Bugzilla – Bug 1152987
VUL-0: CVE-2019-16328: python-rpyc: a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code
Last modified: 2020-10-27 16:01:29 UTC
CVE-2019-16328
In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.
Factory only, can't select that above. Played changelog bingo since no maintainer is assigned
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16328
http://www.cvedetails.com/cve/CVE-2019-16328/
https://rpyc.readthedocs.io/en/latest/docs/security.html
https://github.com/tomerfiliba/rpyc
Fixed version sent to Leap 15.1, and the fix is already in 15.2 and TW (I just updated the changelog to reflect it).
This is an autogenerated message for OBS integration:
This bug (1152987) was mentioned in
https://build.opensuse.org/request/show/805821 Factory / python-rpyc
https://build.opensuse.org/request/show/805822 15.2 / python-rpyc
https://build.opensuse.org/request/show/805823 15.1 / python-rpyc
openSUSE-SU-2020:0685-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1152987
CVE References: CVE-2019-16328
Sources used:
openSUSE Leap 15.1 (src): python-rpyc-4.1.5-lp151.3.3.1, python-rpyc-test-4.1.5-lp151.3.3.1
openSUSE-SU-2020:0763-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1152987
CVE References: CVE-2019-16328
Sources used:
openSUSE Backports SLE-15-SP1 (src): python-rpyc-4.1.5-bp151.2.3.1, python-rpyc-test-4.1.5-bp151.2.3.1
Done