
Fedora 35 Security Update: Moderate Cobbler Issues Resolved and Improved

fedora
September 28, 2021
A major update to Fedora's cobbler package that fixes multiple vulnerabilities and brings in upstream improvements.

Summary

Cobbler is a network install server. Cobbler supports PXE, ISO virtualized installs, and re-installing existing Linux machines. The last two modes use a helper tool, 'koan', that integrates with cobbler. There is also a web interface 'cobbler-web'. Cobbler's advanced features include importing distributions from DVDs and rsync mirrors, kickstart templating, integrated yum mirroring, and built-in DHCP/DNS management. Cobbler has an XML-RPC API for integration with other applications.

* Migrate settings to settings.yaml
* Migrate pre-cobbler 3 data if needed
* Fix autoinstall_templates -> templates

----
Update to 3.2.2

New:
---
* Signatures: Add ESXi 7.0 U1 #2525 #2526 #2442
* AlmaLinux & RockyLinux are now supported
* Signatures: Add generic openSUSE Leap 15 #2508
* Settings: Use .yaml as a file extension #2531
* Settings: Validate what settings we have in the YAML-File #2533 #2419 #2530
* Modules: We now support automatic Windows installations #2466
* Docs: Terraform provider now included #2166 #2528

Changes:
-----
* Web Frontend: Show VMware as a breed #2449
* Logging check fails with SELinux #2440 #2441
* Typing: Convert docstring types to typing types #2564
* ESXi Support: Now partly supported #2541
* ipmitool now is upstream supported by fence_agents via ipmilanplus #2542
* cobbler version remove the b prefix #2543
* We are now using inst.ks instead of ks #2534
* Use the python-file bindings instead of a subprocess call #2482 #2480
* Web Interface: Make new user management more obvious #2484

Bugfixes:
-----
* Remove redundant .json suffix: #2451 #2376 #2545 #2529
* PAM Authentication failures are fixed now: #2400 #2444
* Templating: Fix Cheetah macros #2570 #2509 #2403
* Templating: Fix regex replacements #2513
* Templating: Add http_port to all snippets we are aware of #2058
* API: Have the legacy fields kickstart and ks_meta present at all times. #2311 #2568
* Replicate: revert_strip_none prior adding an object on replicate #2548 #2505
* Replicate: Fix paths during replication #2516
* Web interface: Fix snippet path #2520
* Web interface: Prevent duplicate pathing of snippets #2485
* Fix script path from Cobbler #2479 #2478
* Settings: Add missing rsync flags option #2467 #2468
* Startup: Cobbler starts with sub-profiles now #2259 #2450
* Web: Permissions for /var/lib/cobbler/web.ss #2439 #2452
* Power management: Follow the fence_agent return codes #1491
* cobbler check: Fix dnsmasq check #2155

Other:
----
* Cleanup unused import #2551
* Docs: Improvements at various places #2547 #2481 #2473 #1801 #2228
* Removed unused multi-language support #2532
* Un-categorized improvements #2524 #2464
* Items: Streamline template_types type in all items #2262

Breaking Changes:
----
* Possibly the settings file is not correctly migrated and needs to be manually adjusted.
* Rename settings to settings.yaml
* Add all keys which are missing. List will be available in /var/log/cobbler/cobbler.log.
* We dropped support for CentOS 7 since no full Python 3 stack is available #2515

Fedora
---
* bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection
* bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function
* bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings

Change Log

* Thu Sep 23 2021 Orion Poplawski - 3.2.2-2
- Migrate settings to settings.yaml
- Migrate pre-cobbler 3 data if needed
- Fix autoinstall_templates -> templates

* Thu Sep 23 2021 Orion Poplawski - 3.2.2-1
- Update to 3.2.2
- bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection
- bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function
- bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings

* Wed Sep 22 2021 Orion Poplawski - 3.2.1-1
- Update to 3.2.1

References

[ 1 ] Bug #2006840 - CVE-2021-40323 cobbler: Arbitrary File Disclosure/Template Injection via generate_script RPC method
https://bugzilla.redhat.com/show_bug.cgi?id=2006840

[ 2 ] Bug #2006897 - CVE-2021-40324 cobbler: Arbitrary file write via upload_log_data XMLRPC function
https://bugzilla.redhat.com/show_bug.cgi?id=2006897

[ 3 ] Bug #2006904 - CVE-2021-40325 cobbler: Authorization bypass allows modifying settings
https://bugzilla.redhat.com/show_bug.cgi?id=2006904

Update Instructions

Run the following at the command line:

su -c 'dnf upgrade --advisory FEDORA-2021-3a640d3d4c'

For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html
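As an added example (not part of the Fedora advisory), the POSIX shell check below reports whether an installed cobbler version-release predates the fixed build 3.2.2-2.fc35 named by FEDORA-2021-3a640d3d4c; it uses GNU sort -V as an approximation of rpm's own comparison, and the rpm query runs only when check_host is invoked on a real system.

```shell
#!/bin/sh
# Added example, not part of the Fedora advisory: report whether an installed
# cobbler package predates the fixed build from FEDORA-2021-3a640d3d4c.
FIXED_VR="3.2.2-2.fc35"          # VERSION-RELEASE shipped by this advisory
ADVISORY="FEDORA-2021-3a640d3d4c"

# vr_older_than A B: succeed if version-release A sorts before B.
# GNU 'sort -V' orders the dotted numeric components as needed for these
# strings; it approximates rpm's comparison and does not consider Epoch.
vr_older_than() {
    [ "$1" != "$2" ] || return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# cobbler_status VR: print "vulnerable" when VR predates the fix, else "fixed".
cobbler_status() {
    if vr_older_than "$1" "$FIXED_VR"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# check_host: query the local RPM database and say what to do next.
# Returns 2 when cobbler is not installed (nothing to patch), 1 when the
# installed build is older than the fix, 0 when it is already fixed.
check_host() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' cobbler 2>/dev/null) || {
        echo "cobbler is not installed"; return 2; }
    status=$(cobbler_status "$vr")
    echo "cobbler $vr: $status"
    if [ "$status" = vulnerable ]; then
        echo "apply the fix with: su -c 'dnf upgrade --advisory $ADVISORY'"
        return 1
    fi
}

# Only touch the host when run as "./script.sh --host"; otherwise the functions
# can be sourced and exercised on constructed version strings.
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```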

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


Product: Fedora 35
Version: 3.2.2
Release: 2.fc35
Summary: Boot server configurator
