- update to 3.3.3 (bsc#1051136):
  - Fixed CVE-2017-11610.  A vulnerability was found where an authenticated
    client can send a malicious XML-RPC request to ``supervisord`` that will
    run arbitrary shell commands on the server.  The commands will be run as
    the same user as ``supervisord``.  Depending on how ``supervisord`` has been
    configured, this may be root.  See
    https://github.com/Supervisor/supervisor/issues/964 for details.
  - Fixed a bug introduced in 3.3.0 where the ``supervisorctl reload`` command
    would crash ``supervisord`` with the error ``OSError: [Errno 9] Bad file
    descriptor`` if the ``kqueue`` poller was used.  Patch by Jared Suttles.
  - Fixed a bug introduced in 3.3.0 where ``supervisord`` could get stuck in a
    polling loop after the web interface was used, causing high CPU usage.
    Patch by Jared Suttles.
  - Fixed a bug where if ``supervisord`` attempted to start but aborted due to
    another running instance of ``supervisord`` with the same config, the
    pidfile of the running instance would be deleted.  Patch by coldnight.
  - Fixed a bug where ``supervisorctl fg`` would swallow most XML-RPC faults.
    ``fg`` now prints the fault and exits.
  - Parsing the config file will now fail with an error message if a process
    or group name contains a forward slash character (``/``) since it would
    break the URLs used by the web interface.
  - ``supervisorctl reload`` now shows an error message if an argument is
    given.  Patch by Joel Krauska.
  - ``supervisorctl`` commands ``avail``, ``reread``, and ``version`` now show
    an error message if an argument is given.

• Files Changed
• Browse Source