Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201709-06 ] Supervisor: command injection vulnerability
Date: Sun, 17 Sep 2017 15:49:50
Message-Id: 71705103.WXi7g43Gmp@localhost.localdomain
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201709-06
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: Supervisor: command injection vulnerability
9 Date: September 17, 2017
10 Bugs: #626100
11 ID: 201709-06
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A vulnerability in Supervisor might allow remote attackers to execute
19 arbitrary code.
20
21
22
23 Background
24 ==========
25
26 Supervisor is a client/server system that allows its users to monitor
27 and control a number of processes on UNIX-like operating systems.
28
29 Affected packages
30 =================
31
32 -------------------------------------------------------------------
33 Package / Vulnerable / Unaffected
34 -------------------------------------------------------------------
35 1 app-admin/supervisor < 3.1.4 >= 3.1.4
36
37 Description
38 ===========
39
40 A vulnerability in Supervisor was discovered in which an authenticated
41 client could send malicious XML-RPC requests and supervidord will run
42 them as shell commands with process privileges. In some cases,
43 supervisord is configured with root permissions.
44
45 Impact
46 ======
47
48 A remote attacker could execute arbitrary code with the privileges of
49 the process.
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 All Supervisor users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot --verbose "=app-admin/supervisor-3.1.4"
63
64 References
65 ==========
66
67 [ 1 ] CVE-2017-11610
68 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11610
69
70 Availability
71 ============
72
73 This GLSA and any updates to it are available for viewing at
74 the Gentoo Security Website:
75
76 https://security.gentoo.org/glsa/201709-06
77
78 Concerns?
79 =========
80
81 Security is a primary focus of Gentoo Linux and ensuring the
82 confidentiality and security of our users' machines is of utmost
83 importance to us. Any security concerns should be addressed to
84 security@g.o or alternatively, you may file a bug at
85 https://bugs.gentoo.org.
86
87 License
88 =======
89
90 Copyright 2017 Gentoo Foundation, Inc; referenced text
91 belongs to its owner(s).
92
93 The contents of this document are licensed under the
94 Creative Commons - Attribution / Share Alike license.
95
96 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature