QID 982974
QID 982974: Python (pip) Security Update for easybuild-framework (GHSA-2wx6-wc87-rmjm)
Security update has been released for easybuild-framework to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
The GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--from-pr`, etc.) is shown in plain text in EasyBuild debug log files.
Scope:
* the log message only appears in the top-level log file, *not* in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html);
- as a consequence, tokens are *not* included in the partial log files that are uploaded into a gist when using `--upload-test-report` in combination with `--from-pr`, nor in the installation logs that are copied to the software installation directories;
* the message is only logged when using `--debug`, so it will not appear when using the default EasyBuild configuration (only info messages are logged by default);
* the log message is triggered via `--from-pr`, but also via various other GitHub integration options like `--new-pr`, `--merge-pr`, `--close-pr`, etc., but usually only appears in the temporary log file that is cleaned up automatically as soon as eb completes successfully;
* you may have several debug log files that include your GitHub token in `/tmp` (or a different location if you've set the `--tmpdir` EasyBuild configuration option) on the systems where you use EasyBuild, but they are located in a subdirectory that is only accessible to your account (permissions set to 700);
* the only way that a log file that may include your token could have been made public is *if you shared it yourself*, for example by copying the contents of the log file into a gist manually, or by sending a log file to someone;
* for log files uploaded to GitHub, your token would be revoked automatically when GitHub notices it;
This fix is included in EasyBuild v4.1.2 (released on Mon Mar 16th 2020), and in the `master`+ `develop` branches of the `easybuild-framework` repository since Mon Mar 16th 2020 (see https://github.com/easybuilders/easybuild-framework/pull/3248 and https://github.com/easybuilders/easybuild-framework/pull/3249 resp.).
**Make sure you revoke the existing GitHub tokens you're using with EasyBuild** (via https://github.com/settings/tokens), and install new ones using "`eb --install-github-token --force`" (see also https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html#installing-a-github-token-install-github-token).Workaround:
* avoid using the GitHub integration features (see https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html) with EasyBuild versions older than version 4.1.2;
* don't share top-level EasyBuild (debug) log files with others, unless you are sure your GitHub token is not included in them;
* clean up temporary EasyBuild log files in `/tmp`on the system(s) where you`re using EasyBuild
- GHSA-2wx6-wc87-rmjm -
github.com/advisories/GHSA-2wx6-wc87-rmjm
CVEs related to QID 982974
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-2wx6-wc87-rmjm | easybuild-framework |
github.com/advisories/GHSA-2wx6-wc87-rmjm |