Page MenuHomePhabricator
Create Task
Maniphest T304226

Gerrit security release 3.3.10
Closed, ResolvedPublicSecurity
Actions

Description

https://groups.google.com/g/repo-discuss/c/JGx3G_KKi9Y

Gerrit version 3.3.10 is now available.

This release includes a fix to prevent DoS by anonymous users performing unlimited changes queries. See the release notes for more details.

Release Notes: https://www.gerritcodereview.com/3.3.html#3310

Log of changes since 3.3.9: https://gerrit.googlesource.com/gerrit/+log/v3.3.9..v3.3.10?no-merges

Security updates:

  • Change 333304: Ignore --no-limit query changes option for anonymous users
  • Prevent the use of no-limit option with query changes REST API. The option can result in excessive resources usage make Gerrit subject to DoS and DDoS by any remote endpoint without the need to have any Gerrit account or signing in.

Details

SubjectRepoBranchLines +/-
Update Gerrit to v3.3.10operations/software/gerritdeploy/wmf/stable-3.3+2 -2
Merge tag 'v3.3.10' into wmf/stable-3.3operations/software/gerritwmf/stable-3.3+0 -0
Customize query in gerrit

Event Timeline

hashar created this task.Mar 20 2022, 10:24 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 20 2022, 10:24 AM
hashar added projects: Gerrit, Release-Engineering-Team.Mar 20 2022, 10:24 AM
Reedy edited projects, added SecTeam-Processed; removed Security-Team.Mar 20 2022, 12:10 PM
hashar claimed this task.Mar 22 2022, 2:37 PM
hashar changed the visibility from "Custom Policy" to "Public (No Login Required)".
hashar changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Mar 22 2022, 2:37 PM

Change 772838 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/software/gerrit@wmf/stable-3.3] Merge tag 'v3.3.10' into wmf/stable-3.3

https://gerrit.wikimedia.org/r/772838

gerritbot added a project: Patch-For-Review.Mar 22 2022, 2:37 PM
Stashbot added a comment.Mar 22 2022, 2:44 PM

Mentioned in SAL (#wikimedia-releng) [2022-03-22T14:44:37Z] <hashar> gerrit: ./deploy_artifacts.py --version=3.3.10 gerrit.war T304226

gerritbot added a comment.Mar 22 2022, 2:48 PM

Change 772838 merged by jenkins-bot:

[operations/software/gerrit@wmf/stable-3.3] Merge tag 'v3.3.10' into wmf/stable-3.3

https://gerrit.wikimedia.org/r/772838

gerritbot added a comment.Mar 22 2022, 3:01 PM

Change 772846 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/software/gerrit@deploy/wmf/stable-3.3] Update Gerrit to v3.3.10

https://gerrit.wikimedia.org/r/772846

gerritbot added a comment.Mar 22 2022, 3:02 PM

Change 772846 merged by jenkins-bot:

[operations/software/gerrit@deploy/wmf/stable-3.3] Update Gerrit to v3.3.10

https://gerrit.wikimedia.org/r/772846

Stashbot added a comment.Mar 22 2022, 3:06 PM

Mentioned in SAL (#wikimedia-operations) [2022-03-22T15:06:22Z] <hashar@deploy1002> Started deploy [gerrit/gerrit@967b0d7]: Gerrit to 3.3.10 on gerrit2001 T304226

Stashbot added a comment.Mar 22 2022, 3:06 PM

Mentioned in SAL (#wikimedia-operations) [2022-03-22T15:06:35Z] <hashar@deploy1002> Finished deploy [gerrit/gerrit@967b0d7]: Gerrit to 3.3.10 on gerrit2001 T304226 (duration: 00m 12s)

Maintenance_bot removed a project: Patch-For-Review.Mar 22 2022, 3:10 PM
Stashbot added a comment.Mar 22 2022, 3:13 PM

Mentioned in SAL (#wikimedia-operations) [2022-03-22T15:13:46Z] <hashar@deploy1002> Started deploy [gerrit/gerrit@967b0d7]: Gerrit to 3.3.10 on gerrit1001 T304226

Stashbot added a comment.Mar 22 2022, 3:13 PM

Mentioned in SAL (#wikimedia-operations) [2022-03-22T15:13:56Z] <hashar@deploy1002> Finished deploy [gerrit/gerrit@967b0d7]: Gerrit to 3.3.10 on gerrit1001 T304226 (duration: 00m 10s)

Stashbot added a comment.Mar 22 2022, 3:14 PM

Mentioned in SAL (#wikimedia-operations) [2022-03-22T15:14:31Z] <hashar> Stopping Gerrit for security update T304226

Stashbot added a comment.Mar 22 2022, 3:17 PM

Mentioned in SAL (#wikimedia-operations) [2022-03-22T15:17:04Z] <hashar> Gerrit 3.3.10 up and running T304226

hashar closed this task as Resolved.Mar 22 2022, 3:20 PM

Both Gerrit instances are running 3.3.10.

The plugins are all set.

I tested CI by reopening a change for test/gerrit-ping https://gerrit.wikimedia.org/r/c/test/gerrit-ping/+/226272 which confirms Zuul reconnected properly.

No errors in the logs https://logstash.wikimedia.org/app/dashboards#/view/AW1f-0k0ZKA7RpirlnKV

Success!

DannyS712 subscribed.Mar 25 2022, 12:03 AM

This seems to have broken the ability to page between search results for repositories, there is no option to see a page 2 at https://gerrit.wikimedia.org/r/admin/repos/q/filter:mediawiki

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL