mcollective: CVE-2017-2292: Remote code execution via YAML deserialization


Debian Bug report logs - #866711
mcollective: CVE-2017-2292: Remote code execution via YAML deserialization


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 1 Jul 2017 06:51:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version mcollective/2.6.0+dfsg-2.1

Fixed in version mcollective/2.12.0+dfsg-1

Done: Sebastien Badia <sbadia@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>:
Bug#866711; Package src:mcollective. (Sat, 01 Jul 2017 06:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>. (Sat, 01 Jul 2017 06:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mcollective: CVE-2017-2292: Remote code execution via YAML deserialization
Date: Sat, 01 Jul 2017 08:46:13 +0200
Source: mcollective
Version: 2.6.0+dfsg-2.1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for mcollective.

CVE-2017-2292[0]:
| Versions of MCollective prior to 2.10.4 deserialized YAML from agents
| without calling safe_load, allowing the potential for arbitrary code
| execution on the server. The fix for this is to call YAML.safe_load on
| input. This has been tested in all Puppet-supplied MCollective
| plugins, but there is a chance that third-party plugins could rely on
| this insecure behavior.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2292
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2292
[1] https://puppet.com/security/cve/cve-2017-2292
[2] https://github.com/puppetlabs/marionette-collective/commit/e0e741889f5adeb8f75387037106b0d28a9099b0

Regards,
Salvatore
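The advisory above says the fix is to deserialize agent replies with YAML.safe_load instead of the unrestricted loader. The block below is an added illustration of that hardened pattern and is not code from MCollective or from this bug report: it accepts only plain data and Symbols (MCollective replies use symbol keys) and rejects documents that carry Ruby object tags or aliases. The reply documents and the PlaceholderClass name are constructed for the example.

```ruby
require 'yaml'

# Constructed reply in the general shape an agent would return
# (symbol keys, simple scalars); not taken from the project.
GOOD_REPLY = <<~YAML
  :senderid: node1.example
  :msgtime: 1498891573
  :body:
    :statuscode: 0
    :statusmsg: OK
YAML

# Constructed reply carrying an arbitrary-object tag. PlaceholderClass is a
# placeholder name: safe_load rejects the tag before trying to resolve it.
TAGGED_REPLY = "--- !ruby/object:PlaceholderClass\nmsg: hi\n"

# Constructed reply using anchors/aliases, which safe_load refuses by
# default (aliases are the mechanism behind YAML expansion blow-ups).
ALIASED_REPLY = "a: &x [1, 2]\nb: *x\n"

# Hardened deserializer: only plain YAML data plus Symbol is permitted.
# Returns {ok: true, data: hash} or {ok: false, reason: text}.
def parse_agent_reply(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [Symbol])
  return { ok: false, reason: "reply is not a mapping" } unless data.is_a?(Hash)
  { ok: true, data: data }
rescue Psych::DisallowedClass => e
  { ok: false, reason: "disallowed class: #{e.message}" }
rescue Psych::BadAlias => e
  { ok: false, reason: "aliases not permitted: #{e.message}" }
rescue Psych::SyntaxError => e
  { ok: false, reason: "malformed YAML: #{e.message}" }
end

if __FILE__ == $PROGRAM_NAME
  [GOOD_REPLY, TAGGED_REPLY, ALIASED_REPLY].each do |doc|
    puts parse_agent_reply(doc).inspect
  end
end
```

Psych::AliasesNotEnabled (newer Psych) is a subclass of Psych::BadAlias, so the rescue covers both old and new Ruby releases.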



Reply sent to Sebastien Badia <sbadia@debian.org>:
You have taken responsibility. (Fri, 06 Apr 2018 10:09:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 06 Apr 2018 10:09:15 GMT)


Message #10 received at 866711-close@bugs.debian.org:

From: Sebastien Badia <sbadia@debian.org>
To: 866711-close@bugs.debian.org
Subject: Bug#866711: fixed in mcollective 2.12.0+dfsg-1
Date: Fri, 06 Apr 2018 10:06:33 +0000
Source: mcollective
Source-Version: 2.12.0+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mcollective, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866711@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Badia <sbadia@debian.org> (supplier of updated mcollective package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 06 Apr 2018 11:43:02 +0200
Source: mcollective
Binary: mcollective mcollective-client mcollective-common mcollective-doc
Architecture: source
Version: 2.12.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>
Changed-By: Sebastien Badia <sbadia@debian.org>
Description:
 mcollective - Marionette Collective clustering framework - server
 mcollective-client - Marionette Collective clustering framework - clients
 mcollective-common - Marionette Collective clustering framework - common files
 mcollective-doc - Marionette Collective clustering framework - documentation
Closes: 709417 758701 850968 866711
Changes:
 mcollective (2.12.0+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 2.12.0+dfsg
     + Upstream fix for CVE-2017-2292 (Closes: #866711)
     + Upstream fix for CVE-2016-2788 (Closes: #850968)
     + Upstream fix for CVE-2014-3251 (Closes: #758701)
   * d/compat: Bump compat version to 11
   * d/control:
     + Bump to Standards-Version 4.1.3 (no changes needed)
     + Use salsa.debian.org in Vcs-* fields
     + Added myself as Uploader
     + Remove dh-systemd and gem2deb fixed version
   * d/upstream: Added Upstream metadata
   * d/copyright:
     + Fix license name and update upstream url
     + Use Files-Excluded target for dfsg repack
     + Remove section about ext/action_helpers (repack)
   * d/examples: Remove un-used mcollective-common.examples
   * d/rules: Remove deprecated dh-systemd rules
   * d/changelog: Added upstream changelog
   * d/watch:
     + Bump to version 4 switch to https and test pgpmode
     + Fixes watch file (opts=pgpmode=auto)
   * d/init:
     + Remove default (init.d-script-should-always-start-service)
     + Update systemd unit (refs upstream changes) (Closes: #709417)
   * d/man: Added manpages for mco and mcollectived
   * d/patches: Fix lintian issue with documentation (privacy-breach-generic)
   * d/tests: Added dep8 autopkgtest testsuite (Closes: LP1679336)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 31 May 2018 07:25:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:47:06 2019; Machine Name: buxtehude
