Linux Security
    Linux Security
    Linux Security

    openSUSE: 2021:0046-1 moderate: cobbler

    Date 11 Jan 2021
    281
    Posted By LinuxSecurity Advisories
    An update that solves 6 vulnerabilities and has 58 fixes is now available.
    
       openSUSE Security Update: Security update for cobbler
    ______________________________________________________________________________
    
    Announcement ID:    openSUSE-SU-2021:0046-1
    Rating:             moderate
    References:         #1020376 #1029276 #1048183 #1074594 #1075014 
                        #1081714 #1081739 #1090205 #1097733 #1101670 
                        #1104189 #1104190 #1104287 #1105440 #1105442 
                        #1113747 #1128754 #1128926 #1130658 #1134588 
                        #1149075 #1151875 #1156574 #1159010 #1169207 
                        #1169553 #1169779 #1170462 #660126 #671212 
                        #672471 #682665 #687891 #695955 #714618 #722443 
                        #722445 #757062 #763610 #783671 #790545 #796773 
                        #811025 #812948 #842699 #846580 #869371 #884051 
                        #924118 #952844 #956264 #966622 #966841 #967523 
                        #968406 #969538 #969541 #973413 #973418 #976826 
                        #980577 #984998 #986978 #988889 
    Cross-References:   CVE-2011-4953 CVE-2012-2395 CVE-2017-1000469
                        CVE-2018-1000225 CVE-2018-1000226 CVE-2018-10931
                       
    Affected Products:
                        openSUSE Leap 15.2
    ______________________________________________________________________________
    
       An update that solves 6 vulnerabilities and has 58 fixes is
       now available.
    
    Description:
    
       This update for cobbler fixes the following issues:
    
       - Add cobbler-tests subpackage for unit testing for openSUSE/SLE
       - Adds LoadModule definitions for openSUSE/SLE
       - Switch to new refactored auth module.
    
       - use systemctl to restart cobblerd on logfile rotation (boo#1169207)
         Mainline logrotate conf file uses already /sbin/service instead of
         outdated: /etc/init.d/cobblerd
       - Fix cobbler sync for DHCP or DNS (boo#1169553) Fixed mainline by commit
         2d6cfe42da
       - Signatures file now uses "default_autoinstall" which fixes import
         problem happening with some distributions (boo#1159010)
    
       - Fix for kernel and initrd detection (boo#1159010)
    
       - New:
         * For the distro there is now a parameter remote_boot_initrd and
           remote_boot_kernel ()
         * For the profile there is now a parameter filename for DHCP. (#2280)
         * Signatures for ESXi 6 and 7 (#2308)
         * The hardlink command is now detected more dynamically and thus more
           error resistant (#2297)
         * HTTPBoot will now work in some cases out of the bug. (#2295)
         * Additional DNS query for a case where the wrong record was queried in
           the nsupdate system case (#2285)
       - Changes:
         * Enabled a lot of tests, removed some and implemented new. (#2202)
         * Removed not used files from the codebase. (#2302)
         * Exchanged mkisofs to xorrisofs. (#2296)
         * Removed duplicate code. (#2224)
         * Removed unreachable code. (#2223)
         * Snippet creation and deletion now works again via xmlrpc. (#2244)
         * Replace createrepo with createrepo_c. (#2266)
         * Enable Kerberos through having a case sensitive users.conf. (#2272)
       - Bugfixes:
         * General various Bugfixes (#2331, )
         * Makefile usage and commands. (#2344, #2304)
         * Fix the dhcp template. (#2314)
         * Creation of the management classes and gPXE. (#2310)
         * Fix the scm_track module. (#2275, #2279)
         * Fix passing the netdevice parameter correctly to the linuxrc. (#2263)
         * powerstatus from cobbler now works thanks to a wrapper for ipmitool.
           (#2267)
         * In case the LDAP is used for auth, it now works with ADs. (#2274)
         * Fix passthru authentication. (#2271)
       - Other:
         * Add Codecov. (#2229)
         * Documentation updates. (#2333, #2326, #2305, #2249, #2268)
         * Buildprocess:
           *  Recreation and cleanup of Grub2. (#2278)
           *  Fix small errors for openSUSE Leap. (#2233)
           *  Fix rpmlint errors. (#2237)
           *  Maximum compatibility for debbuild package creation. (#2255, #2292,
       #2242, #2300)
         * Fixes related to our CI Pipeline (#2254, #2269)
         * Internal Code cleanup (#2273, #2270)
       - Breaking Changes:
         * Hash handling in users.digest file. (#2299)
    
