On 11/3/18 8:26 AM, Salvatore Bonaccorso wrote: > Source: mistral > Version: 7.0.0-1 > Severity: grave > Tags: patch security upstream > Forwarded: https://bugs.launchpad.net/mistral/+bug/1783708 > > Hi, > > The following vulnerability was published for mistral. > > CVE-2018-16849[0]: > | A flaw was found in openstack-mistral. By manipulating the SSH private > | key filename, the std.ssh action can be used to disclose the presence > | of arbitrary files within the filesystem of the executor running the > | action. Since std.ssh private_key_filename can take an absolute path, > | it can be used to assess whether or not a file exists on the > | executor's filesystem. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2018-16849 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16849 > [1] https://bugs.launchpad.net/mistral/+bug/1783708 > > Please adjust the affected versions in the BTS as needed. > > Regards, > Salvatore
Hi Salvatore, I have fixed the package in Sid, and uploaded a fixed version at: http://sid.gplhost.com/stretch-proposed-updates/mistral/ The debdiff is here: http://sid.gplhost.com/stretch-proposed-updates/mistral/mistral_3.0.0-4+deb9u1.debdiff It's basically a one liner that is outputing on the log instead of stdout, so trivial to review. Let me know if I should upload (in which case, I'll need to rebuild with --force-orig-source, I believe). Cheers, Thomas Goirand (zigo)
