From 3ab5c738e52b08effd0509900039d86d6828409d Mon Sep 17 00:00:00 2001 From: Jason Frey Date: Thu, 14 Nov 2024 14:38:50 -0500 Subject: [PATCH] Release quinteros-2 --- site/_data/releases.yaml | 6 +- ...interos-2-cve-2024-43191-cve-2023-46715.md | 42 +++++++ site/changelog/index.md | 1 + site/changelog/quinteros-1-to-quinteros-2.md | 116 ++++++++++++++++++ 4 files changed, 162 insertions(+), 3 deletions(-) create mode 100644 site/_posts/2024-11-14-quinteros-2-cve-2024-43191-cve-2023-46715.md create mode 100644 site/changelog/quinteros-1-to-quinteros-2.md diff --git a/site/_data/releases.yaml b/site/_data/releases.yaml index 8becd4fe..936f4952 100644 --- a/site/_data/releases.yaml +++ b/site/_data/releases.yaml @@ -1,8 +1,8 @@ stable: type: stable - name: Quinteros-1 - tag: quinteros-1 - filename: quinteros-1 + name: Quinteros-2 + tag: quinteros-2.2 + filename: quinteros-2.2 branch: quinteros # prerelease: diff --git a/site/_posts/2024-11-14-quinteros-2-cve-2024-43191-cve-2023-46715.md b/site/_posts/2024-11-14-quinteros-2-cve-2024-43191-cve-2023-46715.md new file mode 100644 index 00000000..bb3abee7 --- /dev/null +++ b/site/_posts/2024-11-14-quinteros-2-cve-2024-43191-cve-2023-46715.md 
@@ -0,0 +1,42 @@ +--- +title: Quinteros-2, CVE-2024-43191, CVE-2023-46175 +author: Fryguy +date: 2024-11-14 +comments: true +published: true +tags: releases announcements +--- + +ManageIQ Quinteros-2 is now available. This release includes security fixes, which will also be included in upcoming Radjabov-1 GA release. + +## Security Issues + +### High severity + +- [CVE-2024-43191 - OS Command Injection via Policy Import](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pgw4-pqv6-rfvx). + + Thanks to [@divyesh-0x01](https://github.com/divyesh-0x01) for finding and reporting this issue. + +### Medium severity + +- [CVE-2023-46175 - Credentials logged in plaintext for some providers](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9). + + Thanks to [@sigbjornaib](https://github.com/sigbjornaib) for finding and reporting this issue. + +## Upgrade Notes + +Due to the vaulting of CentOS Stream 8[[1]][[2]], the existing RPM repo files are pointing to a mirrorlist that no longer exists. As such, when doing an RPM upgrade to quinteros-2, there are some manual steps that need to be done first. Run the following 2 commands before upgrading, which will point the CentOS repo files to the new vault location. + +```bash +sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-*.repo +sed -i 's/#baseurl=http:\/\/mirror/baseurl=http:\/\/vault/g' /etc/yum.repos.d/CentOS-*.repo +``` + +Note that for the upcoming Radjabov release we will be upgrading to CentOS Stream 9, so these changes are a one-time step for upgrading to Quinteros-2. + +--- + +There are a handful of other smaller updates, including some package updates to resolve CVEs in those packages, and you can read through them all in the [full changelog](/changelog/quinteros-1-to-quinteros-2). Many thanks goes to all of the community members for their contributions! 
+ +[1]: https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/ +[2]: https://lists.centos.org/hyperkitty/list/devel@lists.centos.org/message/BQBYHVY55IIJCI2L6JIUQYMJ5BLLJOGE/ diff --git a/site/changelog/index.md b/site/changelog/index.md index 234ec1ef..156eb2fc 100644 --- a/site/changelog/index.md +++ b/site/changelog/index.md @@ -3,4 +3,5 @@ layout: page title: Release changelogs --- +- [Quinteros-1 to Quinteros-2](./quinteros-1-to-quinteros-2) - [Petrosian-1 to Quinteros-1](./petrosian-1-to-quinteros-1) diff --git a/site/changelog/quinteros-1-to-quinteros-2.md b/site/changelog/quinteros-1-to-quinteros-2.md new file mode 100644 index 00000000..28f7a74a --- /dev/null +++ b/site/changelog/quinteros-1-to-quinteros-2.md 
@@ -0,0 +1,116 @@ +--- +layout: page +title: Changelog from Quinteros-1 to Quinteros-2 +--- + +## [ManageIQ/manageiq](https://github.com/ManageIQ/manageiq/compare/quinteros-1...quinteros-2.2) + +### Bug (Security) + +* Encrypt verify_credentials params before MiqQueue [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9) +* Extend wrapped_logger formatter if one is present [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9) +* Filter out Basic Authorization tokens [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9) +* Fix YAML imports to only accept specific types. [[CVE-2024-43191]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pgw4-pqv6-rfvx) + +### Enhancement + +* Add workflow_dispatch to allow manually triggering monolithic builds [[#22997]](https://github.com/ManageIQ/manageiq/pull/22997) + +### Other + +* [QUINTEROS] Update Gemfile.lock.release for various security issues [[#23223]](https://github.com/ManageIQ/manageiq/pull/23223) +* Remove CVE-2024-26143 as rails 6.1 is not vulnerable [[#22913]](https://github.com/ManageIQ/manageiq/pull/22913) +* Force rails 6.1.7.7 minimum version [[#22910]](https://github.com/ManageIQ/manageiq/pull/22910) +* Temporarily ignore non-critical CVE as we upgrade to rails 7 [[#22909]](https://github.com/ManageIQ/manageiq/pull/22909) + +## [ManageIQ/manageiq-api](https://github.com/ManageIQ/manageiq-api/compare/quinteros-1...quinteros-2.2) + +### Bug + +* [QUINTEROS] Fix Host verify_credentials_task password expectation [[#1272]](https://github.com/ManageIQ/manageiq-api/pull/1272) +* Fix Host verify_credentials_task password expectation [[#1271]](https://github.com/ManageIQ/manageiq-api/pull/1271) +* Fix CloudNetworks spec with empty including() [[#1267]](https://github.com/ManageIQ/manageiq-api/pull/1267) + +## 
[ManageIQ/manageiq-appliance-build](https://github.com/ManageIQ/manageiq-appliance-build/compare/quinteros-1...quinteros-2.2) + +### Bug + +* [quinteros] Lock down to ruby 3.0.4 from Appstream [[#579]](https://github.com/ManageIQ/manageiq-appliance-build/pull/579) +* [quinteros] Update CentOS Stream 8 repos [[#575]](https://github.com/ManageIQ/manageiq-appliance-build/pull/575) + +## [ManageIQ/manageiq-documentation](https://github.com/ManageIQ/manageiq-documentation/compare/quinteros-1...quinteros-2.2) + +### Bug + +* QA Updated KubeVirt references [[#1797]](https://github.com/ManageIQ/manageiq-documentation/pull/1797) +* QA Updated images. [[#1785]](https://github.com/ManageIQ/manageiq-documentation/pull/1785) + +### Enhancement + +* LVM guidelines for ISCSI/FC SmartState Analysis [[#1782]](https://github.com/ManageIQ/manageiq-documentation/pull/1782) + +### Other + +* QA Removed SCVMM provider [[#1816]](https://github.com/ManageIQ/manageiq-documentation/pull/1816) + +## [ManageIQ/manageiq-gems-pending](https://github.com/ManageIQ/manageiq-gems-pending/compare/quinteros-1...quinteros-2.2) + +### Bug + +* Fix MiqXml handling of BOM + handle CVE-2024-39908 [[#581]](https://github.com/ManageIQ/manageiq-gems-pending/pull/581) + +### Other + +* [QUINTEROS] Fix rspec version used to match core's version [[#594]](https://github.com/ManageIQ/manageiq-gems-pending/pull/594) +* Bump rexml to 3.3.6 for CVE-2024-43398 [[#589]](https://github.com/ManageIQ/manageiq-gems-pending/pull/589) +* Upgrade rexml to 3.3.3+ for CVE-2024-41123 and CVE-2024-41946 [[#582]](https://github.com/ManageIQ/manageiq-gems-pending/pull/582) + +## [ManageIQ/manageiq-pods](https://github.com/ManageIQ/manageiq-pods/compare/quinteros-1...quinteros-2.2) + +### Bug + +* [quinteros] Lock down to ruby 3.0.4 from Appstream [[#1186]](https://github.com/ManageIQ/manageiq-pods/pull/1186) + +## 
[ManageIQ/manageiq-providers-ansible_tower](https://github.com/ManageIQ/manageiq-providers-ansible_tower/compare/quinteros-1...quinteros-2.2) + +### Bug (Security) + +* Use ProviderSdkLogger as the class for ansible_tower_log [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9) + +## [ManageIQ/manageiq-providers-autosde](https://github.com/ManageIQ/manageiq-providers-autosde/compare/quinteros-1...quinteros-2.2) + +### Bug (Security) + +* Don't log the token during re-auth [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9) + +## [ManageIQ/manageiq-providers-awx](https://github.com/ManageIQ/manageiq-providers-awx/compare/quinteros-1...quinteros-2.2) + +### Bug (Security) + +* Use ProviderSdkLogger as the class for awx_log [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9) + +## [ManageIQ/manageiq-providers-kubernetes](https://github.com/ManageIQ/manageiq-providers-kubernetes/compare/quinteros-1...quinteros-2.2) + +### Bug + +* [QUINTEROS] JSON parse prometheus_alert client responses [[#541]](https://github.com/ManageIQ/manageiq-providers-kubernetes/pull/541) + +## [ManageIQ/manageiq-providers-lenovo](https://github.com/ManageIQ/manageiq-providers-lenovo/compare/quinteros-1...quinteros-2.2) + +### Bug (Security) + +* Use ProviderSdkLogger as the class for xclarity_log [[CVE-2023-46175]](https://github.com/ManageIQ/manageiq/security/advisories/GHSA-pfh3-vj6p-89h9) + +## [ManageIQ/manageiq-rpm_build](https://github.com/ManageIQ/manageiq-rpm_build/compare/quinteros-1...quinteros-2.2) + +### Bug + +* [quinteros] Allow timestamped release builds [[#482]](https://github.com/ManageIQ/manageiq-rpm_build/pull/482) +* [quinteros] Lock down to ruby 3.0.4 from Appstream [[#521]](https://github.com/ManageIQ/manageiq-rpm_build/pull/521) + +## 
[ManageIQ/manageiq-ui-classic](https://github.com/ManageIQ/manageiq-ui-classic/compare/quinteros-1...quinteros-2.2) + +### Bug + +* Fix automate specs [[#9226]](https://github.com/ManageIQ/manageiq-ui-classic/pull/9226) +* Fix the VM Infra button checking EmsCloud providers [[#9249]](https://github.com/ManageIQ/manageiq-ui-classic/pull/9249)
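Review bot: in the `site/_data/releases.yaml` hunk, `name` becomes `Quinteros-2` while `tag` and `filename` become `quinteros-2.2`, and neither the commit message nor the announcement post mentions the `.2` suffix (the post's upgrade notes say "when doing an RPM upgrade to quinteros-2"). If `quinteros-2.2` is a rebuild or re-tag of the same release, say so in a comment next to `tag: quinteros-2.2` or in the post, so users comparing the download filename against the announcement do not think they have the wrong artifact.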
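Review bot: the new post's path in the `diff --git` and `+++` headers spells the second CVE as `cve-2023-46715`, but the front-matter `title` and the body (and the changelog entries pointing at GHSA-pfh3-vj6p-89h9) use CVE-2023-46175; the filename has the digits transposed and should be renamed to `2024-11-14-quinteros-2-cve-2024-43191-cve-2023-46175.md` before merge, since the slug becomes the public URL. Two smaller points in the same hunk: the `sed -i` commands rewrite every `/etc/yum.repos.d/CentOS-*.repo` in place with no backup, so suggest `sed -i.bak` and a verification step after the second command, such as `grep -n '^baseurl' /etc/yum.repos.d/CentOS-*.repo` and `dnf repolist`, so a user can confirm the repos now resolve to `vault.centos.org` before running the upgrade; and "included in upcoming Radjabov-1 GA release" is missing "the".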
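Review bot: in the `quinteros-1-to-quinteros-2.md` hunk, the entry "Temporarily ignore non-critical CVE as we upgrade to rails 7 [[#22909]]" under ManageIQ/manageiq names no CVE ID, so a reader of this changelog cannot tell which advisory was suppressed or whether it still applies to Quinteros-2; quote the ID in the line, for example "Temporarily ignore CVE-XXXX-NNNNN (non-critical) ...", as the neighbouring entries "Remove CVE-2024-26143 as rails 6.1 is not vulnerable" and "Force rails 6.1.7.7 minimum version" already do. Also, the manageiq-api section lists both "Fix Host verify_credentials_task password expectation [[#1271]]" and its "[QUINTEROS]" backport [[#1272]] as separate bugs; only the backport is in the `quinteros-1...quinteros-2.2` compare range, so listing one of them avoids double-counting.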