| Message ID | 20170907094459.10277-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | supervisor: security bump to version 3.1.4 | expand |
Hello, On Thu, 7 Sep 2017 11:44:59 +0200, Peter Korsgaard wrote: > Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x > before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote > authenticated users to execute arbitrary commands via a crafted XML-RPC > request, related to nested supervisord namespace lookups. > > For more details, see > https://github.com/Supervisor/supervisor/issues/964 > > While we're at it, add hashes for the license files. > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > --- > package/supervisor/supervisor.hash | 4 +++- > package/supervisor/supervisor.mk | 4 ++-- > 2 files changed, 5 insertions(+), 3 deletions(-) Applied to master, thanks. Thomas
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x > before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote > authenticated users to execute arbitrary commands via a crafted XML-RPC > request, related to nested supervisord namespace lookups. > For more details, see > https://github.com/Supervisor/supervisor/issues/964 > While we're at it, add hashes for the license files. > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2017.02.x, thanks.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x > before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote > authenticated users to execute arbitrary commands via a crafted XML-RPC > request, related to nested supervisord namespace lookups. > For more details, see > https://github.com/Supervisor/supervisor/issues/964 > While we're at it, add hashes for the license files. > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2017.08.x, thanks.
diff --git a/package/supervisor/supervisor.hash b/package/supervisor/supervisor.hash index 03f337e7d0..0ebc663be9 100644 --- a/package/supervisor/supervisor.hash +++ b/package/supervisor/supervisor.hash @@ -1,2 +1,4 @@ # Locally calculated -sha256 e32c546fe8d2a6e079ec4819c49fd24534d4075a58af39118d04367918b3c282 supervisor-3.1.3.tar.gz +sha256 82f75089f719a7a3ca87f35c89a03c20fd3c0912552c96eb6fa40274ced6604e supervisor-3.1.4.tar.gz +sha256 a85a622378c6a892ead1ce5d0488e446e106bf014d3b763fdbc1ad1ae38ee491 COPYRIGHT.txt +sha256 27ba0b2357ed6974d755ed53232c5ab8595622b3111bb91682708ea188cc3696 LICENSES.txt diff --git a/package/supervisor/supervisor.mk b/package/supervisor/supervisor.mk index 4c62b66feb..9b93b449a7 100644 --- a/package/supervisor/supervisor.mk +++ b/package/supervisor/supervisor.mk @@ -4,8 +4,8 @@ # ################################################################################ -SUPERVISOR_VERSION = 3.1.3 -SUPERVISOR_SITE = http://pypi.python.org/packages/source/s/supervisor +SUPERVISOR_VERSION = 3.1.4 +SUPERVISOR_SITE = https://pypi.python.org/packages/12/50/cd330d1a0daffbbe54803cb0c4c1ada892b5d66db08befac385122858eee SUPERVISOR_LICENSE = BSD-like, rdflib (http_client.py), PSF (medusa), ZPL-2.1 SUPERVISOR_LICENSE_FILES = COPYRIGHT.txt LICENSES.txt SUPERVISOR_SETUP_TYPE = setuptools
Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups. For more details, see https://github.com/Supervisor/supervisor/issues/964 While we're at it, add hashes for the license files. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/supervisor/supervisor.hash | 4 +++- package/supervisor/supervisor.mk | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-)