systemroles March 2021

systemroles@lists.fedorahosted.org

3 participants
4 discussions

CVE warning for some repos - can be safely ignored
by Rich Megginson 01 Apr '21

01 Apr '21

Some repos may give a dependabot warning about a CVE in a PyYAML dependency: https://github.com/linux-system-roles/template/security/dependabot/ansible_… This is due to https://github.com/linux-system-roles/template/blob/master/ansible_pytest_e… PyYAML<5.1 ; python_version < "2.7" I believe the last time I looked at this there was no supported PyYAML >= version 5.4 for python 2.6. Note that this only affects CI on python 2.6, and only for those roles which have modules which require Ansible for unit testing. If you are seeing this warning on your repo, and you don't need unit testing using Ansible, just make this file an empty file. Otherwise, it is safe to ignore this warning.

2 2

Real role parameter specs with validation
by Rich Megginson 29 Mar '21

29 Mar '21

This is new for Ansible 2.11 https://docs.ansible.com/ansible/devel/user_guide/playbooks_reuse_roles.htm… it means we can define and document "real" role arguments in a structured, discoverable way - we don't have to rely on README.md being the sole source

1 0

Ongoing CI issues with posting test results
by Rich Megginson 25 Mar '21

25 Mar '21

There are ongoing CI issues - the problem is (probably) not your test, it is permission/ownership issues in fedorapeople.org preventing results from being uploaded. See https://pagure.io/fedora-infrastructure/issue/9768

2 2

GitHub Actions potential security breach
by Rich Megginson 22 Mar '21

22 Mar '21

There was some sort of potential GitHub Actions breach Feb. 4 - Feb. 5 2021. I have been checking what they suggested - I haven't found any problems. Please double check if you are the maintainer of one of the repos listed below. "We’re writing to let you know that an independent bug bounty researcher recently reported a GitHub Actions bug that, in theory, could have allowed an unauthorized user to fork a public repository which uses Actions and perform a series of steps to edit the main branch or use the GITHUB_TOKEN to perform other unauthorized actions. This bug existed in a very brief window from February 4 to February 5, 2021. You are receiving this email because you are an owner of one or more GitHub organizations or enterprises with a public repository using Actions, and you had protected and/or unprotected branches that were vulnerable to this bug. Repos and workflows with unprotected branches: linux-system-roles/network Repos and workflows with protected branches: linux-system-roles/logging linux-system-roles/metrics linux-system-roles/selinux linux-system-roles/tox-lsr There is currently no evidence to suggest this was the result of a compromise of GitHub or any of its systems; instead this was a recently introduced bug in GitHub Actions. Security, user privacy, and transparency are essential to maintain your trust; therefore, we are notifying you of this change, the steps we took, and additional steps we are taking to address this situation. Read on for more information. * What happened? * On February 4, 2021, an independent security researcher notified us of a bug in GitHub Actions that could allow an attacker to alter parent repository code or take certain actions using a GITHUB_TOKEN: https://docs.github.com/en/actions/reference/authentication-in-a-workflow#p… <https://docs.github.com/en/actions/reference/authentication-in-a-workflow#p…> The GITHUB_TOKEN is revoked after the job is completed, and they expire after a default 60 minute timeout. * Which repositories were involved? * Any parent repository with Actions between February 4, 2021 at 18:42 UTC and February 5, 2021 at 13:35 UTC could have had their unprotected main branches edited or experienced misuse of the GITHUB_TOKEN. * What GitHub is doing * After learning of this bug on February 5, 2021, GitHub immediately corrected it, and unauthorized users could no longer make changes to your repositories or abuse the GITHUB_TOKEN. GitHub identified any repositories vulnerable during the bug window and contacted all affected organization owners. We are also performing an internal assessment to determine how we can better prevent this sort of bug in the future. * What you can do * For repositories listed above without branch protection, we recommend that you audit for both unwanted pull requests and abuse by the GITHUB_TOKEN. 1. Assess commits made during the bug window, February 4,2021 18:42 UTC to February 5, 2021 13:35 UTC. 2. Assess workflow files for unauthorized injection during the bug window. 3. Assess pull_request_target and pull_request workflow runs, and examine those pull requests during the bug window to look for unauthorized activity. Ignore pull requests from known users with write permissions. 4. Assess release history for any that may have been deployed via unauthorized GITHUB_TOKEN activity during the bug window. 5. Assess package history for any that may have been deployed via unauthorized GITHUB_TOKEN activity during the bug window. For repositories listed above with branch protection, we recommend that you audit for abuse by the GITHUB_TOKEN. 1. Assess release history for any that may have been deployed via unauthorized GITHUB_TOKEN activity during the bug window. 2. Assess package history for any that may have been deployed via unauthorized GITHUB_TOKEN activity during the bug window. Feel free to reach out to us with any additional questions or concerns through this contact form: https://support.github.com/contact?subject=GH-0000941-4107-1&tags=GH-000094… <https://support.github.com/contact?subject=GH-0000941-4107-1&tags=GH-000094…>"

2 1

2025

2024

2023

2022

2021

2020

systemroles March 2021