Source: pcp Version: 6.2.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for pcp. CVE-2024-3019[0]: | A flaw was found in PCP. The default pmproxy configuration exposes | the Redis server backend to the local network, allowing remote | command execution with the privileges of the Redis user. This issue | can only be exploited when pmproxy is running. By default, pmproxy | is not running and needs to be started manually. The pmproxy service | is usually started from the 'Metrics settings' page of the Cockpit | web interface. This flaw affects PCP versions 4.3.4 and newer. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-3019 https://www.cve.org/CVERecord?id=CVE-2024-3019 [1] https://bugzilla.redhat.com/show_bug.cgi?id=2271898 [2] https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e Please adjust the affected versions in the BTS as needed. Regards, Salvatore