Your message dated Tue, 18 Oct 2022 22:56:45 +0000
with message-id <[email protected]>
and subject line Bug#1021737: fixed in lava 2022.10-1
has caused the Debian Bug report #1021737,
regarding lava: CVE-2022-42902
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1021737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021737
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lava
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lava.

CVE-2022-42902[0]:
| In Linaro Automated Validation Architecture (LAVA) before 2022.10,
| there is dynamic code execution in lava_server/lavatable.py. Due to
| improper input sanitization, an anonymous user can force the
| lava-server-gunicorn service to execute user-provided code on the server.

https://git.lavasoftware.org/lava/lava/-/merge_requests/1834
https://git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-42902
    https://www.cve.org/CVERecord?id=CVE-2022-42902

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: lava
Source-Version: 2022.10-1
Done: Rémi Duraffort <[email protected]>

We believe that the bug you reported is fixed in the latest version of
lava, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rémi Duraffort <[email protected]> (supplier of updated lava package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Tue, 11 Oct 2022 11:44:37 +0200
Source: lava
Architecture: source
Version: 2022.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian LAVA team <[email protected]>
Changed-By: Rémi Duraffort <[email protected]>
Closes: 994258 1021737
Changes:
 lava (2022.10-1) unstable; urgency=medium
 .
   [ Rémi Duraffort ]
   * LAVA Software 2022.10 release
     - Fixes remote code execution [CVE-2022-42902] (Closes: #1021737)
     - Fixes startup with Django 3.2 (Closes: #994258)
 .
   [ Antonio Terceiro ]
   * Drop patches, already applied upstream.


--- End Message ---
