Your message dated Mon, 03 Dec 2018 21:47:09 +0000
with message-id <e1gtw3z-0003gc...@fasolo.debian.org>
and subject line Bug#912714: fixed in mistral 3.0.0-4+deb9u1
has caused the Debian Bug report #912714,
regarding mistral: CVE-2018-16849: std.ssh action may disclose presence of
arbitrary files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
912714: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912714
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mistral
Version: 7.0.0-1
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.launchpad.net/mistral/+bug/1783708
Hi,

The following vulnerability was published for mistral.

CVE-2018-16849[0]:
| A flaw was found in openstack-mistral. By manipulating the SSH private
| key filename, the std.ssh action can be used to disclose the presence
| of arbitrary files within the filesystem of the executor running the
| action. Since std.ssh private_key_filename can take an absolute path,
| it can be used to assess whether or not a file exists on the
| executor's filesystem.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16849
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16849
[1] https://bugs.launchpad.net/mistral/+bug/1783708

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
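The file-existence oracle described in the CVE text above, shown as an added illustration; it is neither Mistral's code nor the upstream patch. All function names, the `key_dir` parameter and the error strings are hypothetical: the first loader echoes the failure reason for any path, the second accepts only bare file names under one directory and returns a single message for every failure while logging the detail on the executor.

```python
import logging
import os

log = logging.getLogger("executor")      # detail stays in the executor's own log
GENERIC_ERROR = "private key could not be loaded"   # constructed message


class KeyLoadError(Exception):
    """Error text that is returned to the workflow author."""


def load_key_leaky(private_key_filename):
    # 'Before' pattern: any path is accepted and the failure reason is echoed.
    try:
        with open(private_key_filename, "rb") as fh:
            data = fh.read()
    except OSError as e:
        raise KeyLoadError(f"{private_key_filename}: {e.strerror}") from None
    if b"PRIVATE KEY" not in data:
        raise KeyLoadError(f"{private_key_filename}: not a valid private key")
    return data


def load_key_hardened(private_key_filename, key_dir):
    # 'After' pattern: bare file names under key_dir, one message for all failures.
    try:
        name = private_key_filename
        if name in ("", ".", "..") or os.path.basename(name) != name:
            raise ValueError("path components are not allowed")
        with open(os.path.join(key_dir, name), "rb") as fh:
            data = fh.read()
        if b"PRIVATE KEY" not in data:
            raise ValueError("not a private key")
        return data
    except (OSError, ValueError) as e:
        log.warning("key load failed for %r: %s", private_key_filename, e)
        raise KeyLoadError(GENERIC_ERROR) from None


def probe(loader, names):
    # Collect what a caller would see for each requested key file name.
    seen = []
    for name in names:
        try:
            loader(name)
            seen.append("ok")
        except KeyLoadError as e:
            seen.append(str(e))
    return seen
```
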
--- Begin Message ---
Source: mistral
Source-Version: 3.0.0-4+deb9u1
We believe that the bug you reported is fixed in the latest version of
mistral, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 912...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated mistral package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 05 Nov 2018 14:38:44 +0100
Source: mistral
Binary: python-mistral mistral-common mistral-engine mistral-executor mistral-api
Architecture: source all
Version: 3.0.0-4+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 mistral-api - OpenStack Workflow service - API
 mistral-common - OpenStack Workflow service - common files
 mistral-engine - OpenStack Workflow service - Engine
 mistral-executor - OpenStack Workflow service - Executor
 python-mistral - OpenStack Workflow Service - Python libraries
Closes: 912714
Changes:
 mistral (3.0.0-4+deb9u1) stretch; urgency=medium
 .
   * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
     applied upstream patch: remove extra information from std.ssh action.
     (Closes: #912714).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---