Your message dated Thu, 27 Oct 2022 06:17:08 +0000
with message-id <e1onwcs-000mxm...@fasolo.debian.org>
and subject line Bug#1021737: fixed in lava 2020.12-5+deb11u1
has caused the Debian Bug report #1021737,
regarding lava: CVE-2022-42902
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1021737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021737
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lava
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lava.

CVE-2022-42902[0]:
| In Linaro Automated Validation Architecture (LAVA) before 2022.10,
| there is dynamic code execution in lava_server/lavatable.py. Due to
| improper input sanitization, an anonymous user can force the
| lava-server-gunicorn service to execute user-provided code on the server.

https://git.lavasoftware.org/lava/lava/-/merge_requests/1834
https://git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-42902
    https://www.cve.org/CVERecord?id=CVE-2022-42902

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: lava
Source-Version: 2020.12-5+deb11u1
Done: Antonio Terceiro <terce...@debian.org>

We believe that the bug you reported is fixed in the latest version of
lava, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1021...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated lava package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 18 Oct 2022 17:24:50 -0300
Source: lava
Architecture: source
Version: 2020.12-5+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian LAVA team <pkg-linaro-lava-de...@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Closes: 1021737
Changes:
 lava (2020.12-5+deb11u1) bullseye-security; urgency=high
 .
   * Fix remote code execution [CVE-2022-42902] (Closes: #1021737)
   * Add patch to fix building the package for -security


--- End Message ---
