Security update for cobbler SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0382-1 Final 1 1 2024-11-28T17:32:46Z current 2024-11-28T17:32:46Z 2024-11-28T17:32:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cobbler This update for cobbler fixes the following issues: Update to 3.3.7: * Security: Fix issue that allowed anyone to connect to the API as admin (CVE-2024-47533, boo#1231332) * bind - Fix bug that prevents cname entries from being generated successfully * Fix build on RHEL9 based distributions (fence-agents-all split) * Fix for Windows systems * Docs: Add missing dependencies for source installation * Fix issue that prevented systems from being synced when the profile was edited Update to 3.3.6: * Upstream all openSUSE specific patches that were maintained in Git * Fix rename of items that had uppercase letters * Skip inconsistent collections instead of crashing the daemon - Update to 3.3.5: * Added collection indicies for UUID's, MAC's, IP addresses and hostnames boo#1219933 * Re-added to_dict() caching * Added lazy loading for the daemon (off by default) - Update to 3.3.4: * Added cobbler-tests-containers subpackage * Updated the distro_signatures.json database * The default name for grub2-efi changed to grubx64.efi to match the DHCP template - Do generate boot menus even if no profiles or systems - only local boot - Avoid crashing running buildiso in certain conditions. - Fix settings migration schema to work while upgrading on existing running Uyuni and SUSE Manager servers running with old Cobbler settings (boo#1203478) - Consider case of 'next_server' being a hostname during migration of Cobbler collections. - Fix problem with 'proxy_url_ext' setting being None type. - Update v2 to v3 migration script to allow migration of collections that contains settings from Cobbler 2. (boo#1203478) - Fix problem for the migration of 'autoinstall' collection attribute. - Fix failing Cobbler tests after upgrading to 3.3.3. - Fix regression: allow empty string as interface_type value (boo#1203478) - Avoid possible override of existing values during migration of collections to 3.0.0 (boo#1206160) - Add missing code for previous patch file around boot_loaders migration. - Improve Cobbler performance with item cache and threadpool (boo#1205489) - Skip collections that are inconsistent instead of crashing (boo#1205749) - Items: Fix creation of 'default' NetworkInterface (boo#1206520) - S390X systems require their kernel options to have a linebreak at 79 characters (boo#1207595) - settings-migration-v1-to-v2.sh will now handle paths with whitespace correct - Fix renaming Cobbler items (boo#1204900, boo#1209149) - Fix cobbler buildiso so that the artifact can be booted by EFI firmware. (boo#1206060) - Add input_string_*, input_boolean, input_int functiont to public API The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-382 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CGWWFM26ZMG5SCPMDNQQNYHHTROXVX2Q/ E-Mail link for openSUSE-SU-2024:0382-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1203478 SUSE Bug 1203478 https://bugzilla.suse.com/1204900 SUSE Bug 1204900 https://bugzilla.suse.com/1205489 SUSE Bug 1205489 https://bugzilla.suse.com/1205749 SUSE Bug 1205749 https://bugzilla.suse.com/1206060 SUSE Bug 1206060 https://bugzilla.suse.com/1206160 SUSE Bug 1206160 https://bugzilla.suse.com/1206520 SUSE Bug 1206520 https://bugzilla.suse.com/1207595 SUSE Bug 1207595 https://bugzilla.suse.com/1209149 SUSE Bug 1209149 https://bugzilla.suse.com/1219933 SUSE Bug 1219933 https://bugzilla.suse.com/1231332 SUSE Bug 1231332 https://www.suse.com/security/cve/CVE-2024-47533/ SUSE CVE CVE-2024-47533 page SUSE Package Hub 15 SP5 openSUSE Leap 15.5 cobbler-3.3.7-bp155.2.3.2 cobbler-tests-3.3.7-bp155.2.3.2 cobbler-tests-containers-3.3.7-bp155.2.3.2 cobbler-3.3.7-bp155.2.3.2 as a component of SUSE Package Hub 15 SP5 cobbler-tests-3.3.7-bp155.2.3.2 as a component of SUSE Package Hub 15 SP5 cobbler-tests-containers-3.3.7-bp155.2.3.2 as a component of SUSE Package Hub 15 SP5 cobbler-3.3.7-bp155.2.3.2 as a component of openSUSE Leap 15.5 cobbler-tests-3.3.7-bp155.2.3.2 as a component of openSUSE Leap 15.5 cobbler-tests-containers-3.3.7-bp155.2.3.2 as a component of openSUSE Leap 15.5 Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue. CVE-2024-47533 SUSE Package Hub 15 SP5:cobbler-3.3.7-bp155.2.3.2 SUSE Package Hub 15 SP5:cobbler-tests-3.3.7-bp155.2.3.2 SUSE Package Hub 15 SP5:cobbler-tests-containers-3.3.7-bp155.2.3.2 openSUSE Leap 15.5:cobbler-3.3.7-bp155.2.3.2 openSUSE Leap 15.5:cobbler-tests-3.3.7-bp155.2.3.2 openSUSE Leap 15.5:cobbler-tests-containers-3.3.7-bp155.2.3.2 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CGWWFM26ZMG5SCPMDNQQNYHHTROXVX2Q/ https://www.suse.com/security/cve/CVE-2024-47533.html CVE-2024-47533 https://bugzilla.suse.com/1231332 SUSE Bug 1231332