Your message dated Mon, 27 Jun 2016 19:24:34 +0000
with message-id <e1bhc94-0007db...@franck.debian.org>
and subject line Bug#828063: fixed in python-muranoclient 0.8.4-2
has caused the Debian Bug report #828063,
regarding python-muranoclient: CVE-2016-4972: RCE vulnerability in Openstack
Murano using insecure YAML tags
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
828063: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828063
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: murano
Version: 1:2.0.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerability was published for murano.
CVE-2016-4972[0]:
RCE vulnerability in Openstack Murano using insecure YAML tags
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-4972
[1] http://seclists.org/oss-sec/2016/q2/593
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-muranoclient
Source-Version: 0.8.4-2
We believe that the bug you reported is fixed in the latest version of
python-muranoclient, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 828...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-muranoclient
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 27 Jun 2016 19:12:11 +0000
Source: python-muranoclient
Binary: python-muranoclient python3-muranoclient python-muranoclient-doc
Architecture: source all
Version: 0.8.4-2
Distribution: experimental
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
python-muranoclient - cloud-ready application catalog - Python 2.7 client
module
python-muranoclient-doc - cloud-ready application catalog - client doc
python3-muranoclient - cloud-ready application catalog - Python 3.x client
module
Closes: 828063
Changes:
python-muranoclient (0.8.4-2) experimental; urgency=medium
.
* CVE-2016-4972: RCE vulnerability in Openstack Murano using insecure YAML
tags. Adds upstream patch: Use yaml.SafeLoader instead of yaml.Loader.
(Closes: #828063).
--- End Message ---
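The changelog above gives the fix as using yaml.SafeLoader instead of yaml.Loader. The following is an added example, not code from python-muranoclient or its upstream patch: it assumes PyYAML, uses constructed sample documents with illustrative field names, and shows SafeLoader refusing Python-specific tags plus a way to audit a document for such tags without constructing any objects.

```python
import yaml  # PyYAML

PY_PREFIX = "tag:yaml.org,2002:python/"

# Constructed sample inputs; the field names are illustrative only.
BENIGN_DOC = "Format: 1.0\nName: demo\nTags: [web, db]\n"
TAGGED_DOC = (
    "Format: 1.0\n"
    "Hook: !!python/name:time.time ''\n"
    "Ports: !!python/tuple [80, 443]\n"
)


def python_tags(text):
    """List Python-specific tags in a YAML stream without constructing objects."""
    found, seen = [], set()

    def walk(node):
        if id(node) in seen:  # anchors/aliases can make the node graph cyclic
            return
        seen.add(id(node))
        if node.tag.startswith(PY_PREFIX):
            found.append(node.tag[len("tag:yaml.org,2002:"):])
        if isinstance(node, yaml.SequenceNode):
            for child in node.value:
                walk(child)
        elif isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                walk(key)
                walk(value)

    # compose_all() stops at the node graph: no constructor is ever invoked.
    # Keep every root alive so id() values stay unique during the walk.
    roots = list(yaml.compose_all(text, Loader=yaml.SafeLoader))
    for root in roots:
        walk(root)
    return found


def load_manifest(text):
    """Parse with SafeLoader, which only builds plain YAML types."""
    try:
        return yaml.load(text, Loader=yaml.SafeLoader)
    except yaml.constructor.ConstructorError as exc:
        raise ValueError("rejected YAML tag: %s" % exc.problem) from exc


if __name__ == "__main__":
    print(python_tags(TAGGED_DOC))
    print(load_manifest(BENIGN_DOC))
```

Running `python_tags` over stored package files gives an inventory of documents that relied on Python tags before the loader change, since those documents will now fail to parse.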