(PA-6881) Adding rexml gem to agent-runtime-main for CVE-2024-41123 and CVE-2024-41946 #901
Is it expected that we are leaving the older version of Rexml installed? From using the EL-7 artifact you built
We're already including REXML in agent-runtime-7.x as well: https://github.com/puppetlabs/puppet-runtime/blob/38fc20bfbe8025e06645db2eab087b48a052b9ec/configs/projects/agent-runtime-7.x.rb#L64-L67 Would it make more sense to include REXML in _shared-agent-components than each agent runtime separately?
I didn't notice any changes in 7.x to remove the older REXML version that comes as the default, so I believe it should be fine with the main version as well.
I believe that we do not do anything in 7.x to clean up older REXML gems because REXML is packaged differently in different Ruby versions; it's a default gem in Ruby 2.7, but became a bundled gem in Ruby >= 3.1. Having multiple versions of REXML available has caused issues in CI in the past, see this thread in our private Slack channel: https://perforce.slack.com/archives/G047N5B7KK5/p1721074588851319. It looks like @shubhamshinde360 worked on this last time and may have guidance on how to proceed.
@imaqsood, I see that you've updated your PR, could you generate updated artifacts? I looked at the Vanagon generic builder and didn't see anything.
Looks good, built an el-7-x86_64 agent-runtime-7.x and then the puppet-agent out of that. Installed the agent and then ran this to confirm that the 3.3.4 rexml gem is updated for the agent:
/opt/puppetlabs/puppet/bin/gem list rexml
*** LOCAL GEMS ***
rexml (3.3.4, default: 3.2.3.1)
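One way to automate the check above, as an added example that is not code from this PR or from puppet-runtime: it parses `gem list rexml` output, treats the highest installed version as the one a plain `require "rexml"` will activate (absent a Bundler constraint), and flags any lower copies left behind, such as the older default gem this thread discusses. The 3.3.4 fixed version is the one named in the comment above; the sample output is constructed from that same comment.

```ruby
# Added example (not part of the PR): parse `gem list rexml` output and
# report whether the REXML version RubyGems will activate is at or above
# the fixed release, and whether an older default/bundled copy remains.
require "rubygems"

# Lowest REXML release named in this thread as carrying the fix.
FIXED_REXML = Gem::Version.new("3.3.4")

# Constructed sample of the output shown in the PR (el-7 agent-runtime-7.x).
SAMPLE_GEM_LIST = <<~OUT
  *** LOCAL GEMS ***

  rexml (3.3.4, default: 3.2.3.1)
OUT

# Parse one `gem list` line such as "rexml (3.3.4, default: 3.2.3.1)".
# Returns { name:, versions: [Gem::Version, ...] (highest first), default: }
# or nil for lines that are not gem entries (headers, blanks).
def parse_gem_list_line(line)
  m = line.match(/\A(\S+) \((.+)\)\z/) or return nil
  versions = []
  default = nil
  m[2].split(",").map(&:strip).each do |entry|
    if entry.start_with?("default: ")
      default = Gem::Version.new(entry.sub("default: ", ""))
      versions << default
    else
      versions << Gem::Version.new(entry)
    end
  end
  { name: m[1], versions: versions.sort.reverse, default: default }
end

# Evaluate a `gem list` dump for the REXML fix. With no version constraint,
# RubyGems activates the highest installed version, so that is what is
# compared against FIXED_REXML; any lower copies are reported as leftovers
# that a `gem_uninstall` step could remove.
def check_rexml(gem_list_output, fixed = FIXED_REXML)
  entry = gem_list_output.lines.map { |l| parse_gem_list_line(l.strip) }
                         .compact.find { |e| e[:name] == "rexml" }
  return { installed: false, fixed: false, leftovers: [] } unless entry
  highest = entry[:versions].first
  { installed: true,
    active: highest.to_s,
    fixed: highest >= fixed,
    leftovers: entry[:versions].select { |v| v < fixed }.map(&:to_s) }
end

puts check_rexml(SAMPLE_GEM_LIST).inspect if $PROGRAM_NAME == __FILE__
```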
With the additional logic in puppetlabs-toy-chest#901 for deduplicating rexml gems, an inadvertent requirement was imposed on projects to define a `gem_uninstall` command. This command should be ubiquitous (especially with impending Ruby 3-only streams), so instead of requiring all projects to configure it, a default is added. This setting is still configurable at a project level, but is not required.
This appears to have resulted in a new "required" configuration for all projects. I don't believe we should make requirements like that as it encourages even more copy-paste here. I propose we add a default as I believe it should be a pretty stable command. #910 In the future @imaqsood can you please check this view https://jenkins-platform.delivery.puppetlabs.net/view/puppet-runtime/ when you are making changes that affect everybody's runtimes to make sure there are not widespread failures?
Testing done for el7 and Ubuntu
Agent-runtime-main build
vanagon-generic-builder (generic) Generic Builder Step 03 -- Vanagon Project Packaging #3181 Console [Jenkins]
Agent-runtime-main artifacts
Index of /puppet-runtime/63d6a583a1e69661d6795bd48f92074d119ef7e1/artifacts/
Puppet-Agent Build
vanagon-generic-builder (generic) Generic Builder Step 03 -- Vanagon Project Packaging #3182 Console [Jenkins]
Puppet-Artifacts
Index of /puppet-agent/eb37c609e51f1b8c94d7634d71ac206867eedbd7/artifacts/deb/bionic/puppet8/
Index of /puppet-agent/eb37c609e51f1b8c94d7634d71ac206867eedbd7/artifacts/el/7/puppet8/x86_64/