Headline

CVE-2020-15855: bodhi Changelog - pyup.io

Two cross-site scripting vulnerabilities were fixed in Bodhi 5.6.1.

2 years ago

CVE

Open in Source

#sql #xss #vulnerability #web #mac #apache #js #git #java #rpm #docker #sap

5.7.5

This is a feature release.

Features

- Prepare the Bodhi client to be compatible with an OIDC-enabled server. (4391).

Contributors

The following developers contributed to this release of Bodhi:

- Aurélien Bompard

5.7.4

25 Jan 2022`

This is a bugfix release that should help with several more problems after 5.7.3 release.

Features

- Automatic updates consumer can now identify new packages and mark updates with the appropriate type (4324).
- Detect stuck updates with builds that were never been sent to pending-signing and unstuck them (4307).

Bug fixes

- Bodhi will now retry to get a build changelog if Koji returns empty rpm headers. See also https://pagure.io/koji/issue/3178 (#4316).
- Fixed an issue about some bug title never fetched from Bugzilla (4317).

Contributors

The following developers contributed to this release of Bodhi:

- Adam Saleh
- Aurélien Bompard
- Adam Williamson
- Lenka Segura
- Mattia Verga

5.7.3

8 Dec 2021`

This is a bugfix release that should help with several more problems
after 5.7.2 release.

Bug fixes

- Fixed an issue where Bodhi was throwing 5xx “NoSuchColumnError testcases.id” errors because of a misconfigured table (4302).

5.7.2

26 Nov 2021`

This is a bugfix release that should help with several problems after 5.7.1 release.

Bug fixes

- Fixed an issue where JSON serialization of a TestCase object hangs
the server (4278).
- Fixed a possible call to Koji listTagged() passing an empty tag name
(4280).
- Bodhi will now try to resubmit a build to signing if it detects that
is stuck in pending signing for some time (4300).

Contributors

The following developers contributed to this release of Bodhi:

- Adam Saleh
- Mattia Verga

5.7.1

8 Nov 2021`

This is a bugfix release.

Server upgrade instructions

This release contains database migrations. To apply them, run:

$ sudo -u apache /usr/bin/alembic -c /etc/bodhi/alembic.ini upgrade head

Summary of the migrations:

- Add End of life (eol) field to the releases (`4241`).

Backwards incompatible changes

- Query on both relevant Greenwave decision contexts for critical-path updates. `Update.get_test_gating_info()` now returns a list of decision dictionaries, not a single decision dictionary. The API endpoint `/updates/{id}/get-test-results` similarly now returns a single-key dictionary whose value is a list of decisions, not a single decision dictionary. (4259).

Features

- Added support for release names ending with “N” such as EPEL next (4222).
- Set a `delta` parameter of 30 days when quering datagrepper for bodhi-related user activity (4255).
- Added support for setting flags in generated advisories to require logging out and logging back in for the update to take effect (4213).
- Replace Greenwave decision change message consumer with ResultsDB and WaiverDB message consumers (4230).

Bug fixes

- Fix an issue that caused the builds in a side-tag update to not be
tagged correctly when the build list of the update was modified (4161).
- Bodhi will now delete the side-tag in Koji when an update is pushed to stable. Builds that were tagged in the side-tag but were not pushed as part of the update will be untagged. This is required to make sure to not leave stale side-tags in the Koji database (4228).
- Updates for archived releases cannot be edited anymore (4236).
- Correctly mark automatic updates as critpath when appropriate (4177).
- Fixed an issue with validators that prevents inconsistent refusal of bodhi override with maximum duration (4182).
- Fixed an issue where the search result box was cutted off out of screen borders (4206).
- Fixed a javascript bug which prevented the “waive tests” button to be displayed in UI (4208).
- Fixed an issue with validators that prevented a side-tag update owner to edit their update after adding a build for which they don’t have commit access (4209).
- Avoid gating status ping-pong on update creation, assume status ‘waiting’ for 2 hours or until first failed test (4221).
- For new packages submitted to repositories, the changelog was not generated and attached to the automatic Update. This prevented the bugs mentioned in the changelog to be closed by Bodhi (4232).
- Staging Bodhi now uses staging Bugzilla URL for bug links (4238).
- Fixed an issue where editing Updates always caused to set the request to Testing (4263).

