github buildkite/elastic-ci-stack-for-aws v6.7.0

v6.7.0 (2023-09-14)

Full Changelog

Security

⚠️ This release partially fixes a medium-severity security vulnerability. We recommend upgrading to v6.7.1 or v5.22.5.

  • Affected versions: All prior versions of Elastic CI Stack
  • Impact: Privilege escalation to root on Linux agent instances
  • Required privileges: Users that can run user-controlled commands on agents (e.g. by pushing a branch to a repo that triggers a build with those changes)
  • Attack vector: A specially crafted build can abuse the fix-buildkite-agent-builds-permissions script to run commands as root on subsequent builds
  • Fix: Improved input validation in fix-buildkite-agent-builds-permissions #1212 (@DrJosh9000)
  • Alternative workarounds: Deploy a pre-bootstrap hook to prevent execution of fix-buildkite-agent-builds-permissions during a build

Thanks to Nick Nam of Atredis Partners for reporting the vulnerability.

Changed

Internal

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.7.0/aws-stack.yml

If you want to launch a new stack, you can use this link (do not use your production AWS account; create a new one for CI):

Launch Buildkite AWS Stack

Documentation

See the README for this release.
