Open renovate[bot] opened 1 month ago
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below:
```
Command failed: pip-compile requirements-unit.in --upgrade-package=ops==2.15.0
ERROR: Cannot install ops and ops==2.14.1 because these package versions have conflicting dependencies.
Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/pip/_vendor/resolvelib/resolvers.py", line 397, in resolve
    self._add_to_criteria(self.state.criteria, r, parent=None)
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/pip/_vendor/resolvelib/resolvers.py", line 174, in _add_to_criteria
    raise RequirementsConflicted(criterion)
pip._vendor.resolvelib.resolvers.RequirementsConflicted: Requirements conflict: SpecifierRequirement('ops'), SpecifierRequirement('ops==2.14.1')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 95, in resolve
    result = self._result = resolver.resolve(
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/pip/_vendor/resolvelib/resolvers.py", line 546, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/pip/_vendor/resolvelib/resolvers.py", line 399, in resolve
    raise ResolutionImpossible(e.criterion.information)
pip._vendor.resolvelib.resolvers.ResolutionImpossible: [RequirementInformation(requirement=SpecifierRequirement('ops'), parent=None), RequirementInformation(requirement=SpecifierRequirement('ops==2.14.1'), parent=None)]

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/bin/pip-compile", line 8, in <module>
    sys.exit(cli())
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/piptools/scripts/compile.py", line 470, in cli
    results = resolver.resolve(max_rounds=max_rounds)
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/piptools/resolver.py", line 604, in resolve
    is_resolved = self._do_resolve(
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/piptools/resolver.py", line 636, in _do_resolve
    resolver.resolve(
  File "/opt/containerbase/tools/pip-tools/7.4.1/3.8.10/lib/python3.8/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 104, in resolve
    raise error from e
pip._internal.exceptions.DistributionNotFound: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts
```
This PR contains the following updates:
| Package | Change |
|---|---|
| ops | `2.14.1` -> `2.15.0` |
GitHub Vulnerability Alerts
CVE-2024-41129
Summary
The issue here is that we pass the secret content as one of the args via CLI. This issue may affect any of our charms that are using Juju (>=3.0), Juju secrets, and not correctly capturing and processing `subprocess.CalledProcessError`. There are two points that may log this command, in different files:

First, if there is an error during secret handling, there will be a `subprocess.CalledProcessError`, which will contain the CLI command + all its args. This is going to be logged at any logging level. This exception, if not caught by the charm, will bubble up to the `/var/log/juju/` logs and syslog journal. Now, on Ubuntu 22.04, these logs are protected with:

Second, certain audit setups may log terminal commands, which would result in this command being logged with its secrets. It is unknown if this is done on Ubuntu security benchmarks, such as CIS hardening.

Keep in mind these logs may be copied or even backed up, which exposes them to more services in the user's environment (e.g. CI runs in GH, although these are dummy passwords generated per test only).

Passing secrets straight via CLI is not advised. Here are some ways out:

1) Redacting: which commands and which args represent secrets are known, so they can be redacted. It would also mean capturing a `subprocess.CalledProcessError`, redacting its content and reissuing the same type of exception; this will not cover the case where `auditd` is set to log CLI commands, if that is a risk.
2) Temp files: `secret-add`, for example, can use a secret file instead, as can be seen here. However, if ops uses a file, ops will need to be sure to correctly remove it later.
3) stdin: not sure it is accepted by `secret-*` commands, but generally, secrets are not shown on CLI whilst typing them; auditd may not capture that stdin.

Severity Rationale
This is a CWE-532. Potentially, these secrets can lead to privilege escalation, but the Ubuntu default is to have logs only accessible to `adm` group users. Marking this issue as "Moderate", as this report is not presenting a clear way on how to get access to the logs themselves: either getting local access to an `adm` group user (e.g. ubuntu) or recovering logs stored on a 3rd party service.

Details
From CI: https://github.com/canonical/opensearch-operator/actions/runs/9908987369/job/27376377521?pr=364
PoC
1) Deploy anything with juju
2) Run a dummy secret-add call that will fail
3) See the uncaught subprocess error
Impact
Juju secrets are generally composed of private keys, passwords, etc; generally valuable credentials that, if leaked, will likely allow an attacker to get privileged access to its target or other targets in the environment.
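As an added illustration (not part of this PR, the advisory, or the ops library), the following Python script reproduces the leak mechanism the advisory describes and two of the three mitigations it lists: a secret placed in argv shows up verbatim in `str(CalledProcessError)`, whereas passing it through a 0600 temp file or re-raising a redacted copy of the exception keeps it out of whatever logs the exception. The hook tool is a constructed stand-in (a Python one-liner that always exits 1), not Juju's `secret-add`, and all function names are hypothetical.

```python
import os
import subprocess
import sys
import tempfile
from typing import Optional, Sequence, Tuple

# Stand-in for a Juju hook tool such as `secret-add`: accepts any arguments and
# always exits 1, so the resulting CalledProcessError can be inspected.
# Constructed for this example; it is not Juju's real tool.
FAILING_TOOL = [sys.executable, "-c", "import sys; sys.exit(1)"]


def add_secret_via_argv(secret: str) -> None:
    """Vulnerable pattern (CWE-532): the secret travels in argv. On failure,
    CalledProcessError.cmd and str(exc) both carry it, so any handler that
    logs the exception (or lets it bubble up to the juju/syslog logs) writes
    the secret to disk."""
    subprocess.run([*FAILING_TOOL, f"password={secret}"], check=True, capture_output=True)


def add_secret_via_file(secret: str, tmp_dir: Optional[str] = None) -> None:
    """Mitigation 2 from the advisory: write the secret to a temporary file that
    only the current user can read (mkstemp creates it 0600) and pass just the
    path on the command line. The file is removed in `finally`, so it does not
    outlive the call even when the tool fails."""
    fd, path = tempfile.mkstemp(prefix="secret-", dir=tmp_dir)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(f"password: {secret}\n")
        subprocess.run([*FAILING_TOOL, "--file", path], check=True, capture_output=True)
    finally:
        os.unlink(path)


def run_redacted(cmd: Sequence[str], secrets: Sequence[str]) -> subprocess.CompletedProcess:
    """Mitigation 1 from the advisory: run the command and, if it fails, re-raise
    a CalledProcessError of the same type whose cmd, stdout and stderr have every
    known secret replaced. `from None` clears __context__; otherwise the chained
    traceback would still print the original, unredacted command."""
    def scrub(text: str) -> str:
        for s in secrets:
            text = text.replace(s, "***")
        return text

    try:
        return subprocess.run(list(cmd), check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as exc:
        raise subprocess.CalledProcessError(
            exc.returncode,
            [scrub(arg) for arg in exc.cmd],
            output=scrub(exc.output or ""),
            stderr=scrub(exc.stderr or ""),
        ) from None


def exception_text_argv(secret: str) -> str:
    """What a logger would record for the vulnerable pattern."""
    try:
        add_secret_via_argv(secret)
    except subprocess.CalledProcessError as exc:
        return str(exc)
    return ""


def exception_text_file(secret: str) -> Tuple[str, int]:
    """Exception text for the file-based pattern, plus how many files were left
    behind in the temp directory (expected: 0)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            add_secret_via_file(secret, tmp_dir=d)
        except subprocess.CalledProcessError as exc:
            return str(exc), len(os.listdir(d))
    return "", 0


def exception_text_redacted(secret: str) -> str:
    """Exception text when the same argv call is wrapped in run_redacted."""
    try:
        run_redacted([*FAILING_TOOL, f"password={secret}"], [secret])
    except subprocess.CalledProcessError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    s = "hunter2"  # constructed sample secret
    print("argv    :", exception_text_argv(s))
    print("file    :", exception_text_file(s))
    print("redacted:", exception_text_redacted(s))
```

Running the script shows the secret inside the first exception message and `***` or a temp-file path in the other two. Redaction only covers the exception path the charm controls; an audit configuration that records command lines still sees the argv, which is why taking the secret out of argv altogether (the file-based route the 2.15.0 release notes describe) is the stronger fix.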
Release Notes
canonical/operator (ops)
### [`v2.15.0`](https://togithub.com/canonical/operator/blob/HEAD/CHANGES.md#2150---22-Jul-2024)

[Compare Source](https://togithub.com/canonical/operator/compare/2.14.1...2.15.0)

#### Features

- Add support for Pebble check-failed and check-recovered events ([#1281](https://togithub.com/canonical/operator/issues/1281))

#### Fixes

- Pass secret data to Juju via files, rather than as command-line values ([#1290](https://togithub.com/canonical/operator/issues/1290)), fixing CVE-2024-41129
- Include checks and log targets when merging layers in ops.testing ([#1268](https://togithub.com/canonical/operator/issues/1268))

#### Documentation

- Clarify distinction between maintenance and waiting status ([#1148](https://togithub.com/canonical/operator/issues/1148))

#### CI

- Bump the Go version to match Pebble ([#1285](https://togithub.com/canonical/operator/issues/1285))
- Run ruff format over charm pin update code ([#1278](https://togithub.com/canonical/operator/issues/1278))
- Bump certifi from 2024.2.2 to 2024.7.4 in /docs ([#1282](https://togithub.com/canonical/operator/issues/1282))
- Update charm pins ([#1269](https://togithub.com/canonical/operator/issues/1269))

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.