Skip to content

2.3.8

Choose a tag to compare

View all tags
@dmulder dmulder released this 11 Mar 00:07
· 831 commits to main since this release
2.3.8
dec3693

Himmelblau 2.3.8

Release type: Security patch release
Himmelblau 2.3.8 is a targeted security update for the 2.3.x series.
This release addresses one vulnerability and contains no additional feature changes.

Security fix

GHSA-44wm-q286-ghq3 (High, CVSS 8.8) (CVE-2026-31979)

Issue: himmelblaud-tasks could be exploited via a /tmp symlink attack path while handling Kerberos ccache files.
Risk: Local privilege escalation to root through unintended file/directory ownership changes or file overwrite behavior.
Fixed in: 2.3.8
Affected versions: Prior vulnerable releases (fixed releases are 2.3.8 and 3.1.0)

Action required

  1. Upgrade all Himmelblau 2.3.x deployments to 2.3.8 immediately.
  2. Restart services after upgrade: 
    sudo systemctl restart himmelblaud himmelblaud-tasks
  3. For potentially exposed systems, review for signs of abuse:
    • Suspicious /tmp/krb5cc_* symlinks
    • Unexpected ownership changes on sensitive paths (for example /etc, /usr, /var/lib)

Credits
Thanks to @khronosd for responsibly reporting this issue.

GHSA-44wm-q286-ghq3
Full Changelog: 2.3.7...2.3.8

Contributors

khronosd
Assets 2
Loading