USN-3438-1: Git vulnerability
Bregor opened this issue · 8 comments
Package git-core should be upgraded in the quay.io/deis/slugrunner image due to USN-3438-1.
Hi. I'm not so sure about this fix.
$ docker run --entrypoint=dpkg deis/slugrunner:v2.4.0 --list git
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==================================-===================================-============-===========================================================================================
ii git 1:1.9.1-1ubuntu0.5 amd64 fast, scalable, distributed revision control system
In deis/slugrunner:v2.4.0 there is a git package in version 1:1.9.1-1ubuntu0.5 installed. In the last release of heroku/cedar there is version 1:1.9.1-1ubuntu0.6, but according to usn-3438-1 we need 1:1.9.1-1ubuntu0.7 (changelog) to fix CVE-2017-14867.
It's also related to deis/slugbuilder#144
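A small checker for the comparison made in this comment, added here as an example and not part of the issue or of the deis project: it picks the installed version out of `dpkg --list` output and orders Debian version strings (epoch, upstream, revision, with the `~` rule) so an image's package can be tested against the fixed version a USN names. The sample listing is constructed from the output quoted above.

```python
import re
# Constructed sample: the `dpkg --list git` output quoted in the issue for
# deis/slugrunner:v2.4.0 before the rebuild (git 1:1.9.1-1ubuntu0.5).
DPKG_LIST_SAMPLE = """\
+++-====-====-====-====
ii  git  1:1.9.1-1ubuntu0.5  amd64  fast, scalable, distributed revision control system
"""

def _key(s):
    # Sort key for a non-digit run under Debian rules: '~' sorts before
    # everything, even the end of the run (sentinel 0); letters before non-letters.
    return tuple(-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in s) + (0,)

def _cmp_part(a, b):
    # Alternate non-digit runs (lexical) and digit runs (numeric) until both end.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        if _key(na) != _key(nb):
            return -1 if _key(na) < _key(nb) else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def parse_version(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to "".
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), revision

def compare_versions(a, b):
    # -1, 0 or 1, the same ordering as dpkg --compare-versions lt / eq / gt.
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def installed_version(dpkg_list, package):
    # Second status letter 'i' (as in "ii" or "hi") means the package is installed.
    for fields in (line.split() for line in dpkg_list.splitlines()):
        if len(fields) >= 3 and fields[0][1:2] == "i" and fields[1] == package:
            return fields[2]
    return None

def is_patched(dpkg_list, package, fixed_version):
    v = installed_version(dpkg_list, package)
    return v is not None and compare_versions(v, fixed_version) >= 0
```

Feed it the output of `docker run --entrypoint=dpkg <image> --list git` and the version from the USN; `is_patched` is False for the listing above and True once the image carries 1:1.9.1-1ubuntu0.7.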
Thank you @stuszynski. Would you mind filing a ticket upstream at https://github.com/heroku/stack-images to bump git? It does indeed appear that this has not been resolved. Thank you for double-checking.
filed at heroku/base-images#83
Git was updated in the latest cedar.
@bacongobbler Would you kick off CI again? I can see the last build was pushed 5 days ago but it still has git 1:1.9.1-1ubuntu0.5.
fixed for slugrunner v2.4.0. I'm kicking off the pipeline for slugbuilder and will close this once that's done. Sorry for the delay!
><> docker run --entrypoint=dpkg deis/slugrunner:v2.4.0 --list git
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==================================-===================================-============-===========================================================================================
ii git 1:1.9.1-1ubuntu0.7 amd64 fast, scalable, distributed revision control system
actually I'll close this and close deis/slugbuilder#144 once slugbuilder's been fixed.