Cobbler command injection vulnerability (CVE-2017-1000469)
Bug #1742098 reported by
Adam Heczko
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Fuel for OpenStack |
Fix Released
|
Medium
|
MOS Maintenance | ||
| 7.0.x |
New
|
Medium
|
MOS Maintenance | ||
| 8.0.x |
New
|
Medium
|
MOS Maintenance | ||
Bug Description
Detailed bug description:
Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.
Fuel node ships with Cobbler used for cloud deployment purposes. Although Cobber API is not intended to use over the network in Fuel use case we need to provide updated Cobbler packages.
| description: | updated |
| description: | updated |
| description: | updated |
| Changed in fuel: | |
| assignee: | nobody → MOS Maintenance (mos-maintenance) |
Revision history for this message
| Alexander Rubtsov (arubtsov) wrote | #1 |
| tags: | added: customer-found sla2 |
| Changed in fuel: | |
| milestone: | 9.x-updates → 9.2-mu-5 |
| status: | New → Confirmed |
Revision history for this message
| Fuel Devops McRobotson (fuel-devops-robot) wrote Fix proposed to packages/centos7/cobbler (9.0) | #2 |
Revision history for this message
| Fuel Devops McRobotson (fuel-devops-robot) wrote Fix merged to packages/centos7/cobbler (9.0) | #3 |
| Changed in fuel: | |
| status: | Confirmed → Fix Committed |
Revision history for this message
| Vladimir Jigulin (vjigulin) wrote | #4 |
| Changed in fuel: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
sla2 for 9.0-updates