openSUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0058-1
Rating:             moderate
References:         #1020376 #1029276 #1048183 #1074594 #1075014 
                    #1081714 #1081739 #1090205 #1097733 #1101670 
                    #1104189 #1104190 #1104287 #1105440 #1105442 
                    #1113747 #1128754 #1128926 #1130658 #1134588 
                    #1149075 #1151875 #1156574 #1159010 #1169207 
                    #1169553 #1169779 #1170462 #660126 #671212 
                    #672471 #682665 #687891 #695955 #714618 #722443 
                    #722445 #757062 #763610 #783671 #790545 #796773 
                    #811025 #812948 #842699 #846580 #869371 #884051 
                    #924118 #952844 #956264 #966622 #966841 #967523 
                    #968406 #969538 #969541 #973413 #973418 #976826 
                    #980577 #984998 #986978 #988889 
Cross-References:   CVE-2011-4953 CVE-2012-2395 CVE-2017-1000469
                    CVE-2018-1000225 CVE-2018-1000226 CVE-2018-10931
                   
Affected Products:
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has 58 fixes is
   now available.

Description:

   This update for cobbler fixes the following issues:

   - Add cobbler-tests subpackage for unit testing for openSUSE/SLE
   - Adds LoadModule definitions for openSUSE/SLE
   - Switch to new refactored auth module.

   - use systemctl to restart cobblerd on logfile rotation (boo#1169207).
     The mainline logrotate conf file already uses /sbin/service instead of
     the outdated /etc/init.d/cobblerd
   - Fix cobbler sync for DHCP or DNS (boo#1169553). Fixed in mainline by
     commit 2d6cfe42da
   - Signatures file now uses "default_autoinstall" which fixes import
     problem happening with some distributions (boo#1159010)

   - Fix for kernel and initrd detection (boo#1159010)

   - New:
     * For the distro there is now a parameter remote_boot_initrd and
       remote_boot_kernel ()
     * For the profile there is now a parameter filename for DHCP. (#2280)
     * Signatures for ESXi 6 and 7 (#2308)
     * The hardlink command is now detected more dynamically and thus more
       error resistant (#2297)
     * HTTPBoot will now work in some cases out of the box. (#2295)
     * Additional DNS query for a case where the wrong record was queried in
       the nsupdate system case (#2285)
   - Changes:
     * Enabled a lot of tests, removed some and implemented new ones. (#2202)
     * Removed unused files from the codebase. (#2302)
     * Exchanged mkisofs to xorrisofs. (#2296)
     * Removed duplicate code. (#2224)
     * Removed unreachable code. (#2223)
     * Snippet creation and deletion now works again via xmlrpc. (#2244)
     * Replace createrepo with createrepo_c. (#2266)
     * Enable Kerberos through having a case sensitive users.conf. (#2272)
   - Bugfixes:
     * General various Bugfixes (#2331, )
     * Makefile usage and commands. (#2344, #2304)
     * Fix the dhcp template. (#2314)
     * Creation of the management classes and gPXE. (#2310)
     * Fix the scm_track module. (#2275, #2279)
     * Fix passing the netdevice parameter correctly to the linuxrc. (#2263)
     * powerstatus from cobbler now works thanks to a wrapper for ipmitool.
       (#2267)
     * In case the LDAP is used for auth, it now works with ADs. (#2274)
     * Fix passthru authentication. (#2271)
   - Other:
     * Add Codecov. (#2229)
     * Documentation updates. (#2333, #2326, #2305, #2249, #2268)
     * Buildprocess:
       *  Recreation and cleanup of Grub2. (#2278)
       *  Fix small errors for openSUSE Leap. (#2233)
       *  Fix rpmlint errors. (#2237)
       *  Maximum compatibility for debbuild package creation. (#2255, #2292,
          #2242, #2300)
     * Fixes related to our CI Pipeline (#2254, #2269)
     * Internal Code cleanup (#2273, #2270)
   - Breaking Changes:
     * Hash handling in users.digest file. (#2299)

   - Updated to version 3.1.1.
     * Introduce new packaging from upstream
     * Changelog see below
   - New:
     * We now have a cross-distro specfile which can be built in the
       OBS (#2220) - before the rewrite it was improved by #2144 & #2174
     * Grub Submenu for net-booting machines (#2217)
     * Building the Cent-OS RPMs in Docker (#2190 #2189)
     * Reintroduced manpage build in setup.py (#2185)
     * mgmt_parameters are now passed to the dhcp template (#2182)
     * Using the standard Python3 logger instead of a custom one (#2160 #2139
       #2151)
     * Script for converting the settings file from 3.0.0 to 3.0.1 (#2154)
     * Docs now inside the repo instead of cobbler.github.io and improved
       with sphinx (#2117)
   - Changes:
     * The default tftpboot directory is now /var/lib/tftpboot instead of
       previously /srv/tftpboot (#2220)
     * Distro signatures were adjusted where necessary (#2219 #2134)
     * Removed requirements.txt and placed the requirements in setup.py
       (#2204)
     * Display only entries in grub which are from the same arch (#2191 #2216)
     * Change the name of the cobbler manpage from cobbler-cli to cobbler
       back and move it to section 8 (#2188 #2186)
   - Bugfixes:
     * Incremented Version to 3.1.1 from 3.0.1
     * S390 Support was cleaned up (#2207 #2178)
     * PowerPC Support was cleaned up (#2178)
     * Added a missing import while importing a distro with cobbler import
       (#2201)
     * Fixed a case where a stacktrace would be produced so pass none instead
       (#2203)
     * Rename of suse_kopts_textmode_overwrite to kops_overwrite to utils
       (#2143 #2200)
     * Fix rsync subprocess call (#2199 #2179)
     * Fixed an error where the template rendering did not work (#2176)
     * Fixed some cobbler import errors (#2172)
     * Wrong shebang in various scripts (#2148)
     * Fix some imports which fixes errors introduced by the remodularization
       (#2150 #2153)
   - Other:
     * Issue Templates for Github (#2187)

   - Update to latest git HEAD code base. This version (in mainline for
     quite a while already) also includes fixes for boo#1149075 and
     boo#1151875

   - Fix for cobbler import and buildiso (boo#1156574)
   - Adjusted manpage creation (needs sphinx as BuildRequires)
   - Fix cobbler sync for dhcp and dns enabled due to latest module renaming
     patches

   - Update to latest git HEAD
      - Fixes permission denied in apache2 context when trying to write
        cobbler log
      - Fixes a bad import in import_signature (item)
      - Fixes bad shebang bash path in mkgrub.sh (used in post section)

   - Now track Github master branch. WARNING: This release contains breaking
     changes for your settings file!
     * Notable changes:
       - Now using standard python logger
       - Updated dhcpd.template
   - Removed fix_shebang.patch: now in upstream.
   - added -s parameter to fdupes call to prevent hardlinks across partitions

   - Update to latest v3.0.0 cobbler release
   - Add previously added patch exclude_get-loaders_command.patch to the list
     of patches to apply.

   - Fix log file world readable (as suggested by Matthias Gerstner) and
     change file attributes via attr in spec file
   - Do not allow get-loaders command (download of third party provided
     network boot loaders we do not trust)
   - Mainline fixes:
     * 3172d1df9b9cc8 Add missing help text in redhat_management_key field
     * c8f5490e507a72 Set default interface if cobbler system add has no
       --interface= param
     * 31a1aa31d26c4a Remove apache IfVersion tags from apache configs

   - Integrated fixes that came in from mainline from other products (to calm
     down obs regression checker): CVE-2011-4953, fate#312397, boo#660126,
     boo#671212, boo#672471, boo#682665 boo#687891, boo#695955, boo#722443,
     boo#722445, boo#757062, boo#763610 boo#783671, boo#790545, boo#796773,
     boo#811025, boo#812948, boo#842699 boo#846580, boo#869371, boo#884051,
     boo#976826, boo#984998 Some older bugs need boo# references as well:
     boo#660126, boo#671212, boo#672471, boo#682665 boo#687891, boo#695955,
     boo#722443, boo#722445, boo#757062, boo#763610 boo#783671, boo#790545,
     boo#796773, boo#811025, boo#812948, boo#842699 boo#846580, boo#869371,
     boo#884051

   - Fix for redhat_management_key not being listed as a choice during
     profile rename (boo#1134588)
   - Added:
     * rhn-mngmnt-key-field-fix.diff

   - Fixes distribution detection in setup.py for SLES
   - Added:
     * changes-detection-to-distro-like-for-suse-distributions.diff

   - Moving to pytest and adding Docker test integration
   - Added:
     * add-docker-integration-testing.diff
     * refactor-unittest-to-pytest.diff

   - Additional compatibility changes for old Koan versions.
   - Modified:
     * renamed-methods-alias-part2.patch

   - Old Koan versions not only need method aliases, but also need compatible
     responses
   - Added:
     * renamed-methods-alias-part2.patch

   - Add the redhat_management_* fields again to enable templating in SUMA.
   - Added:
     * revert-redhat-management-removal.patch

   - Changes return of last_modified_time RPC to float
   - Added:
     * changes-return-to-float.diff

   - provide old name aliases for all renamed methods:
     - get_distro_for_koan     =>  get_distro_as_rendered
     - get_profile_for_koan    =>  get_profile_as_rendered
     - get_system_for_koan     =>  get_system_as_rendered
     - get_repo_for_koan       =>  get_repo_as_rendered
     - get_image_for_koan      =>  get_image_as_rendered
     - get_mgmtclass_for_koan  =>  get_mgmtclass_as_rendered
     - get_package_for_koan    =>  get_package_as_rendered
     - get_file_for_koan       =>  get_file_as_rendered
   - Renamed: get_system_for_koan.patch => renamed-methods-alias.patch

   - provide renamed method "get_system_for_koan" under old name for old
     clients.
   - Added:
     * get_system_for_koan.patch

   - Bring back power_system method in the XML-RPC API
   - Changed lanplus option to lanplus=true in fence_ipmitool.template
   - Added:
     * power_system_xmlrpc_api.patch
   - Changed:
     * fence_ipmitool.template

   - Disables nsupdate_enabled by default
   - Added:
     * disable_nsupdate_enabled_by_default.diff

   - Fixes issue in distribution detection with "lower" function call.
   - Modified:
     * remodeled-distro-detection.diff

   - Adds improved distribution detection. Since all base products are now
     detected correctly, we no longer need the SUSE Manager patch.
   - Added:
     * remodeled-distro-detection.diff

   - fix grub directory layout
   - Added:
     * create-system-directory-at-the-correct-place.patch

   - fix HTTP status code of XMLRPC service
   - Added:
     * fix-http-status-code.patch

   - touch /etc/genders when it does not exist (boo#1128926)
   - Add patches to fix logging
   - Added:
     * return-the-name-of-the-unknown-method.patch
     * call-with-logger-where-possible.patch

   - Switching version schema from 3.0 to 3.0.0

   - Fixes case where distribution detection returns None (boo#1130658)
   - Added:
     * fixes-distro-none-case.diff

   - Removes newline from token, which caused authentication error
     (boo#1128754)
   - Added:
     * remove-newline-from-token.diff

   - Added a patch which fixes an exception when logging in with a non-root
     user.
   - Added:
     * fix-login-error.patch

   - Remove patch merged at upstream:
     * 0001-return-token-as-string.patch

   - change grub2-x86_64-efi dependency to Recommends

   - grub2-i386pc is not really required. Changed to recommended to allow
     building for architectures other than x86_64

   - Use cdrtools starting with SLE-15 and Leap-15 again. (boo#1081739)
   - Update cobbler loaders server hostname (boo#980577)
   - Update outdated apache config (boo#956264)
   - Replace builddate with changelog date to fix build-compare (boo#969538)
   - LOCKFILE usage removed on openSUSE (boo#714618)
   - Power management subsystem completely re-worked to prevent
     command-injection (CVE-2012-2395)
   - Removed patch merged at upstream:
     * cobblerd_needs_apache2_service_started.patch

   - Checking bug fixes of released products are in latest develop pkg:
     - remove fix-nameserver-search.fix; bug is invalid (boo#1029276)
       -> not needed anymore
     - fix cobbler yaboot handling (boo#968406, boo#966622)
       -> no yaboot support anymore
     - support UEFI boot with cobbler generated tftp tree (boo#1020376)
       -> upstream
     - Enabling PXE grub2 support for PowerPC (boo#986978)
       -> We have grub2 support for ppc64le
     - (boo#1048183) fix missing args and location for xen
       -> is in
     - no koan support anymore: boo#969541, boo#924118, boo#967523
     - not installed (boo#966841) works.
   - These still have to be looked at:
     - SUSE system as systemd only (boo#952844)
     - handle list value for kernel options correctly (boo#973413)
     - entry in pxe menu (boo#988889)
   - This still has to be switched off (at least in internal cobbler
     versions): disabling the 'get-loaders' command; 'check' is fixed
     (boo#973418)

   - Add explicit require to tftp, so it is used for both SLE and openSUSE
     (originally from jgonzalez@suse.com)
   - Moved Recommends according to spec_cleaner

   - Require latest apache2-mod_wsgi-python3 package. This fixes interface to
     ...
   - Use latest github cobbler/cobbler master branch in _service file
   - cobblerd_needs_apache2_service_started.patch reverted, that is mainline
     now.
   - Only recommend grub2-arm and grub2-ppc packages or we might not be able
     to build on factory where arm/ppc might not be built
   - Remove genders package requires. A genders file is generated, but we do
     not need/use the genders package.

   - Update to latest cobbler version 3.0 mainline git HEAD version and
     remove already integrated or not needed anymore patches.
   - Serial console support added; did some testing already. Things should
     start to work as expected

   - Add general grub2 support

   - Put mkgrub.* into mkgrub.sh

   - Add git date and commit to version string for now

   - Add grub2 mkimage scripts: mkgrub.i386-pc mkgrub.powerpc-ieee1275
     mkgrub.x86_64-efi mkgrub.arm64-efi and generate grub executables with
     them in the %post section


   - build server wants explicit package in BuildRequires; use tftp
   - require tftp(server) instead of atftp
   - cleanup: cobbler is noarch, so arch specific requires do not make sense
   - SLES15 is using /etc/os-release instead of /etc/SuSE-release, use this
     one for checking also
   - add sles15 distro profile (boo#1090205)
   - fix signature for SLES15 (boo#1075014)
   - fix koan wait parameter initialization
   - Fix koan shebang
   - Escape shell parameters provided by the user for the reposync action
     (CVE-2017-1000469) (boo#1074594)
   - detect if there is already another instance of "cobbler sync" running
     and exit with failure if so (boo#1081714)
   - do not try to hardlink to a symlink. The result will be a dangling
     symlink in the general case (boo#1097733)
   - fix service restart after logrotate for cobblerd (boo#1113747)
   - rotate cobbler logs at higher frequency to prevent disk fillup
     (boo#1113747)
   - Forbid exposure of private methods in the API (CVE-2018-10931)
     (CVE-2018-1000225) (boo#1104287) (boo#1104189) (boo#1105442)
   - Check access token when calling 'modify_setting' API endpoint
     (boo#1104190) (boo#1105440) (CVE-2018-1000226)
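The two API entries above name a private-method exposure (CVE-2018-10931) and a missing access-token check on 'modify_setting' (CVE-2018-1000226). The following is an added, constructed example, not cobbler's own code: a hypothetical service object (SettingsApi) with an unsafe name-based dispatcher beside a hardened one, and a state-changing call that refuses to run without a valid token. The method names, credentials and the ApiError type are assumptions made for the illustration.

```python
"""Hypothetical API dispatcher, constructed for this advisory; not cobbler's
own code.  It contrasts an unsafe name-based lookup (the private-method
exposure class of CVE-2018-10931) with a hardened one, and shows a
state-changing call that refuses to run without a valid access token
(the modify_setting check of CVE-2018-1000226)."""
import hmac
import inspect
import secrets


class ApiError(Exception):
    """Raised for unsupported methods and failed token checks."""


class SettingsApi:
    """Constructed stand-in for the service object behind an XML-RPC API.

    Public methods form the remote API; names beginning with '_' are
    internal helpers that must never be reachable by name from the wire."""

    def __init__(self):
        self._settings = {"nsupdate_enabled": False}
        self._tokens = set()  # live session tokens

    def _check_token(self, token):
        # Compare in constant time against every live token; reject
        # non-strings outright so a missing token cannot slip through.
        if not isinstance(token, str) or not any(
                hmac.compare_digest(token, t) for t in self._tokens):
            raise ApiError("invalid or missing access token")

    def _write_settings(self):
        # Stands in for a privileged write of the settings file.
        return "settings written"

    def login(self, username, password):
        # Constructed credential check; a real service would consult its
        # authentication module.
        if username == "admin" and password == "correct-horse":
            token = secrets.token_hex(16)
            self._tokens.add(token)
            return token
        raise ApiError("login failed")

    def get_setting(self, name):
        return self._settings.get(name)

    def modify_setting(self, name, value, token=None):
        # State-changing call: the token is checked before anything else.
        self._check_token(token)
        self._settings[name] = value
        self._write_settings()
        return 0


def dispatch_unsafe(api, method, params):
    """Vulnerable pattern: whatever attribute the caller names is invoked,
    so '_write_settings' and '_check_token' are exposed over the wire."""
    return getattr(api, method)(*params)


def dispatch_hardened(api, method, params):
    """Hardened lookup: refuse private or dotted names before touching the
    object, and only invoke bound public methods."""
    if method.startswith("_") or "." in method:
        raise ApiError('method "%s" is not supported' % method)
    func = getattr(api, method, None)
    if not inspect.ismethod(func):
        raise ApiError('method "%s" is not supported' % method)
    return func(*params)


def is_rejected(dispatcher, api, method, params):
    """True when the dispatcher refuses the call with ApiError."""
    try:
        dispatcher(api, method, params)
    except ApiError:
        return True
    return False


if __name__ == "__main__":
    api = SettingsApi()
    print("unsafe exposes helper:", dispatch_unsafe(api, "_write_settings", ()))
    print("hardened rejects helper:",
          is_rejected(dispatch_hardened, api, "_write_settings", ()))
    print("bogus token rejected:",
          is_rejected(dispatch_hardened, api, "modify_setting",
                      ("nsupdate_enabled", True, "bogus")))
    token = dispatch_hardened(api, "login", ("admin", "correct-horse"))
    print("with token:", dispatch_hardened(api, "modify_setting",
                                           ("nsupdate_enabled", True, token)))
```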

   This update was imported from the openSUSE:Leap:15.2:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2021-58=1



Package List:

   - openSUSE Backports SLE-15-SP2 (noarch):

      cobbler-3.1.2-bp152.4.3.1
      cobbler-tests-3.1.2-bp152.4.3.1
      cobbler-web-3.1.2-bp152.4.3.1


References:

   https://www.suse.com/security/cve/CVE-2011-4953.html
   https://www.suse.com/security/cve/CVE-2012-2395.html
   https://www.suse.com/security/cve/CVE-2017-1000469.html
   https://www.suse.com/security/cve/CVE-2018-1000225.html
   https://www.suse.com/security/cve/CVE-2018-1000226.html
   https://www.suse.com/security/cve/CVE-2018-10931.html
   https://bugzilla.suse.com/1020376
   https://bugzilla.suse.com/1029276
   https://bugzilla.suse.com/1048183
   https://bugzilla.suse.com/1074594
   https://bugzilla.suse.com/1075014
   https://bugzilla.suse.com/1081714
   https://bugzilla.suse.com/1081739
   https://bugzilla.suse.com/1090205
   https://bugzilla.suse.com/1097733
   https://bugzilla.suse.com/1101670
   https://bugzilla.suse.com/1104189
   https://bugzilla.suse.com/1104190
   https://bugzilla.suse.com/1104287
   https://bugzilla.suse.com/1105440
   https://bugzilla.suse.com/1105442
   https://bugzilla.suse.com/1113747
   https://bugzilla.suse.com/1128754
   https://bugzilla.suse.com/1128926
   https://bugzilla.suse.com/1130658
   https://bugzilla.suse.com/1134588
   https://bugzilla.suse.com/1149075
   https://bugzilla.suse.com/1151875
   https://bugzilla.suse.com/1156574
   https://bugzilla.suse.com/1159010
   https://bugzilla.suse.com/1169207
   https://bugzilla.suse.com/1169553
   https://bugzilla.suse.com/1169779
   https://bugzilla.suse.com/1170462
   https://bugzilla.suse.com/660126
   https://bugzilla.suse.com/671212
   https://bugzilla.suse.com/672471
   https://bugzilla.suse.com/682665
   https://bugzilla.suse.com/687891
   https://bugzilla.suse.com/695955
   https://bugzilla.suse.com/714618
   https://bugzilla.suse.com/722443
   https://bugzilla.suse.com/722445
   https://bugzilla.suse.com/757062
   https://bugzilla.suse.com/763610
   https://bugzilla.suse.com/783671
   https://bugzilla.suse.com/790545
   https://bugzilla.suse.com/796773
   https://bugzilla.suse.com/811025
   https://bugzilla.suse.com/812948
   https://bugzilla.suse.com/842699
   https://bugzilla.suse.com/846580
   https://bugzilla.suse.com/869371
   https://bugzilla.suse.com/884051
   https://bugzilla.suse.com/924118
   https://bugzilla.suse.com/952844
   https://bugzilla.suse.com/956264
   https://bugzilla.suse.com/966622
   https://bugzilla.suse.com/966841
   https://bugzilla.suse.com/967523
   https://bugzilla.suse.com/968406
   https://bugzilla.suse.com/969538
   https://bugzilla.suse.com/969541
   https://bugzilla.suse.com/973413
   https://bugzilla.suse.com/973418
   https://bugzilla.suse.com/976826
   https://bugzilla.suse.com/980577
   https://bugzilla.suse.com/984998
   https://bugzilla.suse.com/986978
   https://bugzilla.suse.com/988889

January 14, 2021