Description
Security update for cobbler
This update for cobbler fixes the following issues:
Update to 3.3.7:
- Security: Fix issue that allowed anyone to connect to the API as admin (CVE-2024-47533, boo#1231332)
- bind: Fix bug that prevented CNAME entries from being generated successfully
- Fix build on RHEL9-based distributions (fence-agents-all split)
- Fix for Windows systems
- Docs: Add missing dependencies for source installation
- Fix issue that prevented systems from being synced when the profile was edited
Update to 3.3.6:
- Upstream all openSUSE specific patches that were maintained in Git
- Fix rename of items that had uppercase letters
- Skip inconsistent collections instead of crashing the daemon
Update to 3.3.5:
- Added collection indices for UUIDs, MACs, IP addresses and hostnames (boo#1219933)
- Re-added to_dict() caching
- Added lazy loading for the daemon (off by default)
Update to 3.3.4:
- Added cobbler-tests-containers subpackage
- Updated the distro_signatures.json database
- The default name for grub2-efi changed to grubx64.efi to match the DHCP template
- Generate boot menus even if there are no profiles or systems (local boot only)
- Avoid crashing when running buildiso in certain conditions
- Fix settings migration schema to work while upgrading on existing running Uyuni and SUSE Manager servers running with old Cobbler settings (boo#1203478)
- Consider the case of 'next_server' being a hostname during migration of Cobbler collections
- Fix problem with the 'proxy_url_ext' setting being of None type
- Update v2 to v3 migration script to allow migration of collections that contain settings from Cobbler 2 (boo#1203478)
- Fix problem for the migration of the 'autoinstall' collection attribute
- Fix failing Cobbler tests after upgrading to 3.3.3
- Fix regression: allow empty string as interface_type value (boo#1203478)
- Avoid possible override of existing values during migration of collections to 3.0.0 (boo#1206160)
- Add missing code for previous patch file around boot_loaders migration
- Improve Cobbler performance with item cache and threadpool (boo#1205489)
- Skip collections that are inconsistent instead of crashing (boo#1205749)
- Items: Fix creation of 'default' NetworkInterface (boo#1206520)
- S390X systems require their kernel options to have a line break at 79 characters (boo#1207595)
- settings-migration-v1-to-v2.sh will now handle paths with whitespace correctly
- Fix renaming Cobbler items (boo#1204900, boo#1209149)
- Fix cobbler buildiso so that the artifact can be booted by EFI firmware (boo#1206060)
- Add input_string_*, input_boolean and input_int functions to the public API
Package list
SUSE Package Hub 15 SP5
openSUSE Leap 15.5
References
- E-Mail link for openSUSE-SU-2024:0382-1
- SUSE Security Ratings
- SUSE Bug 1203478
- SUSE Bug 1204900
- SUSE Bug 1205489
- SUSE Bug 1205749
- SUSE Bug 1206060
- SUSE Bug 1206160
- SUSE Bug 1206520
- SUSE Bug 1207595
- SUSE Bug 1209149
- SUSE Bug 1219933
- SUSE Bug 1231332
- SUSE CVE CVE-2024-47533 page
Description
Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.
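The failure mode behind this CVE, a secret loader whose error sentinel (-1) is accepted as a valid credential, modelled as an added example in Python. This is constructed illustrative code, not Cobbler's own; the function names and the `secret_source` callable (which stands in for reading the shared-secret file and raises OSError when it is unavailable) are assumptions, and the fixed variant shows the fail-closed shape a defender would verify is in place.

```python
# Constructed model of the CVE-2024-47533 failure mode: an error sentinel that
# doubles as a credential. Not Cobbler's code; names and the secret_source
# callable are assumptions made for this illustration.
import secrets
from typing import Callable, Optional, Union


def missing_secret() -> str:
    """Stand-in for a shared-secret file that cannot be read."""
    raise OSError("web.ss not readable")


def constant_secret(value: str) -> Callable[[], str]:
    """Stand-in for a shared-secret file whose content is `value`."""
    return lambda: value


def get_shared_secret_vulnerable(secret_source: Callable[[], str]) -> Union[str, int]:
    """Vulnerable shape: -1 on failure, indistinguishable from a real secret."""
    try:
        return secret_source().strip()
    except OSError:
        return -1


def login_vulnerable(user: str, password: Union[str, int],
                     secret_source: Callable[[], str]) -> bool:
    """Accepts whatever the loader returned as the password, so when loading
    fails, user '' with password -1 passes the shared-secret check."""
    return password == get_shared_secret_vulnerable(secret_source)


def get_shared_secret_fixed(secret_source: Callable[[], str]) -> Optional[str]:
    """Fixed shape: None when unavailable; an empty secret is also unusable."""
    try:
        return secret_source().strip() or None
    except OSError:
        return None


def login_fixed(user: str, password: Union[str, int],
                secret_source: Callable[[], str]) -> bool:
    """Fails closed without a secret, accepts only string passwords, and
    compares in constant time."""
    secret = get_shared_secret_fixed(secret_source)
    if secret is None or not isinstance(password, str):
        return False
    return secrets.compare_digest(password.encode(), secret.encode())
```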
Affected products
References
- CVE-2024-47533
- SUSE Bug 1231332