This repository has been archived by the owner on May 6, 2022. It is now read-only.

update jekyll & ffi to address CVE-2018-17567 & CVE-2018-1000201 #2607

Merged (1 commit, Apr 15, 2019)

Conversation

@jboyd01 (Contributor) commented Apr 11, 2019

address 2 CVEs

CVE-2018-17567
moderate severity
Vulnerable versions: < 3.6.3
Patched version: 3.6.3
Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.

CVE-2018-1000201
moderate severity
Vulnerable versions: < 1.9.24
Patched version: 1.9.24
ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String. This vulnerability appears to have been fixed in v1.9.24 and later.
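
The two advisories quoted above give exact version ranges and, for CVE-2018-17567, a concrete mechanism (a symlink named in the `include` key escaping the site source). The following Ruby script is an added example, not code from this PR or from the service-catalog project: it audits a Gemfile.lock against the ranges as stated in the advisory text, and separately checks whether any `include` entry resolves outside the site root. The sample lockfile and the temporary site fixture are constructed for the demo; the function names (`audit_lockfile`, `unsafe_includes`, `demo_symlink_check`) are the example's own.

```ruby
require "rubygems"    # Gem::Version compares "3.10.0" > "3.9.0" correctly, unlike string compare
require "pathname"
require "fileutils"
require "tmpdir"

# Vulnerable ranges exactly as the advisory text states them:
# Jekyll through 3.6.2, 3.7.x through 3.7.3, 3.8.x through 3.8.3; ffi before 1.9.24.
JEKYLL_VULNERABLE_RANGES = [["0", "3.6.2"], ["3.7.0", "3.7.3"], ["3.8.0", "3.8.3"]].freeze
FFI_PATCHED = Gem::Version.new("1.9.24")

def jekyll_vulnerable?(version)
  v = Gem::Version.new(version)
  JEKYLL_VULNERABLE_RANGES.any? do |lo, hi|
    v >= Gem::Version.new(lo) && v <= Gem::Version.new(hi)
  end
end

def ffi_vulnerable?(version)
  Gem::Version.new(version) < FFI_PATCHED
end

# Pull pinned versions out of a Gemfile.lock "specs:" block. Top-level gems sit at a
# 4-space indent as "name (x.y.z)"; their dependencies are indented deeper and carry
# requirement strings rather than pins, so the anchored indent skips them.
def locked_versions(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, pins|
    m = line.match(/\A {4}([A-Za-z0-9_.\-]+) \(([^)\s]+)\)\s*\z/)
    pins[m[1]] = m[2] if m
  end
end

# Returns one finding per gem pinned at a version inside an advisory range.
def audit_lockfile(lockfile_text)
  pins = locked_versions(lockfile_text)
  findings = []
  if pins["jekyll"] && jekyll_vulnerable?(pins["jekyll"])
    findings << "jekyll #{pins['jekyll']} is in the CVE-2018-17567 range (patched version 3.6.3)"
  end
  if pins["ffi"] && ffi_vulnerable?(pins["ffi"])
    findings << "ffi #{pins['ffi']} is in the CVE-2018-1000201 range (patched version 1.9.24)"
  end
  findings
end

# CVE-2018-17567 side: an `include:` entry whose real path resolves outside the site source
# (a symlink, or a path through one) would let the build copy that file into the output.
# Returns the offending entries; dangling entries are skipped because nothing can be copied.
def unsafe_includes(source_dir, includes)
  root = Pathname.new(source_dir).realpath
  includes.select do |entry|
    path = root.join(entry)
    next false unless path.exist?
    real = path.realpath.to_s
    !(real == root.to_s || real.start_with?(root.to_s + File::SEPARATOR))
  end
end

# Constructed sample Gemfile.lock (not the project's real lockfile) pinning the pre-fix versions.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ffi (1.9.23)
      jekyll (3.6.2)
        ffi (>= 1.0)
      sassc (1.11.4)
        ffi (~> 1.9)
  PLATFORMS
    ruby
LOCK

# Builds a throwaway site whose `leak` entry is a symlink to a file outside the source tree,
# then returns which of the given includes escape. The fixture is constructed for the demo.
def demo_symlink_check(includes = ["assets/ok.txt", "leak", "missing"])
  Dir.mktmpdir do |base|
    site    = File.join(base, "site")
    outside = File.join(base, "outside")
    FileUtils.mkdir_p(File.join(site, "assets"))
    FileUtils.mkdir_p(outside)
    File.write(File.join(site, "assets", "ok.txt"), "fine")
    File.write(File.join(outside, "secret.txt"), "must never reach the build output")
    File.symlink(File.join(outside, "secret.txt"), File.join(site, "leak"))
    unsafe_includes(site, includes)
  end
end

if $PROGRAM_NAME == __FILE__
  puts audit_lockfile(SAMPLE_LOCKFILE)
  puts "escaping includes: #{demo_symlink_check.inspect}"
end
```

Run as `ruby audit.rb` against a real lockfile by swapping `SAMPLE_LOCKFILE` for `File.read("Gemfile.lock")`. The symlink check compares `realpath` results rather than the literal path string, which is what catches both a symlinked file and a normal file reached through a symlinked directory.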

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 11, 2019
@jboyd01 (Contributor, Author) commented Apr 11, 2019

flake?

I0411 20:21:20.185] The following additional packages will be installed:
I0411 20:21:20.188] libssl1.1 openssl
I0411 20:21:20.529] The following NEW packages will be installed:
I0411 20:21:20.535] ca-certificates libssl1.1 openssl
I0411 20:21:20.782] 0 upgraded, 3 newly installed, 0 to remove and 17 not upgraded.
..........
I0411 20:21:23.793] Selecting previously unselected package openssl.
I0411 20:21:23.803] Preparing to unpack .../openssl_1.1.0j-1~deb9u1_arm64.deb ...
...............
I0411 20:22:18.075] WARNING: Skipping duplicate certificate thawte_Primary_Root_CA_-_G3.pem
I0411 20:22:18.094] /usr/sbin/update-ca-certificates: 183: /usr/sbin/update-ca-certificates: chmod: Exec format error
I0411 20:22:18.100] /usr/sbin/update-ca-certificates: 75: /usr/sbin/update-ca-certificates: rm: Exec format error
I0411 20:22:18.161] dpkg: error processing package ca-certificates (--configure):
I0411 20:22:18.161] subprocess installed post-installation script returned error exit status 2
I0411 20:22:18.162] Processing triggers for libc-bin (2.24-11+deb9u1) ...
I0411 20:22:18.195] dpkg (subprocess): unable to execute installed post-installation script (/var/lib/dpkg/info/libc-bin.postinst): Exec format error
I0411 20:22:18.199] dpkg: error processing package libc-bin (--configure):
I0411 20:22:18.199] subprocess installed post-installation script returned error exit status 2
I0411 20:22:18.228] Errors were encountered while processing:
I0411 20:22:18.229] ca-certificates
I0411 20:22:18.229] libc-bin
I0411 20:22:18.260] E: Sub-process /usr/bin/dpkg returned an error code (1)
I0411 20:22:18.261] E: Problem executing scripts DPkg::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
I0411 20:22:18.261] E: Sub-process returned an error code
I0411 20:22:18.583] Makefile:381: recipe for target 'service-catalog-image' failed
I0411 20:22:18.583] make[1]: Leaving directory '/workspace/github.com/kubernetes-incubator/service-catalog'
I0411 20:22:18.584] Makefile:346: recipe for target 'arch-image-arm64' failed
W0411 20:22:18.591] The command '/bin/sh -c export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install ca-certificates -y && rm -rf /var/lib/apt/lists/*' returned a non-zero code: 100
W0411 20:22:18.592] make[1]: *** [service-catalog-image] Error 100
W0411 20:22:18.592] make: *** [arch-image-arm64] Error 2

/retest

@jberkhahn (Contributor) commented:

/retest

@jberkhahn (Contributor) commented:

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 11, 2019
@jberkhahn (Contributor) commented:

cc @mhbaur could you take a look at this ASAP?

@MHBauer (Contributor) left a comment:

seems fine
/lgtm

I think upstream uses hugo now.

@jberkhahn (Contributor) commented:

/approve

@k8s-ci-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jberkhahn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 15, 2019
@jboyd01 (Contributor, Author) commented Apr 15, 2019

crazy build errors...

I0415 17:53:00.295] Updating certificates in /etc/ssl/certs...
I0415 17:53:13.665] /usr/sbin/update-ca-certificates: 92: /usr/sbin/update-ca-certificates: basename: Exec format error
I0415 17:53:13.669] /usr/sbin/update-ca-certificates: 92: /usr/sbin/update-ca-certificates: sed: Exec format error
I0415 17:53:13.684] /usr/sbin/update-ca-certificates: 75: /usr/sbin/update-ca-certificates: rm: Exec format error
I0415 17:53:13.799] dpkg: error processing package ca-certificates (--configure):
I0415 17:53:13.799]  subprocess installed post-installation script returned error exit status 2
I0415 17:53:13.799] Processing triggers for libc-bin (2.24-11+deb9u1) ...
I0415 17:53:13.839] dpkg (subprocess): unable to execute installed post-installation script (/var/lib/dpkg/info/libc-bin.postinst): Exec format error
I0415 17:53:13.843] dpkg: error processing package libc-bin (--configure):
I0415 17:53:13.843]  subprocess installed post-installation script returned error exit status 2
I0415 17:53:13.894] Errors were encountered while processing:
I0415 17:53:13.894]  ca-certificates
I0415 17:53:13.895]  libc-bin
I0415 17:53:13.932] E: Sub-process /usr/bin/dpkg returned an error code (1)
I0415 17:53:13.933] E: Problem executing scripts DPkg::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
I0415 17:53:13.933] E: Sub-process returned an error code
I0415 17:53:20.534] Makefile:381: recipe for target 'service-catalog-image' failed
I0415 17:53:20.534] make[1]: Leaving directory '/workspace/github.com/kubernetes-incubator/service-catalog'
I0415 17:53:20.535] Makefile:346: recipe for target 'arch-image-arm64' failed
W0415 17:53:20.544] The command '/bin/sh -c export DEBIAN_FRONTEND=noninteractive &&     apt-get update &&     apt-get install ca-certificates -y &&     rm -rf /var/lib/apt/lists/*' returned a non-zero code: 100
W0415 17:53:20.544] make[1]: *** [service-catalog-image] Error 100

/retest

@MHBauer (Contributor) commented Apr 15, 2019

are we getting ARCHs crossed? arm64 in amd64 or something.

@k8s-ci-robot k8s-ci-robot merged commit a50d6ea into kubernetes-retired:master Apr 15, 2019
viviyww pushed a commit to viviyww/service-catalog that referenced this pull request May 10, 2019
4 participants