File _patchinfo of Package patchinfo

<patchinfo incident="17400">
  <issue tracker="bnc" id="1189458">VUL-0: CVE-2021-40323,CVE-2021-40324,CVE-2021-40325: cobbler: 3.2.1 Critical Security Vulnerabilities</issue>
  <issue tracker="bnc" id="1193678">VUL-0: CVE-2021-45082: cobbler: incomplete template sanitization</issue>
  <issue tracker="bnc" id="1185679"></issue>
  <issue tracker="bnc" id="1193673"></issue>
  <issue tracker="bnc" id="1193675"></issue>
  <issue tracker="bnc" id="1195906"></issue>
  <issue tracker="bnc" id="1186124"></issue>
  <issue tracker="bnc" id="1184561"></issue>
  <issue tracker="bnc" id="1193676"></issue>
  <issue tracker="bnc" id="1193671">VUL-0: CVE-2021-45083: cobbler, koan: unsafe permissions on sensitive files in /etc/cobbler</issue>
  <issue tracker="bnc" id="1195918"></issue>
  <issue tracker="cve" id="2021-45082"/>
  <issue tracker="cve" id="2021-40325"/>
  <issue tracker="cve" id="2021-45083"/>
  <issue tracker="cve" id="2021-40324"/>
  <issue tracker="cve" id="2021-40323"/>
  <packager>agraul</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for cobbler</summary>
  <description>This update for cobbler fixes the following issues:

- CVE-2021-45083: Fixed unsafe permissions on sensitive files (bsc#1193671).
- CVE-2021-45082: Fixed incomplete template sanitization (bsc#1193678).
- CVE-2021-40323, CVE-2021-40324, CVE-2021-40325: Fixed Remote Code Execution in the XMLRPC API which additionally allowed arbitrary file read and write as root (boo#1189458).

The following non-security bugs were fixed:

- Fix issues with installation module logging and validation (boo#1195918)
- Move configuration files ownership to apache (boo#1195906)
- Remove hardcoded test credentials (boo#1193673)
- Prevent log pollution (boo#1193675)
- Missing sanity check on MongoDB configuration file (boo#1193676)
- Avoid traceback when building tftp files for ppc arch system when boot_loader is not set (boo#1185679)
- Prevent some race conditions when writing tftpboot files and the destination directory does not exist (boo#1186124)
- Fix trail stripping in case of using UTF symbols (boo#1184561)
</description>
</patchinfo>