Update dependency ops to v2.15.0 [SECURITY] #163
Conversation
Should we avoid update to ops 2.15 everywhere (where ops <=2.9 is still in use)?

just on router
LGTM for the version bump after canonical/mysql-router-k8s-operator#273 is merged.
This PR contains the following updates:

- ops: 2.9.0 -> 2.15.0 (version constraint ^2.9.0, <2.10 -> <2.16)
GitHub Vulnerability Alerts
CVE-2024-41129
Summary
The issue here is that we pass the secret content as one of the args via CLI. This issue may affect any of our charms that use Juju (>=3.0) with Juju secrets and do not correctly capture and process `subprocess.CalledProcessError`.

There are two points that may log this command, in different files:

First, if there is an error during secret handling, there will be a `subprocess.CalledProcessError`, which will contain the CLI command plus all its args. This is logged at any logging level. This exception, if not caught by the charm, will bubble up to the `/var/log/juju/` logs and the syslog journal. Now, on Ubuntu 22.04, these logs are protected with:

Second, certain audit setups may log terminal commands, which would result in this command being logged with its secrets. It is unknown if this is done in Ubuntu security benchmarks, such as CIS hardening.

Keep in mind these logs may be copied or even backed up, which exposes them to more services in the user's environment (e.g. CI runs in GitHub, although these are dummy passwords generated per test only).

Passing secrets straight via CLI is not advised. Here are some ways out:

- Capture the `subprocess.CalledProcessError`, redacting its content and reissuing the same type of exception; this will not cover the case where `auditd` is set to log CLI commands, if that is a risk.

Severity Rationale

This is a CWE-532 (Insertion of Sensitive Information into Log File). Potentially, these secrets can lead to privilege escalation, but the Ubuntu default is to have logs accessible only to `adm` group users. Marking this issue as "Moderate", as this report does not present a clear way to get access to the logs themselves: either getting local access to an `adm` group user (e.g. ubuntu) or recovering logs stored on a 3rd-party service.

Details

From CI: https://github.com/canonical/opensearch-operator/actions/runs/9908987369/job/27376377521?pr=364

PoC

Impact

Juju secrets are generally composed of private keys, passwords, etc.; generally valuable credentials that, if leaked, will likely allow an attacker to get privileged access to its target or other targets in the environment.
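The mitigation the advisory lists above (capture the `CalledProcessError`, redact it, re-raise the same exception type), worked through as an added example that is not the advisory's or the ops library's own code. The `secret-set` stand-in command, the `redact_args`/`run_with_secret` names and the sample password are constructed for illustration; Python is used because ops is a Python library.

```python
import subprocess
import sys
from typing import List, Sequence

REDACTED = "***REDACTED***"


def redact_args(cmd: Sequence[str], secrets: Sequence[str]) -> List[str]:
    """Copy of cmd with every secret value masked, including inside key=value args."""
    out = []
    for arg in cmd:
        for secret in secrets:
            if secret:
                arg = arg.replace(secret, REDACTED)
        out.append(arg)
    return out


def run_with_secret(cmd: Sequence[str], secrets: Sequence[str]) -> subprocess.CompletedProcess:
    """Run cmd; on failure re-raise CalledProcessError with cmd/stdout/stderr redacted.

    `from None` drops the original, unredacted exception from the chain, which a
    traceback printer would otherwise still show.
    """
    try:
        return subprocess.run(cmd, check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as exc:
        raise subprocess.CalledProcessError(
            exc.returncode,
            redact_args(exc.cmd, secrets),
            output=redact_args([exc.stdout or ""], secrets)[0],
            stderr=redact_args([exc.stderr or ""], secrets)[0],
        ) from None


def demo() -> tuple:
    """Compare the bare call with the redacting wrapper on a failing command."""
    # Constructed stand-in for a hook tool: echoes its args to stderr, then fails.
    secret = "constructed-example-password-42"
    cmd = [sys.executable, "-c",
           "import sys; print(' '.join(sys.argv[1:]), file=sys.stderr); sys.exit(2)",
           "secret-set", f"password={secret}"]
    leaked = safe = False
    try:  # unhandled path: str(exc) and exc.stderr both carry the secret
        subprocess.run(cmd, check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as exc:
        leaked = secret in str(exc) and secret in exc.stderr
    try:  # hardened path: nothing that would reach a log contains the secret
        run_with_secret(cmd, [secret])
    except subprocess.CalledProcessError as exc:
        safe = secret not in str(exc) and secret not in exc.stderr and exc.returncode == 2
    return leaked, safe
```

As the advisory notes, this only protects the exception path; a command-auditing setup such as `auditd` logging argv would still record the secret.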
Release Notes

canonical/operator (ops)

v2.15.0

Features
Fixes
Documentation
CI

v2.14.1

Fixes
Tests
Documentation
CI

v2.14.0

Features
- `__str__` to ActionFailed, for better unexpected failure output (#1209)
Fixes
- `other` argument to `RelationDataContent.update(...)` should be optional (#1226)
Documentation
Refactoring
- `ruff` formatter and reformat all code (#1224)

v2.13.0

Features
Fixes
Documentation
- `tox -e docs-deps` to compile requirements.txt (#1172)
Tests
- `pebble.CheckInfo.change_id` field (#1197)

v2.12.0

Features
- `Model.get_cloud_spec`, which uses the `credential-get` hook tool to get details of the cloud where the model is deployed (#1152)
Fixes
- `get_notices` parameter name to `users=all` (previously `select=all`) (#1146)
- `Model.relation.app` type from `Application|None` to `Application` (#1151)
- `begin` (#1150)
- `pebble.Client.exec` might leak a `socket.timeout` (`builtins.TimeoutError`) exception (#1155)
- `add_relation` (#1138)
- `get_relation` behaviour in `leader-elected` (#1156)
- `type: secret` for config options (#1167)
Refactoring
- `_Manager` class (#1085)
Documentation
- `ops.testing` from unittest to pytest style (#1157)
- `Harness.add_relation` docstring (#1168)

v2.11.0

Features
- `StopEvent`, `RemoveEvent`, and all `LifeCycleEvent`s are no longer deferrable, and will raise a `RuntimeError` if `defer()` is called on the event object (#1122)
- `ActionEvent.id`, exposing the JUJU_ACTION_UUID environment variable (#1124)
- `pebble.Plan` objects by passing in a `pebble.PlanDict`, the ability to compare two `Plan` objects with `==`, and the ability to create an empty Plan with `Plan()` (#1134)
Fixes
Documentation
- `can_connect()` API documentation (#1123)
Tooling

v2.10.0

Features
- `PebbleCustomNoticeEvent`, `get_notices`, and so on) (#1086, #1100)
- `Relation.active`, and excluded inactive relations from `Model.relations` (#1091)
- `ContainerMeta`, and various info links in `CharmMeta`) (#1106)
- `ModelError` in Harness if an invalid status is set (#1107)
Fixes
Documentation
Tooling
Configuration
📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate.