
v6.7.0

Released by @DrJosh9000 on 14 Sep 06:25 (commit f9ab0e0)

v6.7.0 (2023-09-14)

Full Changelog

Security

⚠️ This release partially fixes a medium-severity security vulnerability. We recommend upgrading to v6.7.1 or v5.22.5.

  • Affected versions: All prior versions of Elastic CI Stack
  • Impact: Privilege escalation to root on Linux agent instances
  • Required privileges: Users that can run user-controlled commands on agents (e.g. by pushing a branch to a repo that triggers a build with those changes)
  • Attack vector: A specially crafted build can abuse the fix-buildkite-agent-builds-permissions script to run commands as root on subsequent builds
  • Fix: Improved input validation in fix-buildkite-agent-builds-permissions #1212 (@DrJosh9000)
  • Alternative workarounds: Deploy a pre-bootstrap hook to prevent execution of fix-buildkite-agent-builds-permissions during a build
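
One way to implement the pre-bootstrap workaround above, as an added example that is not code from the Elastic CI Stack or from Buildkite: a Buildkite agent `pre-bootstrap` hook runs before every job's bootstrap, receives the job's environment as `KEY="value"` lines in the file named by `BUILDKITE_ENV_FILE`, and refuses the job by exiting non-zero. The script below scans that file for any reference to `fix-buildkite-agent-builds-permissions` and rejects the job if it finds one. The hook location (the agent's `hooks-path`, typically `/etc/buildkite-agent/hooks/pre-bootstrap` on the stack's Linux instances), the helper name `job_is_allowed` and the sample environment lines used in the test are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Hypothetical pre-bootstrap hook (added example, not Elastic CI Stack code).
# The Buildkite agent runs this hook before a job's bootstrap starts; a non-zero
# exit refuses the job. The job environment arrives as KEY="value" lines in the
# file named by BUILDKITE_ENV_FILE.
set -eu

# Name of the sudo-able helper the advisory describes; any job that references it
# is refused outright.
BLOCKED_SCRIPT="fix-buildkite-agent-builds-permissions"

# job_is_allowed ENV_FILE
#   Returns 0 when no variable in the job environment mentions the blocked
#   script, 1 otherwise. Every variable is scanned (command, plugins, env), not
#   only BUILDKITE_COMMAND, and a missing or unreadable file fails closed.
job_is_allowed() {
  env_file="$1"
  # Fail closed: if the agent did not hand us a readable env file, refuse.
  [ -r "$env_file" ] || return 1
  # Fixed-string match so the script name is not interpreted as a regex.
  if grep -qF -- "$BLOCKED_SCRIPT" "$env_file"; then
    return 1
  fi
  return 0
}

# Only act as a hook when invoked by the agent (BUILDKITE_ENV_FILE is set);
# when sourced or run for testing, the functions are defined but nothing runs.
if [ -n "${BUILDKITE_ENV_FILE:-}" ]; then
  if ! job_is_allowed "$BUILDKITE_ENV_FILE"; then
    echo "pre-bootstrap: refusing job that references $BLOCKED_SCRIPT" >&2
    exit 1
  fi
fi
```

This only inspects what is visible in the job environment (the command, plugin configuration and environment variables); a reference to the script placed inside a repository script or repository hook is not visible at this point, so treat the hook as a coarse stopgap and upgrade to a version with the fix.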

Thanks to Nick Nam of Atredis Partners for reporting the vulnerability.

Changed

Internal

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.7.0/aws-stack.yml

If you want to launch a new stack, you can use this link (do not use your production AWS account; create a separate one for CI):

Launch Buildkite AWS Stack

Documentation

See the README for this release.