SUSE 5184 Published by

A cobbler security update has been released for SUSE Linux Enterprise 15 SP2.



openSUSE-SU-2021:0058-1: moderate: Security update for cobbler


openSUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0058-1
Rating: moderate
References: #1020376 #1029276 #1048183 #1074594 #1075014
#1081714 #1081739 #1090205 #1097733 #1101670
#1104189 #1104190 #1104287 #1105440 #1105442
#1113747 #1128754 #1128926 #1130658 #1134588
#1149075 #1151875 #1156574 #1159010 #1169207
#1169553 #1169779 #1170462 #660126 #671212
#672471 #682665 #687891 #695955 #714618 #722443
#722445 #757062 #763610 #783671 #790545 #796773
#811025 #812948 #842699 #846580 #869371 #884051
#924118 #952844 #956264 #966622 #966841 #967523
#968406 #969538 #969541 #973413 #973418 #976826
#980577 #984998 #986978 #988889
Cross-References: CVE-2011-4953 CVE-2012-2395 CVE-2017-1000469
CVE-2018-1000225 CVE-2018-1000226 CVE-2018-10931

Affected Products:
openSUSE Backports SLE-15-SP2
______________________________________________________________________________

An update that solves 6 vulnerabilities and has 58 fixes is
now available.

Description:

This update for cobbler fixes the following issues:

- Add cobbler-tests subpackage for unit testing for openSUSE/SLE
- Adds LoadModule definitions for openSUSE/SLE
- Switch to new refactored auth module.

- use systemctl to restart cobblerd on logfile rotation (boo#1169207)
Mainline logrotate conf file uses already /sbin/service instead of
outdated: /etc/init.d/cobblerd
- Fix cobbler sync for DHCP or DNS (boo#1169553) Fixed mainline by commit
2d6cfe42da
- Signatures file now uses "default_autoinstall" which fixes import
problem happening with some distributions (boo#1159010)

- Fix for kernel and initrd detection (boo#1159010)

- New:
* For the distro there is now a parameter remote_boot_initrd and
remote_boot_kernel ()
* For the profile there is now a parameter filename for DHCP. (#2280)
* Signatures for ESXi 6 and 7 (#2308)
* The hardlink command is now detected more dynamically and thus more
error resistant (#2297)
* HTTPBoot will now work in some cases out of the bug. (#2295)
* Additional DNS query for a case where the wrong record was queried in
the nsupdate system case (#2285)
- Changes:
* Enabled a lot of tests, removed some and implemented new. (#2202)
* Removed not used files from the codebase. (#2302)
* Exchanged mkisofs to xorrisofs. (#2296)
* Removed duplicate code. (#2224)
* Removed unreachable code. (#2223)
* Snippet creation and deletion now works again via xmlrpc. (#2244)
* Replace createrepo with createrepo_c. (#2266)
* Enable Kerberos through having a case sensitive users.conf. (#2272)
- Bugfixes:
* General various Bugfixes (#2331, )
* Makefile usage and commands. (#2344, #2304)
* Fix the dhcp template. (#2314)
* Creation of the management classes and gPXE. (#2310)
* Fix the scm_track module. (#2275, #2279)
* Fix passing the netdevice parameter correctly to the linuxrc. (#2263)
* powerstatus from cobbler now works thanks to a wrapper for ipmitool.
(#2267)
* In case the LDAP is used for auth, it now works with ADs. (#2274)
* Fix passthru authentication. (#2271)
- Other:
* Add Codecov. (#2229)
* Documentation updates. (#2333, #2326, #2305, #2249, #2268)
* Buildprocess:
* Recreation and cleanup of Grub2. (#2278)
* Fix small errors for openSUSE Leap. (#2233)
* Fix rpmlint errors. (#2237)
* Maximum compatibility for debbuild package creation. (#2255, #2292,
#2242, #2300)
* Fixes related to our CI Pipeline (#2254, #2269)
* Internal Code cleanup (#2273, #2270)
- Breaking Changes:
* Hash handling in users.digest file. (#2299)

