Advisories » MGASA-2017-0263

Updated supervisor packages fix security vulnerability

Publication date: 13 Aug 2017
Modification date: 13 Aug 2017
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-11610

Description

A vulnerability has been found where an authenticated client can send a
malicious XML-RPC request to supervisord that will run arbitrary shell
commands on the server. The commands will be run as the same user as
supervisord. Depending on how supervisord has been configured, this may
be root (CVE-2017-11610).
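
The description makes the impact depend on two things in the supervisord configuration: who can reach the XML-RPC interface, and which user supervisord runs as. The following audit is an added example, not part of the advisory or of the supervisor project. It reads a supervisord.conf and reports both; the sample configurations, the finding names and the audit() helper are constructed for illustration, and the check assumes by default that the daemon is started as root.

```python
import configparser

# Constructed sample configs for illustration; not taken from the advisory.
WEAK_CONF = """
[supervisord]
logfile=/var/log/supervisord.log ; no user= option: a root-started daemon stays root

[inet_http_server]
port=*:9001

[unix_http_server]
file=/run/supervisor.sock
chmod=0777
"""

HARDENED_CONF = """
[supervisord]
user=supervisor

[unix_http_server]
file=/run/supervisor.sock
chmod=0700
"""

def audit(conf_text, started_as_root=True):
    """Return findings on XML-RPC reachability and the account commands would run as."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";",))
    cp.read_string(conf_text)
    findings = []
    # [supervisord] user= makes a root-started daemon drop privileges.
    user = cp.get("supervisord", "user", fallback="")
    if started_as_root and user in ("", "root"):
        findings.append("commands-run-as-root")
    if cp.has_section("inet_http_server"):
        host = cp.get("inet_http_server", "port", fallback="").rpartition(":")[0]
        if host.strip("[]") not in ("127.0.0.1", "localhost", "::1"):
            findings.append("tcp-listener-not-loopback")
        # Without a password every client that can connect is accepted.
        if not cp.get("inet_http_server", "password", fallback=""):
            findings.append("tcp-listener-no-password")
    if cp.has_section("unix_http_server"):
        mode = int(cp.get("unix_http_server", "chmod", fallback="0700"), 8)
        if mode & 0o007:  # any permission bit granted to "other"
            findings.append("socket-open-to-other-users")
    return findings

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(HARDENED_CONF))
```

An empty result only means the interface is narrowly exposed and unprivileged; the vulnerability itself is fixed by installing the updated packages.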
                

References

SRPMS

5/core

6/core