Source: mistral
Version: 7.0.0-1
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.launchpad.net/mistral/+bug/1783708

Hi,

The following vulnerability was published for mistral.

CVE-2018-16849[0]:
| A flaw was found in openstack-mistral. By manipulating the SSH private
| key filename, the std.ssh action can be used to disclose the presence
| of arbitrary files within the filesystem of the executor running the
| action. Since std.ssh private_key_filename can take an absolute path,
| it can be used to assess whether or not a file exists on the
| executor's filesystem.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16849
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16849
[1] https://bugs.launchpad.net/mistral/+bug/1783708

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
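
An added example, not part of the original report and not Mistral's code or its upstream fix: one way to keep a user-supplied key name from acting as a file-existence oracle is to accept only a bare file name inside a fixed key directory and to return the same error for every failure. The function names, the key directory and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

GENERIC_MSG = "private key could not be loaded"


class KeyLookupError(Exception):
    """Single error type so callers cannot tell 'missing' from 'not allowed'."""


def resolve_private_key(name, key_dir):
    """Return the real path of key `name` inside `key_dir` (hypothetical helper)."""
    # Accept a bare file name only: no absolute paths, no directory components.
    if (not name or os.path.isabs(name)
            or os.path.basename(name) != name or name in (".", "..")):
        raise KeyLookupError(GENERIC_MSG)
    base = os.path.realpath(key_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link in key_dir that points elsewhere fails here.
    if os.path.commonpath([base, candidate]) != base:
        raise KeyLookupError(GENERIC_MSG)
    if not os.path.isfile(candidate):
        raise KeyLookupError(GENERIC_MSG)
    return candidate


def probe(name, key_dir):
    """Return what a workflow author would observe for a given key name."""
    try:
        resolve_private_key(name, key_dir)
        return "ok"
    except KeyLookupError as exc:
        return str(exc)


def demo():
    # Constructed sample layout: one legitimate key plus a file outside key_dir.
    with tempfile.TemporaryDirectory() as root:
        key_dir = os.path.join(root, "keys")
        os.mkdir(key_dir)
        open(os.path.join(key_dir, "id_rsa"), "w").close()
        outside = os.path.join(root, "secret.conf")
        open(outside, "w").close()
        return {
            "legit": probe("id_rsa", key_dir),
            "absolute_existing": probe(outside, key_dir),
            "absolute_missing": probe(os.path.join(root, "nope"), key_dir),
            "traversal": probe("../secret.conf", key_dir),
        }
```

An absolute path to an existing file and one to a missing file produce the identical message, so the response no longer reveals whether the file exists.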