Your message dated Mon, 05 Nov 2018 14:57:56 +0000
with message-id <e1gjgkc-0002hz...@fasolo.debian.org>
and subject line Bug#912714: fixed in mistral 7.0.0-2
has caused the Debian Bug report #912714,
regarding mistral: CVE-2018-16849: std.ssh action may disclose presence of 
arbitrary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
912714: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912714
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mistral
Version: 7.0.0-1
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.launchpad.net/mistral/+bug/1783708

Hi,

The following vulnerability was published for mistral.

CVE-2018-16849[0]:
| A flaw was found in openstack-mistral. By manipulating the SSH private
| key filename, the std.ssh action can be used to disclose the presence
| of arbitrary files within the filesystem of the executor running the
| action. Since std.ssh private_key_filename can take an absolute path,
| it can be used to assess whether or not a file exists on the
| executor's filesystem.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16849
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16849
[1] https://bugs.launchpad.net/mistral/+bug/1783708

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
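The oracle in the CVE text above needs two things: absolute paths are accepted for the key file, and the failure detail reaches the requester. The sketch below is an added illustration, not Mistral's code and not the upstream patch; `load_key_leaky`, `load_key_hardened`, `KEY_DIR` and the sample files are hypothetical and constructed for the demonstration.

```python
import os
import tempfile

KEY_DIR = "/var/lib/example-executor/ssh_keys"  # hypothetical key directory

class ActionError(Exception):
    """Error text that is handed back to the workflow author."""

def _read_key(path):
    with open(path, "rb") as fh:
        data = fh.read()
    if b"PRIVATE KEY" not in data:
        raise ValueError("not a private key: %s" % path)
    return data

def load_key_leaky(name):
    # Before: absolute paths accepted, underlying error echoed to the caller.
    path = name if os.path.isabs(name) else os.path.join(KEY_DIR, name)
    try:
        return _read_key(path)
    except (OSError, ValueError) as e:
        raise ActionError("Failed to load key: %s" % e)

def load_key_hardened(name, key_dir=KEY_DIR, log=None):
    # After: bare file names under key_dir only, one message for any failure.
    try:
        if name in ("", ".", "..") or os.path.basename(name) != name:
            raise ValueError("path components not allowed: %r" % name)
        return _read_key(os.path.join(key_dir, name))
    except (OSError, ValueError) as e:
        if log is not None:
            log.append(repr(e))  # detail stays in the executor's own log
        raise ActionError("Failed to load SSH private key") from None

def error_text(loader, name):
    try:
        loader(name)
    except ActionError as e:
        return str(e)
    return None

def demo():
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "present.txt")  # constructed sample file
        with open(present, "w") as fh:
            fh.write("not a key\n")
        absent = os.path.join(d, "absent.txt")
        return {f.__name__: (error_text(f, present), error_text(f, absent))
                for f in (load_key_leaky, load_key_hardened)}
```

`demo()` returns, per loader, the error text for an existing and a missing file: the two differ for the leaky loader and are identical for the hardened one.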
--- Begin Message ---
Source: mistral
Source-Version: 7.0.0-2

We believe that the bug you reported is fixed in the latest version of
mistral, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated mistral package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 05 Nov 2018 15:32:27 +0100
Source: mistral
Binary: mistral-api mistral-common mistral-engine mistral-event-engine mistral-executor python3-mistral
Architecture: source all
Version: 7.0.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 mistral-api - OpenStack Workflow service - API
 mistral-common - OpenStack Workflow service - common files
 mistral-engine - OpenStack Workflow service - Engine
 mistral-event-engine - OpenStack Workflow service - Event Engine
 mistral-executor - OpenStack Workflow service - Executor
 python3-mistral - OpenStack Workflow Service - Python libraries
Closes: 912714
Changes:
 mistral (7.0.0-2) unstable; urgency=high
 .
   * CVE-2018-16849: add upstream patch "remove extra information from std.ssh
     action" (Closes: #912714).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
