Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tobiasb/CVE 2023 28155 reaper #5560

Closed
wants to merge 25 commits into from
Closed

Tobiasb/CVE 2023 28155 reaper #5560

wants to merge 25 commits into from

Conversation

tobiasb-ms
Copy link
Contributor

@tobiasb-ms tobiasb-ms commented May 23, 2023
edited
Loading

DRAFT--IGNORE

Merge Checklist
  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

Patch reaper to fix CVE-2023-28155, which is a vulnerability in the request npm module, upon which reaper depends. This is somewhat complicated by the fact that request has been deprecated and is no longer taking updates. The patch is actually adapted from a pull request that was never and will never be merged.

Change Log

Patch CVE-2023-28155

Does this affect the toolchain?

NO

Links to CVEs
Test Methodology

trungams and others added 25 commits May 18, 2023 15:30
@trungams
Add nopatch for CVE-2023-2513, CVE-2023-32233, CVE-2023-32269 (micros…
10b2c55 
…oft#5534)
@PawelWMS
Restored executable permissions for 'squid' scripts. (microsoft#5521)
0777429
@PawelWMS
Updated PR checks (microsoft#5539)
2ba9618
@Redent0r
Upgrade cloud-hypervisor to 31.1, kernel-mshv to 5-15-110, and kernel… (
1f172f0 
microsoft#5529)

* Upgrade cloud-hypervisor to 31.1, kernel-mshv to 5-15-110, and kernel-uvm to 5-15-110 as part of LSG release v2305.11.1

* update manifest

* install bzImage
@miz060
Add rootfs partition name in gen2 market place image (microsoft#5505)
455608b 
Add rootfs partition name in gen2 market place image
@oliviacrain
Fix python-pbr tests by pinning sphinx version used (microsoft#5542)
9c25531
@oliviacrain
Fix ocaml-ppxlib tests failing due to ocaml-sexplib0-0.15.0 (microsof…
0923e30 
…t#5541)
@CBL-Mariner-Bot
kernel-hci: Add CVE-2023-2248 CVE-2023-2177 CVE-2023-2008 CVE-2023-0458
e7eba85 
CVE-2023-1382 CVE-2023-23005 CVE-2023-2006 CVE-2023-1998 CVE-2023-28327 CVE-2023-2235 CVE-2023-30772 CVE-2023-28328 CVE-2023-2019 CVE-2023-2162 CVE-2023-22997 CVE-2023-2166 CVE-2023-31436 CVE-2023-1872 CVE-2023-2194 (microsoft#5526)
@oliviacrain
Remove zstd from package test exclusion list (microsoft#5545)
82b8009
@dallasd1
Upgrade moby-containerd-cc to 1.7.1 (microsoft#5546)
f9d9e09 
* Update moby-containerd-cc to 1.7.1 to fix unit test TestSnapshotterFromPodSandboxConfig
@AZaugg
Add ldap backend support into sudo (microsoft#5476)
7505eb5 
* Add ldap support to sudo

ALlow ldap to be used to configure sudo

* Updated 1.8.15-4 of commit in change log

rpmlint was failing as date and day did not match up, correcting
day to pass rpmlint

* Address PR commnts

- Removing ldap path and defauting to default config path
- Changing openldap to openldap-devel
@oliviacrain
Fix dnf-plugins-core tests by using unittests runner (microsoft#5551)
16936a8
@Adub17030MS
Upgrade cert-manager to v1.11.2 (microsoft#5513)
bd0d0dc 
* updating to v1.11.2

* Fixing bogus date warning

* Removing patch for CVE-2023-25165 as it is patched in the upgrade

* Removing patch for CVE-2023-25165 as it is patched in the upgrade

* Updating prep section to work withouth patch

* Fixing linting error
@CBL-Mariner-Bot
kernel-hci: Add CVE-2023-32233 CVE-2023-32269 CVE-2023-2513 (microsof…
f79039f 
…t#5552)
@tobiasb-ms
Remove umask handling from bash.spec and change it in filesystem.spec (
33106ca 
…microsoft#5528)
@0xba1a
Upgrade lua to 5.4.4 to fix CVE-2021-44964 (microsoft#5478)
b9b5742 
* Upgrade lua to 5.4.4 to fix CVE-2021-44964

* Update signature file manually

* Update toolchain build scripts for lua

* Remove patches that were already merged to lua-5.4.4

* Fix typo in changelog
@oliviacrain
Pin version of hypothesis used in numpy tests to avoid test breakage (m…
b992bf8 
…icrosoft#5548)
@oliviacrain
Remove python2 test exclusion (microsoft#5553)
bfba5a8
@BettyRain
Provide k8s-cni in cni-plugins rpm (microsoft#5543)
58ad13d 
Provide k8s-cni in cni-plugins

---------

Co-authored-by: Betty Lakes <bettylakes@microsoft.com>
@gjswalling
Remove x86 console params from ARM-specific grub config file
ab0e564
@suresh-thelkar
Patch frr with CVE-2023-31490 (microsoft#5564)
63aa504
@0xba1a
Fix CVE-2023-29194 by upgrading vitess to 16.0.2 (microsoft#5498)
4554031 
* Fix CVE-2023-29194 by upgrading vitess to version 16.0.2

* Updage cgmanifest.json with correct version
@0xba1a
Update CVE-2022-37601.patch to fix multiple occurrences (microsoft#5563)
4860181 
* Update CVE-2022-37601.patch to fix multiple occurances

loader-utils module is used by multiple other modules which reaper is
depending upon. Instead of reusing already downloaded code, npm
redownloades the same module at different subtree level of node_modules.
So the same CVE has to be fixed in other two places as well.

* Addressed review comments
@tobiasb-ms
fix: add setuid bit to necessary binaries so regular users can run th…
d80ac59 
…em (microsoft#5573)
@tobiasb-ms
Fix tobiasb/CVE-2023-28155 by patch request module in reaper
35d2f6a
@tobiasb-ms tobiasb-ms force-pushed the tobiasb/CVE-2023-28155-reaper branch from c28f407 to 35d2f6a Compare May 24, 2023 20:17
@tobiasb-ms tobiasb-ms closed this May 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet