Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Dear release team,

The security team doesn't wish to do a DSA for this CVE, and asked me to
deal with it with the release team. Here's the CVE description:

CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
applied upstream patch: remove extra information from std.ssh action.
(Closes: #912714).

Debdiff is attached. Please allow me to upload the fix to Stretch.

Cheers,

Thomas Goirand (zigo)
diff --git a/debian/changelog b/debian/changelog
index b2ce8602..06234034 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+mistral (3.0.0-4+deb9u1) stretch-security; urgency=medium
+
+ * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
+applied upstream patch: remove extra information from std.ssh action.
+(Closes: #912714).
+
+ -- Thomas Goirand Mon, 05 Nov 2018 14:38:44 +0100
+
mistral (3.0.0-4) unstable; urgency=medium
* Add allow-sqla-1.1.patch to allow SQLA transition.
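Review bot: the distribution in the new changelog stanza is wrong for this upload path: the covering mail says the security team declined a DSA and the fix is going through the release team as a pu request, so the entry should target stable-proposed-updates, not the security archive. Suggest changing `+mistral (3.0.0-4+deb9u1) stretch-security; urgency=medium` to `mistral (3.0.0-4+deb9u1) stretch; urgency=medium`; the version number itself (+deb9u1) is fine for a stretch p-u.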
diff --git
a/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
b/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
new file mode 100644
index ..af601bbf
--- /dev/null
+++
b/debian/patches/CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch
@@ -0,0 +1,29 @@
+Description: CVE-2018-16849: Remove extra information from std.ssh action
+ The ssh error message can lead to information leak.
+ Removing the extra ssh message effects only the CLI call,
+ the full message is still being logged
+Author: apetrich
+Date: Mon, 3 Sep 2018 14:00:22 +0200
+Change-Id: I0b28e1cb17d4ce3ae711a25b6eaffb4ebf00ccd6
+Bug-Ubuntu: https://launchpad.net/bugs/1783708
+Bug-Debian: https://bugs.debian.org/912714
+Origin: upstream, https://review.openstack.org/601214
+Last-Update: 2018-11-05
+
+Index: mistral/mistral/actions/std_actions.py
+===
+--- mistral.orig/mistral/actions/std_actions.py
mistral/mistral/actions/std_actions.py
+@@ -358,8 +358,11 @@ class SSHAction(base.Action):
+ def raise_exc(parent_exc=None):
+ message = ("Failed to execute ssh cmd "
+"'%s' on %s" % (self.cmd, self.host))
++# We suppress the actual parent error messages in favor of
++# more generic ones as we might be leaking information to the CLI
+ if parent_exc:
+-message += "\nException: %s" % str(parent_exc)
++# The full error message needs to be logged regardless
++LOG.exception(message + " Exception: %s", str(parent_exc))
+ raise exc.ActionException(message)
+
+ try:
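Review bot: two points on the backported patch. First, the DEP-3 Description has a typo ("effects only the CLI call" should be "affects"), and it is worth being precise about what the change does and does not hide: the parent exception text is no longer appended to the ActionException that reaches the CLI/API, but it is still written in full, at error level with a traceback, by the new `LOG.exception(message + " Exception: %s", str(parent_exc))` inside the `if parent_exc:` branch, so the file-presence detail the CVE is about now lives only in the mistral log and that log needs to be treated accordingly. Second, the patch was written against a newer upstream tree than the 3.0.0 in stretch; `LOG` is used here without being introduced by the hunk, so please confirm that `LOG` is already defined at module level in the stretch copy of `mistral/actions/std_actions.py` before upload (a build or import test of the patched module is enough). The hunk header `@@ -358,8 +358,11 @@` is consistent with the one removed and four added lines.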
diff --git a/debian/patches/series b/debian/patches/series
index 7f9d7ed2..5017dfe7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
allow-sqla-1.1.patch
+CVE-2018-16849_Remove_extra_information_from_std.ssh_action.patch