -0500

Uprev polkit to version 0.112-22.el7
    
    This solves:
    polkit: Improper handling of user with uid > INT_MAX leading
    to authentication bypass (CVE-2018-19788)
    
    See the announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006051.html
    
    for more details.
    
    Change-Id: I6eb69cd129b2b6d0e115f65b42f997d2b3f69d9a
    Closes-Bug: 1849202
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit e4ea643e3cfbf3303e49b36915d3eb87b7fb4033
Author: blu <bin1.lu@intel.com>
Date:   Thu Nov 7 14:32:01 2019 +0800

Update libX11 related rpms, due to CVE bugs
    
    CVE bugs: CVE-2018-14599, CVE-2018-14600
    
    Extra CVE bugs: CVE-2018-14598, CVE-2018-15853, CVE-2018-15854,
    CVE-2018-15855, CVE-2018-15856, CVE-2018-15857, CVE-2018-15859,
    CVE-2018-15861, CVE-2018-15862, CVE-2018-15863, CVE-2018-15864
    These extra CVE bugs are fixed together. Although libxkbcommon
    has a low score, we are including it here anyway just to stay
    consistent with RedHat's bundling decision.
    
    The updated rpms are selected from the link provided by RedHat.
    (https://access.redhat.com/errata/RHSA-2019:2079)
    
    Tests:
    simplex, duplex, multi-node
    
    Closes-Bug: 1849198
    Closes-Bug: 1849199
    
    Change-Id: I184ff40d855c60d4824e28f2fe701230191d62b0
    Signed-off-by: Robin Lu <bin1.lu@intel.com>

commit 391b7d5e3485d9bc04e642889da7fc1166dbfdec
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Thu Nov 21 14:29:44 2019 -0500

Uprev systemd to version 219-67.el7
    
    This solves:
    systemd: line splitting via fgets() allows for state injection
    during daemon-reexec (CVE-2018-15686)
    
    along with some other less critical issues.  See the security
    announcement link:
    
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006149.html
    
    for more details.
    
    Change-Id: Ia0fcc7184efea5b31408d7514921b58377beb329
    Partial-Bug: 1849200
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit e47f347e9fd9be6707ed35b812f45f2138bb622b
Author: Angie Wang <angie.wang@windriver.com>
Date:   Tue Nov 19 13:46:43 2019 -0500

Upgrade botocore package
    
    Upgrade botocore package from 1.6.0 to 1.12.75.
    The new version fixed the ipv6 proxy management issue.
    
    Change-Id: Ib82df18ed9ea72fcff9f029289dac2491fe80e81
    Partial-Bug: 1853024
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit b1660fe4a352e1c5ee190e5dc62f4a95c9089b30
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Fri Nov 15 16:21:52 2019 -0500

i40e Driver Upgrade in support of N3000 on-board NICs
    
    Uprev i40e to version 2.10.19.30
    i40evf gets replaced by iavf version 3.7.61.20
    
    The iavf driver supports both fortville and columbiaville,
    so they decided to rename from i40evf to something more generic.
    
    The Intel FPGA Programmable Acceleration Card N3000 contains
    dual Intel XL710 NICs and an FPGA for acceleration purposes.
    This driver upgrade is required to support those NICs.
    
    Story: 2006740
    Task: 37542
    Change-Id: I53c731c1b519b1412acda5f5e2ee7dc33729d40d
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit bc125699793b97e7dd14d05b2b6b620fed03d5f1
Author: zhipengl <zhipengs.liu@intel.com>
Date:   Tue Oct 8 18:40:33 2019 +0800

Update download list for openstack-helm upgrade
    
    Uprade openstack-helm to
    Commit-id:82c72367c85ca94270f702661c7b984899c1ae38
    Upgrade openstack-helm-infra to
    Commit-id:c9d6676bf9a5aceb311dc31dadd07cba6a3d6392
    
    Story: 2006544
    Task: 36623
    
    Change-Id: I991512ef3b0bd9869aa795e4a50a41d5ca187148
    Signed-off-by: zhipengl <zhipengs.liu@intel.com>

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2019-12-16:

#9

@Robin, please cherry-pick/port the equivalent change to the r/stx.2.0 branch.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-17: Fix proposed to tools (r/stx.2.0)

#10

Fix proposed to branch: r/stx.2.0
Review: https://review.opendev.org/699320

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-17: Fix proposed to integ (r/stx.2.0)

#11

Fix proposed to branch: r/stx.2.0
Review: https://review.opendev.org/699321

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-02: Fix merged to tools (r/stx.2.0)

#12

Reviewed: https://review.opendev.org/699320
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=8f446f3fed55736b2958c69ce6c580d39a9d9647
Submitter: Zuul
Branch: r/stx.2.0

commit 8f446f3fed55736b2958c69ce6c580d39a9d9647
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 16:08:13 2019 +0800

Upgrade sudo to version 1.8.23-4.el7_7.1

To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

Closes-Bug: 1852825

    Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
    Signed-off-by: Robin Lu <email address hidden>
    (cherry picked from commit c75164899fb0d242022338d67144c06be7c5b32f)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-02: Fix merged to integ (r/stx.2.0)

#13

Reviewed: https://review.opendev.org/699321
Committed: https://git.openstack.org/cgit/starlingx/integ/commit/?id=17f6919d14c9eed9821232f3b6f4bb334d712c37
Submitter: Zuul
Branch: r/stx.2.0

commit 17f6919d14c9eed9821232f3b6f4bb334d712c37
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 11:01:27 2019 +0800

Upgrade sudo to version 1.8.23-4.el7_7.1

    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    And we have to update some patches according to new srpm.
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

    Closes-Bug: 1852825
    Depends-On: https://review.opendev.org/#/c/699320/
    Change-Id: Ifc0a3423464fafce06cd504d9b427fc3433fb756
    Signed-off-by: Robin Lu <email address hidden>

Ghada Khalil (gkhalil) on 2020-01-13

tags:

added: in-r-stx20

StarlingX

CVE-2019-14287: sudo: can bypass certain policy blacklists

Bug Description

CVE References

Other bug subscribers

Remote bug watches