- Updated to version 3.1.1.
* Introduce new packaging from upstream
* Changelog see below
- New:
* We are now having a cross-distro specfile which can be build in the
OBS (#2220) - before rewritten it was improved by #2144 & #2174
* Grub Submenu for net-booting machines (#2217)
* Building the Cent-OS RPMs in Docker (#2190 #2189)
* Reintroduced manpage build in setup.py (#2185)
* mgmt_parameters are now passed to the dhcp template (#2182)
* Using the standard Pyhton3 logger instead of a custom one (#2160 #2139
#2151)
* Script for converting the settings file from 3.0.0 to 3.0.1 (#2154)
* Docs now inside the repo instead of cobbler.github.io and improved
with sphinx (#2117)
- Changes:
* The default tftpboot directory is now /var/lib/tftpboot instead of
previously /srv/tftpboot (#2220)
* Distro signatures were adjusted where necessary (#2219 #2134)
* Removed requirements.txt and placed the requirements in setup.py
(#2204)
* Display only entries in grub which are from the same arch (#2191 #2216)
* Change the name of the cobbler manpage form cobbler-cli to cobbler
back and move it to section 8 (#2188 #2186)
- Bugfixes:
* Incremented Version to 3.1.1 from 3.0.1
* S390 Support was cleaned up (#2207 #2178)
* PowerPC Support was cleaned up (#2178)
* Added a missing import while importing a distro with cobbler import
(#2201)
* Fixed a case where a stacktrace would be produced so pass none instead
(#2203)
* Rename of suse_kopts_textmode_overwrite to kops_overwrite to utils
(#2143 #2200)
* Fix rsync subprocess call (#2199 #2179)
* Fixed an error where the template rendering did not work (#2176)
* Fixed some cobbler import errors (#2172)
* Wrong shebang in various scripts (#2148)
* Fix some imports which fixes errors introduced by the remodularization
(#2150 #2153)
- Other:
* Issue Templates for Github (#2187)

- Update to latest git HEAD code base This version (from mainline so for
quite a while already) also includes fixes for "boo#1149075" and
boo#1151875

- Fix for cobbler import and buildiso (boo#1156574)
- Adjusted manpage creation (needs sphinx as BuildRequires)
- Fix cobbler sync for dhcp and dns enabled due to latest module renaming
patches

- Update to latest git HEAD
- Fixes permission denied in apache2 context when trying to write
cobbler log
- Fixes a bad import in import_signature (item)
- Fixes bad shebang bash path in mkgrub.sh (used in post section)

- Now track Github master branch WARNING: This release contains breaking
changes for your settings file!
* Notable changes:
- Now using standard python logger
- Updated dhcpd.template
- Removed fix_shebang.patch: now in upstream.
- added -s parameter to fdupes call to prevent hardlink across partititons

- Update to latest v3.0.0 cobbler release
- Add previouly added patch: exclude_get-loaders_command.patch to the list
of patches to apply.

- Fix log file world readable (as suggested by Matthias Gerstner) and
change file attributes via attr in spec file
- Do not allow get-loaders command (download of third party provided
network boot loaders we do not trust)
- Mainline fixes: 3172d1df9b9cc8 Add missing help text in
redhat_management_key field c8f5490e507a72 Set default interface if
cobbler system add has no
--interface= param 31a1aa31d26c4a Remove apache IfVersion
tags from apache configs

- Integrated fixes that came in from mainline from other products (to calm
down obs regression checker): CVE-2011-4953, fate#312397, boo#660126,
boo#671212, boo#672471, boo#682665 boo#687891, boo#695955, boo#722443,
boo#722445, boo#757062, boo#763610 boo#783671, boo#790545, boo#796773,
boo#811025, boo#812948, boo#842699 boo#846580, boo#869371, boo#884051,
boo#976826, boo#984998 Some older bugs need boo# references as well:
boo#660126, boo#671212, boo#672471, boo#682665 boo#687891, boo#695955,
boo#722443, boo#722445, boo#757062, boo#763610 boo#783671, boo#790545,
boo#796773, boo#811025, boo#812948, boo#842699 boo#846580, boo#869371,
boo#884051

- Fix for redhat_management_key not being listed as a choice during
profile rename (boo#1134588)
- Added:
* rhn-mngmnt-key-field-fix.diff

- Fixes distribution detection in setup.py for SLESo
- Added:
* changes-detection-to-distro-like-for-suse-distributions.diff

- Moving to pytest and adding Docker test integration
- Added:
* add-docker-integration-testing.diff
* refactor-unittest-to-pytest.diff

- Additional compatability changes for old Koan versions.
- Modified:
* renamed-methods-alias-part2.patch

- Old Koan versions not only need method aliases, but also need compatible
responses
- Added:
* renamed-methods-alias-part2.patch

- Add the redhat_managment_* fields again to enable templating in SUMA.
- Added:
* revert-redhat-management-removal.patch

- Changes return of last_modified_time RPC to float
- Added:
* changes-return-to-float.diff

- provide old name aliases for all renamed methods:
- get_distro_for_koan => get_distro_as_rendered
- get_profile_for_koan => get_profile_as_rendered
- get_system_for_koan => get_system_as_rendered
- get_repo_for_koan => get_repo_as_rendered
- get_image_for_koan => get_image_as_rendered
- get_mgmtclass_for_koan => get_mgmtclass_as_rendered
- get_package_for_koan => get_package_as_rendered
- get_file_for_koan => get_file_as_rendered
- Renamed: get_system_for_koan.patch => renamed-methods-alias.patch

