Your message dated Thu, 19 Jan 2023 23:50:30 +0000
with message-id <e1piefu-00gfbc...@fasolo.debian.org>
and subject line Bug#1024428: fixed in lava 2023.01-1
has caused the Debian Bug report #1024428,
regarding lava: CVE-2022-45132: Code execution in jinja templates
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1024428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024428
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lava
Version: 2022.10-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for lava.
CVE-2022-45132[0]:
| In Linaro Automated Validation Architecture (LAVA) before 2022.11.1,
| remote code execution can be achieved through user-submitted Jinja2
| template. The REST API endpoint for validating device configuration
| files in lava-server loads input as a Jinja2 template in a way that
| can be used to trigger remote code execution in the LAVA server.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-45132
https://www.cve.org/CVERecord?id=CVE-2022-45132
[1] https://lists.lavasoftware.org/archives/list/lava-annou...@lists.lavasoftware.org/thread/WHXGQMIZAPW3GCQEXYHC32N2ZAAAIYCY/
[2] https://git.lavasoftware.org/lava/lava/-/commit/ab17e8304f10c7c0fe912067f2ed85a4753241c7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
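The report above describes a validation endpoint that loads a user-submitted file as a Jinja2 template and, in doing so, lets the template's expressions execute. The following is an added example, not LAVA's code and not the upstream fix at the linked commit: it shows the defensive pattern for this class of bug, checking a template's syntax with `Environment.parse()` (which builds an AST and evaluates nothing) and, where rendering is genuinely required, rendering inside `SandboxedEnvironment` with no loader. The function names and the constructed sample templates are assumptions for illustration.

```python
"""Added example (not LAVA's code): validate an untrusted Jinja2 template
without executing it.

Pattern behind CVE-2022-45132: a "validate this device config" endpoint that
does jinja2.Template(user_input).render() runs whatever expressions the
submitted template contains.  Syntax validation only needs parsing, which
never evaluates expressions or loads files.
"""
from typing import Optional, Tuple

import jinja2
from jinja2.sandbox import SandboxedEnvironment

# One environment for the whole module.  No loader is configured, so
# {% include %} / {% import %} cannot reach the filesystem at render time,
# and the sandbox restricts attribute access on Python objects.
_ENV = SandboxedEnvironment(autoescape=True)


def validate_template_syntax(source: str) -> Tuple[bool, Optional[str]]:
    """Syntax-check an untrusted template.

    Environment.parse() lexes and builds the AST; it does not compile or
    render, so nothing inside the template runs.  Returns (ok, error).
    """
    try:
        _ENV.parse(source)
    except jinja2.TemplateSyntaxError as exc:
        return False, f"line {exc.lineno}: {exc.message}"
    return True, None


def render_in_sandbox(source: str, context: dict) -> str:
    """Render only when the caller really needs output, and only with an
    explicit, caller-chosen context.  The sandbox is defence in depth, not a
    substitute for refusing to render untrusted input where a parse suffices.
    """
    template = _ENV.from_string(source)
    return template.render(**context)


if __name__ == "__main__":
    # Constructed sample inputs, not real LAVA device dictionaries.
    good = "{{ device_type }} {% for a in actions %}{{ a }} {% endfor %}"
    bad = "{% if unterminated %}"
    print(validate_template_syntax(good))   # (True, None)
    print(validate_template_syntax(bad))    # (False, 'line 1: ...')
    print(render_in_sandbox("{{ name }}", {"name": "qemu"}))  # qemu
```

The essential change is that the validation path never calls `render()`: a template that parses cleanly is reported as valid, and one that does not is reported with the parser's line number and message, without any expression in it having been evaluated.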
--- Begin Message ---
Source: lava
Source-Version: 2023.01-1
Done: Rémi Duraffort <remi.duraff...@linaro.org>
We believe that the bug you reported is fixed in the latest version of
lava, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1024...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Rémi Duraffort <remi.duraff...@linaro.org> (supplier of updated lava package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 19 Jan 2023 10:23:15 +0100
Source: lava
Architecture: source
Version: 2023.01-1
Distribution: unstable
Urgency: medium
Maintainer: Debian LAVA team <pkg-linaro-lava-de...@lists.alioth.debian.org>
Changed-By: Rémi Duraffort <remi.duraff...@linaro.org>
Closes: 1016849 1024428 1024429
Changes:
lava (2023.01-1) unstable; urgency=medium
.
* LAVA Software 2023.01 release
- Adds alternative dependency on telnet-client (Closes: #1016849)
- Includes fix for Code execution in jinja templates [CVE-2022-45132]
(Closes: #1024428)
- Includes fix for Recursive XML entity expansion [CVE-2022-44641]
(Closes: #1024429)
.
[ Antonio Terceiro ]
* [c3eb0b19e] debian/tests/management: fix device management command
Checksums-Sha1:
2a65ce6f1ba3f96dcb452fa7c9164f4ccd78e313 2946 lava_2023.01-1.dsc
9646714ca2f5b020461fe2a5820f7f40e0524fae 7564634 lava_2023.01.orig.tar.gz
cb5511ed8dae7ac6e37e17bc8d183ece03bf1f1a 92456 lava_2023.01-1.debian.tar.xz
de860bde34441609acc554879c414041657cde88 10160 lava_2023.01-1_source.buildinfo
Checksums-Sha256:
3904cfe7d2c87dabf65bf768af83c11c70143f97b4415532f1a1215b4d449fc7 2946 lava_2023.01-1.dsc
a57c7859af44e23694d2026636dff91b10cab1dade32e7815e7d59a03877899e 7564634 lava_2023.01.orig.tar.gz
c76dd479ee4e43b798b56b475915128ab595df7f43da163de4258a3741bbe7b9 92456 lava_2023.01-1.debian.tar.xz
aad4575854d9a7a3f9eb4670ebeb7ceb9c2a69fe4d6d4a3ba61728974566f5b3 10160 lava_2023.01-1_source.buildinfo
Files:
c4b026af17fdff3d7abf87f352f1b24d 2946 net optional lava_2023.01-1.dsc
e307355a5abaa03ffbc4a28ea8dfc3e8 7564634 net optional lava_2023.01.orig.tar.gz
5de37c3ef61f5b624d80220e7a3f10a4 92456 net optional lava_2023.01-1.debian.tar.xz
5c5facb425c527407907f47152ef90af 10160 net optional lava_2023.01-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=sU7Q
-----END PGP SIGNATURE-----
--- End Message ---