1247732 – (CVE-2015-5164) CVE-2015-5164 Satellite6: python pickle() processing problem in pulp

Bug 1247732 (CVE-2015-5164) - CVE-2015-5164 Satellite6: python pickle() processing problem in pulp

Summary: CVE-2015-5164 Satellite6: python pickle() processing problem in pulp

Keywords:
Status:	POST
Alias:	CVE-2015-5164
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1246263
Blocks:
TreeView+	depends on / blocked

Reported:	2015-07-28 17:10 UTC by Kurt Seifried
Modified:	2023-07-07 08:30 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Pulp Redmine	23	0	Normal	CLOSED - CURRENTRELEASE	As a user, I can rest easy in the knowledge that Pulp's Celery tasks are not serialized dangerously	2016-03-23 18:32:13 UTC

Description Kurt Seifried 2015-07-28 17:10:26 UTC

Brian Bouterse of Red Hat reports:

The Qpid server on Satellite6 does not properly restrict message types that can
be sent from managed content hosts. An attacker with administrative access to a
managed content host could send arbitrary messages containing pickle() encoded
data which would then be processed on the Satellite6 server.

Comment 1 pulp-infra@redhat.com 2015-09-11 16:30:58 UTC

The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 2 pulp-infra@redhat.com 2015-09-11 16:31:00 UTC

The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 3 Kurt Seifried 2015-11-06 05:44:31 UTC

Acknowledgement:

This issue was discovered by Brian Bouterse of Red Hat.

Comment 5 pulp-infra@redhat.com 2015-12-09 15:31:40 UTC

The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 6 pulp-infra@redhat.com 2015-12-11 16:31:28 UTC

The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 7 pulp-infra@redhat.com 2016-02-23 21:01:43 UTC

The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 8 pulp-infra@redhat.com 2016-03-23 18:32:14 UTC

The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 9 pulp-infra@redhat.com 2016-11-21 21:04:22 UTC

All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Note You need to log in before you can comment on or make changes to this bug.