Overview Repositories Revisions Requests Users Attributes Meta
Security update for cobbler

This update for cobbler fixes the following issues:

- CVE-2021-45083: Fixed unsafe permissions on sensitive files (bsc#1193671).
- CVE-2021-45082: Fixed incomplete template sanitation (bsc#1193678).
- CVE-2021-40323, CVE-2021-40324, CVE-2021-40325: Fixed Remote Code Execution in the XMLRPC API which additionally allowed arbitrary file read and write as root (boo#1189458).

The following non-security bugs were fixed:

- Fix issues with installation module logging and validation (boo#1195918)
- Move configuration files ownership to apache (boo#1195906)
- Remove hardcoded test credentials (boo#1193673)
- Prevent log pollution (boo#1193675)
- Missing sanity check on MongoDB configuration file (boo#1193676)
- Avoid traceback when building tftp files for ppc arch system when boot_loader is not set (boo#1185679)
- Prevent some race conditions when writting tftpboot files and the destination directory is not existing (boo#1186124)
- Fix trail stripping in case of using UTF symbols (boo#1184561)

Fixed bugs
bnc#1189458
VUL-0: CVE-2021-40323,CVE-2021-40324,CVE-2021-40325: cobbler: 3.2.1 Critical Security Vulnerabilities
bnc#1193678
VUL-0: CVE-2021-45082: cobbler: incomplete template sanitization
bnc#1185679
bnc#1193673
AUDIT-FIND: COBBLER - hardcoded password for testing
bnc#1193675
AUDIT-FIND: COBBLER - log file pollution
bnc#1195906
bnc#1186124
bnc#1184561
bnc#1193676
AUDIT-FIND: COBBLER - Missing sanity check on server config file
bnc#1193671
VUL-0: CVE-2021-45083: cobbler, koan: unsafe permissions on sensitive files in /etc/cobbler
bnc#1195918
CVE-2021-45082
CVE-2021-40325
CVE-2021-45083
CVE-2021-40324
CVE-2021-40323
Selected Binaries
openSUSE Build Service is sponsored by
Places