Please update the Heroku-16 images to include the fix for git CVE-2017-1000117 #69
Comments
These fixes are also missing:

Judging from the timestamps in the image, I don't think it's been updated at all since 24th Feb 2017, which is slightly concerning. Is there a process in place for generating regular updates (a) every N months, (b) in response to new CVE announcements?
We release new stack images mostly based on advisories from our own security team. The timeline for patching varies by severity. Some of the factors that contribute are how the vulnerability would be exploited, the likelihood of an exploit and whether workarounds exist. In the case of CVE-2017-1000117, we updated our own Git service within hours as that was a high-risk target. It's much less likely that apps running on Heroku clone repositories, and even less likely that they do so based on arbitrary user input, so testing for regressions became more important than rolling out a fix immediately. Apps that might be affected could set

Testing for regressions is particularly important. We've seen a number of odd cases such as this EGLIBC bug and this OpenSSL bug. Sometimes these errors affect many apps and are easy to spot, but sometimes they only manifest due to our scale, which makes them almost impossible to detect for anyone but the affected customer.

Better tooling for building stack images is definitely part of the answer. We should catch regressions like the changed dependency tree (and now will, thanks to #73), and we should make it possible to introduce urgent updates to specific packages without touching anything else. These are things we'll continue to work on.

Anyway, the Heroku-16 stack image was updated early last week and the Cedar-14 stack image is now finally updated based on the latest packages. Thank you for reporting this issue.
That makes sense - thank you for the image update & the extra context :-)
Currently the Heroku-16 images are using version 1:2.7.4-0ubuntu1 of the Ubuntu git package:

This is missing:
(From http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.7.4-0ubuntu1.2/changelog)