Debian Security Advisory
DSA-2503-1 bcfg2 -- shell command injection
- Date Reported:
- 28 Jun 2012
- Affected Packages:
- bcfg2
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 679272.
In Mitre's CVE dictionary: CVE-2012-3366. - More information:
-
It was discovered that malicious clients can trick the server component of the Bcfg2 configuration management system to execute commands with root privileges.
For the stable distribution (squeeze), this problem has been fixed in version 1.0.1-3+squeeze2.
For the unstable distribution (sid), this problem has been fixed in version 1.2.2-2.
We recommend that you upgrade your bcfg2 packages.