v6.7.1 (2023-09-20)
Security
⚠️ This release fixes a medium-severity security vulnerability. We recommend upgrading to v6.7.1 or v5.22.5.
- Affected versions: All prior versions of Elastic CI Stack (except v5.22.5). v6.7.0 and v5.22.4 contained a partial fix.
- Impact: Privilege escalation to root on Linux agent instances
- Required privileges: Users that can run user-controlled commands on agents (e.g. by pushing a branch to a repo that triggers a build with those changes)
- Attack vector: A specially crafted build can abuse the
fix-buildkite-agent-builds-permissionsscript to run commands as root on subsequent builds - Fix: Improved input validation and file handling #1219, #1221 (@DrJosh9000)
- Alternative workarounds: Deploy a pre-bootstrap hook to prevent execution of
fix-buildkite-agent-builds-permissionsduring a build
Thanks to Nick Nam of Atredis Partners for reporting the vulnerability.
Upgrading
Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.7.1/aws-stack.yml
If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):