From ${URL} : Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.

External References: https://puppet.com/security/cve/cve-2017-2292
Upstream patch: https://github.com/puppetlabs/marionette-collective/commit/e0e741889f5adeb8f75387037106b0d28a9099b0

@maintainer(s): since the fixed package is already in the tree, please let us know whether it is ready for stabilization.
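To make the safe_load point concrete for anyone checking a third-party plugin, here is an added Ruby example (not the upstream MCollective patch and not Gentoo's ebuild code). It decodes two constructed agent replies with YAML.safe_load: a plain-data reply, which is accepted, and a reply whose body carries a `!ruby/object` tag, which Psych refuses with Psych::DisallowedClass instead of instantiating the class. The symbol-style keys, the AgentReply class and the message shape are assumptions made for the demonstration; the real MCollective wire format is not reproduced.

```ruby
require 'yaml'

# A benign, locally defined class standing in for whatever Ruby object an
# untrusted YAML document might try to instantiate (an assumption for this
# demonstration; no real gadget class is involved).
class AgentReply
  attr_accessor :command
end

# Constructed sample of a plain-data reply such as an agent might return.
# The symbol-style keys are an assumption about the message shape; the
# real MCollective wire format is not reproduced here.
PLAIN_REPLY = <<~YAML
  :senderid: node01.example
  :statuscode: 0
  :body:
    hostname: node01
    uptime: 1234
YAML

# Constructed sample whose body carries a Ruby object tag. The pre-fix
# behaviour (YAML.load on Psych < 4) would instantiate an AgentReply from
# this; YAML.safe_load rejects it before any object is built.
OBJECT_REPLY = <<~YAML
  :senderid: node01.example
  :body: !ruby/object:AgentReply
    command: uptime
YAML

# Server-side decoding with the hardened call: only plain YAML types plus
# the explicitly permitted Symbol class are allowed, and aliases are refused.
# Widen permitted_classes only for classes the protocol genuinely needs.
def decode_reply(payload)
  YAML.safe_load(payload, permitted_classes: [Symbol], aliases: false)
end

# Returns true when the payload decodes under the restricted loader and
# false when Psych refuses it (a disallowed class or an alias). The rescue
# is where a server would log the rejected sender for detection purposes.
def reply_accepted?(payload)
  decode_reply(payload)
  true
rescue Psych::DisallowedClass, Psych::BadAlias
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "plain reply accepted:  #{reply_accepted?(PLAIN_REPLY)}"
  puts "object reply accepted: #{reply_accepted?(OBJECT_REPLY)}"
end
```

Note that without `permitted_classes: [Symbol]` even the plain reply would be refused, because Psych treats `:senderid` as a Symbol; that is the usual reason plugins that switch to safe_load start failing, and the right response is to permit the specific classes the messages need rather than to fall back to the unrestricted loader.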
ya, 2.11.0 can be stabilized; it's just amd64/x86 so it shouldn't be too bad.
Stable on alpha.
(In reply to Tobias Klausmann from comment #2)
> Stable on alpha.

Bullshit. Amd64 stable.
ping: Keywords for app-admin/mcollective:

            alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 arm64 mips m68k nios2 riscv s390 sh | eapi unused slot | repo
    2.10.5    o     +    o   o    o    o    o     o    +    o     o    o    o     o     o   o  |  5     #      0  | gentoo
    2.11.1    o     +    o   o    o    o    o     o    +    o     o    o    o     o     o   o  |  5     o         | gentoo

@x86: Could you please confirm that the package is stable for x86, and whether we need to clean up or there are no vulnerable ebuilds.

Thanks,
Gentoo Security Padawan ChrisADR
Already stable.
GLSA request is filed.
This issue was resolved and addressed in GLSA 201709-01 at https://security.gentoo.org/glsa/201709-01 by GLSA coordinator Aaron Bauman (b-man).