murano: CVE-2016-4972: RCE vulnerability in Openstack Murano using insecure YAML tags

Related Vulnerabilities: CVE-2016-4972  

Debian Bug report logs - #828062


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 24 Jun 2016 15:09:02 UTC

Severity: grave

Tags: security, upstream

Found in version murano/1:2.0.0-1

Fixed in version murano/1:2.0.1-1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#828062; Package src:murano. (Fri, 24 Jun 2016 15:09:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 24 Jun 2016 15:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: murano: CVE-2016-4972: RCE vulnerability in Openstack Murano using insecure YAML tags
Date: Fri, 24 Jun 2016 17:05:11 +0200
Source: murano
Version: 1:2.0.0-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for murano.

CVE-2016-4972[0]:
RCE vulnerability in Openstack Murano using insecure YAML tags

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4972
[1] http://seclists.org/oss-sec/2016/q2/593

Regards,
Salvatore



Bug 828062 cloned as bugs 828063, 828064. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 24 Jun 2016 15:15:04 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 27 Jun 2016 19:39:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 27 Jun 2016 19:39:07 GMT)


Message #12 received at 828062-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 828062-close@bugs.debian.org
Subject: Bug#828062: fixed in murano 1:2.0.1-1
Date: Mon, 27 Jun 2016 19:34:28 +0000
Source: murano
Source-Version: 1:2.0.1-1

We believe that the bug you reported is fixed in the latest version of
murano, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 828062@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated murano package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 27 Jun 2016 19:19:58 +0000
Source: murano
Binary: python-murano murano-common murano-api murano-engine murano-cfapi murano-doc
Architecture: source all
Version: 1:2.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 murano-api - cloud-ready application catalog - API server
 murano-cfapi - cloud-ready application catalog - Cloud Foundry broker
 murano-common - cloud-ready application catalog - common files
 murano-doc - cloud-ready application catalog - doc
 murano-engine - cloud-ready application catalog - Engine server
 python-murano - cloud-ready application catalog - Python 2.x server code
Closes: 828062
Changes:
 murano (1:2.0.1-1) unstable; urgency=medium
 .
   * New upstream release:
     - Fixes CVE-2016-4972: RCE vulnerability in Openstack Murano using insecure
       YAML tags (Closes: #828062).
   * Fixed (build-)depends for this release.
Checksums-Sha1:
Checksums-Sha256:
Files:





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jul 2016 07:34:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:13:05 2019; Machine Name: buxtehude
