v6.7.0 (2023-09-14)
Security
⚠️ This release partially fixes a medium-severity security vulnerability. We recommend upgrading to v6.7.1 or v5.22.5.
- Affected versions: All prior versions of Elastic CI Stack
- Impact: Privilege escalation to root on Linux agent instances
- Required privileges: Users that can run user-controlled commands on agents (e.g. by pushing a branch to a repo that triggers a build with those changes)
- Attack vector: A specially crafted build can abuse the
fix-buildkite-agent-builds-permissions
script to run commands as root on subsequent builds - Fix: Improved input validation in
fix-buildkite-agent-builds-permissions
#1212 (@DrJosh9000) - Alternative workarounds: Deploy a pre-bootstrap hook to prevent execution of
fix-buildkite-agent-builds-permissions
during a build
Thanks to Nick Nam of Atredis Partners for reporting the vulnerability.
Changed
- Update to scaler v1.6.0 #1213 (@DrJosh9000)
- Bump buildkite-agent to v3.55.0 #1214 (@DrJosh9000)
Internal
- Fix ami_source_filter #1211 (@DrJosh9000)
Upgrading
Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.7.0/aws-stack.yml
If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):