On 17/11/2020 00:43, Luca Milanesio wrote:
Dear Gerrit Administrator,
This is an early warning of a recent security problem discovered on Gerrit Code Review and documented at [1].
You have been selected to receive very early notification about the problem because at least one of your Gerrit setups is available to the general public on the internet.
We want to give you a few days before the general public is informed so that you can put in place the mitigation procedure before anyone can exploit it against your site.
Please respect the confidentiality of this early notification, according to the embargo process documented at [2].
We have also released a security fix for all the most recent versions of Gerrit impacted. See below the corresponding downloadable links:
v2.15.21 [3] (SHA256=0ef970a4aec3c40e85d8fe806974967fc728e61697175fc3cf48d20777ae9040)
v2.16.25 [4] (SHA256=15e0eb6fca0f64b909fc3cf732712c498fcdfa40c9338378ea7f582012899d05)
v3.0.15 [5] (SHA256=9579a076b718f362c1c41bd7e8746ac9304e7bc54ccca09b37c04ae18d8af185)
v3.1.10 [6] (SHA256=36e43b73de21b275b3991f4245a8155db83d0a4d33b98fa49eb80be4c6c9fc41)
v3.2.5 [7] (SHA256=34f0205f556bffe9f770b7c3fe65bad4e5781c543ccc0f9d0aabb0ecf6e66dd9)
Gerrit v2.14 is also impacted, but it hasn't been possible to develop a software fix yet. You can still mitigate the problem by adjusting the Gerrit ACLs, as documented at [1].
Note: Gerrit can be protected against this security issue by adjusting the ACLs. The upgrade is therefore not mandatory but strongly recommended. We always suggest going through a careful analysis of the release notes and a testing phase in staging before applying any upgrade.
The issue is going to be published officially by Tuesday the 17th of November, together with release announcements and release notes.
Please let us know in case of any questions on this matter.
Gerrit Code Review Maintainers.
References:
[1] https://bugs.chromium.org/p/gerrit/issues/detail?id=13621
[2] https://gerrit-review.googlesource.com/Documentation/dev-processes.html#embargo
[3] https://gerrit-releases.storage.googleapis.com/gerrit-2.15.21.war
[4] https://gerrit-releases.storage.googleapis.com/gerrit-2.16.25.war
[5] https://gerrit-releases.storage.googleapis.com/gerrit-3.0.15.war
[6] https://gerrit-releases.storage.googleapis.com/gerrit-3.1.10.war
[7] https://gerrit-releases.storage.googleapis.com/gerrit-3.2.5.war
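The SHA256 values quoted in the announcement only help if the downloaded .war is actually compared against them before it is deployed. The script below is an added example and is not part of the announcement or of the Gerrit project's own tooling: the hashes and download URLs are the ones listed in the message above, while the function names (expected_sha256, file_sha256, verify_war, verify_release) are my own. It looks up the advisory's hash for a given version, computes the file's digest with sha256sum (or shasum on macOS/BSD), and exits non-zero on any mismatch so it can gate an automated upgrade step.

```shell
#!/bin/sh
# Added example, not code from the announcement: verify a downloaded
# Gerrit .war against the SHA256 published in the advisory before deploying.
# The hashes below are copied verbatim from the message above.

expected_sha256() {
  # Print the advisory's SHA256 for a Gerrit version; fail if unknown.
  case "$1" in
    2.15.21) echo 0ef970a4aec3c40e85d8fe806974967fc728e61697175fc3cf48d20777ae9040 ;;
    2.16.25) echo 15e0eb6fca0f64b909fc3cf732712c498fcdfa40c9338378ea7f582012899d05 ;;
    3.0.15)  echo 9579a076b718f362c1c41bd7e8746ac9304e7bc54ccca09b37c04ae18d8af185 ;;
    3.1.10)  echo 36e43b73de21b275b3991f4245a8155db83d0a4d33b98fa49eb80be4c6c9fc41 ;;
    3.2.5)   echo 34f0205f556bffe9f770b7c3fe65bad4e5781c543ccc0f9d0aabb0ecf6e66dd9 ;;
    *)       return 1 ;;
  esac
}

file_sha256() {
  # Portable SHA256 of a file: sha256sum on Linux, shasum on macOS/BSD.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_war() {
  # verify_war FILE EXPECTED_HASH -> returns 0 on match, 1 on mismatch.
  actual=$(file_sha256 "$1") || return 1
  if [ "$actual" = "$2" ]; then
    echo "OK: $1 matches the expected SHA256"
    return 0
  fi
  echo "MISMATCH: $1" >&2
  echo "  expected $2" >&2
  echo "  actual   $actual" >&2
  return 1
}

verify_release() {
  # verify_release VERSION FILE: look up the advisory hash, then verify FILE.
  # Returns 2 for a version the advisory does not list.
  hash=$(expected_sha256 "$1") || { echo "unknown version: $1" >&2; return 2; }
  verify_war "$2" "$hash"
}

# Usage (the URL is the advisory's own download link):
#   curl -fLO https://gerrit-releases.storage.googleapis.com/gerrit-3.2.5.war
#   verify_release 3.2.5 gerrit-3.2.5.war || exit 1
```

A non-zero exit from verify_release is the signal to stop: a hash mismatch means the artifact is not the one the maintainers published, whether because of a truncated download or a tampered file, and it should not be copied into the Gerrit site directory.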