Update Info

openSUSE-2022-62


Security update for cobbler


Type: security
Severity: important
Issued: 2022-03-01
Description:
This update for cobbler fixes the following issues:

- CVE-2021-45083: Fixed unsafe permissions on sensitive files (bsc#1193671).
- CVE-2021-45082: Fixed incomplete template sanitization (bsc#1193678).
- CVE-2021-40323, CVE-2021-40324, CVE-2021-40325: Fixed Remote Code Execution in the XMLRPC API which additionally allowed arbitrary file read and write as root (boo#1189458).

The following non-security bugs were fixed:

- Fix issues with installation module logging and validation (boo#1195918)
- Move configuration files ownership to apache (boo#1195906)
- Remove hardcoded test credentials (boo#1193673)
- Prevent log pollution (boo#1193675)
- Missing sanity check on MongoDB configuration file (boo#1193676)
- Avoid traceback when building tftp files for ppc arch system when boot_loader is not set (boo#1185679)
- Prevent some race conditions when writing tftpboot files and the destination directory does not exist (boo#1186124)
- Fix trail stripping in case of using UTF symbols (boo#1184561)


              

Packages


  • cobbler-3.1.2-bp153.2.3.1