Today we learned of a major security hole in Git, which could allow
remote code execution in the Trove server appliance.
The last release of the Baserock reference systems contained Git 2.3.0,
which is vulnerable.
We have merged a patch to upgrade to Git 2.8.0-rc2, which is not
vulnerable, and we are in the process of testing and deploying this
update to our Trove instances.
We think that there are two ways to compromise the 'lorry' or 'git' user
accounts on a Trove:
1. a hostile push to a repo hosted on the Trove
2. compromising a public repo that the Trove pulls from
For (1), the attacker must have SSH or HTTPS write access. If only
trusted people have write access, and you didn't do anything to enable
anonymous pushes, then it's nothing to worry about. For (2), it's not
impossible that some open source project could turn hostile in this way.
To avoid any risk, you can disable the 'lorry controller' service on a
Trove until you deploy an update:

    systemctl stop lighttpd-lorry-controller-webapp.service

If you want to avoid lots of harmless errors in the journal, also disable
every service whose unit name contains 'lorry-controller'.
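A script for the mitigation above, added here as an example and not part of the announcement or of Trove: it reports whether the installed git is older than 2.8.0-rc2 (the version the update moves to; treating anything older as needing the update is an assumption, since the announcement names no minimum fixed version) and stops and disables every unit with 'lorry-controller' in its name. The script name and the --apply flag are my own.

```shell
#!/bin/sh
# Added example for Trove admins (not the announcement's or Trove's own code).
# Usage: sh trove-lorry-mitigate.sh          # report only
#        sh trove-lorry-mitigate.sh --apply  # also stop and disable the units
FIXED="2.8.0-rc2"   # assumption: anything older than this still needs the update

# Exit 0 when dotted version $1 is older than $2; an "-rcN" suffix is ignored.
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/-.*/, "", a); sub(/-.*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# Read 'systemctl list-unit-files' style lines on stdin and print the unit
# names containing lorry-controller (this catches the webapp named in the
# announcement and any other lorry-controller unit the same way).
lorry_controller_units() {
    awk '$1 ~ /lorry-controller/ { print $1 }'
}

main() {
    installed=$(git --version 2>/dev/null | awk '{ print $3 }')
    if [ -z "$installed" ]; then
        echo "git: not found on PATH"
    elif version_older_than "$installed" "$FIXED"; then
        echo "git $installed is older than $FIXED: update, or keep lorry-controller stopped"
    else
        echo "git $installed: not older than $FIXED"
    fi
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl not available"; return 0; }
    systemctl list-unit-files --no-legend --type=service | lorry_controller_units |
    while read -r unit; do
        if [ "${1:-}" = "--apply" ]; then
            systemctl stop "$unit" && systemctl disable "$unit" && echo "stopped and disabled $unit"
        else
            echo "would stop and disable $unit (rerun with --apply)"
        fi
    done
}

main "$@"
```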
Updating a Trove doesn't require updating any infrastructure that uses
it, such as a distbuild network.
Please ask if you have any questions!
Sam Thursfield, Codethink Ltd.
Office telephone: +44 161 236 5575