PyPi: Rucio

CVE-2019-11324

Transitive

Safety vulnerability ID: 64262

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Apr 18, 2019 Updated at Dec 12, 2024

Advisory

Rucio 1.20.0 has updated its urllib3 dependency, moving from the previous version range of >=1.23,<1.24 to a new range of 2.20.0,<2.22.0. This change is a response to the security vulnerability identified as CVE-2019-11324.
https://github.com/rucio/rucio/pull/2506/commits/15b73d85776c07e51ecc4fd0481638228532fc2b

Affected package

rucio

Latest version: 36.0.0

Rucio Package

Affected versions

Fixed versions

Vulnerability changelog

Long Term Support (LTS)

This release marks the start of the 1.20 **Long Term Support (LTS)** release line. This release line will be supported with security and critical patches until at least **June 2021**.

Upgrade Instructions

This feature release requires a database schema upgrade. Please consult the [documentation](https://rucio.readthedocs.io/en/latest/database.html) about upgrading your database schema.

The following changes are necessary and are covered by the `alembic upgrade head` command:

1. Changing size of `extended_attributes` column in `rse_protocols` table (Alembic revision `8523998e2e76`)

2. Adding `comments` column to `subscriptions_history` table (Alembic revision `b8caac94d7f0`)

3. Removal of replica state `SOURCE (S)` since it is not used (Alembic revision `b7d287de34fd`)

- Adapting `REPLICAS_STATE_CHK` constraint in `replicas` table
- Adapting `COLLECTION_REPLICAS_STATE_CHK` constraint in `collection_replicas` table

4. Adding new column to `heartbeats` table (Alembic revision `cebad904c4dd`)

- Adding `payload` column
- Dropping `HEARTBEATS_UPDATED_AT` index

5. Adding `volume` column to `rse_transfer_limits` table (Alembic revision `2cbee484dcf9`)

The following change is only executed on PostgreSQL databases:

1. Changing all ENUM column types to varchar and adding the respective constraint checks (Alembic revision `f1b14a8c2ac1`)

General

Features

- Core & Internals: Size of the "extended_attributes" field of the "rse_protocols" table 1543
- Core & Internals: Bring S3 and Swift signature support in line with rest of code 1787
- Core & Internals: Changing SQLAlchemy engine to create PostgreSQL check_constraints instead of ENUMs 2436
- Core & Internals: Include payload functionality in heartbeats 2443
- Deletion: Use signed URLs when deleting from object stores 2411
- Recovery: Automatic recovery of suspicious files that have more than one replica 403
- Release management: Alembic script for comments column in subscription_history table needed 2238
- Release management: Security vulnerability with Jinja2 CVE-2019-10906 2493
- Release management: Security vulnerability with SQLAlchemy CVE-2019-7164 2494
- Transfers: Throttler mechanic to release transfers based on a strategy (FIFO) 2220

Enhancements

- Core & Internals: ReplicaState.SOURCE is not used and should be removed 1874
- Core & Internals: Upgrade of CHECK_CONSTRAINT of replicas table missing in alembic revision b96a1c7e1cc4 2166
- Dataset deletion: Pause dids in the undertaker which raise nowait errors 2355
- Probes & Alarms: Migrate Nagios probes to a separate repository 1638
- Recovery: Optimize the update of the final states in the necromancer 2601
- Release management: Address security in pycrypto 1475
- Release management: Dependency upgrade for 1.20.0 2460
- Release management: Security vulnerability with urllib3 CVE-2019-11324 2501

Bugs

- Infrastructure: wrong configuration docker dev 2576
- Infrastructure: double requirement definition 2579
- Rebalancing: File size not returned in decommission mode 2591
- Testing: Test error with python3.6.3 2154
- Testing: Fix Python 3.6 syntax test 2496
- Testing: wrong python version in python3 travis test 2541

Clients

Features

- Clients: Implement pcaches into clients. 2039

Enhancements

- Clients: Client: expose replicalocks to client 2112

Bugs

- Clients: Compiling issues with Python 3 (3.6.8) and hash sum calculation 2480


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): HIGH
Availability Impact (A): NONE

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): PARTIAL
Availability Impact (A): NONE