Bug 1247732 (CVE-2015-5164) - CVE-2015-5164 Satellite6: python pickle() processing problem in pulp
Keywords:
Status: POST
Alias: CVE-2015-5164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1246263
Blocks:
Reported: 2015-07-28 17:10 UTC by Kurt Seifried
Modified: 2023-07-07 08:30 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Pulp Redmine
ID: 23
Private: 0
Priority: Normal
Status: CLOSED - CURRENTRELEASE
Summary: As a user, I can rest easy in the knowledge that Pulp's Celery tasks are not serialized dangerously
Last Updated: 2016-03-23 18:32:13 UTC

Description Kurt Seifried 2015-07-28 17:10:26 UTC
Brian Bouterse of Red Hat reports:

The Qpid server on Satellite6 does not properly restrict message types that can
be sent from managed content hosts. An attacker with administrative access to a
managed content host could send arbitrary messages containing pickle() encoded
data which would then be processed on the Satellite6 server.
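
The control whose absence the description above reports, as an added example that is not part of the original bug report and is not Pulp's or Satellite's code: a consumer that checks each message's declared content type against an allowlist before deserializing, and never unpickles broker input. The function names, the sample messages and the `demo.noop` task name are constructed for illustration; `application/x-python-serialize` is the content type kombu/Celery uses for pickle.

```python
import json
import pickle

# Content types this consumer will deserialize. Pickle's kombu/Celery content
# type, "application/x-python-serialize", is deliberately absent.
ACCEPTED = frozenset({"application/json"})

class RejectedMessage(Exception):
    """Message dropped without being deserialized."""

def decode_message(content_type, body, accepted=ACCEPTED):
    """Check the declared type first; never call pickle.loads() on input."""
    # Normalise "Application/JSON; charset=utf-8" to "application/json".
    base = (content_type or "").split(";", 1)[0].strip().lower()
    if base not in accepted:
        raise RejectedMessage("content type %r not accepted" % base)
    try:
        payload = json.loads(body.decode("utf-8"))
    except ValueError as exc:  # also covers UnicodeDecodeError
        # Body does not match its label, e.g. pickle bytes tagged as JSON.
        raise RejectedMessage("body is not valid JSON: %s" % exc)
    if not isinstance(payload, dict):
        raise RejectedMessage("task payload must be a JSON object")
    return payload

def triage(messages):
    """Decode (content_type, body) pairs; return (decoded, rejection reasons)."""
    decoded, rejected = [], []
    for content_type, body in messages:
        try:
            decoded.append(decode_message(content_type, body))
        except RejectedMessage as exc:
            rejected.append(str(exc))
    return decoded, rejected

# Constructed sample input: harmless payloads standing in for broker traffic.
PICKLED = pickle.dumps({"task": "demo.noop", "args": []})
SAMPLES = [
    ("application/json", b'{"task": "demo.noop", "args": []}'),
    ("Application/JSON; charset=utf-8", b'{"task": "demo.noop", "args": [1]}'),
    ("application/x-python-serialize", PICKLED),  # pickle, honestly labelled
    ("application/json", PICKLED),                # pickle, mislabelled as JSON
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLES)
    print(len(ok), "accepted;", len(bad), "rejected:", bad)
```

In Celery itself the worker-side equivalent is the `CELERY_ACCEPT_CONTENT` setting (`accept_content` in Celery 4 and later), for example `['json']`.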

Comment 1 pulp-infra@redhat.com 2015-09-11 16:30:58 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 2 pulp-infra@redhat.com 2015-09-11 16:31:00 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 3 Kurt Seifried 2015-11-06 05:44:31 UTC
Acknowledgement:

This issue was discovered by Brian Bouterse of Red Hat.

Comment 5 pulp-infra@redhat.com 2015-12-09 15:31:40 UTC
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 6 pulp-infra@redhat.com 2015-12-11 16:31:28 UTC
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 7 pulp-infra@redhat.com 2016-02-23 21:01:43 UTC
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 8 pulp-infra@redhat.com 2016-03-23 18:32:14 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 9 pulp-infra@redhat.com 2016-11-21 21:04:22 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