Development improvements

- Add End of life (eol) field to the releases (:

5.7.0

===
This is a feature release.

Features
=======

* Query different Greenwave contexts for critical path updates, allowing for
stricter policies to apply (:pr:`4180`).
* Use Pagure’s `hascommit` new endpoint API to check user’s rights to
create/edit updates. This allow collaborators to push updates for releases
for which they have commit access. (:pr:`4181`).

Bug fixes
=======

* Fixed an error about handling bugs in automatic updates (:pr:`4170`).
* Side-tag wheren’t emptied when updates for current releases were pushed to
stable (:pr:`4173`).
* Bodhi will avoid sending both ‘update can now be pushed’ and ‘update has been
pushed’ notifications at the same time on updates pushed automatically
(:issue:`3846`).
* Clear request status when release goes EOL (:issue:`4039`).
* Allow bodhi to not operate automatically on bugs linked to in changelog for
specific releases (:issue:`4094`).
* Use the release git branch name to query PDC for critpath components
(:issue:`4177`).
* Avoid using datetime.utcnow() for updateinfo <updated_date> and <issued_date>
elements, use “date_submitted” instead. (:issue:`4189`).
* Updates which already had a comment that they can be pushed to stable were
not automatically pushed to stable when the `stable_days` threshold was
reached (:issue:`4042`).

Contributors
=========

The following developers contributed to this release of Bodhi:

* Adam Saleh
* Adam Williamson
* Clement Verna
* Daniel Alley
* Mattia Verga
* Andrea Misuraca

5.6.1

======
This is a bugfix release.

Bug fixes
=======
Fix two reflected XSS vulnerabilities - CVE: CVE-2020-15855

Contributors
=========

The following developers contributed to this release of Bodhi:

* Patrick Uiterwijk

5.6

====
This is a feature release.

Dependency changes
================

* Drop support for bleach 1.0 api (:pr:`3875`).
* Markdown >= 3.0 is now required (:pr:`4134`).

Server upgrade instructions
=====================

This release contains database migrations. To apply them, run::

$ sudo -u apache /usr/bin/alembic -c /etc/bodhi/alembic.ini upgrade head

Features
=======

* Added a `from_side_tag` bool search parameter for Updates and allow searching
for that and for gating status from WebUI (:pr:`4119`).
* Allow overriding `critpath.stable_after_days_without_negative_karma` based on
release status (:pr:`4135`).
* Users which owns a side-tag can now create updates from that side-tag even if
it contains builds for which they haven’t commit access (:issue:`4014`).

Bug fixes
=======

* Fix encoding of package and user names in search results (:pr:`4104`).
* Fix autotime display on update page (:pr:`4110`).
* Set update.stable_days to 0 for Releases not composed by Bodhi itself
(:pr:`4111`).
* Ignore builds in Unpushed updates when checking for duplicate builds
(:issue:`1809`).
* Make automatic updates obsolete older updates stuck in testing due to failing
gating tests (:issue:`3916`).
* Fix 404 pages for bot users with nonstandard characters in usernames
(:issue:`3993`).
* Fixed documentation build with Sphinx3 (:issue:`4020`).
* Serve the documentation directly from the WSGI application using WhiteNoise.
(:issue:`4066`).
* Updates from side-tag for non-rawhide releases were not pushed to testing
(:issue:`4087`).
* Side-tag updates builds were not editable in the WebUI (:issue:`4122`).
* Fixed “re-trigger tests” button not showed on update page (:issue:`4144`).
* Fixed a crash in automatic_updates handler due to `get_changelog()` returning
an unhandled exception (:issue:`4146`).
* Fixed a crash in automatic_updates handler due to trying access update.alias
after the session was closed (:issue:`4147`).
* Some comments orphaned from their update where causing internal server
errors. We now enforce a not null check so that a comment cannot be created
without associating it to an update. The orphaned comments are removed from
the database by the migration script. (:issue:`4155`).
* Dockerfile for pip CI tests has been fixed (:issue:`4158`).

