mirror of https://github.com/projectacrn/acrn-hypervisor.git synced 2025-05-08 08:26:55 +00:00

doc: update asa.rst for v3.0.2 release

Update security advisory for v3.0.2 release.

Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
Yonghua Huang 2022-11-21 16:57:45 +03:00 committed by David Kinder
parent f4f828f762
commit 37750a5a48


@ -3,6 +3,45 @@
Security Advisory
#################
Addressed in ACRN v3.0.2
************************
We recommend that all developers using v3.0.1 or earlier upgrade to this v3.0.2
release (or later), which addresses the following security issue discovered in
previous releases. For v3.1 users, these issues are addressed in the v3.2
release:
-----
- Board_inspector: use executables found under system paths
Using partial executable paths in the board inspector may cause unintended
results when another executable has the same name and is also detectable in
the search paths.
Introduce a wrapper module (`external_tools`) which locates executables
only under system paths such as /usr/bin and /usr/sbin and converts partial
executable paths to absolute ones before executing them via the subprocess
module. All invocations to `subprocess.run` or `subprocess.Popen`
throughout the board inspector are replaced with `external_tools.run`, with
the only exception being the invocation to the legacy board parser which
already uses an absolute path to the current Python interpreter.
**Affected Release:** v3.1, v3.0.1 and earlier
- Add tarfile member sanitization to extractall()
A directory traversal vulnerability in the Python tarfile module extractall() functions
could allow user-assisted remote attackers to overwrite arbitrary files via
a ``..`` (dot dot) sequence in filenames in a tar archive, related to CVE-2001-1267.
(Addresses security issue tracked by CVE-2007-4559)
**Affected Release:** v3.1, v3.0.1 and earlier
- PMU (Performance Monitoring Unit) is passed through to an RTVM only for debug mode
Enabling Pass-through PMU counters to RTVM can cause workload interference
in a release build, so enable PMU passthrough only when building ACRN in
debug mode.
**Affected Release:** v3.1, v3.0.1 and earlier
Addressed in ACRN v3.0.1
************************
We recommend that all developers upgrade to this v3.0.1 release (or later), which
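Review bot: the first added bullet ("Board_inspector: use executables found under system paths") wraps `external_tools`, `subprocess.run`, `subprocess.Popen` and `external_tools.run` in single backticks, which reStructuredText renders as interpreted text (the default title-reference role, shown in italics), not as inline code; the second bullet gets it right with ``..``. Switch all four to double backticks so they render as literals like the rest of the advisory. Two smaller points in the same hunk: the intro sentence "which addresses the following security issue discovered in previous releases" is followed by three bullets, so "security issues" fits; and the lone "-----" line sits directly under "release:" in the rendered diff. If no blank line separates them in the source, docutils treats "-----" as a (too short) title underline for "release:" and emits a warning instead of rendering a transition, so either add the blank line or drop the separator.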