* [Buildroot] [PATCH] supervisor: security bump to version 3.1.4
@ 2017-09-07 9:44 Peter Korsgaard
2017-09-09 20:49 ` Thomas Petazzoni
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Peter Korsgaard @ 2017-09-07 9:44 UTC (permalink / raw)
To: buildroot
Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x
before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote
authenticated users to execute arbitrary commands via a crafted XML-RPC
request, related to nested supervisord namespace lookups.
For more details, see
https://github.com/Supervisor/supervisor/issues/964
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/supervisor/supervisor.hash | 4 +++-
package/supervisor/supervisor.mk | 4 ++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/package/supervisor/supervisor.hash b/package/supervisor/supervisor.hash
index 03f337e7d0..0ebc663be9 100644
--- a/package/supervisor/supervisor.hash
+++ b/package/supervisor/supervisor.hash
@@ -1,2 +1,4 @@
# Locally calculated
-sha256 e32c546fe8d2a6e079ec4819c49fd24534d4075a58af39118d04367918b3c282 supervisor-3.1.3.tar.gz
+sha256 82f75089f719a7a3ca87f35c89a03c20fd3c0912552c96eb6fa40274ced6604e supervisor-3.1.4.tar.gz
+sha256 a85a622378c6a892ead1ce5d0488e446e106bf014d3b763fdbc1ad1ae38ee491 COPYRIGHT.txt
+sha256 27ba0b2357ed6974d755ed53232c5ab8595622b3111bb91682708ea188cc3696 LICENSES.txt
diff --git a/package/supervisor/supervisor.mk b/package/supervisor/supervisor.mk
index 4c62b66feb..9b93b449a7 100644
--- a/package/supervisor/supervisor.mk
+++ b/package/supervisor/supervisor.mk
@@ -4,8 +4,8 @@
#
################################################################################
-SUPERVISOR_VERSION = 3.1.3
-SUPERVISOR_SITE = http://pypi.python.org/packages/source/s/supervisor
+SUPERVISOR_VERSION = 3.1.4
+SUPERVISOR_SITE = https://pypi.python.org/packages/12/50/cd330d1a0daffbbe54803cb0c4c1ada892b5d66db08befac385122858eee
SUPERVISOR_LICENSE = BSD-like, rdflib (http_client.py), PSF (medusa), ZPL-2.1
SUPERVISOR_LICENSE_FILES = COPYRIGHT.txt LICENSES.txt
SUPERVISOR_SETUP_TYPE = setuptools
--
2.11.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] supervisor: security bump to version 3.1.4
2017-09-07 9:44 [Buildroot] [PATCH] supervisor: security bump to version 3.1.4 Peter Korsgaard
@ 2017-09-09 20:49 ` Thomas Petazzoni
2017-09-21 11:18 ` Peter Korsgaard
2017-10-16 21:53 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Thomas Petazzoni @ 2017-09-09 20:49 UTC (permalink / raw)
To: buildroot
Hello,
On Thu, 7 Sep 2017 11:44:59 +0200, Peter Korsgaard wrote:
> Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x
> before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote
> authenticated users to execute arbitrary commands via a crafted XML-RPC
> request, related to nested supervisord namespace lookups.
>
> For more details, see
> https://github.com/Supervisor/supervisor/issues/964
>
> While we're at it, add hashes for the license files.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/supervisor/supervisor.hash | 4 +++-
> package/supervisor/supervisor.mk | 4 ++--
> 2 files changed, 5 insertions(+), 3 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] supervisor: security bump to version 3.1.4
2017-09-07 9:44 [Buildroot] [PATCH] supervisor: security bump to version 3.1.4 Peter Korsgaard
2017-09-09 20:49 ` Thomas Petazzoni
@ 2017-09-21 11:18 ` Peter Korsgaard
2017-10-16 21:53 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2017-09-21 11:18 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x
> before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote
> authenticated users to execute arbitrary commands via a crafted XML-RPC
> request, related to nested supervisord namespace lookups.
> For more details, see
> https://github.com/Supervisor/supervisor/issues/964
> While we're at it, add hashes for the license files.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] supervisor: security bump to version 3.1.4
2017-09-07 9:44 [Buildroot] [PATCH] supervisor: security bump to version 3.1.4 Peter Korsgaard
2017-09-09 20:49 ` Thomas Petazzoni
2017-09-21 11:18 ` Peter Korsgaard
@ 2017-10-16 21:53 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2017-10-16 21:53 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x
> before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote
> authenticated users to execute arbitrary commands via a crafted XML-RPC
> request, related to nested supervisord namespace lookups.
> For more details, see
> https://github.com/Supervisor/supervisor/issues/964
> While we're at it, add hashes for the license files.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.08.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-10-16 21:53 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-09-07 9:44 [Buildroot] [PATCH] supervisor: security bump to version 3.1.4 Peter Korsgaard
2017-09-09 20:49 ` Thomas Petazzoni
2017-09-21 11:18 ` Peter Korsgaard
2017-10-16 21:53 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox