Candidate: CVE-2016-4972
PublicDate: 2016-09-26 16:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4972
 https://marc.info/?l=oss-security&m=146670562610827&w=2
Description:
 OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828062
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828063
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828064
Priority: medium
Discovered-by: Kirill Zaitsev
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_murano:
upstream_murano: needed
precise_murano: DNE
precise/esm_murano: DNE
trusty_murano: DNE
trusty/esm_murano: DNE
vivid/stable-phone-overlay_murano: DNE
vivid/ubuntu-core_murano: DNE
wily_murano: ignored (reached end-of-life)
xenial_murano: ignored (end of standard support, was needed)
yakkety_murano: ignored (reached end-of-life)
zesty_murano: ignored (reached end-of-life)
artful_murano: ignored (reached end-of-life)
bionic_murano: not-affected (1:3.0.0~b1-2)
cosmic_murano: not-affected (1:3.0.0~b1-2)
disco_murano: not-affected (1:3.0.0~b1-2)
eoan_murano: not-affected (1:3.0.0~b1-2)
focal_murano: not-affected (1:3.0.0~b1-2)
groovy_murano: not-affected (1:3.0.0~b1-2)
hirsute_murano: not-affected (1:3.0.0~b1-2)
impish_murano: not-affected (1:3.0.0~b1-2)
jammy_murano: not-affected (1:3.0.0~b1-2)
devel_murano: not-affected (1:3.0.0~b1-2)

Patches_python-muranoclient:
upstream_python-muranoclient: needed
precise_python-muranoclient: DNE
precise/esm_python-muranoclient: DNE
trusty_python-muranoclient: DNE
trusty/esm_python-muranoclient: DNE
vivid/stable-phone-overlay_python-muranoclient: DNE
vivid/ubuntu-core_python-muranoclient: DNE
wily_python-muranoclient: ignored (reached end-of-life)
xenial_python-muranoclient: ignored (end of standard support, was needed)
yakkety_python-muranoclient: ignored (reached end-of-life)
zesty_python-muranoclient: ignored (reached end-of-life)
artful_python-muranoclient: ignored (reached end-of-life)
bionic_python-muranoclient: not-affected (0.8.4-1)
cosmic_python-muranoclient: not-affected (0.8.4-1)
disco_python-muranoclient: not-affected (0.8.4-1)
eoan_python-muranoclient: not-affected (0.8.4-1)
focal_python-muranoclient: not-affected (0.8.4-1)
groovy_python-muranoclient: not-affected (0.8.4-1)
hirsute_python-muranoclient: not-affected (0.8.4-1)
impish_python-muranoclient: not-affected (0.8.4-1)
jammy_python-muranoclient: not-affected (0.8.4-1)
devel_python-muranoclient: not-affected (0.8.4-1)

Patches_murano-dashboard:
upstream_murano-dashboard: needed
precise_murano-dashboard: DNE
precise/esm_murano-dashboard: DNE
trusty_murano-dashboard: DNE
trusty/esm_murano-dashboard: DNE
vivid/stable-phone-overlay_murano-dashboard: DNE
vivid/ubuntu-core_murano-dashboard: DNE
wily_murano-dashboard: ignored (reached end-of-life)
xenial_murano-dashboard: ignored (end of standard support, was needed)
yakkety_murano-dashboard: ignored (reached end-of-life)
zesty_murano-dashboard: ignored (reached end-of-life)
artful_murano-dashboard: ignored (reached end-of-life)
bionic_murano-dashboard: not-affected (1:2.0.0-5)
cosmic_murano-dashboard: not-affected (1:2.0.0-5)
disco_murano-dashboard: not-affected (1:2.0.0-5)
eoan_murano-dashboard: not-affected (1:2.0.0-5)
focal_murano-dashboard: not-affected (1:2.0.0-5)
groovy_murano-dashboard: not-affected (1:2.0.0-5)
hirsute_murano-dashboard: not-affected (1:2.0.0-5)
impish_murano-dashboard: not-affected (1:2.0.0-5)
jammy_murano-dashboard: not-affected (1:2.0.0-5)
devel_murano-dashboard: not-affected (1:2.0.0-5)