
[lsst-sqre/git-lfs-s3-server] One of your dependencies may have a security vulnerability

    Details

      Description

      Email from github:

      sqreadmin,

      We found a potential security vulnerability in a repository for which you have been granted security alert access.
      @lsst-sqre lsst-sqre/git-lfs-s3-server
      Known moderate severity security vulnerability detected in rack-protection < 2.0.0 defined in Gemfile.lock.
      Gemfile.lock update suggested: rack-protection ~> 2.0.0.
      Always verify the validity and compatibility of suggestions with your codebase.


      CVE: https://nvd.nist.gov/vuln/detail/CVE-2018-1000119
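As an added example (not code from this ticket or from the lsst-sqre projects), a small Ruby check that parses a Gemfile.lock and flags gems whose locked version falls inside an advisory's affected range. The Gemfile.lock fragment and the advisory table are constructed here from the alert above (rack-protection < 2.0.0 affected, ~> 2.0.0 suggested).

```ruby
# Added example: detect a locked gem version inside a vulnerable range.
# Uses Gem::Version / Gem::Requirement from Ruby's bundled rubygems.
require 'rubygems'

# Constructed sample Gemfile.lock fragment, laid out as Bundler writes it:
# spec lines indented four spaces, their dependencies six.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.8)
      rack-protection (1.5.3)
        rack
      sinatra (1.4.8)
        rack (~> 1.5)
        rack-protection (~> 1.4)
LOCK

# Advisory data as stated in the GitHub alert (constructed table).
ADVISORIES = {
  'rack-protection' => { affected: '< 2.0.0', fix: '~> 2.0.0' }
}.freeze

# Parse the "specs:" section: only top-level "name (version)" lines are
# locked versions; deeper-indented lines are dependency constraints.
def locked_versions(lock_text)
  lock_text.each_line.with_object({}) do |line, versions|
    next unless line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
    versions[Regexp.last_match(1)] = Gem::Version.new(Regexp.last_match(2))
  end
end

# Return the gems whose locked version satisfies an advisory's affected
# requirement, with the suggested fix range for the report.
def vulnerable_gems(lock_text, advisories = ADVISORIES)
  locked_versions(lock_text).each_with_object([]) do |(name, version), found|
    adv = advisories[name]
    next unless adv
    affected = Gem::Requirement.new(adv[:affected]).satisfied_by?(version)
    found << { name: name, version: version.to_s, fix: adv[:fix] } if affected
  end
end

if $PROGRAM_NAME == __FILE__
  vulnerable_gems(SAMPLE_LOCK).each do |g|
    puts "#{g[:name]} #{g[:version]} is affected; update to #{g[:fix]}"
  end
end
```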

            Activity

            jhoblitt Joshua Hoblitt added a comment -

            An updated docker image has been published as docker.io/lsstsqre/gitlfs-server:g719f696.

            jhoblitt Joshua Hoblitt added a comment -

            Summary of work to date:

            lsst-sqre/git-lfs-s3

            • changes were required to be compatible with sinatra >= 2
            • updated to take advantage of ruby 2.4 features
            • travis-ci/rubocop setup + github branch protection

            lsst-sqre/git-lfs-s3-server

            • add REDIS_SERVICE_HOST and REDIS_SERVICE_PORT env vars to allow usage of a remote redis instance
            • updated to take advantage of ruby 2.4 features
            • travis-ci/rubocop setup + github branch protection

            lsst-sqre/deploy-gitlfs

            • new terraform based deployment onto k8s
            • provisions a gke cluster
            • handles aws iam credentials
            • configures s3 buckets in multiple regions with cross region replication
            • handles route53 DNS
            • demonstrates usage of the terraform-provider-helm plugin to deploy the stable/redis chart
            • includes a simple "acceptance" test to automate testing that an lfs server instance allows writing of objects

            A new deployment was made late this afternoon, the previous lsst-sqre-prod-git-lfs production s3 bucket was sync'd with the new production git-lfs.lsst.codes-us-east-1 bucket, DNS has been cut over, and the instance has been confirmed as working by running the acceptance test script and making clones of afwdata and validation_data_hsc.

            Pending work before closing this ticket:

            • basic deployment notes
            • releasing the resources from the previous git-lfs production/test environments – presumably after the new deployment has proven itself stable for several days.
            jhoblitt Joshua Hoblitt added a comment -

            In addition, the nagios checks were updated to remove the ssh check, which is no longer relevant.

            jhoblitt Joshua Hoblitt added a comment -

            The release/nightly-release, release/weekly-release, and science-pipelines/lsst-distrib jobs all had successful builds over the weekend. I think this is sufficient real world usage to consider the new gke deployment reliable.

            jhoblitt Joshua Hoblitt added a comment -

            AWS EC2 + S3 resources related to the previous git-lfs deployment were cleaned up yesterday morning. The only remaining task on this ticket is a README.


              People

              • Assignee:
                jhoblitt Joshua Hoblitt
                Reporter:
                jhoblitt Joshua Hoblitt
                Watchers:
                J Matt Peterson [X] (Inactive), Joshua Hoblitt
