CVE-2016-2788

Related Vulnerabilities: CVE-2016-2788, CVE-2017-2292, CVE-2014-3251

Debian Bug report logs - #850968
CVE-2016-2788

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 11 Jan 2017 17:27:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions mcollective/2.6.0+dfsg-2.1, mcollective/2.0.0+dfsg-2

Fixed in version mcollective/2.12.0+dfsg-1

Done: Sebastien Badia <sbadia@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>:
Bug#850968; Package src:mcollective. (Wed, 11 Jan 2017 17:27:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>. (Wed, 11 Jan 2017 17:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-2788
Date: Wed, 11 Jan 2017 18:24:24 +0100
Source: mcollective
Severity: grave
Tags: security

Please see https://puppet.com/security/cve/cve-2016-2788

Cheers,
        Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 18:57:06 GMT)


Marked as found in versions mcollective/2.0.0+dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 18:57:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>:
Bug#850968; Package src:mcollective. (Sat, 21 Jan 2017 23:21:05 GMT)


Acknowledgement sent to Christian Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>. (Sat, 21 Jan 2017 23:21:05 GMT)


Message #14 received at 850968@bugs.debian.org:

From: Christian Hofstaedtler <zeha@debian.org>
To: 850968@bugs.debian.org
Subject: Re: Bug#850968: CVE-2016-2788
Date: Sun, 22 Jan 2017 00:17:09 +0100

* Moritz Muehlenhoff <jmm@debian.org> [170121 23:16]:
> Source: mcollective
> 
> Please see https://puppet.com/security/cve/cve-2016-2788

Looks like the fix is in this commit/merge:
https://github.com/puppetlabs/marionette-collective/commit/4918a0f136aea04452b48a1ba29eb9aabcf5c97d

I've checked the 2.6.x branch and it appears to have the vulnerable
code too.

-- 
christian hofstaedtler <zeha@debian.org>



Marked as found in versions mcollective/2.6.0+dfsg-2.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 22 Jan 2017 10:33:08 GMT)


Added tag(s) fixed-upstream. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Tue, 07 Feb 2017 19:03:02 GMT)


Reply sent to Sebastien Badia <sbadia@debian.org>:
You have taken responsibility. (Fri, 06 Apr 2018 10:09:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 06 Apr 2018 10:09:13 GMT)


Message #23 received at 850968-close@bugs.debian.org:

From: Sebastien Badia <sbadia@debian.org>
To: 850968-close@bugs.debian.org
Subject: Bug#850968: fixed in mcollective 2.12.0+dfsg-1
Date: Fri, 06 Apr 2018 10:06:33 +0000
Source: mcollective
Source-Version: 2.12.0+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mcollective, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850968@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Badia <sbadia@debian.org> (supplier of updated mcollective package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Apr 2018 11:43:02 +0200
Source: mcollective
Binary: mcollective mcollective-client mcollective-common mcollective-doc
Architecture: source
Version: 2.12.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>
Changed-By: Sebastien Badia <sbadia@debian.org>
Description:
 mcollective - Marionette Collective clustering framework - server
 mcollective-client - Marionette Collective clustering framework - clients
 mcollective-common - Marionette Collective clustering framework - common files
 mcollective-doc - Marionette Collective clustering framework - documentation
Closes: 709417 758701 850968 866711
Changes:
 mcollective (2.12.0+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 2.12.0+dfsg
     + Upstream fix for CVE-2017-2292 (Closes: #866711)
     + Upstream fix for CVE-2016-2788 (Closes: #850968)
     + Upstream fix for CVE-2014-3251 (Closes: #758701)
   * d/compat: Bump compat version to 11
   * d/control:
     + Bump to Standards-Version 4.1.3 (no changes needed)
     + Use salsa.debian.org in Vcs-* fields
     + Added myself as Uploader
     + Remove dh-systemd and gem2deb fixed version
   * d/upstream: Added Upstream metadata
   * d/copyright:
     + Fix license name and update upstream url
     + Use Files-Excluded target for dfsg repack
     + Remove section about ext/action_helpers (repack)
   * d/examples: Remove un-used mcollective-common.examples
   * d/rules: Remove deprecated dh-systemd rules
   * d/changelog: Added upstream changelog
   * d/watch:
     + Bump to version 4 switch to https and test pgpmode
     + Fixes watch file (opts=pgpmode=auto)
   * d/init:
     + Remove default (init.d-script-should-always-start-service)
     + Update systemd unit (refs upstream changes) (Closes: #709417)
   * d/man: Added manpages for mco and mcollectived
   * d/patches: Fix lintian issue with documentation (privacy-breach-generic)
   * d/tests: Added dep8 autopkgtest testsuite (Closes: LP1679336)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 31 May 2018 07:28:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:47:46 2019; Machine Name: buxtehude
