Bug 628724

Summary: app-admin/supervisor: RCE Vulnerability (CVE-2017-11610)
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: major
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/Supervisor/supervisor/issues/964
Whiteboard: B1 [ebuild]
Package list:
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2017-08-23 16:36:46 UTC
From $URL:

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

CVE Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11610
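The description gives the affected ranges purely as version boundaries, and Comment 1 below shows the practical question that raises for a packager or administrator: does the version actually installed fall inside them? The following version-range check is an added example written for this page (it is not code from the Gentoo bug, the supervisor project, or NVD); the fixed releases it encodes are exactly the four boundaries quoted in the description, and the sample inventory lines it scans are constructed, not taken from any real host.

```python
# Added example (not from the bug report or the supervisor project): classify a
# supervisord version against the ranges CVE-2017-11610 affects, as quoted in
# the bug description:  < 3.0.1, 3.1.x < 3.1.4, 3.2.x < 3.2.4, 3.3.x < 3.3.3
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Minor series -> first release of that series that carries the fix.
# These four values come straight from the bug description.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (3, 0): (3, 0, 1),
    (3, 1): (3, 1, 4),
    (3, 2): (3, 2, 4),
    (3, 3): (3, 3, 3),
}


def parse_version(text: str) -> Version:
    """Extract the leading numeric version from strings such as '3.3.2',
    'supervisor 3.1.4' or '3.3.0b1', padded to three components.
    Pre-release suffixes are dropped, so '3.3.0b1' compares as 3.3.0."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def classify(version_text: str) -> str:
    """Return 'affected', 'fixed', or 'not listed'.

    'not listed' covers series the description does not mention (3.4 and
    later, 4.x); the advisory states nothing about them, so the function does
    not guess."""
    v = parse_version(version_text)
    if v < (3, 0, 1):            # "before 3.0.1": every 2.x and 3.0.0
        return "affected"
    fixed = FIXED_IN.get((v[0], v[1]))
    if fixed is None:
        return "not listed"
    return "affected" if v < fixed else "fixed"


def affected_hosts(inventory: List[str]) -> List[str]:
    """Scan 'host<whitespace>version' lines and return the hosts whose
    supervisord version is in an affected range. Malformed lines are skipped."""
    hits = []
    for line in inventory:
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        host, version = fields
        try:
            if classify(version) == "affected":
                hits.append(host)
        except ValueError:
            continue
    return hits


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    "web-a    supervisor 3.3.2",
    "web-b    supervisor 3.3.3",
    "batch-1  3.1.4",
    "batch-2  3.0.0",
    "legacy   2.1",
    "new-1    3.4.0",
    "garbage  no-version-here",
]

if __name__ == "__main__":
    for line in SAMPLE_INVENTORY:
        fields = line.split(None, 1)
        if len(fields) == 2:
            try:
                print(f"{fields[0]:8} {fields[1]:22} {classify(fields[1])}")
            except ValueError as e:
                print(f"{fields[0]:8} {fields[1]:22} skipped ({e})")
    print("affected:", affected_hosts(SAMPLE_INVENTORY))
```

The check deliberately reports 3.4 and later as "not listed" rather than "fixed": the description only names fixed releases within the 3.0 to 3.3 series, and a version-range check should say only what the advisory says. Pre-release tags are dropped when parsing, which errs towards flagging a 3.3.0 beta as affected rather than silently skipping it.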
Comment 1 D'juan McDonald (domhnall) 2017-08-23 16:39:56 UTC
@security, I'm noting the possible fixed version in tree as 3.1.4; however, it's unclear atm if the same vulnerability applies to the package or not, so I'm reporting because it's a new CVE.
Comment 2 D'juan McDonald (domhnall) 2017-08-23 16:49:35 UTC
$Update:

@security, fixes were applied for the exact CVE on (2017-07-24) as noted here:

https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt

Also, this report may be a duplicate of: https://bugs.gentoo.org/show_bug.cgi?id=626100

Please follow procedure to close this report, thank you.

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 3 D'juan McDonald (domhnall) 2017-08-23 16:56:31 UTC
*** This bug has been marked as a duplicate of bug 626100 ***