       - Updated to version 3.1.1.
         * Introduce new packaging from upstream
         * Changelog see below
       - New:
         * We are now having a cross-distro specfile which can be build in the
           OBS (#2220) - before rewritten it was improved by #2144 & #2174
         * Grub Submenu for net-booting machines (#2217)
         * Building the Cent-OS RPMs in Docker (#2190 #2189)
         * Reintroduced manpage build in setup.py (#2185)
         * mgmt_parameters are now passed to the dhcp template (#2182)
         * Using the standard Pyhton3 logger instead of a custom one (#2160 #2139
           #2151)
         * Script for converting the settings file from 3.0.0 to 3.0.1 (#2154)
         * Docs now inside the repo instead of cobbler.github.io and improved
           with sphinx (#2117)
       - Changes:
         * The default tftpboot directory is now /var/lib/tftpboot instead of
           previously /srv/tftpboot (#2220)
         * Distro signatures were adjusted where necessary (#2219 #2134)
         * Removed requirements.txt and placed the requirements in setup.py
           (#2204)
         * Display only entries in grub which are from the same arch (#2191 #2216)
         * Change the name of the cobbler manpage form cobbler-cli to cobbler
           back and move it to section 8 (#2188 #2186)
       - Bugfixes:
         * Incremented Version to 3.1.1 from 3.0.1
         * S390 Support was cleaned up (#2207 #2178)
         * PowerPC Support was cleaned up (#2178)
         * Added a missing import while importing a distro with cobbler import
           (#2201)
         * Fixed a case where a stacktrace would be produced so pass none instead
           (#2203)
         * Rename of suse_kopts_textmode_overwrite to kops_overwrite to utils
           (#2143 #2200)
         * Fix rsync subprocess call (#2199 #2179)
         * Fixed an error where the template rendering did not work (#2176)
         * Fixed some cobbler import errors (#2172)
         * Wrong shebang in various scripts (#2148)
         * Fix some imports which fixes errors introduced by the remodularization
           (#2150 #2153)
       - Other:
         * Issue Templates for Github (#2187)
    
       - Update to latest git HEAD code base This version (from mainline so for
         quite a while already) also includes fixes for "boo#1149075" and
         boo#1151875
    
       - Fix for cobbler import and buildiso (boo#1156574)
       - Adjusted manpage creation (needs sphinx as BuildRequires)
       - Fix cobbler sync for dhcp and dns enabled due to latest module renaming
         patches
    
       - Update to latest git HEAD
          - Fixes permission denied in apache2 context when trying to write
            cobbler log
          - Fixes a bad import in import_signature (item)
          - Fixes bad shebang bash path in mkgrub.sh (used in post section)
    
       - Now track Github master branch WARNING: This release contains breaking
         changes for your settings file!
         * Notable changes:
           - Now using standard python logger
           - Updated dhcpd.template
       - Removed fix_shebang.patch: now in upstream.
       - added -s parameter to fdupes call to prevent hardlink across partititons
    
       - Update to latest v3.0.0 cobbler release
       - Add previouly added patch: exclude_get-loaders_command.patch to the list
         of patches to apply.
    
       - Fix log file world readable (as suggested by Matthias Gerstner) and
         change file attributes via attr in spec file
       - Do not allow get-loaders command (download of third party provided
         network boot loaders we do not trust)
       - Mainline fixes: 3172d1df9b9cc8 Add missing help text in
         redhat_management_key field c8f5490e507a72 Set default interface if
         cobbler system add has no
                        --interface= param 31a1aa31d26c4a Remove apache IfVersion
       tags from apache configs
    
       - Integrated fixes that came in from mainline from other products (to calm
         down obs regression checker): CVE-2011-4953, fate#312397, boo#660126,
         boo#671212, boo#672471, boo#682665 boo#687891, boo#695955, boo#722443,
         boo#722445, boo#757062, boo#763610 boo#783671, boo#790545, boo#796773,
         boo#811025, boo#812948, boo#842699 boo#846580, boo#869371, boo#884051,
         boo#976826, boo#984998 Some older bugs need boo# references as well:
         boo#660126, boo#671212, boo#672471, boo#682665 boo#687891, boo#695955,
         boo#722443, boo#722445, boo#757062, boo#763610 boo#783671, boo#790545,
         boo#796773, boo#811025, boo#812948, boo#842699 boo#846580, boo#869371,
         boo#884051
    
       - Fix for redhat_management_key not being listed as a choice during
         profile rename (boo#1134588)
       - Added:
         * rhn-mngmnt-key-field-fix.diff
    
       - Fixes distribution detection in setup.py for SLESo
       - Added:
         * changes-detection-to-distro-like-for-suse-distributions.diff
    
       - Moving to pytest and adding Docker test integration
       - Added:
         * add-docker-integration-testing.diff
         * refactor-unittest-to-pytest.diff
    
       - Additional compatability changes for old Koan versions.
       - Modified:
         * renamed-methods-alias-part2.patch
    
       - Old Koan versions not only need method aliases, but also need compatible
         responses
       - Added:
         * renamed-methods-alias-part2.patch
    
       - Add the redhat_managment_* fields again to enable templating in SUMA.
       - Added:
         * revert-redhat-management-removal.patch
    
       - Changes return of last_modified_time RPC to float
       - Added:
         * changes-return-to-float.diff
    
       - provide old name aliases for all renamed methods:
         - get_distro_for_koan     =>  get_distro_as_rendered
         - get_profile_for_koan    =>  get_profile_as_rendered
         - get_system_for_koan     =>  get_system_as_rendered
         - get_repo_for_koan       =>  get_repo_as_rendered
         - get_image_for_koan      =>  get_image_as_rendered
         - get_mgmtclass_for_koan  =>  get_mgmtclass_as_rendered
         - get_package_for_koan    =>  get_package_as_rendered
         - get_file_for_koan       =>  get_file_as_rendered
       - Renamed: get_system_for_koan.patch => renamed-methods-alias.patch
    
       - provide renamed method "get_system_for_koan" under old name for old
         clients.
       - Added:
         * get_system_for_koan.patch
    
       - Bring back power_system method in the XML-RPC API
       - Changed lanplus option to lanplus=true in fence_ipmitool.template
       - Added:
         * power_system_xmlrpc_api.patch
       - Changed:
         * fence_ipmitool.template
    
       - Disables nsupdate_enabled by default
       - Added:
         * disable_nsupdate_enabled_by_default.diff
    
       - Fixes issue in distribution detection with "lower" function call.
       - Modified:
         * remodeled-distro-detection.diff
    
       - Adds imporoved distribution detection. Since now all base products get
         detected correctly, we no longer need the SUSE Manager patch.
       - Added:
         * remodeled-distro-detection.diff
    
       - fix grub directory layout
       - Added:
         * create-system-directory-at-the-correct-place.patch
    
       - fix HTTP status code of XMLRPC service
       - Added:
         * fix-http-status-code.patch
    
       - touch /etc/genders when it not exists (boo#1128926)
       - Add patches to fix logging
       - Added:
         * return-the-name-of-the-unknown-method.patch
         * call-with-logger-where-possible.patch
    
       - Switching version schema from 3.0 to 3.0.0
    
       - Fixes case where distribution detection returns None (boo#1130658)
       - Added:
         * fixes-distro-none-case.diff
    
       - Removes newline from token, which caused authentication error
         (boo#1128754)
       - Added:
         * remove-newline-from-token.diff
    
       - Added a patch which fixes an exception when login in with a non-root
         user.
       - Added:
         * fix-login-error.patch
    
       - Added a patch which fixes an exception when login in with a non-root
         user.
       - Added:
         * fix-login-error.patch
    
    
       - Remove patch merged at upstream:
         * 0001-return-token-as-string.patch
    
       - change grub2-x86_64-efi dependency to Recommends
    
       - grub2-i386pc is not really required. Changed to recommended to allow
         building for architectures other than x86_64
    
