CVE request for bcfg2 (remote root)
From: Jonathan Wiltshire <jmw () debian org>
Date: Thu, 1 Sep 2011 22:00:26 +0100
A bug report in Debian has come to light for which I can find no other
information, and therefore I do not believe it has a CVE - but probably
From http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640028 :
"All released stable versions of the bcfg2-server contain several cases
where data from the client is used in a shell command without properly
escaping it first. The 1.2 prerelease series has been fixed.
"At least the SSHbase plugin has been confirmed as being exploitable.
This is a remote root hole, which requires that the SSHbase plugin is
enabled and that the attacker has control of a bcfg2 client machine."
A patch for the problem has been committed upstream and backported to
the 1.1 series.
Please CC me, I am not subscribed.
Jonathan Wiltshire jmw () debian org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
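
The flaw class quoted in the message above (client data placed in a shell command without escaping), as an added Python example that is not part of the original message and is not bcfg2 code. The `echo` command, the host names and all function names are assumptions constructed for illustration; the page does not show the affected command.

```python
import re
import shlex
import subprocess

# Constructed sample values; the page gives neither the command nor any input.
GOOD_NAME = "web01.example.org"
HOSTILE_NAME = "web01; echo INJECTED"

# Assumed allowlist: dot-separated DNS labels, nothing a shell treats specially.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

def validate_client_name(name):
    """Reject anything that is not a plain host name before it is used."""
    if len(name) > 253 or not HOSTNAME_RE.fullmatch(name):
        raise ValueError("rejected client name: %r" % name)
    return name

def _lines(proc):
    return proc.stdout.splitlines()

def run_unescaped(name):
    """Flawed pattern: client data pasted into a string the shell parses."""
    return _lines(subprocess.run("echo key-for %s" % name, shell=True,
                                 capture_output=True, text=True, check=True))

def run_quoted(name):
    """If a shell string is unavoidable, quote the value with shlex.quote."""
    cmd = "echo key-for %s" % shlex.quote(name)
    return _lines(subprocess.run(cmd, shell=True,
                                 capture_output=True, text=True, check=True))

def run_argv(name):
    """Preferred: validate, then pass an argv list so no shell is involved."""
    argv = ["echo", "key-for", validate_client_name(name)]
    return _lines(subprocess.run(argv, capture_output=True, text=True, check=True))

if __name__ == "__main__":
    print(run_unescaped(HOSTILE_NAME))  # the shell ran a second command
    print(run_quoted(HOSTILE_NAME))     # the value stayed a single argument
    print(run_argv(GOOD_NAME))
    try:
        run_argv(HOSTILE_NAME)
    except ValueError as exc:
        print(exc)
```
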