Merge pull request #1191 from Fryguy/release_quinteros_2

Release quinteros-2
ManageIQ · Nov 14, 2024 · d577568 · d577568
2 parents f449a16 + 3ab5c73
commit d577568
Show file tree

Hide file tree

Showing 4 changed files with 162 additions and 3 deletions.
diff --git a/site/_data/releases.yaml b/site/_data/releases.yaml
@@ -1,8 +1,8 @@
 stable:
   type: stable
-  name: Quinteros-1
-  tag: quinteros-1
-  filename: quinteros-1
+  name: Quinteros-2
+  tag: quinteros-2.2
+  filename: quinteros-2.2
   branch: quinteros
 
 # prerelease:

diff --git a/site/_posts/2024-11-14-quinteros-2-cve-2024-43191-cve-2023-46715.md b/site/_posts/2024-11-14-quinteros-2-cve-2024-43191-cve-2023-46715.md
@@ -0,0 +1,42 @@
+---
+title: Quinteros-2, CVE-2024-43191, CVE-2023-46175
+author: Fryguy
+date: 2024-11-14
+comments: true
+published: true
+tags: releases announcements
+---
+
+ManageIQ Quinteros-2 is now available. This release includes security fixes, which will also be included in upcoming Radjabov-1 GA release.
+
+## Security Issues
+
+### High severity
+
+- [CVE-2024-43191 - OS Command Injection via Policy Import](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pgw4-pqv6-rfvx).
+
+  Thanks to [@divyesh-0x01](https://github.com/divyesh-0x01) for finding and reporting this issue.
+
+### Medium severity
+
+- [CVE-2023-46175 - Credentials logged in plaintext for some providers](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9).
+
+  Thanks to [@sigbjornaib](https://github.com/sigbjornaib) for finding and reporting this issue.
+
+## Upgrade Notes
+
+Due to the vaulting of CentOS Stream 8<sup>[[1]][[2]]</sup>, the existing RPM repo files are pointing to a mirrorlist that no longer exists. As such, when doing an RPM upgrade to quinteros-2, there are some manual steps that need to be done first. Run the following 2 commands before upgrading, which will point the CentOS repo files to the new vault location.
+
+```bash
+sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-*.repo
+sed -i 's/#baseurl=http:\/\/mirror/baseurl=http:\/\/vault/g' /etc/yum.repos.d/CentOS-*.repo
+```
+
+Note that for the upcoming Radjabov release we will be upgrading to CentOS Stream 9, so these changes are a one-time step for upgrading to Quinteros-2.
+
+---
+
+There are a handful of other smaller updates, including some package updates to resolve CVEs in those packages, and you can read through them all in the [full changelog](/changelog/quinteros-1-to-quinteros-2). Many thanks goes to all of the community members for their contributions!
+
+[1]: https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/
+[2]: https://lists.centos.org/hyperkitty/list/[email protected]/message/BQBYHVY55IIJCI2L6JIUQYMJ5BLLJOGE/
diff --git a/site/changelog/index.md b/site/changelog/index.md
@@ -3,4 +3,5 @@ layout: page
 title: Release changelogs
 ---
 
+- [Quinteros-1 to Quinteros-2](./quinteros-1-to-quinteros-2)
 - [Petrosian-1 to Quinteros-1](./petrosian-1-to-quinteros-1)
diff --git a/site/changelog/quinteros-1-to-quinteros-2.md b/site/changelog/quinteros-1-to-quinteros-2.md
@@ -0,0 +1,116 @@
+---
+layout: page
+title: Changelog from Quinteros-1 to Quinteros-2
+---
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq](https://github.com/ManageIQ/manageiq/compare/quinteros-1...quinteros-2.2)
+
+### Bug (Security)
+
+* Encrypt verify_credentials params before MiqQueue [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9)
+* Extend wrapped_logger formatter if one is present [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9)
+* Filter out Basic Authorization tokens [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9)
+* Fix YAML imports to only accept specific types. [[CVE-2024-43191]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pgw4-pqv6-rfvx)
+
+### Enhancement
+
+* Add workflow_dispatch to allow manually triggering monolithic builds [[#22997]](https://github.com/ManageIQ/manageiq/pull/22997)
+
+### Other
+
+* [QUINTEROS] Update Gemfile.lock.release for various security issues [[#23223]](https://github.com/ManageIQ/manageiq/pull/23223)
+* Remove CVE-2024-26143 as rails 6.1 is not vulnerable [[#22913]](https://github.com/ManageIQ/manageiq/pull/22913)
+* Force rails 6.1.7.7 minimum version [[#22910]](https://github.com/ManageIQ/manageiq/pull/22910)
+* Temporarily ignore non-critical CVE as we upgrade to rails 7 [[#22909]](https://github.com/ManageIQ/manageiq/pull/22909)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-api](https://github.com/ManageIQ/manageiq-api/compare/quinteros-1...quinteros-2.2)
+
+### Bug
+
+* [QUINTEROS] Fix Host verify_credentials_task password expectation [[#1272]](https://github.com/ManageIQ/manageiq-api/pull/1272)
+* Fix Host verify_credentials_task password expectation [[#1271]](https://github.com/ManageIQ/manageiq-api/pull/1271)
+* Fix CloudNetworks spec with empty including() [[#1267]](https://github.com/ManageIQ/manageiq-api/pull/1267)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-appliance-build](https://github.com/ManageIQ/manageiq-appliance-build/compare/quinteros-1...quinteros-2.2)
+
+### Bug
+
+* [quinteros] Lock down to ruby 3.0.4 from Appstream [[#579]](https://github.com/ManageIQ/manageiq-appliance-build/pull/579)
+* [quinteros] Update CentOS Stream 8 repos [[#575]](https://github.com/ManageIQ/manageiq-appliance-build/pull/575)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-documentation](https://github.com/ManageIQ/manageiq-documentation/compare/quinteros-1...quinteros-2.2)
+
+### Bug
+
+* QA Updated KubeVirt references [[#1797]](https://github.com/ManageIQ/manageiq-documentation/pull/1797)
+* QA Updated images. [[#1785]](https://github.com/ManageIQ/manageiq-documentation/pull/1785)
+
+### Enhancement
+
+* LVM guidelines for ISCSI/FC SmartState Analysis [[#1782]](https://github.com/ManageIQ/manageiq-documentation/pull/1782)
+
+### Other
+
+* QA Removed SCVMM provider [[#1816]](https://github.com/ManageIQ/manageiq-documentation/pull/1816)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-gems-pending](https://github.com/ManageIQ/manageiq-gems-pending/compare/quinteros-1...quinteros-2.2)
+
+### Bug
+
+* Fix MiqXml handling of BOM + handle CVE-2024-39908 [[#581]](https://github.com/ManageIQ/manageiq-gems-pending/pull/581)
+
+### Other
+
+* [QUINTEROS] Fix rspec version used to match core's version [[#594]](https://github.com/ManageIQ/manageiq-gems-pending/pull/594)
+* Bump rexml to 3.3.6 for CVE-2024-43398 [[#589]](https://github.com/ManageIQ/manageiq-gems-pending/pull/589)
+* Upgrade rexml to 3.3.3+ for CVE-2024-41123 and CVE-2024-41946 [[#582]](https://github.com/ManageIQ/manageiq-gems-pending/pull/582)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-pods](https://github.com/ManageIQ/manageiq-pods/compare/quinteros-1...quinteros-2.2)
+
+### Bug
+
+* [quinteros] Lock down to ruby 3.0.4 from Appstream [[#1186]](https://github.com/ManageIQ/manageiq-pods/pull/1186)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-providers-ansible_tower](https://github.com/ManageIQ/manageiq-providers-ansible_tower/compare/quinteros-1...quinteros-2.2)
+
+### Bug (Security)
+
+* Use ProviderSdkLogger as the class for ansible_tower_log [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-providers-autosde](https://github.com/ManageIQ/manageiq-providers-autosde/compare/quinteros-1...quinteros-2.2)
+
+### Bug (Security)
+
+* Don't log the token during re-auth [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-providers-awx](https://github.com/ManageIQ/manageiq-providers-awx/compare/quinteros-1...quinteros-2.2)
+
+### Bug (Security)
+
+* Use ProviderSdkLogger as the class for awx_log [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-providers-kubernetes](https://github.com/ManageIQ/manageiq-providers-kubernetes/compare/quinteros-1...quinteros-2.2)
+
+### Bug
+
+* [QUINTEROS] JSON parse prometheus_alert client responses [[#541]](https://github.com/ManageIQ/manageiq-providers-kubernetes/pull/541)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-providers-lenovo](https://github.com/ManageIQ/manageiq-providers-lenovo/compare/quinteros-1...quinteros-2.2)
+
+### Bug (Security)
+
+* Use ProviderSdkLogger as the class for xclarity_log [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-rpm_build](https://github.com/ManageIQ/manageiq-rpm_build/compare/quinteros-1...quinteros-2.2)
+
+### Bug
+
+* [quinteros] Allow timestamped release builds [[#482]](https://github.com/ManageIQ/manageiq-rpm_build/pull/482)
+* [quinteros] Lock down to ruby 3.0.4 from Appstream [[#521]](https://github.com/ManageIQ/manageiq-rpm_build/pull/521)
+
+## <i class="fa fa-github"></i> [ManageIQ/manageiq-ui-classic](https://github.com/ManageIQ/manageiq-ui-classic/compare/quinteros-1...quinteros-2.2)
+
+### Bug
+
+* Fix automate specs [[#9226]](https://github.com/ManageIQ/manageiq-ui-classic/pull/9226)
+* Fix the VM Infra button checking EmsCloud providers [[#9249]](https://github.com/ManageIQ/manageiq-ui-classic/pull/9249)