[USN-7465-1] Mistral vulnerabilities

Hlib Korzhynskyy hlib.korzhynskyy at canonical.com
Mon Apr 28 17:38:28 UTC 2025 

==========================================================================
Ubuntu Security Notice USN-7465-1
April 28, 2025

mistral, python-mistral-lib vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Mistral.

Software Description:
- mistral: OpenStack Workflow service - API
- python-mistral-lib: Mistral shared routines and utilities

Details:

It was discovered that Mistral incorrectly handled nested anchors in YAML
files. An attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-16848)

Pierre Gaxatte discovered that Mistral incorrectly handled erroneous SSH
private key filename commands. An attacker could possibly use this issue to
expose sensitive information. (CVE-2018-16849)

It was discovered that Mistral incorrectly handled the permissions of
sensitive log files. An attacker could possibly use this issue to expose
sensitive information. This issue only affected Ubuntu 18.04 LTS.
(CVE-2019-3866)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
   mistral-api                     6.0.0-0ubuntu1.1+esm1
                                   Available with Ubuntu Pro
   python-mistral                  6.0.0-0ubuntu1.1+esm1
                                   Available with Ubuntu Pro
   python-mistral-lib              0.4.0-0ubuntu1+esm1
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS
   mistral-api                     2.0.0-1ubuntu2+esm1
                                   Available with Ubuntu Pro
   python-mistral                  2.0.0-1ubuntu2+esm1
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7465-1
   CVE-2018-16848, CVE-2018-16849, CVE-2019-3866

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20250428/336b65a6/attachment.sig>

More information about the ubuntu-security-announce mailing list