The put command now discards the entire job body before returning JOB_TOO_BIG. Previously, it interpreted the job body as commands. This was a potential security hole, where malicious users could craft job payload data to inject commands without cooperation from the beanstalk client application.
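As an added illustration, not code from the beanstalkd project or from this thread, here is a toy parser in the style of beanstalkd's line-oriented protocol that contrasts the two behaviours described above: leaving an oversized body in the buffer so its bytes are read as commands, versus consuming the body before replying JOB_TOO_BIG. The size limit, replies, command set and sample input are all constructed assumptions.

```python
# Toy model of "put" handling in a beanstalkd-style text protocol.
# Constructed example: not prot.c, and the limit below is far smaller
# than beanstalkd's real maximum job size.
MAX_JOB_SIZE = 8


def dispatch(buf: bytes, discard_body: bool) -> list:
    """Parse commands from buf and return (command_line, reply) pairs.

    discard_body=False models the pre-1.4.6 behaviour: after JOB_TOO_BIG the
    body is left in the buffer, so the next parse pass treats it as commands.
    discard_body=True models the fix: body bytes plus the trailing CRLF are
    skipped before parsing resumes.
    """
    log = []
    pos = 0
    while pos < len(buf):
        end = buf.find(b"\r\n", pos)
        if end < 0:
            break  # incomplete line; a real server would wait for more data
        line = buf[pos:end]
        pos = end + 2
        words = line.split()
        if not words:
            continue
        cmd = words[0]
        if cmd == b"put" and len(words) == 5:
            size = int(words[4])
            if size > MAX_JOB_SIZE:
                log.append((line, b"JOB_TOO_BIG"))
                if discard_body:
                    pos += size + 2  # consume body and its CRLF
                continue
            pos += size + 2  # accept the job; body content is irrelevant here
            log.append((line, b"INSERTED 1"))
        elif cmd in (b"stats", b"delete", b"kick", b"peek"):
            log.append((line, b"OK"))
        else:
            log.append((line, b"UNKNOWN_COMMAND"))
    return log


# Constructed job body whose first line happens to look like a command.
BODY = b"delete 1\r\nXXXXXX"  # 16 bytes, over MAX_JOB_SIZE
WIRE = b"put 0 0 120 %d\r\n" % len(BODY) + BODY + b"\r\n" + b"stats\r\n"


def vulnerable_trace() -> list:
    return dispatch(WIRE, discard_body=False)  # body parsed as commands


def fixed_trace() -> list:
    return dispatch(WIRE, discard_body=True)  # body discarded, only stats runs
```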
See version bump request at bug #310033
Ebuilds for 1.4.6 committed
Thanks for the report.
What is meant by "remote command injection" here? Is this arbitrary shell code, i.e. "remote execution of arbitrary code", or just commands for the tool itself?
This command injection was only within beanstalkd, so users could, for example, do things in the style of:
put <magic data that will enable execution> <insert beanstalkd command here>
Closing without GLSA as this is not stable on any arch.
The put command functionality in beanstalkd 1.4.5 and earlier allows remote attackers to execute arbitrary Beanstalk commands via the body in a job that is too big, which is not properly handled by the dispatch_cmd function in prot.c.
Reopening as bug 288103 has made 1.3 stable meanwhile.
Patrick, can 1.4.6 go stable?
I think this version is suitable for a stablereq.
GLSA Vote: Yes.
GLSA request filed. Why did it just get a severity of B4?!
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).