Bug 824460 (CVE-2012-2395)
Summary: | CVE-2012-2395 cobbler: command injection flaw in the power management XML-RPC API | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | awood, cperry, dgoodwin, jimi, jpazdziora, rcvalle, scott, sherr, vanmeeuwen+fedora |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-09-20 02:11:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 824461, 824462, 830662 | ||
Bug Blocks: | 811959 |
Description
Jan Lieskovsky
2012-05-23 14:02:28 UTC
This issue affects the versions of the cobbler package, as shipped with Fedora release of 15 and 16. Please schedule an update. -- This issue affects the versions of the cobbler package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update. Created cobbler tracking bugs for this issue Affects: fedora-all [bug 824461] Affects: epel-all [bug 824462] Reproducer from Ubuntu bugzilla above ([4]): [1] To verify that this is the case you test it out --> >>> import subprocess >>> subprocess.Popen(["/bin/sh", "-c", "echo lol && /bin/sh"], shell=False) <subprocess.Popen object at 0x7f0ecaa92b50> >>> lol (In reply to comment #1) > This issue affects the versions of the cobbler package, as shipped with > Fedora release of 15 and 16. Please schedule an update. > > -- > > This issue affects the versions of the cobbler package, as shipped with > Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update. Which cobbler version(s?) are these exactly? (In reply to comment #5) > Which cobbler version(s?) are these exactly? Fedora-15: cobbler-2.2.2-1.fc15 Fedora-16: cobbler-2.2.2-1.fc16 Fedora-17: cobbler-2.2.2-1.fc17 Fedora-Rawhide: cobbler-2.2.2-1.fc18 EPEL-5: cobbler-2.2.2-1.el5 EPEL-6: cobbler-2.2.2-1.el6 Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/05/23/18 Statement: This issue did not affect the version of cobbler as shipped with Red Hat Network Satellite Server 5.3.0, as it did not include the upstream commit 0e5f6f2d50d460f4c6b0c9f62cfed0ff5c546906 that introduced this flaw. This issue affects the version of cobbler as shipped with Red Hat Network Satellite Server 5.4.0. This issue has been addressed in following products: Red Hat Network Satellite Server v 5.4 Via RHSA-2012:1060 https://rhn.redhat.com/errata/RHSA-2012-1060.html |