Source: mcollective
Version: 2.6.0+dfsg-2.1
Severity: grave
Tags: patch security upstream
Hi,

the following vulnerability was published for mcollective.

CVE-2017-2292[0]:
| Versions of MCollective prior to 2.10.4 deserialized YAML from agents
| without calling safe_load, allowing the potential for arbitrary code
| execution on the server. The fix for this is to call YAML.safe_load on
| input. This has been tested in all Puppet-supplied MCollective
| plugins, but there is a chance that third-party plugins could rely on
| this insecure behavior.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2292
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2292
[1] https://puppet.com/security/cve/cve-2017-2292
[2] https://github.com/puppetlabs/marionette-collective/commit/e0e741889f5adeb8f75387037106b0d28a9099b0

Regards,
Salvatore
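The advisory above turns on the difference between Ruby's `YAML.load` and `YAML.safe_load`: the former lets the document name which Ruby class gets instantiated, the latter only builds core scalars and collections. The following example is added here to illustrate that difference; it is not code from the bug report, from MCollective or from the upstream fix. The class `ConstructedReply`, the two sample documents and the helper names are all constructed for the demonstration, and the class is deliberately harmless so that the two loaders can be compared side by side.

```ruby
# Added example: why YAML.load on untrusted input is dangerous and what
# YAML.safe_load changes. Not code from the bug report or from MCollective.

require 'yaml'

# Constructed stand-in class. A "!ruby/object:" tag in an attacker-controlled
# document can name any class visible to the server process; this one is benign
# so the behavioural difference is visible without any side effects.
class ConstructedReply
  attr_accessor :sender, :body
end

# Constructed sample documents standing in for agent replies on the wire.
PLAIN_REPLY  = "---\nsender: node1\nbody: hello\n"
TAGGED_REPLY = "--- !ruby/object:ConstructedReply\nsender: node1\nbody: hello\n"

# Psych 4 (Ruby 3.1+) made YAML.load safe by default and moved the old
# behaviour to YAML.unsafe_load; pick whichever reproduces the pre-fix loader.
LEGACY_LOADER = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load

# Pre-fix behaviour: the document decides which Ruby class is instantiated.
def legacy_load(doc)
  YAML.public_send(LEGACY_LOADER, doc)
end

# Post-fix behaviour: safe_load permits only core types (String, Integer,
# Float, Hash, Array, true/false/nil). A document that names a class is
# rejected with Psych::DisallowedClass, which we map to :rejected so the
# caller can log and drop the message instead of crashing.
def safe_load_reply(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts legacy_load(TAGGED_REPLY).class       # ConstructedReply: document picked the class
  puts safe_load_reply(TAGGED_REPLY).inspect # :rejected
  puts safe_load_reply(PLAIN_REPLY).inspect  # plain Hash with "sender" and "body"
end
```

Running it shows the legacy loader handing back an instance of whatever class the document asked for, while `safe_load` returns the plain data for an untagged document and refuses the tagged one. This is also why the advisory warns about third-party plugins: a plugin that relied on receiving real Ruby objects rather than hashes will start seeing `Psych::DisallowedClass` after the fix and needs to be adapted to plain data (or to an explicit, minimal allow-list of classes).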