Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 626100 (CVE-2017-11610)

Summary: <app-admin/supervisor-{3.1.4, 3.3.3}: command injection vulnerability
Product: Gentoo Security Reporter: Louis Sautier (sbraz) <sbraz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: flopwiki, proxy-maint, sbraz
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: No

Description Louis Sautier (sbraz) gentoo-dev 2017-07-24 22:06:55 UTC
A vulnerability was found where an authenticated client can send a malicious XML-RPC request to ``supervisord`` that will run arbitrary shell commands on the server.  The commands will be run as the same user as ``supervisord``. Depending on how ``supervisord`` has been configured, this may be root.

The issue is fixed in 3.1.4 and 3.3.3.
Comment 1 Louis Sautier (sbraz) gentoo-dev 2017-07-24 22:50:06 UTC
PR here:
Comment 2 Louis Sautier (sbraz) gentoo-dev 2017-07-26 18:39:00 UTC
Vulnerable versions removed from the tree:
Comment 3 D'juan McDonald (domhnall) 2017-08-23 16:56:31 UTC
*** Bug 628724 has been marked as a duplicate of this bug. ***
Comment 4 D'juan McDonald (domhnall) 2017-08-23 17:58:50 UTC
@maintainer(s), Thank you for your work. ping @Security, please follow procedure to close on report, thank you.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:46:39 UTC
This issue was resolved and addressed in
 GLSA 201709-06 at
by GLSA coordinator Aaron Bauman (b-man).