- provide renamed method "get_system_for_koan" under old name for old
clients.
- Added:
* get_system_for_koan.patch

- Bring back power_system method in the XML-RPC API
- Changed lanplus option to lanplus=true in fence_ipmitool.template
- Added:
* power_system_xmlrpc_api.patch
- Changed:
* fence_ipmitool.template

- Disables nsupdate_enabled by default
- Added:
* disable_nsupdate_enabled_by_default.diff

- Fixes issue in distribution detection with "lower" function call.
- Modified:
* remodeled-distro-detection.diff

- Adds imporoved distribution detection. Since now all base products get
detected correctly, we no longer need the SUSE Manager patch.
- Added:
* remodeled-distro-detection.diff

- fix grub directory layout
- Added:
* create-system-directory-at-the-correct-place.patch

- fix HTTP status code of XMLRPC service
- Added:
* fix-http-status-code.patch

- touch /etc/genders when it not exists (boo#1128926)
- Add patches to fix logging
- Added:
* return-the-name-of-the-unknown-method.patch
* call-with-logger-where-possible.patch

- Switching version schema from 3.0 to 3.0.0

- Fixes case where distribution detection returns None (boo#1130658)
- Added:
* fixes-distro-none-case.diff

- Removes newline from token, which caused authentication error
(boo#1128754)
- Added:
* remove-newline-from-token.diff

- Added a patch which fixes an exception when login in with a non-root
user.
- Added:
* fix-login-error.patch

- Added a patch which fixes an exception when login in with a non-root
user.
- Added:
* fix-login-error.patch

- Remove patch merged at upstream:
* 0001-return-token-as-string.patch

- change grub2-x86_64-efi dependency to Recommends

- grub2-i386pc is not really required. Changed to recommended to allow
building for architectures other than x86_64

- Use cdrtools starting with SLE-15 and Leap-15 again. (boo#1081739)
- Update cobbler loaders server hostname (boo#980577)
- Update outdated apache config (boo#956264)
- Replace builddate with changelog date to fix build-compare (boo#969538)
- LOCKFILE usage removed on openSUSE (boo#714618)
- Power management subsystem completely re-worked to prevent
command-injection (CVE-2012-2395)
- Removed patch merged at upstream:
* cobblerd_needs_apache2_service_started.patch

- Checking bug fixes of released products are in latest develop pkg:
- remove fix-nameserver-search.fix; bug is invalid (boo#1029276)
-> not needed anymore
- fix cobbler yaboot handling (boo#968406, boo#966622)
-> no yaboot support anymore
- support UEFI boot with cobbler generated tftp tree (boo#1020376)
-> upstream
- Enabling PXE grub2 support for PowerPC (boo#986978)
-> We have grub2 support for ppc64le
- (boo#1048183) fix missing args and location for xen
-> is in
- no koan support anymore: boo#969541, boo#924118, boo#967523
- not installed (boo#966841) works.
- These still have to be looked at: SUSE system as systemd only
(boo#952844) handle list value for kernel options correctly (boo#973413)
entry in pxe menu (boo#988889)
- This still has to be switched off (at least in internal cobbler
versions): Disabling 'get-loaders' command and 'check' fixed. boo#973418

- Add explicity require to tftp, so it is used for both SLE and openSUSE
(originally from jgonzalez@suse.com)
- Moved Recommends according to spec_cleaner

- Require latest apache2-mod_wsgi-python3 package This fixes interface to
http://localhost/cblr/svc/...
- Use latest github cobbler/cobbler master branch in _service file
- cobblerd_needs_apache2_service_started.patch reverted, that is mainline
now:
- Only recommend grub2-arm and grub2-ppc packages or we might not be able
to build on factory where arm/ppc might not be built
- Remove genders package requires. A genders file is generated, but we do
not need/use the genders package.

