Debian Bug report logs -
#1021737
lava: CVE-2022-42902
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian LAVA team <pkg-linaro-lava-devel@lists.alioth.debian.org>
:
Bug#1021737
; Package src:lava
.
(Thu, 13 Oct 2022 19:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian LAVA team <pkg-linaro-lava-devel@lists.alioth.debian.org>
.
(Thu, 13 Oct 2022 19:15:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: lava
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for lava.
CVE-2022-42902[0]:
| In Linaro Automated Validation Architecture (LAVA) before 2022.10,
| there is dynamic code execution in lava_server/lavatable.py. Due to
| improper input sanitization, an anonymous user can force the lava-
| server-gunicorn service to execute user-provided code on the server.
https://git.lavasoftware.org/lava/lava/-/merge_requests/1834
https://git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-42902
https://www.cve.org/CVERecord?id=CVE-2022-42902
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 13 Oct 2022 20:51:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Oct 14 13:22:31 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.