From cab46a867f32a2bb8bb123d90d70233640844e11 Mon Sep 17 00:00:00 2001 From: Ellis Clayton Date: Thu, 12 Oct 2023 09:24:30 +1100 Subject: [PATCH 01/11] Ignore CVE-2023-29007 It affects git. Specifically through crafting a `.gitmodules` file in a particular way. This is not something that happens in the build process for the docs site. --- .buildkite/pipeline.deploy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index 58a5d8cbbf..35320ce3e7 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml @@ -21,6 +21,8 @@ steps: plugins: - buildkite/ecr-scan-results#v1.2.0: image-name: "${ECR_REPO}:${BUILDKITE_BUILD_NUMBER}" + ignore: + - CVE-2023-29007 # git 1:2.39.2-1.1 # If the current user is part of the deploy team, then wait for everything to # finish before deploying From 2e1ae9aba54e7ea5f13f4b1f04011124a65fa72d Mon Sep 17 00:00:00 2001 From: Ellis Clayton Date: Thu, 12 Oct 2023 09:25:00 +1100 Subject: [PATCH 02/11] Ignore CVE-2023-25652 It affects git. Specifically through using `git apply --reject` in a particular way. This is not something that happens in the build process for the docs site. --- .buildkite/pipeline.deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index 35320ce3e7..9afb7bba72 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml @@ -23,6 +23,7 @@ steps: image-name: "${ECR_REPO}:${BUILDKITE_BUILD_NUMBER}" ignore: - CVE-2023-29007 # git 1:2.39.2-1.1 + - CVE-2023-25652 # git 1:2.39.2-1.1 # If the current user is part of the deploy team, then wait for everything to # finish before deploying From 708fa17f01f3fa70e6b4a876f6f7d855e6b585b4 Mon Sep 17 00:00:00 2001 
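Review bot: The new `ignore` entry carries only the package version (`# git 1:2.39.2-1.1`); the reason the CVE is judged inapplicable lives in the commit message, which is not what the next person editing this list will see. Keep the rationale and a re-check trigger next to the entry, e.g. `- CVE-2023-29007 # git 1:2.39.2-1.1: needs a crafted .gitmodules; build does no submodule handling. Re-check when the base image's git changes`. If the plugin matches ignores on CVE ID alone rather than CVE plus package, this entry would also hide the same ID reported against any other package, so it is worth confirming how `ignore` is scoped before the list grows. The `steps` entry that owns this plugin block starts above the hunk.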
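Review bot: With this second entry two findings against the same `git 1:2.39.2-1.1` package are suppressed rather than fixed; if the base image's distribution has shipped a patched git, an upgrade in the Dockerfile (not visible here) would clear both lines and is preferable to maintaining exceptions. If no fixed package exists yet, say so with a date so the entry is revisited, e.g. `- CVE-2023-25652 # git 1:2.39.2-1.1: only reachable via 'git apply --reject', not used by the build; no fixed pkg as of 2023-10, re-check`. The parent step of this `ignore` list begins above the hunk.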
From: Ellis Clayton Date: Thu, 12 Oct 2023 10:07:39 +1100 Subject: [PATCH 03/11] Ignore CVE-2021-3864 It relates to using SUID binaries. We run our containers as root, which maybe isn't the best thing, but it also makes using SUID stuff irrelevant. --- .buildkite/pipeline.deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index 9afb7bba72..0af181a548 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml @@ -24,6 +24,7 @@ steps: ignore: - CVE-2023-29007 # git 1:2.39.2-1.1 - CVE-2023-25652 # git 1:2.39.2-1.1 + - CVE-2021-3864 # linux 6.1.55-1 # If the current user is part of the deploy team, then wait for everything to # finish before deploying From d34ce723cacf70d5a2408b470d65c76c1b45e659 Mon Sep 17 00:00:00 2001 From: Ellis Clayton Date: Thu, 12 Oct 2023 10:13:13 +1100 Subject: [PATCH 04/11] Ignore CVE-2013-7445 It concerns Direct Rendering Manager, which is relevant for applications processing graphics data. We're building a static site, nothing to see here. --- .buildkite/pipeline.deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index 0af181a548..59fa50a289 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml @@ -25,6 +25,7 @@ steps: - CVE-2023-29007 # git 1:2.39.2-1.1 - CVE-2023-25652 # git 1:2.39.2-1.1 - CVE-2021-3864 # linux 6.1.55-1 + - CVE-2013-7445 # linux 6.1.55-1 # If the current user is part of the deploy team, then wait for everything to # finish before deploying From 82a6a30da57c3b2be97c9f66adf094a7566259f7 Mon Sep 17 00:00:00 2001 From: Ellis Clayton Date: Thu, 12 Oct 2023 10:14:49 +1100 Subject: [PATCH 05/11] Ignore CVE-2019-19814 and CVE-2019-19449 These relate to mounting f2fs filesystem images. We don't use f2fs. --- .buildkite/pipeline.deploy.yml | 2 ++ 1 file changed, 2 insertions(+) 
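Review bot: The justification given for the new `CVE-2021-3864` entry — that running the container as root makes a SUID privilege-escalation bug irrelevant — treats a weakness as a mitigation: root in the container removes the need for escalation, not the impact of a compromise, and belongs on a fix list as a non-root `USER` in the Dockerfile (outside this diff). The defensible reason to ignore a `linux` package finding in an image scan is different: the package inside the image is presumably kernel headers rather than a bootable kernel (confirm with `dpkg -L linux-libc-dev` or similar) and never executes, while the kernel that actually runs is the host's and must be patched there. Record that reason inline, e.g. `- CVE-2021-3864 # linux 6.1.55-1: in-image kernel pkg is headers only; running kernel is the host's`, so later kernel findings are triaged on the same basis. The enclosing step starts above the hunk.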
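Review bot: The kernel entries are accumulating one per CVE with an identical `# linux 6.1.55-1` comment, so each new finding gets a bespoke argument in a commit message while the file itself explains nothing. Since the argument is the same for every CVE against the in-image `linux` package, put one explanatory comment above the first such entry and keep the per-line comment to the version, e.g. `# linux 6.1.55-1: package in the image is not the running kernel (host kernel is patched separately); not applicable unless the image ships a bootable kernel`. That assumption — that the package is present for headers only — should be confirmed against the Dockerfile before more kernel CVEs are waved through on it. The parent step of this list begins above the hunk.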
diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index 59fa50a289..0f27ae5c70 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml @@ -26,6 +26,8 @@ steps: - CVE-2023-25652 # git 1:2.39.2-1.1 - CVE-2021-3864 # linux 6.1.55-1 - CVE-2013-7445 # linux 6.1.55-1 + - CVE-2019-19814 # linux 6.1.55-1 + - CVE-2019-19449 # linux 6.1.55-1 # If the current user is part of the deploy team, then wait for everything to # finish before deploying From f3c0efb80c17bd45f87d96278b17f8ad5a31ddeb Mon Sep 17 00:00:00 2001 From: Ellis Clayton Date: Thu, 12 Oct 2023 10:31:07 +1100 Subject: [PATCH 06/11] Ignore CVE-2021-3847 It relates to OverlayFS. This is, admittedly, what Docker uses by default for volume mounting. Fortunately we don't do any volume mounting for this service in Production or build time. --- .buildkite/pipeline.deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index 0f27ae5c70..2734156ce8 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml @@ -28,6 +28,7 @@ steps: - CVE-2013-7445 # linux 6.1.55-1 - CVE-2019-19814 # linux 6.1.55-1 - CVE-2019-19449 # linux 6.1.55-1 + - CVE-2021-3847 # linux 6.1.55-1 # If the current user is part of the deploy team, then wait for everything to # finish before deploying From 67d8ce0a4aafe32a33c33918973d89803a895287 Mon Sep 17 00:00:00 2001 From: Ellis Clayton Date: Thu, 12 Oct 2023 10:33:06 +1100 Subject: [PATCH 07/11] Ignore CVE-2023-35827 It relates to an ethernet driver. That's a kernel thing, not relevant to us when we're using containers, where they don't have any concern over drivers. --- .buildkite/pipeline.deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index 2734156ce8..e2e8b89af7 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml 
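Review bot: The stated basis for the new `CVE-2021-3847` entry — that no volumes are mounted — does not hold, because the commit message's own premise (Docker uses OverlayFS by default) applies to the container's root filesystem: every layer of this image is served through overlayfs whether or not a volume is attached. The suppression can still be justified on different grounds: the overlayfs code runs in the host kernel, not in the `linux 6.1.55-1` package inside the image (presumably headers — confirm), so patching belongs to the host. Update the inline comment to say that, e.g. `- CVE-2021-3847 # linux 6.1.55-1: overlayfs is host-kernel code; image pkg does not run`, so the "no volumes" rationale is not copied forward. The enclosing step starts above the hunk.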
@@ -29,6 +29,7 @@ steps: - CVE-2019-19814 # linux 6.1.55-1 - CVE-2019-19449 # linux 6.1.55-1 - CVE-2021-3847 # linux 6.1.55-1 + - CVE-2023-35827 # linux 6.1.55-1 # If the current user is part of the deploy team, then wait for everything to # finish before deploying From fc22a5215d43278d6dd117535d5ed49a54b64b29 Mon Sep 17 00:00:00 2001 From: Ellis Clayton Date: Thu, 12 Oct 2023 10:44:53 +1100 Subject: [PATCH 08/11] Ignore CVE-2023-2953 We don't use openldap --- .buildkite/pipeline.deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index e2e8b89af7..50730712c3 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml @@ -30,6 +30,7 @@ steps: - CVE-2019-19449 # linux 6.1.55-1 - CVE-2021-3847 # linux 6.1.55-1 - CVE-2023-35827 # linux 6.1.55-1 + - CVE-2023-2953 # openldap 2.5.13+dfsg-5 # If the current user is part of the deploy team, then wait for everything to # finish before deploying From 01e86a962cee3fe8d3a79de00e564fa40ce2a11d Mon Sep 17 00:00:00 2001 From: Ellis Clayton Date: Thu, 12 Oct 2023 10:45:26 +1100 Subject: [PATCH 09/11] Ignore CVE-2023-31484 We don't use Perl, and even if we do inadvertently through some package depending on it, we certainly don't use the CPAN.pm package manager. --- .buildkite/pipeline.deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index 50730712c3..62720dccea 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml @@ -31,6 +31,7 @@ steps: - CVE-2021-3847 # linux 6.1.55-1 - CVE-2023-35827 # linux 6.1.55-1 - CVE-2023-2953 # openldap 2.5.13+dfsg-5 + - CVE-2023-31484 # perl 5.36.0-7 # If the current user is part of the deploy team, then wait for everything to # finish before deploying From 1f203810731c41bdaf75003b9218a079709aea13 Mon Sep 17 00:00:00 2001 
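Review bot: "Containers have no concern over drivers" is not a sound basis for the new `CVE-2023-35827` entry — a container shares the host kernel and every driver loaded into it, so a kernel driver bug bears on the container's isolation whenever the host kernel is affected. What makes the finding inapplicable to this image scan is that the `linux` package inside the image is not the running kernel (likely headers; confirm), and host patching is the real control. Phrase the comment that way, e.g. `- CVE-2023-35827 # linux 6.1.55-1: host-kernel driver code; image pkg never runs`. The parent step of this list begins above the hunk.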
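Review bot: "We don't use openldap" is probably true of the site but not of the image: `openldap 2.5.13+dfsg-5` is flagged because libldap is installed, most likely as a transitive dependency of a tool such as curl or git (confirm with `apt-cache rdepends --installed` on the libldap package). If a linked tool is ever pointed at an `ldap://` URL that code is reachable, so the comment should name the package that pulls libldap in and why that path is unreachable, e.g. `- CVE-2023-2953 # openldap 2.5.13+dfsg-5: libldap pulled in by <pkg>; no ldap:// URLs in build`. If nothing depends on it, removing the package beats ignoring the CVE. The enclosing step starts above the hunk.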
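Review bot: Suppressing findings against an interpreter the build does not need (`perl 5.36.0-7` here) keeps unused attack surface in the deployed image; if perl is only present because a base-image package depends on it, name that dependency in the comment, and if it is not, remove it from the image instead of ignoring the CVE. For a static docs site a multi-stage build that copies only the generated output into a minimal runtime image would clear this whole class of findings rather than one CVE at a time (the Dockerfile is not visible here, so this is a suggestion to check). Suggested comment: `- CVE-2023-31484 # perl 5.36.0-7: CPAN.pm never invoked; perl kept only as a dependency of <pkg>`. The parent step of this list begins above the hunk.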
From: Ellis Clayton Date: Thu, 12 Oct 2023 10:46:30 +1100 Subject: [PATCH 10/11] Ignore CVE-2023-24329 We don't use Python. At least not directly. But assuming we do use Python unexpectedtly, the nature of the Docs site is such that we aren't attempting to parse URLs supplied by end-users anywhere. Therefore the likelihood of a malicious string to urllib.parse is extremely low. --- .buildkite/pipeline.deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index 62720dccea..63d78f4cf8 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml @@ -32,6 +32,7 @@ steps: - CVE-2023-35827 # linux 6.1.55-1 - CVE-2023-2953 # openldap 2.5.13+dfsg-5 - CVE-2023-31484 # perl 5.36.0-7 + - CVE-2023-24329 # python3.11 3.11.2-6 # If the current user is part of the deploy team, then wait for everything to # finish before deploying From caeab8f3f785eb2a2cb21e73caf9e19949260d02 Mon Sep 17 00:00:00 2001 From: Ellis Clayton Date: Thu, 12 Oct 2023 11:22:51 +1100 Subject: [PATCH 11/11] Ignore CVE-2023-3640 This is quite an edge case CVE. Its risk is further reduced by the fact our container runs as root (meaning no privilege escalation in the first place). It's also a kernel-level thing, so not really relevant in a container. --- .buildkite/pipeline.deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/pipeline.deploy.yml b/.buildkite/pipeline.deploy.yml index 63d78f4cf8..0f71330644 100644 --- a/.buildkite/pipeline.deploy.yml +++ b/.buildkite/pipeline.deploy.yml @@ -33,6 +33,7 @@ steps: - CVE-2023-2953 # openldap 2.5.13+dfsg-5 - CVE-2023-31484 # perl 5.36.0-7 - CVE-2023-24329 # python3.11 3.11.2-6 + - CVE-2023-3640 # linux 6.1.55-1 # If the current user is part of the deploy team, then wait for everything to # finish before deploying
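Review bot: The "no end-user URLs" argument behind the new `CVE-2023-24329` entry is only as strong as the trust placed in the build's inputs: the site's source content is what the build parses, and if this pipeline also runs for pull requests from forks, URLs in that content are contributor-supplied. The CVE itself concerns leading-whitespace bypass of URL blocklists built on `urllib.parse`, so the precise reason it is inapplicable is that nothing in the build makes allow/deny decisions on parsed URLs — state that, e.g. `- CVE-2023-24329 # python3.11 3.11.2-6: urllib.parse blocklist bypass; build does no URL filtering`. If python is not needed at all, dropping it from the runtime image is the better fix. The enclosing step starts above the hunk.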
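Review bot: The new `CVE-2023-3640` entry is again rationalised by the container running as root, which is the opposite of a mitigation — a non-root `USER` in the Dockerfile (outside this diff) would make escalation findings matter less for a real reason. The entry also lands after the openldap, perl and python lines, so the list is now ordered by date of triage rather than by package; moving it up with the other `linux 6.1.55-1` entries and relying on one shared kernel comment (in-image package is not the running kernel; host is patched separately — confirm the package is headers only) keeps the reasoning in one place. The parent step of this list begins above the hunk.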