Search...

[SECURITY] [DSA 4234-1] lava-server security update

2018-06-22T20:01:50

ID DEBIAN:DSA-4234-1:3F30E
Type debian
Reporter Debian
Modified 2018-06-22T20:01:50

Description

Debian Security Advisory DSA-4234-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 22, 2018 https://www.debian.org/security/faq

Package : lava-server CVE ID : CVE-2018-12564 CVE-2018-12565

Two vulnerabilities were discovered in LAVA, a continuous integration system for deploying operating systems for running tests, which could result in information disclosure of files readable by the lavaserver system user or the execution of arbitrary code via a XMLRPC call.

For the stable distribution (stretch), these problems have been fixed in version 2016.12-3.

We recommend that you upgrade your lava-server packages.

For the detailed security status of lava-server please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lava-server

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

JSON Vulners Source

Initial Source

{"id": "DEBIAN:DSA-4234-1:3F30E", "bulletinFamily": "unix", "title": "[SECURITY] [DSA 4234-1] lava-server security update", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4234-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJune 22, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : lava-server\nCVE ID : CVE-2018-12564 CVE-2018-12565\n\nTwo vulnerabilities were discovered in LAVA, a continuous integration\nsystem for deploying operating systems for running tests, which could\nresult in information disclosure of files readable by the lavaserver\nsystem user or the execution of arbitrary code via a XMLRPC call.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2016.12-3.\n\nWe recommend that you upgrade your lava-server packages.\n\nFor the detailed security status of lava-server please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/lava-server\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "published": "2018-06-22T20:01:50", "modified": "2018-06-22T20:01:50", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00163.html", "reporter": "Debian", "references": [], "cvelist": ["CVE-2018-12565", "CVE-2018-12564"], "type": "debian", "lastseen": "2021-01-09T01:15:08", "edition": 10, "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-12565", "CVE-2018-12564"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891404", "OPENVAS:1361412562310704234"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-1404.NASL", "DEBIAN_DSA-4234.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1404-1:35C7C"]}], "modified": "2021-01-09T01:15:08", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2021-01-09T01:15:08", "rev": 2}, "vulnersScore": 6.4}, "affectedPackage": [{"OS": "Debian", "OSVersion": "9", "arch": "all", "operator": "lt", "packageFilename": "lava-dev_2016.12-3_all.deb", "packageName": "lava-dev", "packageVersion": "2016.12-3"}, {"OS": "Debian", "OSVersion": "9", "arch": "all", "operator": "lt", "packageFilename": "lava_2016.12-3_all.deb", "packageName": "lava", "packageVersion": "2016.12-3"}, {"OS": "Debian", "OSVersion": "9", "arch": "all", "operator": "lt", "packageFilename": "lava-server-doc_2016.12-3_all.deb", "packageName": "lava-server-doc", "packageVersion": "2016.12-3"}, {"OS": "Debian", "OSVersion": "9", "arch": "all", "operator": "lt", "packageFilename": "lava-server_2016.12-3_all.deb", "packageName": "lava-server", "packageVersion": "2016.12-3"}], "scheme": null}

