GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sun Sep 17, 2017 8:26 pm Post subject: [ GLSA 201709-06 ] Supervisor |
 |
|
Gentoo Linux Security Advisory
Title: Supervisor: command injection vulnerability (GLSA 201709-06)
Severity: high
Exploitable: remote
Date: 2017-09-17
Bug(s): #626100
ID: 201709-06
Synopsis
A vulnerability in Supervisor might allow remote attackers to
execute arbitrary code.
Background
Supervisor is a client/server system that allows its users to monitor
and control a number of processes on UNIX-like operating systems.
Affected Packages
Package: app-admin/supervisor
Vulnerable: < 3.1.4
Unaffected: >= 3.1.4
Architectures: All supported architectures
Description
A vulnerability in Supervisor was discovered in which an authenticated
client could send malicious XML-RPC requests and supervidord will run
them as shell commands with process privileges. In some cases,
supervisord is configured with root permissions.
Impact
A remote attacker could execute arbitrary code with the privileges of
the process.
Workaround
There is no known workaround at this time.
Resolution
All Supervisor users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose "=app-admin/supervisor-3.1.4"
|
References
CVE-2017-11610
|
|
News & Announcements
