A vulnerability was found where an authenticated client can send a malicious XML-RPC request to ``supervisord`` that will run arbitrary shell commands on the server. The commands will be run as the same user as ``supervisord``. Depending on how ``supervisord`` has been configured, this may be root. The issue is fixed in 3.1.4 and 3.3.3.
PR here: https://github.com/gentoo/gentoo/pull/5205
Vulnerable versions removed from the tree: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=820ed95555d025e4b0abb3f34a2e1cb95603b6de
*** Bug 628724 has been marked as a duplicate of this bug. ***
@maintainer(s), thank you for your work. Ping @Security, please follow the procedure to close this report, thank you.
This issue was resolved and addressed in GLSA 201709-06 at https://security.gentoo.org/glsa/201709-06 by GLSA coordinator Aaron Bauman (b-man).