{"cve": [{"lastseen": "2020-12-09T20:25:33", "description": "An issue was discovered in Linaro LAVA before 2018.5.post1. Because of use of yaml.load() instead of yaml.safe_load() when parsing user data, remote code execution can occur.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-06-19T05:29:00", "title": "CVE-2018-12565", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12565"], "modified": "2019-09-18T21:00:00", "cpe": ["cpe:/o:debian:debian_linux:9.0", "cpe:/a:linaro:lava:2018.4"], "id": "CVE-2018-12565", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12565", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:linaro:lava:2018.4:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:25:33", "description": "An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for URLs in the submit page, a user can forge an HTTP request that will force lava-server-gunicorn to return any file on the server that is readable by lavaserver and valid yaml.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-06-19T05:29:00", "title": "CVE-2018-12564", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12564"], "modified": "2018-08-10T15:04:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-12564", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12564", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-07-04T18:56:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12565", "CVE-2018-12564"], "description": "Two vulnerabilities were discovered in LAVA, a continuous integration\nsystem for deploying operating systems for running tests, which could\nresult in information disclosure of files readable by the lavaserver\nsystem user or the execution of arbitrary code via a XMLRPC call.", "modified": "2019-07-04T00:00:00", "published": "2018-06-22T00:00:00", "id": "OPENVAS:1361412562310704234", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704234", "type": "openvas", "title": "Debian Security Advisory DSA 4234-1 (lava-server - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4234-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704234\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-12564\", \"CVE-2018-12565\");\n script_name(\"Debian Security Advisory DSA 4234-1 (lava-server - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-22 00:00:00 +0200 (Fri, 22 Jun 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4234.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"lava-server on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 2016.12-3.\n\nWe recommend that you upgrade your lava-server packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/lava-server\");\n script_tag(name:\"summary\", value:\"Two vulnerabilities were discovered in LAVA, a continuous integration\nsystem for deploying operating systems for running tests, which could\nresult in information disclosure of files readable by the lavaserver\nsystem user or the execution of arbitrary code via a XMLRPC call.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"lava\", ver:\"2016.12-3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lava-dev\", ver:\"2016.12-3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lava-server\", ver:\"2016.12-3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lava-server-doc\", ver:\"2016.12-3\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T20:11:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12564"], "description": "CVE-2018-12564\nUsing the feature to add URLs in the submit page, a user might be\nable to read any file on the server that is readable by lavaserver\nand consists of valid yaml.\nSo with this patch the feature is disabled again.", "modified": "2020-01-29T00:00:00", "published": "2018-07-10T00:00:00", "id": "OPENVAS:1361412562310891404", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891404", "type": "openvas", "title": "Debian LTS: Security Advisory for lava-server (DLA-1404-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891404\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2018-12564\");\n script_name(\"Debian LTS: Security Advisory for lava-server (DLA-1404-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-07-10 00:00:00 +0200 (Tue, 10 Jul 2018)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/06/msg00011.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"lava-server on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2014.09.1-1+deb8u1.\n\nWe recommend that you upgrade your lava-server packages.\");\n\n script_tag(name:\"summary\", value:\"CVE-2018-12564\nUsing the feature to add URLs in the submit page, a user might be\nable to read any file on the server that is readable by lavaserver\nand consists of valid yaml.\nSo with this patch the feature is disabled again.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"lava\", ver:\"2014.09.1-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lava-dev\", ver:\"2014.09.1-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lava-server\", ver:\"2014.09.1-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lava-server-doc\", ver:\"2014.09.1-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-01-01T01:47:31", "description": "Two vulnerabilities were discovered in LAVA, a continuous integration\nsystem for deploying operating systems for running tests, which could\nresult in information disclosure of files readable by the lavaserver\nsystem user or the execution of arbitrary code via a XMLRPC call.", "edition": 25, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-06-25T00:00:00", "title": "Debian DSA-4234-1 : lava-server - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12565", "CVE-2018-12564"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:lava-server", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4234.NASL", "href": "https://www.tenable.com/plugins/nessus/110666", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4234. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110666);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/13 12:30:47\");\n\n script_cve_id(\"CVE-2018-12564\", \"CVE-2018-12565\");\n script_xref(name:\"DSA\", value:\"4234\");\n\n script_name(english:\"Debian DSA-4234-1 : lava-server - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two vulnerabilities were discovered in LAVA, a continuous integration\nsystem for deploying operating systems for running tests, which could\nresult in information disclosure of files readable by the lavaserver\nsystem user or the execution of arbitrary code via a XMLRPC call.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/lava-server\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/lava-server\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4234\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the lava-server packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 2016.12-3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lava-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"lava\", reference:\"2016.12-3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lava-dev\", reference:\"2016.12-3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lava-server\", reference:\"2016.12-3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lava-server-doc\", reference:\"2016.12-3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:39:23", "description": "CVE-2018-12564 Using the feature to add URLs in the submit page, a\nuser might be able to read any file on the server that is readable by\nlavaserver and consists of valid yaml. So with this patch the feature\nis disabled again.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2014.09.1-1+deb8u1.\n\nWe recommend that you upgrade your lava-server packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 22, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2018-06-29T00:00:00", "title": "Debian DLA-1404-1 : lava-server security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12564"], "modified": "2018-06-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:lava", "cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:lava-server-doc", "p-cpe:/a:debian:debian_linux:lava-server", "p-cpe:/a:debian:debian_linux:lava-dev"], "id": "DEBIAN_DLA-1404.NASL", "href": "https://www.tenable.com/plugins/nessus/110786", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1404-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110786);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2018-12564\");\n\n script_name(english:\"Debian DLA-1404-1 : lava-server security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2018-12564 Using the feature to add URLs in the submit page, a\nuser might be able to read any file on the server that is readable by\nlavaserver and consists of valid yaml. So with this patch the feature\nis disabled again.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2014.09.1-1+deb8u1.\n\nWe recommend that you upgrade your lava-server packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/06/msg00011.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/lava-server\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lava\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lava-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lava-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lava-server-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"lava\", reference:\"2014.09.1-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"lava-dev\", reference:\"2014.09.1-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"lava-server\", reference:\"2014.09.1-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"lava-server-doc\", reference:\"2014.09.1-1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2020-08-12T01:04:09", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12564"], "description": "Package : lava-server\nVersion : 2014.09.1-1+deb8u1\nCVE ID : CVE-2018-12564\n\n\nCVE-2018-12564\n Using the feature to add URLs in the submit page, a user might be\n able to read any file on the server that is readable by lavaserver\n and consists of valid yaml.\n So with this patch the feature is disabled again.\n\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2014.09.1-1+deb8u1.\n\nWe recommend that you upgrade your lava-server packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 18, "modified": "2018-06-28T20:10:30", "published": "2018-06-28T20:10:30", "id": "DEBIAN:DLA-1404-1:35C7C", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201806/msg00011.html", "title": "[SECURITY] [DLA 1404-1] lava-server security update", "type": "debian", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}]}