ESB-2018.1849.2 - UPDATE [Linux][Debian] lava-server: Multiple vulnerabilities 2018-06-29


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1849.2
                        lava-server security update
                               29 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lava-server
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12565 CVE-2018-12564 

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4234
   https://lists.debian.org/debian-lts-announce/2018/06/msg00011.html

Comment: This bulletin contains two (2) Debian security advisories.

Revision History:  June 29 2018: Added Debian 8 advisory.
                   June 25 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4234-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 22, 2018                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : lava-server
CVE ID         : CVE-2018-12564 CVE-2018-12565

Two vulnerabilities were discovered in LAVA, a continuous integration
system for deploying operating systems and running tests on them. They
could result in disclosure of files readable by the lavaserver system
user (CVE-2018-12564) or in execution of arbitrary code via an XML-RPC
call (CVE-2018-12565).

For the stable distribution (stretch), these problems have been fixed in
version 2016.12-3.

We recommend that you upgrade your lava-server packages.

For the detailed security status of lava-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lava-server

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlstVKcACgkQEMKTtsN8
TjadcQ//bGGsD9UwkEhA/fzziPny6WzdTDFT9UWZYaKVXW/CHk2K4NQdTjyQayWN
JtrfzHd4wOTw7fPIAGlNfE4ysXsBy7DpVrWk8cPLp21REGRnQsScEMrTwgSQvOjK
JS6HXQiZafbpJ+6qjrEdMJg0J9Tdm0kwmdro1urnKiqR7uEiwFiVBLOX1EspaVNw
2Ohp3OnNGyqPLLn4i/r15q81Wg3r4VNkbfPqNa/2fL8EhvBNXNu67ir+wXV94SsK
6lsO9BSYout79e+cJnrVdj25Rw9Dq3xRQDY+Ev8KyZPAWzGg3UlcltAERmp25CcJ
D1T73Rb2XiH9+fjAz8PJCXoia/dBSeKJCfB2SE1u4QIZpL/eolvJMJeI0FhZ+xAR
QYBa3bA13OCUgutNUXX1yTKUay9Hhc1a23yYqiNnAcseasoSfz9qujZG+js9y843
X9Pr96wZdyVwBaAScSDIO1EJCoL7OfWZ2yiPdCFQlXbLQBz7H44Tdud/ImkVB+bz
ULv8PaxphTh3l20wYKKbSXwLdfZYo8Zoz1kGgPV6QvFYR862x3oz0UQWNZLbyRz/
7h5EC47efkdkt7LhmGOxIuUYFfe5Gwkr4rQBjdEVVc5aVyviF4VZENNDGm9ZHnAP
Lm14jVUoNFV9k5deAA9CWhT2pxHEpifuWsQV/tyYOUSaCobPW7k=
=67tj
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : lava-server
Version        : 2014.09.1-1+deb8u1
CVE ID         : CVE-2018-12564


CVE-2018-12564
      Through the feature for adding URLs on the submit page, a user might
      be able to read any file on the server that is readable by the
      lavaserver user and consists of valid YAML.
      This update disables that feature again.
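The pattern behind CVE-2018-12564, as an added illustration that is not LAVA's own code: a submission form accepts a URL and the server fetches it to obtain the job definition. If the URL is handed to a general-purpose fetcher, file:// works just as well as http://, and whatever the service account can read comes back to the submitter. The functions fetch_job_definition_vulnerable, fetch_job_definition_hardened, is_allowed_submit_url and demo_local_file_read, the SECRET_YAML sample file and the size cap are all hypothetical; the demonstration writes a temporary YAML file and runs offline.

```python
"""Illustration of the CVE-2018-12564 pattern: a job-submission form accepts
a URL and the server fetches it to read the job definition. Hypothetical
code, not LAVA's implementation."""
import os
import pathlib
import tempfile
import urllib.request
from urllib.parse import urlparse

# Constructed sample: a file the service account can read that happens to be
# valid YAML. The advisory notes only such files leak, because the fetched
# text is parsed as a job definition afterwards (YAML parsing omitted here).
SECRET_YAML = "device_type: qemu\nsecrets:\n  token: constructed-example-token\n"

MAX_DEFINITION_BYTES = 1 << 20  # cap on how much a submitter can make us read


class SubmissionError(ValueError):
    """Raised when a submitted URL is refused before any fetch happens."""


def fetch_job_definition_vulnerable(url: str) -> bytes:
    """The vulnerable shape: the submitter's URL goes straight to urllib.

    urllib's default opener registers FileHandler next to HTTPHandler, so a
    submitter can pass file:///some/path and the server returns that file's
    contents exactly as if it were a remote job definition.
    """
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def is_allowed_submit_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that carry a host component."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def fetch_job_definition_hardened(url: str) -> bytes:
    """Scheme allowlist before the fetch, plus a size cap on the body.

    Refusing everything except http(s) closes the local-file read. It does
    not by itself stop requests to internal hosts; that needs a separate
    host/address policy, which the advisory does not cover.
    """
    if not is_allowed_submit_url(url):
        raise SubmissionError(f"refusing to fetch job definition from {url!r}")
    with urllib.request.urlopen(url) as resp:
        body = resp.read(MAX_DEFINITION_BYTES + 1)
    if len(body) > MAX_DEFINITION_BYTES:
        raise SubmissionError("job definition too large")
    return body


def demo_local_file_read() -> dict:
    """Constructed demonstration (no network): write a YAML file, then point
    both fetchers at it through a file:// URL and report what each did."""
    with tempfile.NamedTemporaryFile("w", suffix=".yaml", delete=False) as fh:
        fh.write(SECRET_YAML)
        path = fh.name
    try:
        url = pathlib.Path(path).as_uri()
        leaked = fetch_job_definition_vulnerable(url)
        try:
            fetch_job_definition_hardened(url)
            blocked = None
        except SubmissionError as exc:
            blocked = str(exc)
        return {"url": url, "leaked": leaked, "blocked": blocked}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo_local_file_read()
    print("vulnerable fetcher returned:", result["leaked"].decode())
    print("hardened fetcher said:", result["blocked"])
```

The fix Debian shipped for jessie simply disabled the URL feature; the allowlist above is the shape of a fix that keeps the feature while closing the file read, and it belongs before the fetch, not after, so that no handler for a non-http scheme is ever reached.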


For Debian 8 "Jessie", this problem has been fixed in version
2014.09.1-1+deb8u1.

We recommend that you upgrade your lava-server packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