Development improvements
=====================

* Rename `Release.get_testing_side_tag()` to `get_pending_testing_side_tag()`
to avoid confusion (:pr:`4109`).
* Added F33 to tests pipeline (:pr:`4132`).

Contributors
=========

The following developers contributed to this release of Bodhi:

* Adam Saleh
* Clement Verna
* Justin Caratzas
* Jonathan Wakely
* Karma Dolkar
* Mattia Verga
* Pierre-Yves Chibon
* Rayan Das
* Sebastian Wojciechowski

5.6.0

====
This is a bugfix release.
Features

* Added metrics endpoint for scraping by Prometheus.
* Allowed querying releases and updates using graphql endpoint.

Bug fixes

* Disable manual creation of updates for releases not composed by Bodhi and add
some bits in the docs on how to handle automatic updates not being created
(:issue:`4058`).
* Fix TestCase validation upon feedback submission (:issue:`4088`).
* Do not let update through when bodhi fails to talk to greenwave.
(:issue:`4089`).
* Fix package name encoding in URLs (:issue:`4095`).
* bodhi can’t be installed from pypi (:issue:`3919`).

Contributors

The following developers contributed to this release of Bodhi:

* Adam Saleh
* Clement Verna
* Karma Dolkar
* Mattia Verga
* Pierre-Yves Chibon

5.5.0

This is a minor release.

Server upgrade instructions

This release contains database migrations. To apply them, run::

$ sudo -u apache /usr/bin/alembic -c /etc/bodhi/alembic.ini upgrade head

Summary of the migrations:

* Migrate relationship between TestCase and Package to TestCase and Build. The migration script will take care of migrate existing data to the new relation.
* The user_id column in comments table has been set to be not nullable.
* The notes column in buildroot_overrides table has been converted to UnicodeText (from Unicode).

Bug fixes

* Associate TestCase to Build instead of Package, allowing to remove old
testcases from updates (:issue:`1794`).
* Replace koji krb_login with gssapi_login. (:issue:`4029`).
* Making sure that builds of side tag update for normal releases are marked as
signed. (:issue:`4032`).
* Handle Cornice 5.0 JSON error handling. (:issue:`4033`).
* Cap buildroot overrides notes to a maximum of 2k characters and convert the
database field to UnicodeText (:issue:`4044`).

Development improvements

* The user_id field in the comments table has been made not nullable. Some
database joins have been tweaked to get better performance (:pr:`4046`).
* Always use koji.multiCall for untag/unpush for better handle updates with a
lot of builds (:pr:`4052`).

Contributors

The following developers contributed to this release of Bodhi:

* Clement Verna
* Karma Dolkar
* Mattia Verga
* Miro Hrončok
* Sebastian Wojciechowski

5.3.0

This is a minor release.

Dependency changes

* Splitted handle_update task into two celery tasks for bugs and testcases.
These two new tasks will make use of Celery’s `autoretry_for` and
`retry_backoff` features to circumvent external services connection problems.
`retry_backoff` needs Celery >= 4.2 (:pr:`3989`).

Features

* Associate bugs mentioned in rpm changelog to automatically created Rawhide
updates; the bugs mentioned with the format `fix(es)|close(s)
(fedora|epel|rh|rhbz)BUG_ID` will be associated to the update and
automatically closed (:issue:`3925`).

