Bug 1257614 (Closed)
Opened 8 years ago, Closed 8 years ago
Upgrade git version on TaskCluster workers to address CVE-2016-2324 and CVE-2016-2315
Categories: Taskcluster :: General, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: claudijd, Assigned: dustin
Attachments (1 file)
MozReview Request: Bug 1257614: update git to a 2.8.0-rc3 for CVE-2016-2324, CVE-2016-2315; r?garndt (58 bytes, text/x-review-board-request) - garndt: review+
With the recent git RCE vulnerabilities (CVE-2016-2324 and CVE-2016-2315) it would be a good idea to think about upgrading the git client on the worker images that are allowed by TaskCluster. At the time of creating this bug, the fixed official packages for CentOS/Ubuntu are not available. However, it seems that we build our git repo from source in this setup file (https://dxr.mozilla.org/mozilla-central/source/testing/docker/centos6-build/system-setup.sh#332), so it might be as easy as pointing the build toward the latest RC release of git (https://github.com/git/git/releases/tag/v2.8.0-rc3). With all that said, based on the TC strategy of putting workers in containers, this isn't an immediate risk item, but a good thing to do.
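A version gate for the worker images, as an added example that is not code from this bug or from the Taskcluster tree: it parses the output of `git --version` and reports whether the build carries the fixes the bug refers to, i.e. 2.7.4 (the backport mentioned in comment 5) or 2.8.0-rc3 and later, while the earlier 2.8.0 release candidates are reported as still needing the upgrade. The script assumes that only those two release lines matter: older maintenance branches are not modelled, so everything below 2.7.4 is reported as needing an upgrade, which is a simplification of this script rather than a statement about which git branches received fixes. The function names `git_version_key`, `git_fixed` and `report` are my own.

```shell
#!/bin/sh
# Added example, not code from bug 1257614 or the Taskcluster tree.
# Reports whether a git version string carries the fixes for
# CVE-2016-2324 / CVE-2016-2315 that the bug refers to: 2.7.4 (backport)
# or 2.8.0-rc3 and later. 2.8.0-rc0..rc2 are reported as vulnerable.
# Assumption: older maintenance branches are not modelled, so anything
# below 2.7.4 is reported as needing an upgrade.

# git_version_key VERSION
# Accepts "2.8.0-rc3", "v2.7.4", "git version 2.7.4", "2.8.0.windows.1"
# and prints "MAJOR MINOR PATCH RC". A final release gets RC=1000 so that
# 2.8.0 sorts above every 2.8.0-rcN. Returns 1 on non-numeric input.
git_version_key() {
    v="$1"
    v="${v#git version }"          # drop the "git --version" prefix if present
    v="${v#v}"                     # drop a leading "v" as in tag names
    rc=1000
    case "$v" in
        *-rc*) rc="${v##*-rc}"; v="${v%-rc*}" ;;
    esac
    major="${v%%.*}"
    rest="${v#*.}"
    [ "$rest" = "$v" ] && rest=0   # no minor component
    minor="${rest%%.*}"
    rest2="${rest#*.}"
    if [ "$rest2" = "$rest" ]; then
        patch=0                    # no patch component
    else
        patch="${rest2%%[!0-9]*}"  # cut vendor suffixes such as ".windows.1"
    fi
    [ -n "$patch" ] || patch=0
    for n in "$major" "$minor" "$patch" "$rc"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    echo "$major $minor $patch $rc"
}

# git_fixed VERSION
# Exit 0 when the version carries the fixes, 1 when it needs an upgrade,
# 2 when the string cannot be parsed.
git_fixed() {
    key=$(git_version_key "$1") || return 2
    set -- $key
    major=$1; minor=$2; patch=$3; rc=$4
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 8 ] && return 0
    if [ "$minor" -eq 8 ]; then
        [ "$patch" -gt 0 ] && return 0       # 2.8.1 and later
        [ "$rc" -ge 3 ] && return 0          # 2.8.0-rc3 or the 2.8.0 final
        return 1                             # 2.8.0-rc0..rc2
    fi
    [ "$minor" -eq 7 ] && [ "$patch" -ge 4 ] && return 0   # 2.7.4 backport
    return 1
}

# report VERSION: one human-readable line per version string.
report() {
    git_fixed "$1"
    case $? in
        0) echo "$1: fixed" ;;
        1) echo "$1: NEEDS UPGRADE (CVE-2016-2324, CVE-2016-2315)" ;;
        *) echo "$1: unparsable version string" ;;
    esac
}

# Usage: sh check-git.sh [VERSION...]; with no arguments, checks the local git.
if [ $# -gt 0 ]; then
    for ver in "$@"; do report "$ver"; done
elif here=$(git --version 2>/dev/null); then
    report "$here"
fi
```

Run it inside the built image (or pass version strings on the command line) as a last step of the image build, so a future regression of the setup script to an older tarball fails the build instead of shipping a vulnerable client.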
Updated 8 years ago
Assignee: nobody → dustin

Comment 1 (Assignee, dustin) • 8 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=9f68e61f7c29

Comment 2 (Assignee, dustin) • 8 years ago
Review commit: https://reviewboard.mozilla.org/r/40893/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/40893/
Attachment #8731878 - Flags: review?(garndt)
Comment 3 • 8 years ago
Comment on attachment 8731878 [details]
MozReview Request: Bug 1257614: update git to a 2.8.0-rc3 for CVE-2016-2324, CVE-2016-2315; r?garndt
https://reviewboard.mozilla.org/r/40893/#review37445
Looks good to me. Image built successfully on treeherder it seems.
Attachment #8731878 - Flags: review?(garndt) → review+
Comment 5 (Reporter, claudijd) • 8 years ago
dustin: just an FYI, git released 2.7.4 last night as a backport of the fixes that were previously only available in 2.8.0-rc3. Not sure if it's worth redoing, but wanted to let you know either way.
Comment 6 (Assignee, dustin) • 8 years ago
Until/unless we see issues with 2.8.0, I'm happy to leave this as-is.
Comment 7 (bugherder) • 8 years ago
https://hg.mozilla.org/mozilla-central/rev/3f0499738b89
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED