Security Information / 2012 / Security Information -- DSA-2503-1 bcfg2

Debian Security Advisory

DSA-2503-1 bcfg2 -- shell command injection

Date Reported:

28 Jun 2012

Affected Packages:

bcfg2

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 679272.
In Mitre's CVE dictionary: CVE-2012-3366.

More information:

It was discovered that malicious clients can trick the server component of the Bcfg2 configuration management system to execute commands with root privileges.

For the stable distribution (squeeze), this problem has been fixed in version 1.0.1-3+squeeze2.

For the unstable distribution (sid), this problem has been fixed in version 1.2.2-2.

We recommend that you upgrade your bcfg2 packages.