       - Use cdrtools starting with SLE-15 and Leap-15 again. (boo#1081739)
       - Update cobbler loaders server hostname (boo#980577)
       - Update outdated apache config (boo#956264)
       - Replace builddate with changelog date to fix build-compare (boo#969538)
       - LOCKFILE usage removed on openSUSE (boo#714618)
       - Power management subsystem completely re-worked to prevent
         command-injection (CVE-2012-2395)
       - Removed patch merged at upstream:
         * cobblerd_needs_apache2_service_started.patch
    
       - Checking bug fixes of released products are in latest develop pkg:
         - remove fix-nameserver-search.fix; bug is invalid (boo#1029276)
           -> not needed anymore
         - fix cobbler yaboot handling (boo#968406, boo#966622)
           -> no yaboot support anymore
         - support UEFI boot with cobbler generated tftp tree (boo#1020376)
           -> upstream
         - Enabling PXE grub2 support for PowerPC (boo#986978)
           -> We have grub2 support for ppc64le
         - (boo#1048183) fix missing args and location for xen
           -> is in
         - no koan support anymore: boo#969541, boo#924118, boo#967523
         - not installed (boo#966841) works.
       - These still have to be looked at: SUSE system as systemd only
         (boo#952844) handle list value for kernel options correctly (boo#973413)
         entry in pxe menu (boo#988889)
       - This still has to be switched off (at least in internal cobbler
         versions): Disabling 'get-loaders' command and 'check' fixed. boo#973418
    
       - Add explicity require to tftp, so it is used for both SLE and openSUSE
         (originally from This email address is being protected from spambots. You need JavaScript enabled to view it.)
       - Moved Recommends according to spec_cleaner
    
       - Require latest apache2-mod_wsgi-python3 package This fixes interface to
         https://localhost/cblr/svc/...
       - Use latest github cobbler/cobbler master branch in _service file
       - cobblerd_needs_apache2_service_started.patch reverted, that is mainline
         now:
       - Only recommend grub2-arm and grub2-ppc packages or we might not be able
         to build on factory where arm/ppc might not be built
       - Remove genders package requires. A genders file is generated, but we do
         not need/use the genders package.
    
       - Update to latest cobbler version 3.0 mainline git HEAD version and
         remove already integrated or not needed anymore patches.
       - Serial console support added, did some testing already Things should
         start to work as expected
    
       - Add general grub2 support
    
       - Put mkgrub.* into mkgrub.sh
    
       - Add git date and commit to version string for now
    
       - Add grub2 mkimage scripts: mkgrub.i386-pc mkgrub.powerpc-ieee1275
         mkgrub.x86_64-efi mkgrub.arm64-efi and generate grub executables with
         them in the %post section
    
    
       - build server wants explicite package in BuildRequires; use tftp
       - require tftp(server) instead of atftp
       - cleanup: cobbler is noarch, so arch specific requires do not make sense
       - SLES15 is using /etc/os-release instead of /etc/SuSE-release, use this
         one for checking also
       - add sles15 distro profile (boo#1090205)
       - fix signature for SLES15 (boo#1075014)
       - fix signature for SLES15 (boo#1075014)
       - fix koan wait parameter initialization
       - Fix koan shebang
       - Escape shell parameters provided by the user for the reposync action
         (CVE-2017-1000469) (boo#1074594)
       - detect if there is already another instance of "cobbler sync" running
         and exit with failure if so (boo#1081714)
       - do not try to hardlink to a symlink. The result will be a dangling
         symlink in the general case (boo#1097733)
       - fix service restart after logrotate for cobblerd (boo#1113747)
       - rotate cobbler logs at higher frequency to prevent disk fillup
         (boo#1113747)
       - Forbid exposure of private methods in the API (CVE-2018-10931)
         (CVE-2018-1000225) (boo#1104287) (boo#1104189) (boo#1105442)
       - Check access token when calling 'modify_setting' API endpoint
         (boo#1104190) (boo#1105440) (CVE-2018-1000226)
    
    
    Patch Instructions:
    
       To install this openSUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - openSUSE Leap 15.2:
    
          zypper in -t patch openSUSE-2021-46=1
    
    
    
