Hi Thomas,

On Mon, Nov 05, 2018 at 03:52:57PM +0100, Thomas Goirand wrote:
> On 11/3/18 8:26 AM, Salvatore Bonaccorso wrote:
> > Source: mistral
> > Version: 7.0.0-1
> > Severity: grave
> > Tags: patch security upstream
> > Forwarded: https://bugs.launchpad.net/mistral/+bug/1783708
> >
> > Hi,
> >
> > The following vulnerability was published for mistral.
> >
> > CVE-2018-16849[0]:
> > | A flaw was found in openstack-mistral. By manipulating the SSH private
> > | key filename, the std.ssh action can be used to disclose the presence
> > | of arbitrary files within the filesystem of the executor running the
> > | action. Since std.ssh private_key_filename can take an absolute path,
> > | it can be used to assess whether or not a file exists on the
> > | executor's filesystem.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-16849
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16849
> > [1] https://bugs.launchpad.net/mistral/+bug/1783708
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> I have fixed the package in Sid, and uploaded a fixed version at:
> http://sid.gplhost.com/stretch-proposed-updates/mistral/

Thanks, I have updated the tracker information.

> The debdiff is here:
> http://sid.gplhost.com/stretch-proposed-updates/mistral/mistral_3.0.0-4+deb9u1.debdiff
>
> It's basically a one liner that is outputting on the log instead of
> stdout, so trivial to review. Let me know if I should upload (in which
> case, I'll need to rebuild with --force-orig-source, I believe).

The issue was determined to be not severe enough to warrant a DSA (on
its own). Might you reschedule an update for the next (9.6 is now too
late) point release of stretch?

Thanks already!

Regards,
Salvatore
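The bug discussed in this thread is a file-existence oracle: an action that accepts an arbitrary private key path and reports a different error depending on whether the file is there lets a caller probe the executor's filesystem. The following is an added illustration, not the Mistral code or the Debian patch (which, per the thread, moves the message to the log rather than stdout). It shows the two defensive measures together: confine `private_key_filename` to a configured key directory, and return the same generic error to the caller for every failure while writing the specific reason only to the log. The function names, the key directory, and the constructed sample key are hypothetical.

```python
import logging
import os
import tempfile

log = logging.getLogger("ssh_action_example")  # hypothetical logger name

# Generic message returned to the caller for every failure, so that
# "rejected path", "missing file" and "unreadable file" are indistinguishable.
GENERIC_ERROR = "unable to load private key"


def validate_key_path(private_key_filename, key_dir):
    """Return the resolved key path if it lies inside key_dir, else None.

    Absolute paths, '..' components and symlinks escaping key_dir are rejected,
    so the caller can never name a file outside the configured directory.
    """
    if not private_key_filename or os.path.isabs(private_key_filename):
        return None
    base = os.path.realpath(key_dir)
    candidate = os.path.realpath(os.path.join(base, private_key_filename))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def load_private_key(private_key_filename, key_dir):
    """Return (key_bytes, error). On failure key_bytes is None and error is
    always GENERIC_ERROR; the distinguishing detail goes only to the log."""
    path = validate_key_path(private_key_filename, key_dir)
    if path is None:
        log.warning("rejected private_key_filename %r (outside %s)",
                    private_key_filename, key_dir)
        return None, GENERIC_ERROR
    try:
        with open(path, "rb") as fh:
            return fh.read(), None
    except OSError as exc:
        # FileNotFoundError and PermissionError both land here; the caller
        # cannot tell them apart from a rejected path.
        log.warning("could not read private key %s: %s", path, exc)
        return None, GENERIC_ERROR


def demo():
    """Constructed scenario: a temporary key directory holding one fake key.

    Returns the (key_bytes, error) pair for a valid name, an absolute path,
    a traversal attempt and a missing key in that directory.
    """
    with tempfile.TemporaryDirectory() as key_dir:
        with open(os.path.join(key_dir, "id_rsa"), "wb") as fh:
            fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE-SAMPLE\n")
        return {
            "valid": load_private_key("id_rsa", key_dir),
            "absolute": load_private_key("/etc/passwd", key_dir),
            "traversal": load_private_key("../../etc/passwd", key_dir),
            "missing": load_private_key("id_ed25519", key_dir),
        }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, (key, err) in demo().items():
        print(f"{name:10s} -> {'key loaded' if key else err}")
```

The three failure cases all produce the identical caller-visible string; only the operator reading the executor log sees which one occurred, which is the property the fix in the thread aims for.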

