CVE-2016-4972

Name	CVE-2016-4972
Description	OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	828062, 828063, 828064

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
murano (PTS)	buster	1:6.0.0-2	fixed
	bullseye	1:10.0.0-1	fixed
	bookworm	1:14.0.0-3	fixed
	sid, trixie	1:16.0.0-1	fixed
murano-dashboard (PTS)	buster	1:6.0.0-3	fixed
	bullseye	1:10.0.0-2	fixed
	bookworm	1:14.0.0-1	fixed
	sid, trixie	1:16.0.0-1	fixed
python-muranoclient (PTS)	buster	1.1.1-2	fixed
	bullseye	2.1.1-2	fixed
	bookworm	2.5.0-2	fixed
	sid, trixie	2.8.0-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
murano	source	(unstable)	1:2.0.1-1	828062
murano-dashboard	source	(unstable)	1:2.0.0-5	828064
python-muranoclient	source	(unstable)	0.8.3-4	828063

Notes

Affects: Murano: <=2015.1.1; <=1.0.2; ==2.0.0
Affects: Murano-dashboard: <=2015.1.1; <=1.0.2; ==2.0.0
Affects: Python-muranoclient: <=0.7.2; >=0.8.0<=0.8.4