2.7 Release: Freeze Week - security items for 2.7

Joseph Reynolds jrey at linux.ibm.com
Tue Jul 16 09:19:03 AEST 2019

On 7/8/19 2:00 PM, krtaylor wrote:
> Soon we will branch a 2.7 release candidate. <UPDATE: done, see email 
> from Brad> Here are some things to prepare for:
> 1) Start testing the release candidate as soon as possible - please 
> post results to IRC or email, openly discuss any problems that you 
> find on your system.
> 2) Clean up documentation, bring old docs current, add documentation 
> for new functionality.
> 3) Send me any input for release notes that did not make it in a 
> release feature (github issue)

My comments below are not meant as release note candidates.  Perhaps 
they could be further summarized and merged with input from other emails.

> 4)Bug cleanup/feature (issue) cleanup, add comments, indicate state - 
> if something didn't make it in the release, please let me know first 
> and/or come to a release planning meeting and we'll take care of it.

I have one config change and two test cases in my notes below.

> 5) Master will not be frozen, so new functionality can continue to 
> make progress, but please take some time in the next couple of weeks 
> to test or contribute docs, etc
> Remember: communicate outside your organization MUCH more than you 
> think you need to - use IRC, send email, share what you are doing and 
> where you are with it!

Here are some of the interesting security developments from the OpenBMC 
2.7 timeframe (1/2019 to 7/2019):
- BMCWeb became the default HTTP and Web server in the meta-ibm layer.  
It replaced the nginx server.
- The phosphor-user-manager interface unified REST API and IPMI 
authentication and user management.
- BMCWeb changed to accept the Mozilla Modern transport layer security 
(TLS) ciphers.
- BMCWeb improved the security of HTTP response headers it sends.
- The SSH server (dropbear) removed some less-secure transport layer 
security (TLS) ciphers.  These changes are needed to achieve parity with 
the 2.6 release, (and the change go beyond that).  The change was 
adopted by Yocto and is in openbmc master, but did not make it into the 
2.7 release; the fix is pending.
- Note that due to the TLS cipher changes, older web and ssh clients may 
no longer be able to connect.  Modern supported clients should be able 
to connect.
- Added certificate management functions to Redfish: upload, and 
generate via Certificate Signing Requests (CSR).  Some of these 
functions are being debugged.
- Added support for LDAP.
- Added support for virtual media.
- Added support for IP-KVM.
- Added API to change the IPMI root user password.
- An API to reset BMC authentication was replaced with factory reset, in 
the openpower layer.
- Added security test cases for SSH and Redfish interfaces.
- Closed interfaces affected by CVE 2019-6260 (ASPEED BMC interfaces).  
I believe this is not yet integrated into the test suite.
- Addressed webpack-dev-server security in response to CVE 2018-14732.
- Added a network security considerations guide.

- Joseph

> Happy 2.7 release month!
> Kurt Taylor (krtaylor)

More information about the openbmc mailing list