Bug fixes

* Use jquery-typeahead for bodhi searchbar and always show the input field
(:issue:`1455`).
* Reset update.date_testing when editing builds (:issue:`3493`).
* Removed pending_testing tag when self.request is still in
UpdateRequest.testing (:issue:`3944`).
* Fix the broken privacy policy link for update’s comment box. (:issue:`3971`).
* Do not bound the database session created using TransactionalSessionMaker
class to the object created.
Since threads are sharing the memory binding to the session object, it makes
it possible for threads to
override a previous session leading to unexpected behaviours.
(:issue:`3979`).
* Editing builds in an update should not remove override tags (:issue:`3988`).
* Make Test Cases look clickable. (:issue:`4003`).
* If an update include no builds, use alias as title (:issue:`4012`).

Development improvements

* Revise display for update’s settings

Showed a ‘stable by karma: disabled’ and a ‘stable by time: disabled’ in
the UI when appropriate. Also added a ‘Autotime: <Bool>’ to the CLI output.
(:issue:`3957`).
* Avoid using a database session in the tag_update_builds_task.
(:issue:`3981`).
* Avoid using a database session in the handle side tag task. (:issue:`3983`).
* Ignore celery task’s results we don’t use. (:issue:`3995`).

Documentation improvements

* Reference the state that happens when an update is revoked (:issue:`2902`).
* Document the full set of bug trackers that can be reference in Bodhi’s
markdown.
Also added a section to Bodhi’s Sphinx docs about Bodhi markdown,
and listed the bug trackers there as well. (:issue:`3209`).
* Add information to Bodhi docs that Bodhi has frozen release state
(:issue:`3505`).

Contributors

The following developers contributed to this release of Bodhi:

* Clement Verna
* Karma Dolkar
* Mattia Verga
* Richard O. Gregory
* Tomas Kopecek

5.2.2

======
This is a bugfix release.

Bug fixes

* Only pass scalar argument to celery (part 2). Avoid the celery enqueuer
emitting SQL queries to resolve attributes, and therefore opening new
transactions. (:issue:`8b30a825`).

Contributors

The following developers contributed to this release of Bodhi:

* Clement Verna

5.2.1

======
This is a bugfix release.

Bug fixes

* Get the update object in the celery worker from the database.
(:issue:`3966`).

Contributors

The following developers contributed to this release of Bodhi:

* Clement Verna

This is a feature and bugfix release.

Features

* Added `__current__`, `__pending__` and `__archived__` macro filters to
quickly filter Updates by Release status (:pr:`3892`).
* Added search filtering capabilities to the Overrides page (:pr:`3903`).
* Output the update install command into the bugs comments. Also change the
`stable_bug_msg` and `testing_bug_msg` settings format to use placeholders in
place of `%s`: if you have customized these settings you will need to adjust
them to the new format. Here it is the list of the available placeholders:
`{update_title}, {update_beauty_title}, {update_alias}, {repo},
{install_instructions}, {update_url}` (:issue:`740`).
* Tag builds for updates asynchronously using Celery tasks. (:issue:`3061`).
* Add a Liveness and Readyness endpoints for OpenShift probes. (:issue:`3854`).
* Allow revoking the `push to stable` action (:issue:`3921`).

Bug fixes

* Place 404 Not Found in the middle of the website (:pr:`3835`).
* RPM changelog was not automatically added in the notes for Rawhide updates as
expected (:pr:`3931`).
* Add back the ability to add abitairy text as a build. (:issue:`3707`,
:issue:`3765`).
* Allow to comment on update that were pushed to stable. (:issue:`3748`).
* Make comments submission to use common code with other forms and avoid
clearing the spinner until the page refreshes (:issue:`3837`).
* Try to avoid timeout error when requesting latest_candidates with
`hide_existing=true` (:issue:`3841`).
* Allow task id to be null in the bodhi.update.status.testing message schema.
(:issue:`3852`).
* Sent UpdateReadyForTestingV1 only for rpm (:issue:`3855`).
* Prevent whitespaces string to be set as display name of an update
(:issue:`3877`).
* Fixed pagination issue when using multiple values for the same filter
(:issue:`3885`).
* Make sure we send the fedora-messaging messages before trigerring a celery
task. (:issue:`3904`).
* Prevent updates from sidetags being stuck in Testing (:issue:`3912`).
* Do not allow to push back to testing a stable update (:issue:`3936`).

