-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1849.2
                        lava-server security update
                                 29 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lava-server
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12565 CVE-2018-12564

Original Bulletin:
   http://www.debian.org/security/2018/dsa-4234
   https://lists.debian.org/debian-lts-announce/2018/06/msg00011.html

Comment: This bulletin contains two (2) Debian security advisories.

Revision History:  June 29 2018: Added Debian 8 advisory.
                   June 25 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4234-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 22, 2018                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : lava-server
CVE ID         : CVE-2018-12564 CVE-2018-12565

Two vulnerabilities were discovered in LAVA, a continuous integration
system for deploying operating systems for running tests, which could
result in information disclosure of files readable by the lavaserver
system user or the execution of arbitrary code via an XMLRPC call.

For the stable distribution (stretch), these problems have been fixed in
version 2016.12-3.

We recommend that you upgrade your lava-server packages.
For the detailed security status of lava-server please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/lava-server

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlstVKcACgkQEMKTtsN8
TjadcQ//bGGsD9UwkEhA/fzziPny6WzdTDFT9UWZYaKVXW/CHk2K4NQdTjyQayWN
JtrfzHd4wOTw7fPIAGlNfE4ysXsBy7DpVrWk8cPLp21REGRnQsScEMrTwgSQvOjK
JS6HXQiZafbpJ+6qjrEdMJg0J9Tdm0kwmdro1urnKiqR7uEiwFiVBLOX1EspaVNw
2Ohp3OnNGyqPLLn4i/r15q81Wg3r4VNkbfPqNa/2fL8EhvBNXNu67ir+wXV94SsK
6lsO9BSYout79e+cJnrVdj25Rw9Dq3xRQDY+Ev8KyZPAWzGg3UlcltAERmp25CcJ
D1T73Rb2XiH9+fjAz8PJCXoia/dBSeKJCfB2SE1u4QIZpL/eolvJMJeI0FhZ+xAR
QYBa3bA13OCUgutNUXX1yTKUay9Hhc1a23yYqiNnAcseasoSfz9qujZG+js9y843
X9Pr96wZdyVwBaAScSDIO1EJCoL7OfWZ2yiPdCFQlXbLQBz7H44Tdud/ImkVB+bz
ULv8PaxphTh3l20wYKKbSXwLdfZYo8Zoz1kGgPV6QvFYR862x3oz0UQWNZLbyRz/
7h5EC47efkdkt7LhmGOxIuUYFfe5Gwkr4rQBjdEVVc5aVyviF4VZENNDGm9ZHnAP
Lm14jVUoNFV9k5deAA9CWhT2pxHEpifuWsQV/tyYOUSaCobPW7k=
=67tj
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : lava-server
Version        : 2014.09.1-1+deb8u1
CVE ID         : CVE-2018-12564 CVE-2018-12564

Using the feature to add URLs in the submit page, a user might be able
to read any file on the server that is readable by lavaserver and
consists of valid yaml. So with this patch the feature is disabled
again.

For Debian 8 "Jessie", these problems have been fixed in version
2014.09.1-1+deb8u1.

We recommend that you upgrade your lava-server packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJbNT/uXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHErUP/2h6C5bKZZFJSrs0F8nzgcMI
iOrOXZ0v4PCJW/hnVPvTGfHI50kfUxZOh49AeBbhhtP2hbqtu+eEUBI53NDszNfm
sgVHxGwMUbJXMJsseklgU9ZC2Tp/+S4TkdGcNvNZEjHKqMtUq0578W6ERTjkC6sJ
C2D9N0XbQEtsJArDJN62CnkoBw2k+yfKYyfAx6F5LpsohwTdYWjsrKDE/dUZnpL0
iHCGWIJIe0ghrjdiPcLjd24pzeGhFelnRaVUIeBEMlIM2KqQ5HHXhJ+GBiJndeFG
sBW9xWpNVwTwEIa3rdLdCtq/apo1g0PoMa0QMaQDWkHTL1Ezmv3iBQ1dQhP0Rx4i
CUtVb2gwAikxNe41F5dIgS466fVSRLKaA/edIfOfVnbkkJq3LiAelkYE/k5rjZv/
V4zDUo8jOBBh1BwMXHtRbeK1hEvUIVMsio17jq2HCnFUXcXn/ERvFr0VsTCtIPOW
ptFduN0w6hKq4RlX+ftNjZ1tT0dSKUyR9wtNuiEGaKF+HNQy4BpJUWJXE2rFaMfQ
VBFl/7eMeBbeDwI2lsBxnHF+nE3bxyqQvXINDmsYKruKuy2opcpUwOWzEwc/Wfd/
cUkrbzPxf2QGa4l2cqIjcgRNXWpqvHWY8MUu12RdlgBvMsuQ+zSuYPA0YTejn++C
ciaAul0y1ouJ9wHDpi+U
=6CwH
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWzV/NGaOgq3Tt24GAQjWwhAApMVgYqwBRCxYa/tqr9PNNaAFMYtxYg4L
2pcKMZeGm1Uom1HdgASiugJm4FuPALeAGX21fl6MxqWFHLrA5evXBxUGaLnJ4rcj
5scpCvh3sO0YcR4VVVeLYujg0yuAXpXOBSd+QNqnoaE6w7dmjcTtmqM0OTLSyXfm
24hev+Y/KwxEaUbzk7C22qXvEQgF+OMzVuOzphzc8StUbEeFwojU1ChGhsR/w5eL
2oqlWSEdovuBTVu7aBND129juOJF5lH0zc2i+5wlqdYYg7AWTfUw/bgzW4o7hJfE
BbnRuOBWCA6Re48UrO0x4ZRXGf5jHUP48UX2AB7krUp9MjRQ4c0rXCOdYW7VPhv3
/f/RTU6bbb1Sb02l7cfHo143ZG3h1GsP1sxPSHXj1hXNOljA9oRXikhnBnmYCLxk
LY2PENzftbCxh84bs18YzvMXpHFavVVHhWsNYXgKKkwphVdqwtP9HVG2LZRV8CDm
2k/yQKQvAEItiyfhgyHccQFPJ2gYLUx54yGxC+8UFrgbSY0hOWHJLz4WmbHzckks
IZrtb0ARk20/Jy6oXV5iL87dPwZ4reFemUgk5HC4k7XQUNig6QrgGI3y76lYdTGi
52R9McJOpAnNB8moTBnhiy+QFVH+9Rec5Jv+yGTKlkSSkLkTbrQyQKXDJJl+lzNI
t9zjudjQx8s=
=Lldc
-----END PGP SIGNATURE-----
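The Jessie advisory above describes the general shape of the file-disclosure bug: a "add URLs" feature on the submit page that let a user read any file readable by the lavaserver user. The following is an added example, not code from LAVA and not the Debian patch (which, per the advisory, simply disabled the feature). It uses Python's standard library to show why such a feature leaks files when the user-supplied string is passed straight to a generic fetcher, and the scheme allowlist that is the usual general fix. The function names, the RejectedURL class and the temporary YAML file are this example's own assumptions; nothing here claims to reproduce LAVA's actual code path.

```python
# Added example (not LAVA's code, not the Debian patch). urllib's
# urlopen() understands file:// as readily as https://, so a feature that
# fetches "whatever URL the user typed" returns any local file the service
# user can read. The hardened variant allowlists the scheme first.
import os
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import urlopen

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only remote fetches are wanted


class RejectedURL(ValueError):
    """Raised when a submitted URL fails the allowlist."""


def fetch_unchecked(url: str) -> str:
    """Vulnerable pattern: the user's URL goes straight to the fetcher."""
    with urlopen(url) as resp:
        return resp.read().decode("utf-8", "replace")


def validate_url(url: str) -> str:
    """Hardened pattern: accept only http(s) URLs that actually name a host."""
    parts = urlparse(url)            # urlparse lowercases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        raise RejectedURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:           # rejects "http:///path" style URLs
        raise RejectedURL("URL has no host")
    return url


def is_allowed(url: str) -> bool:
    """Boolean form of validate_url(), convenient for tests and logging."""
    try:
        validate_url(url)
    except RejectedURL:
        return False
    return True


def fetch_checked(url: str) -> str:
    """Fetch only after the allowlist has passed."""
    return fetch_unchecked(validate_url(url))


def demo() -> dict:
    """Constructed stand-in for a secret-bearing YAML file owned by the service user."""
    with tempfile.NamedTemporaryFile("w", suffix=".yaml", delete=False) as f:
        f.write("secret_key: hunter2\n")   # constructed sample content
        path = f.name
    try:
        url = Path(path).as_uri()          # file:///tmp/....yaml
        leaked = fetch_unchecked(url)      # unchecked fetcher hands the file back
        blocked = not is_allowed(url)      # allowlist refuses the same URL
        return {"url_scheme": urlparse(url).scheme, "leaked": leaked, "blocked": blocked}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

A scheme allowlist closes the file:// hole but not requests to internal hosts reachable from the server (an http:// URL pointing at a loopback or management address still gets fetched), so a host or network allowlist belongs next to it. Where the feature is not needed at all, removing it, as the Jessie update did, is the stricter option.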