openSUSE: 2022:0062-1 important: cobbler
Description
This update for cobbler fixes the following issues: - CVE-2021-45083: Fixed unsafe permissions on sensitive files (bsc#1193671). - CVE-2021-45082: Fixed incomplete template sanitation (bsc#1193678). - CVE-2021-40323, CVE-2021-40324, CVE-2021-40325: Fixed Remote Code Execution in the XMLRPC API which additionally allowed arbitrary file read and write as root (boo#1189458). The following non-security bugs were fixed: - Fix issues with installation module logging and validation (boo#1195918) - Move configuration files ownership to apache (boo#1195906) - Remove hardcoded test credentials (boo#1193673) - Prevent log pollution (boo#1193675) - Missing sanity check on MongoDB configuration file (boo#1193676) - Avoid traceback when building tftp files for ppc arch system when boot_loader is not set (boo#1185679) - Prevent some race conditions when writting tftpboot files and the destination directory is not existing (boo#1186124) - Fix trail stripping in case of using UTF symbols (boo#1184561)
Patch
Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-62=1 - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-62=1
Package List
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): libIlmImf-2_2-23-2.2.1-3.41.1 libIlmImf-2_2-23-debuginfo-2.2.1-3.41.1 libIlmImfUtil-2_2-23-2.2.1-3.41.1 libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.41.1 openexr-2.2.1-3.41.1 openexr-debuginfo-2.2.1-3.41.1 openexr-debugsource-2.2.1-3.41.1 openexr-devel-2.2.1-3.41.1 openexr-doc-2.2.1-3.41.1 - openSUSE Leap 15.3 (x86_64): libIlmImf-2_2-23-32bit-2.2.1-3.41.1 libIlmImf-2_2-23-32bit-debuginfo-2.2.1-3.41.1 libIlmImfUtil-2_2-23-32bit-2.2.1-3.41.1 libIlmImfUtil-2_2-23-32bit-debuginfo-2.2.1-3.41.1 - openSUSE Backports SLE-15-SP3 (noarch): cobbler-3.1.2-bp153.2.3.1 cobbler-tests-3.1.2-bp153.2.3.1 cobbler-web-3.1.2-bp153.2.3.1
References
https://www.suse.com/security/cve/CVE-2021-40323.html https://www.suse.com/security/cve/CVE-2021-40324.html https://www.suse.com/security/cve/CVE-2021-40325.html https://www.suse.com/security/cve/CVE-2021-45082.html https://www.suse.com/security/cve/CVE-2021-45083.html https://www.suse.com/security/cve/CVE-2021-45942.html https://bugzilla.suse.com/1184561 https://bugzilla.suse.com/1185679 https://bugzilla.suse.com/1186124 https://bugzilla.suse.com/1189458 https://bugzilla.suse.com/1193671 https://bugzilla.suse.com/1193673 https://bugzilla.suse.com/1193675 https://bugzilla.suse.com/1193676 https://bugzilla.suse.com/1193678 https://bugzilla.suse.com/1194333 https://bugzilla.suse.com/1195906 https://bugzilla.suse.com/1195918