Mirror of https://github.com/projectacrn/acrn-hypervisor.git, synced 2025-05-08 08:26:55 +00:00
doc: update asa.rst for v3.0.2 release
Update security advisory for v3.0.2 release.

Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
parent f4f828f762
commit 37750a5a48
doc/asa.rst (39 lines changed)
@ -3,6 +3,45 @@
Security Advisory
#################

Addressed in ACRN v3.0.2
************************
We recommend that all developers using v3.0.1 or earlier upgrade to this v3.0.2
release (or later), which addresses the following security issue discovered in
previous releases. For v3.1 users, these issues are addressed in the v3.2
release:

-----

- Board_inspector: use executables found under system paths
Using partial executable paths in the board inspector may cause unintended
results when another executable has the same name and is also detectable in
the search paths.

Introduce a wrapper module (`external_tools`) which locates executables
only under system paths such as /usr/bin and /usr/sbin and converts partial
executable paths to absolute ones before executing them via the subprocess
module. All invocations to `subprocess.run` or `subprocess.Popen`
throughout the board inspector are replaced with `external_tools.run`, with
the only exception being the invocation to the legacy board parser which
already uses an absolute path to the current Python interpreter.

**Affected Release:** v3.1, v3.0.1 and earlier

- Add tarfile member sanitization to extractall()
A directory traversal vulnerability in the Python tarfile module extractall() functions
could allow user-assisted remote attackers to overwrite arbitrary files via
a ``..`` (dot dot) sequence in filenames in a tar archive, related to CVE-2001-1267.
(Addresses security issue tracked by CVE-2007-4559)

**Affected Release:** v3.1, v3.0.1 and earlier

- PMU (Performance Monitoring Unit) is passed through to an RTVM only for debug mode
Enabling Pass-through PMU counters to RTVM can cause workload interference
in a release build, so enable PMU passthrough only when building ACRN in
debug mode.

**Affected Release:** v3.1, v3.0.1 and earlier

Addressed in ACRN v3.0.1
************************
We recommend that all developers upgrade to this v3.0.1 release (or later), which
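Review bot: "which addresses the following security issue discovered in previous releases" is singular, but three issues follow and the next sentence already says "these issues"; suggest "security issues". The inline names in the board inspector item use single backticks (`external_tools`, `subprocess.run`, `subprocess.Popen`), which reStructuredText treats as interpreted text rather than literals, while the tarfile item uses the literal form ``..``; use double backticks throughout so they render consistently as code. Minor: "Board_inspector" in the bullet title versus "board inspector" in the body, and the first line of the tarfile description runs past the roughly 80-column wrap used in the rest of the section.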