- Update to latest cobbler version 3.0 mainline git HEAD version and
remove already integrated or not needed anymore patches.
- Serial console support added, did some testing already Things should
start to work as expected

- Add general grub2 support

- Put mkgrub.* into mkgrub.sh

- Add git date and commit to version string for now

- Add grub2 mkimage scripts: mkgrub.i386-pc mkgrub.powerpc-ieee1275
mkgrub.x86_64-efi mkgrub.arm64-efi and generate grub executables with
them in the %post section

- build server wants explicite package in BuildRequires; use tftp
- require tftp(server) instead of atftp
- cleanup: cobbler is noarch, so arch specific requires do not make sense
- SLES15 is using /etc/os-release instead of /etc/SuSE-release, use this
one for checking also
- add sles15 distro profile (boo#1090205)
- fix signature for SLES15 (boo#1075014)
- fix signature for SLES15 (boo#1075014)
- fix koan wait parameter initialization
- Fix koan shebang
- Escape shell parameters provided by the user for the reposync action
(CVE-2017-1000469) (boo#1074594)
- detect if there is already another instance of "cobbler sync" running
and exit with failure if so (boo#1081714)
- do not try to hardlink to a symlink. The result will be a dangling
symlink in the general case (boo#1097733)
- fix service restart after logrotate for cobblerd (boo#1113747)
- rotate cobbler logs at higher frequency to prevent disk fillup
(boo#1113747)
- Forbid exposure of private methods in the API (CVE-2018-10931)
(CVE-2018-1000225) (boo#1104287) (boo#1104189) (boo#1105442)
- Check access token when calling 'modify_setting' API endpoint
(boo#1104190) (boo#1105440) (CVE-2018-1000226)

This update was imported from the openSUSE:Leap:15.2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP2:

zypper in -t patch openSUSE-2021-58=1


Package List:

- openSUSE Backports SLE-15-SP2 (noarch):

cobbler-3.1.2-bp152.4.3.1
cobbler-tests-3.1.2-bp152.4.3.1
cobbler-web-3.1.2-bp152.4.3.1

References:

  https://www.suse.com/security/cve/CVE-2011-4953.html
  https://www.suse.com/security/cve/CVE-2012-2395.html
  https://www.suse.com/security/cve/CVE-2017-1000469.html
  https://www.suse.com/security/cve/CVE-2018-1000225.html
  https://www.suse.com/security/cve/CVE-2018-1000226.html
  https://www.suse.com/security/cve/CVE-2018-10931.html
  https://bugzilla.suse.com/1020376
  https://bugzilla.suse.com/1029276
  https://bugzilla.suse.com/1048183
  https://bugzilla.suse.com/1074594
  https://bugzilla.suse.com/1075014
  https://bugzilla.suse.com/1081714
  https://bugzilla.suse.com/1081739
  https://bugzilla.suse.com/1090205
  https://bugzilla.suse.com/1097733
  https://bugzilla.suse.com/1101670
  https://bugzilla.suse.com/1104189
  https://bugzilla.suse.com/1104190
  https://bugzilla.suse.com/1104287
  https://bugzilla.suse.com/1105440
  https://bugzilla.suse.com/1105442
  https://bugzilla.suse.com/1113747
  https://bugzilla.suse.com/1128754
  https://bugzilla.suse.com/1128926
  https://bugzilla.suse.com/1130658
  https://bugzilla.suse.com/1134588
  https://bugzilla.suse.com/1149075
  https://bugzilla.suse.com/1151875
  https://bugzilla.suse.com/1156574
  https://bugzilla.suse.com/1159010
  https://bugzilla.suse.com/1169207
  https://bugzilla.suse.com/1169553
  https://bugzilla.suse.com/1169779
  https://bugzilla.suse.com/1170462
  https://bugzilla.suse.com/660126
  https://bugzilla.suse.com/671212
  https://bugzilla.suse.com/672471
  https://bugzilla.suse.com/682665
  https://bugzilla.suse.com/687891
  https://bugzilla.suse.com/695955
  https://bugzilla.suse.com/714618
  https://bugzilla.suse.com/722443
  https://bugzilla.suse.com/722445
  https://bugzilla.suse.com/757062
  https://bugzilla.suse.com/763610
  https://bugzilla.suse.com/783671
  https://bugzilla.suse.com/790545
  https://bugzilla.suse.com/796773
  https://bugzilla.suse.com/811025
  https://bugzilla.suse.com/812948
  https://bugzilla.suse.com/842699
  https://bugzilla.suse.com/846580
  https://bugzilla.suse.com/869371
  https://bugzilla.suse.com/884051
  https://bugzilla.suse.com/924118
  https://bugzilla.suse.com/952844
  https://bugzilla.suse.com/956264
  https://bugzilla.suse.com/966622
  https://bugzilla.suse.com/966841
  https://bugzilla.suse.com/967523
  https://bugzilla.suse.com/968406
  https://bugzilla.suse.com/969538
  https://bugzilla.suse.com/969541
  https://bugzilla.suse.com/973413
  https://bugzilla.suse.com/973418
  https://bugzilla.suse.com/976826
  https://bugzilla.suse.com/980577
  https://bugzilla.suse.com/984998
  https://bugzilla.suse.com/986978
  https://bugzilla.suse.com/988889