Skip to content
This repository has been archived by the owner on Jan 15, 2025. It is now read-only.

(PA-6507) Update gem rexml from default to 3.2.9 for CVE-2024-35176 #873

Merged
merged 1 commit into from
Jul 14, 2024
Merged

(PA-6507) Update gem rexml from default to 3.2.9 for CVE-2024-35176 #873

merged 1 commit into from
Jul 14, 2024

Conversation

shubhamshinde360
Copy link
Contributor

@shubhamshinde360 shubhamshinde360 commented Jul 11, 2024
edited
Loading

  • The CVE was fixed from rexml version 3.2.7.
  • Patching for the CVE wasn't getting applied cleanly and had a lot of conflicts. So updated the gem version to 3.2.9 in the rexml component file.
  • rexml 3.2.7 requires strscan >= 3.0.9 which contains native extensions. We would need a compiler to build the extensions and there are jruby incompatibilities. This requirement has been relaxed starting from rexml 3.2.9. Therefore we update to rexml 3.2.9 here.
  • Added the change to _shared-agent-components since the CVE impacts both agent-runtime-main (ruby 3.2.4 using rexml 3.2.6) and agent-runtime-7.x (ruby 2.7.8 using rexml 3.2.3)
  • For solaris-10-sparc and solaris-11-sparc, we ignore dependency when installing rexml since the ruby in these platforms tries to install strscan (rexml's dependency) but fails while building native extensions. We can ignore installing strscan since it is shipped with ruby 2.7.8 as its default gem.

@shubhamshinde360
Copy link
Contributor Author

Kept in draft as testing is pending for impacted projects and platforms.

@shubhamshinde360 shubhamshinde360 force-pushed the PA-6507-gem-update-rexml branch from 79bd29f to b5de92f Compare July 11, 2024 21:21
@shubhamshinde360 shubhamshinde360 force-pushed the PA-6507-gem-update-rexml branch from 7048c2b to e0582bd Compare July 12, 2024 17:46
@shubhamshinde360 shubhamshinde360 mentioned this pull request Jul 12, 2024
Closed
@shubhamshinde360 shubhamshinde360 changed the title (PA-6507) Update gem rexml from default to 3.2.7 for CVE-2024-35176 (PA-6507) Update gem rexml from default to 3.2.9 for CVE-2024-35176 Jul 12, 2024
@shubhamshinde360
Copy link
Contributor Author

Ran for impacted projects with all the supported platforms:

Looks like all the platforms pass except solaris platforms with sparc architectures which fails due to strscan dependency not being satisfied.
An example build for this: solaris-11-sparc, agent-runtime-7.x

agent-runtime-main:
https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3056/

Note: I had to abort this build since solaris-11-native-sparc was stuck due to resource allocation. Will re-trigger that laler on. It might fail given solaris sparc arch failures have been observed in 7.x.

agent-runtime-7.x
https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3057/

pe-bolt-server-runtime-main
https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3058/
All build succeeded.

@shubhamshinde360 shubhamshinde360 force-pushed the PA-6507-gem-update-rexml branch from e0582bd to 4b0e21d Compare July 13, 2024 20:46
@shubhamshinde360
Copy link
Contributor Author

Reran for all impacted projects with their supported platforms:

agent-runtime-main

agent-runtime-7.x

pe-bolt-server-runtime-main

Everything finished successfully.

All artifacts can be found at: https://builds.delivery.puppetlabs.net/puppet-runtime/4b0e21d59572b24d85b0ca888a697b08876c0b5a/artifacts/

@shubhamshinde360 shubhamshinde360 marked this pull request as ready for review July 14, 2024 00:00
@shubhamshinde360 shubhamshinde360 requested review from a team as code owners July 14, 2024 00:00
@shubhamshinde360
(PA-6507) Update gem rexml from default to 3.2.9 for CVE-2024-35176
f219191 
 - The CVE was fixed from rexml version 3.2.7.
 - Patching for the CVE wasn't getting applied cleanly and had a lot of conflicts. So updated the gem version to 3.2.9 in the rexml component file.
 - rexml 3.2.7 requires strscan >= 3.0.9 which contains native extensions. We would need a compiler to build the extensions and there are jruby incompatibilities. This requirement has been relaxed starting from rexml 3.2.9. Therefore we update to rexml 3.2.9 here.
 - Added the change to _shared-agent-components since the CVE impacts both agent-runtime-main (ruby 3.2.4 using rexml 3.2.6) and agent-runtime-7.x (ruby 2.7.8 using rexml 3.2.3)
 - For solaris-10-sparc and solaris-11-sparc, we ignore the dependencies when installing rexml since the ruby in these platforms tries to install strscan (rexml's dependency) but fails while building native extensions. We can ignore installing strscan since it is shipped with ruby 2.7.8 as its default gem.
@shubhamshinde360 shubhamshinde360 force-pushed the PA-6507-gem-update-rexml branch from 4b0e21d to f219191 Compare July 14, 2024 00:05
@shubhamshinde360 shubhamshinde360 merged commit 0358325 into puppetlabs-toy-chest:master Jul 14, 2024
3 checks passed
@shubhamshinde360 shubhamshinde360 deleted the PA-6507-gem-update-rexml branch July 14, 2024 00:09
@amitkarsale amitkarsale mentioned this pull request Jul 16, 2024
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@cthorn42 cthorn42 cthorn42 left review comments

@bastelfreak bastelfreak bastelfreak left review comments

@joshcooper joshcooper joshcooper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@shubhamshinde360 @bastelfreak @joshcooper @cthorn42