ironic-inspector: CVE-2019-10141: SQL Injection vulnerability when receiving introspection data
Debian Bug report logs - #929332

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 21 May 2019 19:42:02 UTC

Severity: grave

Tags: security, upstream

Found in version ironic-inspector/8.0.0-2

Fixed in version ironic-inspector/8.0.0-3

Done: Thomas Goirand <zigo@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#929332; Package src:ironic-inspector. (Tue, 21 May 2019 19:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>. (Tue, 21 May 2019 19:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ironic-inspector: CVE-2019-10141: SQL Injection vulnerability when receiving introspection data
Date: Tue, 21 May 2019 21:38:44 +0200
Source: ironic-inspector
Version: 8.0.0-2
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for ironic-inspector.

CVE-2019-10141[0]:
SQL Injection vulnerability when receiving introspection data

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10141
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10141
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1711722
[2] https://review.opendev.org/#/c/660234/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
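The report above names the bug class (SQL injection in data the inspector receives during introspection) but not the mechanism; the mechanism is in the upstream review linked as [2]. The following Python example is added here and is not code from ironic-inspector, from the upstream fix, or from the Debian package. It shows the defect class in its simplest form against an in-memory SQLite table: a node lookup that splices a value taken from the introspection payload into a SQL string, next to the parameterized lookup that the standard fix applies. The table, the `bmc_address` column, the function names and the payload are all constructed for this illustration and are not ironic-inspector's schema or API.

```python
import sqlite3

# Constructed sample node table for the illustration; not ironic-inspector's schema.
SAMPLE_NODES = [
    ("11111111-1111-1111-1111-111111111111", "bmc-01"),
    ("22222222-2222-2222-2222-222222222222", "bmc-02"),
    ("33333333-3333-3333-3333-333333333333", "bmc-03"),
]


def make_db():
    """Create an in-memory SQLite database with a hypothetical nodes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nodes (uuid TEXT PRIMARY KEY, bmc_address TEXT)")
    conn.executemany("INSERT INTO nodes VALUES (?, ?)", SAMPLE_NODES)
    return conn


def find_nodes_vulnerable(conn, bmc_address):
    """Hypothetical vulnerable lookup: the caller-supplied value is spliced
    into the SQL text, so quote characters in it change the query's meaning."""
    sql = "SELECT uuid FROM nodes WHERE bmc_address = '%s' ORDER BY uuid" % bmc_address
    return [row[0] for row in conn.execute(sql)]


def find_nodes_safe(conn, bmc_address):
    """Hardened lookup: the value is passed as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT uuid FROM nodes WHERE bmc_address = ? ORDER BY uuid"
    return [row[0] for row in conn.execute(sql, (bmc_address,))]


# Constructed payload shaped like a field a node might report about itself.
# In ironic-inspector the introspection data is posted by the ramdisk running
# on the hardware under inspection, so every field in it is attacker-influenced.
INJECTED_PAYLOAD = {"bmc_address": "x' OR '1'='1"}


def demo():
    """Run the injected value through both lookups and a legitimate value
    through the safe one; returns the three result lists for comparison."""
    conn = make_db()
    addr = INJECTED_PAYLOAD["bmc_address"]
    return {
        # Vulnerable: WHERE bmc_address = 'x' OR '1'='1' matches every row.
        "vulnerable": find_nodes_vulnerable(conn, addr),
        # Safe: the literal string "x' OR '1'='1" matches no bmc_address.
        "safe": find_nodes_safe(conn, addr),
        # Safe lookup still works for an ordinary value.
        "legit": find_nodes_safe(conn, "bmc-02"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running `demo()` shows the injected value matching every row through the vulnerable lookup and no row through the parameterized one. The operator-facing point is that a lookup keyed on anything the ramdisk reports must treat that value as untrusted input, which is what binding it as a query parameter rather than formatting it into the statement achieves.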



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#929332. (Wed, 22 May 2019 07:33:08 GMT)


Message #8 received at 929332-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 929332-submitter@bugs.debian.org
Subject: Bug#929332 marked as pending in ironic-inspector
Date: Wed, 22 May 2019 07:26:30 +0000
Control: tag -1 pending

Hello,

Bug #929332 in ironic-inspector reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/ironic-inspector/commit/07b571df2e84514751146e89a6671c73a0b55e0c

------------------------------------------------------------------------
* CVE-2019-10141: SQL Injection vulnerability when receiving introspection
    data. Applied upstream fix: Eliminate SQL injection vulnerability in
    node_cache (Closes: #929332).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/929332



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 929332-submitter@bugs.debian.org. (Wed, 22 May 2019 07:33:08 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 22 May 2019 07:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 22 May 2019 07:51:05 GMT)


Message #15 received at 929332-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 929332-close@bugs.debian.org
Subject: Bug#929332: fixed in ironic-inspector 8.0.0-3
Date: Wed, 22 May 2019 07:48:38 +0000
Source: ironic-inspector
Source-Version: 8.0.0-3

We believe that the bug you reported is fixed in the latest version of
ironic-inspector, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929332@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ironic-inspector package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 22 May 2019 09:20:30 +0200
Source: ironic-inspector
Binary: ironic-inspector python3-ironic-inspector
Architecture: source all
Version: 8.0.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 ironic-inspector - discovering hardware properties for OpenStack Ironic - Daemon
 python3-ironic-inspector - discovering hardware properties for OpenStack Ironic - Python 2.7
Closes: 929332
Changes:
 ironic-inspector (8.0.0-3) unstable; urgency=high
 .
   * CVE-2019-10141: SQL Injection vulnerability when receiving introspection
     data. Applied upstream fix: Eliminate SQL injection vulnerability in
     node_cache (Closes: #929332).
Checksums-Sha1:
 1e027abad1b3935a684ee58f99b7f4a2b3cd9546 3376 ironic-inspector_8.0.0-3.dsc
 b37910abfe0cbcddce0f02d1629d30c9b928150b 8064 ironic-inspector_8.0.0-3.debian.tar.xz
 4c9c0066df7a59213e207b2e9bd4922a9cdfbad5 36696 ironic-inspector_8.0.0-3_all.deb
 d82962177a8d29d80db7594b87806f49413d8d98 13830 ironic-inspector_8.0.0-3_amd64.buildinfo
 75e9a09e1d14aa1672ff735809cf8cf58b0b56ec 110688 python3-ironic-inspector_8.0.0-3_all.deb
Checksums-Sha256:
 5fe39181f0d03d0bd95260b72019be0c124fcacb0079945538ba12ff4315b54c 3376 ironic-inspector_8.0.0-3.dsc
 69cc07db88cbf14ec43b6ecadd849d08d4e71e66273132e4e461f4422582b288 8064 ironic-inspector_8.0.0-3.debian.tar.xz
 a257d34974a3c2237dea8a213bdae72d6d644f41b7b6bda4345923c8e58fed1e 36696 ironic-inspector_8.0.0-3_all.deb
 9293ee9dfe83d1b611a39f4dcce1e87a1eba1df044e8c335584c2659a996dda5 13830 ironic-inspector_8.0.0-3_amd64.buildinfo
 5fd03311854e5df3354100c9081e2653c0651f5c887f1cebfb43379fb55a7bcf 110688 python3-ironic-inspector_8.0.0-3_all.deb
Files:
 badb303748ace3baef903dd6f9ba1c07 3376 python optional ironic-inspector_8.0.0-3.dsc
 88173ab7635893eb2e2476de61eaf33c 8064 python optional ironic-inspector_8.0.0-3.debian.tar.xz
 f81e2dc1cfc0dfeb9be43d11a307811d 36696 python optional ironic-inspector_8.0.0-3_all.deb
 6c4d49676788a5650862b27acdebc8a8 13830 python optional ironic-inspector_8.0.0-3_amd64.buildinfo
 7b318a170c3540e58692fff4bd96942b 110688 python optional python3-ironic-inspector_8.0.0-3_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:20:17 2019; Machine Name: buxtehude