--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-3a640d3d4c
2021-09-29 00:16:07.673853
--------------------------------------------------------------------------------

Name        : cobbler
Product     : Fedora 35
Version     : 3.2.2
Release     : 2.fc35
URL         : https://cobbler.github.io/
Summary     : Boot server configurator
Description :
Cobbler is a network install server.  Cobbler supports PXE, ISO
virtualized installs, and re-installing existing Linux machines.
The last two modes use a helper tool, 'koan', that integrates with
cobbler.  There is also a web interface 'cobbler-web'.  Cobbler's
advanced features include importing distributions from DVDs and rsync
mirrors, kickstart templating, integrated yum mirroring, and built-in
DHCP/DNS Management.  Cobbler has a XML-RPC API for integration with
other applications.

--------------------------------------------------------------------------------
Update Information:

*    Migrate settings to settings.yaml
*    Migrate pre-cobbler 3 data if needed
*    Fix autoinstall_templates -> templates

----

Update to 3.2.2

New:
---
*    Signatures: Add ESXi 7.0 U1 #2525 #2526 #2442
*    AlmaLinux & RockyLinux are now supported
*    Signatures: Add generic openSUSE Leap 15 #2508
*    Settings: Use .yaml as a file extension #2531
*    Settings: Validate what settings we have in the YAML-File #2533 #2419 #2530
*    Modules: We now support automatic Windows installations #2466
*    Docs: Terraform provider now included #2166 #2528

Changes:
-----
*    Web Frontend: Show VMware as a breed #2449
*    Logging check fails with SELinux #2440 #2441
*    Typing: Convert docstring types to typing types #2564
*    ESXi Support: Now partly supported #2541
*    ipmitool now is upstream supported by fence_agents via ipmilanplus #2542
*    cobbler version remove the b prefix #2543
*    We are now using inst.ks instead of ks #2534
*    Use the python-file bindings instead of a subprocess call #2482 #2480
*    Web Interface: Make new user management more obvious #2484

Bugfixes:
-----
*    Remove redundant .json suffix: #2451 #2376 #2545 #2529
*    PAM Authentication failures are fixed now: #2400 #2444
*    Templating: Fix Cheetah macros #2570 #2509 #2403
*    Templating: Fix regex replacements #2513
*    Templating: Add http_port to all snippets we are aware of #2058
*    API: Have the legacy fields kickstart and ks_meta present at all times. #2311 #2568
*    Replicate: revert_strip_none prior adding an object on replicate #2548 #2505
*    Replicate: Fix paths during replication #2516
*    Web interface: Fix snippet path #2520
*    Web interface: Prevent duplicate pathing of snippets #2485
*    Fix script path from Cobbler #2479 #2478
*    Settings: Add missing rsync flags option #2467 #2468
*    Startup: Cobbler starts with sub-profiles now #2259 #2450
*    Web: Permissions for /var/lib/cobbler/web.ss #2439 #2452
*    Power management: Follow the fence_agent return codes #1491
*    cobbler check: Fix dnsmasq check #2155

Other:
----
*    Cleanup unused import #2551
*    Docs: Improvements at various places #2547 #2481 #2473 #1801 #2228
*    Removed unused multi-language support #2532
*    Un-categorized improvements #2524 #2464
*    Items: Streamline template_types type in all items #2262

Breaking Changes:
----
*    Possibly the settings file is not correctly migrated and needs to be manually adjusted.
*    Rename settings to settings.yaml
*    Add all keys which are missing. List will be available in /var/log/cobbler/cobbler.log.
*    We dropped support for CentOS 7 since no full Python 3 stack is available #2515

Fedora
---
*    bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection
*    bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function
*    bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 23 2021 Orion Poplawski  - 3.2.2-2
- Migrate settings to settings.yaml
- Migrate pre-cobbler 3 data if needed
- Fix autoinstall_templates -> templates
* Thu Sep 23 2021 Orion Poplawski  - 3.2.2-1
- Update to 3.2.2
- bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection
- bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function
- bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings
* Wed Sep 22 2021 Orion Poplawski  - 3.2.1-1
- Update to 3.2.1
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2006840 - CVE-2021-40323 cobbler: Arbitrary File Disclosure/Template Injection via generate_script RPC method
        https://bugzilla.redhat.com/show_bug.cgi?id=2006840
  [ 2 ] Bug #2006897 - CVE-2021-40324 cobbler: Arbitrary file write via upload_log_data XMLRPC function
        https://bugzilla.redhat.com/show_bug.cgi?id=2006897
  [ 3 ] Bug #2006904 - CVE-2021-40325 cobbler: Authorization bypass allows modifying settings
        https://bugzilla.redhat.com/show_bug.cgi?id=2006904
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-3a640d3d4c' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------