Gentoo Linux Security Advisory GLSA 201709-06

https://security.gentoo.org/

Severity: High

Title: Supervisor: command injection vulnerability

Date: September 17, 2017

Bugs: #626100

ID: 201709-06

Synopsis

A vulnerability in Supervisor might allow remote attackers to execute arbitrary code.

Background

Supervisor is a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating systems.



Affected packages

  #  Package                  /  Vulnerable  /  Unaffected
  -------------------------------------------------------------------
  1  app-admin/supervisor        < 3.1.4                  >= 3.1.4



Description

A vulnerability in Supervisor was discovered in which an authenticated client could send malicious XML-RPC requests that supervisord would run as shell commands with the privileges of the supervisord process. In some cases, supervisord is configured to run with root permissions.



Impact

A remote attacker could execute arbitrary code with the privileges of the supervisord process.



Workaround

There is no known workaround at this time.



Resolution

All Supervisor users should upgrade to the latest version:



# emerge --sync
# emerge --ask --oneshot --verbose "=app-admin/supervisor-3.1.4"
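To triage installed hosts against the affected-package table above, the following added example (not part of the advisory or of Gentoo's tooling) classifies Gentoo-style version strings of app-admin/supervisor as vulnerable (< 3.1.4) or unaffected (>= 3.1.4). It assumes a simplified subset of Gentoo's version syntax: dotted numeric components with an optional -rN revision; the sample versions fed to it are constructed.

```python
# Added example: classify installed app-admin/supervisor versions against the
# range given in GLSA 201709-06 (vulnerable: < 3.1.4, unaffected: >= 3.1.4).
# Assumption: only dotted numeric versions with an optional "-rN" Gentoo
# revision are handled; suffixes such as _alpha/_p or letters are rejected.
import re

UNAFFECTED_FROM = "3.1.4"  # first unaffected version per the advisory

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Parse '3.1.3-r1' into ((3, 1, 3), 1); a missing revision counts as 0."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return numbers, revision


def compare(a, b):
    """Return -1, 0 or 1 comparing two versions, numeric parts before revision."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    # Simplification: missing trailing components are treated as zero,
    # so 3.1 and 3.1.0 compare equal here.
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def is_vulnerable(installed):
    """True when the installed version is below 3.1.4, as the advisory states."""
    return compare(installed, UNAFFECTED_FROM) < 0


def triage(installed_versions):
    """Map each installed version to a status string for a quick report."""
    return {v: ("VULNERABLE, upgrade to >=3.1.4" if is_vulnerable(v) else "unaffected")
            for v in installed_versions}


if __name__ == "__main__":
    # Constructed sample input standing in for the installed versions of a fleet.
    for version, status in triage(["3.1.3", "3.1.3-r1", "3.1.4", "3.3.1"]).items():
        print(f"app-admin/supervisor-{version}: {status}")
```

Note that a revision bump of a vulnerable version (3.1.3-r1) is still reported as vulnerable, because the advisory's boundary is the upstream version 3.1.4.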



References

[ 1 ] CVE-2017-11610
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11610



Availability

