Описание
Security update for cobbler
This update for cobbler fixes the following issues:
Update to 3.3.7
- Security: Fix issue that allowed anyone to connect to the API as admin (CVE-2024-47533, boo#1231332)
- bind - Fix bug that prevents cname entries from being generated successfully
- Fix build on RHEL9 based distributions (fence-agents-all split)
- Fix for Windows systems
- Docs: Add missing dependencies for source installation
- Fix issue that prevented systems from being synced when the profile was edited
Список пакетов
SUSE Package Hub 15 SP6
cobbler-3.3.7-bp156.2.6.1
cobbler-tests-3.3.7-bp156.2.6.1
cobbler-tests-containers-3.3.7-bp156.2.6.1
openSUSE Leap 15.6
cobbler-3.3.7-bp156.2.6.1
cobbler-tests-3.3.7-bp156.2.6.1
cobbler-tests-containers-3.3.7-bp156.2.6.1
Ссылки
- E-Mail link for openSUSE-SU-2024:0370-1
- SUSE Security Ratings
- SUSE Bug 1231332
- SUSE CVE CVE-2024-47533 page
Описание
Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.
Затронутые продукты
SUSE Package Hub 15 SP6:cobbler-3.3.7-bp156.2.6.1
SUSE Package Hub 15 SP6:cobbler-tests-3.3.7-bp156.2.6.1
SUSE Package Hub 15 SP6:cobbler-tests-containers-3.3.7-bp156.2.6.1
openSUSE Leap 15.6:cobbler-3.3.7-bp156.2.6.1
Ссылки
- CVE-2024-47533
- SUSE Bug 1231332