[ANNOUNCE] CVE-2015-5350: Garden Nstar vulnerability

Chip Childers <cchilders@...>

CVE-2015-5350: Garden Nstar vulnerability

Severity:

Cloud Foundry Foundation

Versions Affected:

Garden versions 0.22.0-0.329.0

A vulnerability has been discovered in the garden-linux nstar executable
that allows access to files on the host system. By staging an application
on Cloud Foundry using Diego and Garden installations with a malicious
custom buildpack, an end user could read files on the host system that the
BOSH-created vcap user has permission to read and then package them into
their app droplet. The exposure is therefore bounded by what the vcap user
can read on the Diego cell host, not by what is visible inside the
application's container.
Affected Cloud Foundry Products and Versions:

All Garden versions prior to v0.330.0

The Cloud Foundry project recommends that Cloud Foundry Deployments
using Diego and Garden upgrade to Garden Linux Release v0.330.0 or higher.
Diego release v0.1444.0 includes Garden Linux v0.330.0.
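The following script is an added example, not part of this advisory or of any Cloud Foundry project code. It reads the releases: block of a BOSH deployment manifest and reports whether the deployed garden-linux release falls below the fixed version v0.330.0, and whether the deployed diego release predates v0.1444.0 (the first Diego release bundling the fix). The manifest snippet is constructed for illustration, and the release names "garden-linux" and "diego" are assumptions about how the releases are named in a given manifest; adjust them to match your deployment.

```python
"""Check a BOSH deployment manifest for a Garden Linux release affected by
CVE-2015-5350 (all Garden versions prior to v0.330.0; Diego v0.1444.0 is the
first Diego release that bundles Garden Linux v0.330.0).

Added example, not part of the advisory or of any Cloud Foundry project.
The manifest below is constructed; the release names are assumptions.
"""
import re
from typing import Dict, List, Tuple

FIXED_GARDEN = (0, 330, 0)      # first Garden Linux version with the fix
FIRST_FIXED_DIEGO = (0, 1444, 0)  # first Diego release bundling that Garden

# Constructed sample manifest (not from a real deployment).
SAMPLE_MANIFEST = """\
name: cf-diego
releases:
- name: diego
  version: 0.1439.0
- name: garden-linux
  version: 0.327.0
- name: etcd
  version: 18
jobs: []
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v0.330.0', '0.329.0+dev.3', '18' into a comparable int tuple."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '0.330' compares as '0.330.0'


def garden_is_affected(version: str) -> bool:
    """Affected if strictly below the fixed Garden Linux version v0.330.0."""
    return parse_version(version) < FIXED_GARDEN


def diego_bundles_fix(version: str) -> bool:
    """True when the Diego release is v0.1444.0 or later."""
    return parse_version(version) >= FIRST_FIXED_DIEGO


def releases_from_manifest(manifest: str) -> Dict[str, str]:
    """Extract name -> version from the top-level 'releases:' list.

    Minimal line-based parse (no YAML library) that assumes the usual
    '- name: X' / '  version: Y' layout of a BOSH manifest.
    """
    releases: Dict[str, str] = {}
    current = None
    in_releases = False
    for raw in manifest.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and not line.startswith("-"):
            # A new top-level key: only 'releases:' opens the section we want.
            in_releases = line.strip() == "releases:"
            current = None
            continue
        if not in_releases:
            continue
        item = line.strip().lstrip("- ").strip()
        key, _, value = item.partition(":")
        key, value = key.strip(), value.strip().strip("'\"")
        if key == "name":
            current = value
            releases.setdefault(current, "")
        elif key == "version" and current is not None:
            releases[current] = value
    return releases


def assess(manifest: str) -> Dict[str, object]:
    """Return {'affected': bool, 'findings': [...]} for one manifest."""
    rels = releases_from_manifest(manifest)
    findings: List[str] = []
    affected = False
    garden = rels.get("garden-linux")  # assumed release name
    if garden is None:
        findings.append("no garden-linux release found; not a Diego/Garden deployment?")
    elif garden_is_affected(garden):
        affected = True
        findings.append(f"garden-linux {garden} is affected by CVE-2015-5350; "
                        "upgrade to v0.330.0 or later")
    else:
        findings.append(f"garden-linux {garden} is at or above the fixed version v0.330.0")
    diego = rels.get("diego")  # assumed release name
    if diego is not None and not diego_bundles_fix(diego):
        findings.append(f"diego {diego} predates v0.1444.0, the first Diego release "
                        "bundling Garden Linux v0.330.0")
    return {"affected": affected, "findings": findings}


if __name__ == "__main__":
    for line in assess(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

Run it against the manifest you actually deploy (for example by reading the file into assess()) rather than the constructed sample; the version comparison is numeric, so a pre-release suffix such as "+dev.3" is ignored and the base version decides the verdict.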


Credit:

Julian Friedman, Will Pragnell, Eric Malm

References:

Cloud Foundry:

* Garden-Linux-Release

* Diego-Release <https://github.com/cloudfoundry-incubator/diego-release>
