Hello folks,

The software factory deployments we manage have been updated with Zuul's 4.6 security release [1].
This security fix addresses a vulnerability that could potentially expose secrets stored in Zuul, at job execution time.
It is strongly advised to rotate your secrets to circumvent potential leaks.

With this upgrade, the config playbooks/base/post.yaml should be adapted for each Zuul tenant by replacing:

-- hosts: "{{ site_sflogs.fqdn }}"
+- hosts: https://sf.hosted.upshift.rdu2.redhat.com/zuul/
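Review bot: the added `hosts:` value is a full URL (scheme, host name and a trailing `/zuul/` path), while the removed line resolved `site_sflogs.fqdn`, a bare host name. Ansible matches `hosts:` against inventory host or group names, so check that this literal is the name the log server carries in each tenant's inventory; if the inventory lists it by FQDN, put that FQDN here instead of the URL.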


Regards,
Matthieu, on behalf of the Software Factory Operation Team

[1] http://lists.zuul-ci.org/pipermail/zuul-announce/2021-June/000096.html

On Wed, Jun 23, 2021 at 4:37 PM <mhuin@redhat.com> wrote:
Hello folks,

We plan to upgrade the software factory deployment on 2021-06-24 from 14:00 to 16:00 UTC to the next Zuul 4.6 security release [1].

Service interruption is expected, including:
- Zuul CI not running jobs for Gerrit, GitHub or OpenDev.

We expect that the interruption of services will be less than 2 hours.

Regards,
Matthieu, on behalf of the Software Factory Operation Team

[1] http://lists.zuul-ci.org/pipermail/zuul-announce/2021-June/000094.html


--

Matthieu Huin

Senior Software Developer

Red Hat