A vulnerability was found where an authenticated client can send a malicious XML-RPC request to ``supervisord`` that will run arbitrary shell commands on the server. The commands will be run as the same user as ``supervisord``. Depending on how ``supervisord`` has been configured, this may be root.
The issue is fixed in 3.1.4 and 3.3.3.
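Because the fix landed in two separate release branches, a plain "greater than 3.1.4" comparison misclassifies 3.3.0 through 3.3.2 as safe. The following Python helper, added here as an example and not part of the bug report or the supervisor project, classifies an installed version using only the two fixed releases the report names; the version strings it is run on are constructed test inputs, and treating later branches (3.4+, 4.x) as fixed and the unnamed 3.2.x branch as "unknown" are this example's own assumptions.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the report, keyed by release branch (major, minor).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 1): (3, 1, 4),
    (3, 3): (3, 3, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple (missing patch -> 0).

    Trailing pre-release tags such as 'b1' are ignored, so a pre-release of a
    fixed version is reported as fixed; tighten the regex if that matters."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) if x else 0 for x in m.groups())
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one supervisor version."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Compare within the branch: 3.3.2 is vulnerable even though 3.3.2 > 3.1.4.
        return "vulnerable" if v < FIXED_BY_BRANCH[branch] else "fixed"
    if branch > (3, 3):
        # Assumption: branches released after both fixes carry the fix.
        return "fixed"
    # 3.2.x and anything older than 3.1: the report names no fix for these
    # branches, so do not guess either way.
    return "unknown"


def audit(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map host -> installed version onto host -> assessment."""
    return {host: assess(ver) for host, ver in hosts.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the report.
    sample = {
        "web-1": "3.1.3",
        "web-2": "3.1.4",
        "db-1": "3.3.2",
        "db-2": "3.3.3",
        "legacy": "3.2.0",
        "new": "4.0.0",
    }
    for host, status in audit(sample).items():
        print(f"{host:8} {sample[host]:8} {status}")
```

Feed `audit()` the output of your package inventory (for example the version column of a Portage or pip listing) and act on every host that is not reported as "fixed"; an "unknown" result means the report gives no basis for a verdict and the branch needs to be checked against upstream's release notes.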
PR here: https://github.com/gentoo/gentoo/pull/5205
Vulnerable versions removed from the tree:
*** Bug 628724 has been marked as a duplicate of this bug. ***
@maintainer(s), thank you for your work. Ping @Security, please follow procedure to close on report. Thank you.
This issue was resolved and addressed in
GLSA 201709-06 at https://security.gentoo.org/glsa/201709-06
by GLSA coordinator Aaron Bauman (b-man).