
[20.03] graylog: 3.3.2 -> 3.3.3 #94309

Merged: 2 commits merged into NixOS:release-20.03 from the graylog_3.3.3_backport branch on Jul 31, 2020

Conversation

fadenb (Contributor) commented Jul 31, 2020

Backport of #94253 due to security fixes.

When all the following conditions are met this change might break an existing setup:

  • Graylog LDAP authentication is used
  • LDAP communication is SSL/TLS secured
  • "Allow self-signed certificates" is not enabled (this toggle had no effect before and self-signed certs were always accepted)
  • The used certificate cannot be validated with the information available from the local keystore

Graylog release info notes:

To avoid this, please ensure that all certificates used are valid, their common name matches the host part of your configured LDAP server and your local keystore contains all CA/intermediate certs required for validation.

How to deal with this issue was discussed between @Ma27 and me.
We decided to backport this to 20.03 due to the very specific circumstances required to run into this issue, the fact that upstream is aware of the breaking change in a patch release, and the infeasibility of creating a robust check for this.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
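A pre-upgrade check for the LDAP/TLS conditions listed in the description above, added here as an example and not part of the PR or of nixpkgs. It assumes the truststore Graylog's JVM uses has been exported to a PEM bundle (`keytool -list -rfc` output works as a CA file) and that the LDAP server speaks LDAPS on the given port; the return-code mapping follows OpenSSL's X509 verify codes.

```bash
#!/usr/bin/env bash
# Pre-upgrade check for the certificate validation that Graylog 3.3.3 starts
# enforcing on LDAP connections. Constructed example, not Graylog's own code.
# Assumption: CA_BUNDLE is a PEM export of the JVM truststore Graylog uses.

# classify_verify_output: read `openssl s_client` output on stdin and print a
# label for the "Verify return code" line. The labels map onto the three
# conditions named in the PR: self-signed cert, chain not completable from the
# local keystore, and CN/SAN not matching the configured LDAP host.
classify_verify_output() {
  code=$(sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n1)
  case "$code" in
    0)     echo ok ;;
    18|19) echo self-signed ;;        # self-signed leaf, or self-signed CA not in the store
    20|21) echo incomplete-chain ;;   # issuer / intermediate missing from the truststore
    62)    echo hostname-mismatch ;;  # certificate does not match the LDAP host name
    10)    echo expired ;;
    "")    echo no-result ;;          # no TLS handshake output at all (wrong port, STARTTLS-only)
    *)     echo "other($code)" ;;
  esac
}

# check_ldap_tls HOST PORT CA_BUNDLE: connect to the LDAPS server exactly the
# way a strict client would (hostname check, local CA file only) and classify.
check_ldap_tls() {
  host=$1 port=$2 cafile=$3
  openssl s_client -connect "$host:$port" -servername "$host" \
    -verify_hostname "$host" -CAfile "$cafile" </dev/null 2>/dev/null \
    | classify_verify_output
}

# Usage (hypothetical host and path):
#   check_ldap_tls ldap.example.internal 636 /etc/graylog/truststore.pem
# Anything other than "ok" is a setup that will break after the upgrade.
```

Run it against the same host string that is configured as the LDAP server in Graylog, since a result of `hostname-mismatch` depends on that exact name and not on the IP address.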

Tristan Helmich (omniIT) added 2 commits July 31, 2020 08:19
Bumps Graylog and integrations plugins to 3.3.3 which fixes CVE-2020-15813

(cherry picked from commit 1bb1b67)

Reason: Security fix for CVE-2020-15813 (closes NixOS#94001)
fadenb (Contributor, Author) commented Jul 31, 2020

@GrahamcOfBorg test graylog

@Ma27 Ma27 merged commit 5f646ea into NixOS:release-20.03 Jul 31, 2020
Ma27 (Member) commented Jul 31, 2020

@fadenb thanks!

@fadenb fadenb deleted the graylog_3.3.3_backport branch September 18, 2020 08:18