    Package List:
    
       - openSUSE Leap 15.2 (noarch):
    
          cobbler-3.1.2-lp152.6.3.1
          cobbler-tests-3.1.2-lp152.6.3.1
          cobbler-web-3.1.2-lp152.6.3.1
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2011-4953.html
       https://www.suse.com/security/cve/CVE-2012-2395.html
       https://www.suse.com/security/cve/CVE-2017-1000469.html
       https://www.suse.com/security/cve/CVE-2018-1000225.html
       https://www.suse.com/security/cve/CVE-2018-1000226.html
       https://www.suse.com/security/cve/CVE-2018-10931.html
       https://bugzilla.suse.com/1020376
       https://bugzilla.suse.com/1029276
       https://bugzilla.suse.com/1048183
       https://bugzilla.suse.com/1074594
       https://bugzilla.suse.com/1075014
       https://bugzilla.suse.com/1081714
       https://bugzilla.suse.com/1081739
       https://bugzilla.suse.com/1090205
       https://bugzilla.suse.com/1097733
       https://bugzilla.suse.com/1101670
       https://bugzilla.suse.com/1104189
       https://bugzilla.suse.com/1104190
       https://bugzilla.suse.com/1104287
       https://bugzilla.suse.com/1105440
       https://bugzilla.suse.com/1105442
       https://bugzilla.suse.com/1113747
       https://bugzilla.suse.com/1128754
       https://bugzilla.suse.com/1128926
       https://bugzilla.suse.com/1130658
       https://bugzilla.suse.com/1134588
       https://bugzilla.suse.com/1149075
       https://bugzilla.suse.com/1151875
       https://bugzilla.suse.com/1156574
       https://bugzilla.suse.com/1159010
       https://bugzilla.suse.com/1169207
       https://bugzilla.suse.com/1169553
       https://bugzilla.suse.com/1169779
       https://bugzilla.suse.com/1170462
       https://bugzilla.suse.com/660126
       https://bugzilla.suse.com/671212
       https://bugzilla.suse.com/672471
       https://bugzilla.suse.com/682665
       https://bugzilla.suse.com/687891
       https://bugzilla.suse.com/695955
       https://bugzilla.suse.com/714618
       https://bugzilla.suse.com/722443
       https://bugzilla.suse.com/722445
       https://bugzilla.suse.com/757062
       https://bugzilla.suse.com/763610
       https://bugzilla.suse.com/783671
       https://bugzilla.suse.com/790545
       https://bugzilla.suse.com/796773
       https://bugzilla.suse.com/811025
       https://bugzilla.suse.com/812948
       https://bugzilla.suse.com/842699
       https://bugzilla.suse.com/846580
       https://bugzilla.suse.com/869371
       https://bugzilla.suse.com/884051
       https://bugzilla.suse.com/924118
       https://bugzilla.suse.com/952844
       https://bugzilla.suse.com/956264
       https://bugzilla.suse.com/966622
       https://bugzilla.suse.com/966841
       https://bugzilla.suse.com/967523
       https://bugzilla.suse.com/968406
       https://bugzilla.suse.com/969538
       https://bugzilla.suse.com/969541
       https://bugzilla.suse.com/973413
       https://bugzilla.suse.com/973418
       https://bugzilla.suse.com/976826
       https://bugzilla.suse.com/980577
       https://bugzilla.suse.com/984998
       https://bugzilla.suse.com/986978
       https://bugzilla.suse.com/988889
    

    LinuxSecurity Poll

    'Tis the season of giving! How have you given back to the open-source community?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/49-tis-the-season-of-giving-how-have-you-given-back-to-the-open-source-community?task=poll.vote&format=json
    49
    radio
    [{"id":"171","title":"I've contributed to the development of an open-source project.","votes":"9","type":"x","order":"1","pct":30,"resources":[]},{"id":"172","title":"I've reviewed open-source code for security bugs.","votes":"6","type":"x","order":"2","pct":20,"resources":[]},{"id":"173","title":"I've made a donation to an open-source project.","votes":"15","type":"x","order":"3","pct":50,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

    Please vote first in order to view vote results.


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.