Development improvements

* Use existing db session when creating a package: `Package.get_or_create()`
now requires a session object in input (:pr:`3860`).
* Use koji’s multicall in `tag_update_builds` task (:pr:`3958`).

Other changes

* Use Celery Beat instead of cron jobs. The corresponding CLIs have been
adjusted
to trigger the task. They will still block until the task is done, but it may
not be running on the host that the CLI was called on. The affected CLIs are:
``bodhi-clean-old-composes``, ``bodhi-expire-overrides``,
``bodhi-approve-testing``, and ``bodhi-check-policies`` (:issue:`2867`).

Contributors

The following developers contributed to this release of Bodhi:

* Adam Saleh
* Aurélien Bompard
* Adam Williamson
* Clement Verna
* Eli Young
* Karma Dolkar
* Mattia Verga
* Michal Konečný
* Nils Philippsen
* Pierre-Yves Chibon
* Elliott Sales de Andrade
* Richard O. Gregory
* Rick Elrod
* Ryan Lerch
* Stephen Coady
* subhamkrai
* Sebastian Wojciechowski

This is a feature and bugfix release.

Features
========

* Include the task id for each build when notifying that an update is ready to
be tested (3724).
* Linkify update aliases in comments (776).

Bug fixes
=========

* Fix BuildrootOverrides editing/expiring from the UI (3710).
* Fix the traceback when builds are being signed without being included in an
update (3720).
* Increase the size of the update alias column (3779).
* Fix JS error when removing a bug from the list in the update form
(3796).
* Disable warnings when adding `Security Response` bugs to an update
(3789).
* Manage single build update conflicting builds. (3828).

Contributors
============

The following developers contributed to this release of Bodhi:

* Aurélien Bompard
* Clement Verna
* Mattia Verga
* Pierre-Yves Chibon
* Rick Elrod
* Ryan Lerch

* Anatoli Babenia
* Aurélien Bompard
* Randy Barlow
* Clement Verna
* David Fan
* dimitraz
* Lukas Holecek
* Mattia Verga
* Michal Konečný
* Nils Philippsen
* Ondrej Nosek
* Pierre-Yves Chibon
* Rick Elrod
* Ryan Lerch
* Robert Scheck
* Rob Shelly
* Sam Robbins
* Stephen Coady
* siddharthvipul
* subhamkrai
* Sebastian Wojciechowski

* Aurélien Bompard
* Clement Verna
* Nils Philippsen
* Pierre-Yves Chibon

* Aurélien Bompard
* Clement Verna
* Mattia Verga
* Michal Konečný
* Nils Philippsen
* Patrick Uiterwijk
* Randy Barlow
* Sebastian Wojciechowski
* Troy Dawson
* Pierre-Yves Chibon

4.0.2

* Randy Barlow
* Patrick Uiterwijk

* Adam Williamson
* Anatoli Babenia
* Aurélien Bompard
* Clement Verna
* Jeremy Cline
* Jonathan Dieter
* Josh Soref
* Mattia Verga
* Miro Hrončok
* Nils Philippsen
* Owen W. Taylor
* Patrick Uiterwijk
* Sebastian Wojciechowski
* Troy Dawson
* Randy Barlow

This is a feature release.

Features
--------

* Use ``flatpaks/`` namespace for Flatpaks, and make it configurable.
(2924, 3052).
* Add json response handler for server internal errors (3035).

Bug fixes
---------

* Fix HTTP 500 errors when viewing composes (2826).
* Set log level to ERROR in bodhi-approve-testing (3021).

Development improvements
------------------------

* Log why buildroot overrides are expired (3060).

3.13.3

This is a bugfix release.

Server upgrade instructions

This release contains database migrations. To apply them, run::

$ sudo -u apache /usr/bin/alembic -c /etc/bodhi/alembic.ini upgrade head