Bug 653590 - <www-servers/gunicorn-19.7.1 - Incomplete privileges drop
Summary: <www-servers/gunicorn-19.7.1 - Incomplete privileges drop
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/benoitc/gunicorn/i...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-20 08:50 UTC by Hector Martin
Modified: 2019-03-21 22:24 UTC
CC List: 1 user

See Also:
Package list:
=www-servers/gunicorn-19.8.1
Runtime testing required: ---
stable-bot: sanity-check+
Description Hector Martin 2018-04-20 08:50:31 UTC
Can we get a version bump? 19.7.1 was released over a year ago, and includes important fixes over 19.6.0. In particular, 19.6.0 does not support setting supplementary groups for worker processes, which is a security issue (they wind up with root's group list).
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2018-04-20 09:05:55 UTC
Better be safe...
Comment 2 Hector Martin 2018-04-20 13:05:24 UTC
To add to the security impact info:

- Affected versions are <www-servers/gunicorn-19.7.0 (.1 came later)
- To properly drop privileges, gunicorn needs to be started with --initgroups (or initgroups = True in the config file). I don't know why they don't just do the right thing by default... I guess it *technically* would be backwards incompatible (with broken setups).
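A way to verify the condition described in the comment above, as an added example that is not gunicorn's own code: a checker that parses a worker's /proc/<pid>/status and flags supplementary groups the target user was never granted (root's list surviving a setuid() without initgroups()), next to the drop sequence that --initgroups corresponds to. The status excerpts and the uid/gid values (33, 1001) are constructed, and drop_privileges() needs root to actually run.

```python
import grp
import os
import pwd

def parse_proc_status(text):
    """Return (effective uid, effective gid, set of supplementary gids)
    parsed from the text of /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if sep and key in ("Uid", "Gid", "Groups"):
            fields[key] = [int(x) for x in rest.split()]
    # Uid/Gid lines list real, effective, saved and filesystem ids.
    return fields["Uid"][1], fields["Gid"][1], set(fields.get("Groups", []))

def expected_groups(username):
    """Gids initgroups() installs for `username`: the primary gid plus every
    group in the group database that lists the user as a member."""
    pw = pwd.getpwnam(username)
    gids = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    gids.add(pw.pw_gid)
    return gids

def audit_privilege_drop(status_text, uid, gid, allowed_gids):
    """Return findings; an empty list means the drop looks complete."""
    cur_uid, cur_gid, cur_groups = parse_proc_status(status_text)
    findings = []
    if cur_uid != uid:
        findings.append(f"effective uid is {cur_uid}, expected {uid}")
    if cur_gid != gid:
        findings.append(f"effective gid is {cur_gid}, expected {gid}")
    extra = sorted(cur_groups - set(allowed_gids))
    if extra:
        findings.append(f"retained supplementary groups not granted to the target user: {extra}")
    return findings

def drop_privileges(username):
    """Correct order for a full drop: supplementary groups, then gid, then uid.
    Requires root; shown here only to illustrate the missing step."""
    pw = pwd.getpwnam(username)
    os.initgroups(username, pw.pw_gid)  # the step a setgid/setuid-only drop skips
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)

# Constructed /proc/<pid>/status excerpts, not captured from a real system.
STATUS_NO_INITGROUPS = "Name:\tgunicorn\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\nGroups:\t0 \n"
STATUS_INITGROUPS = "Name:\tgunicorn\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\nGroups:\t33 1001 \n"
```

On a live host, read /proc/<worker pid>/status and pass expected_groups("www-data") (or whichever user gunicorn runs as) as allowed_gids; a non-empty result means the worker still carries groups inherited from the master.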
Comment 3 Rafael Martins (RETIRED) gentoo-dev 2018-04-20 15:51:59 UTC
bumped to 19.7.1
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-12-02 17:10:27 UTC
@arches, please stabilize.
Comment 5 Agostino Sarubbo gentoo-dev 2018-12-04 11:57:19 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-07 02:42:18 UTC
x86 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-03-10 04:09:11 UTC
@maintainer, please drop vulnerable versions.