SUSE Package Hub - openSUSE-2024-382

Update Info

openSUSE-2024-382

Security update for cobbler

Type: security

Severity: important

Issued: 2024-11-28

Description:

This update for cobbler fixes the following issues:

Update to 3.3.7:

  * Security: Fix issue that allowed anyone to connect to the API
    as admin (CVE-2024-47533, boo#1231332)

  * bind - Fix bug that prevents cname entries from being
    generated successfully
  * Fix build on RHEL9 based distributions (fence-agents-all split)
  * Fix for Windows systems
  * Docs: Add missing dependencies for source installation
  * Fix issue that prevented systems from being synced when the
    profile was edited

Update to 3.3.6:

  * Upstream all openSUSE specific patches that were maintained in Git
  * Fix rename of items that had uppercase letters
  * Skip inconsistent collections instead of crashing the daemon

- Update to 3.3.5:
  * Added collection indicies for UUID's, MAC's, IP addresses and hostnames
    boo#1219933
  * Re-added to_dict() caching
  * Added lazy loading for the daemon (off by default)

- Update to 3.3.4:

  * Added cobbler-tests-containers subpackage
  * Updated the distro_signatures.json database
  * The default name for grub2-efi changed to grubx64.efi to match
    the DHCP template

- Do generate boot menus even if no profiles or systems - only local boot
- Avoid crashing running buildiso in certain conditions.
- Fix settings migration schema to work while upgrading on existing running
  Uyuni and SUSE Manager servers running with old Cobbler settings (boo#1203478)
- Consider case of "next_server" being a hostname during migration
  of Cobbler collections.
- Fix problem with "proxy_url_ext" setting being None type.
- Update v2 to v3 migration script to allow migration of collections
  that contains settings from Cobbler 2. (boo#1203478)
- Fix problem for the migration of "autoinstall" collection attribute.
- Fix failing Cobbler tests after upgrading to 3.3.3.
- Fix regression: allow empty string as interface_type value (boo#1203478) 
- Avoid possible override of existing values during migration
  of collections to 3.0.0 (boo#1206160)
- Add missing code for previous patch file around boot_loaders migration.
- Improve Cobbler performance with item cache and threadpool (boo#1205489)
- Skip collections that are inconsistent instead of crashing (boo#1205749)
- Items: Fix creation of "default" NetworkInterface (boo#1206520)
- S390X systems require their kernel options to have a linebreak at
  79 characters (boo#1207595)
- settings-migration-v1-to-v2.sh will now handle paths with whitespace
  correct
- Fix renaming Cobbler items (boo#1204900, boo#1209149)
- Fix cobbler buildiso so that the artifact can be booted by EFI firmware.
  (boo#1206060)
- Add input_string_*, input_boolean, input_int functiont to public API

References

CVE: CVE-2024-47533
Bugzilla: 1231332 VUL-0: CVE-2024-47533: cobbler: Authentication Exploit
Bugzilla: 1219933 https://bugzilla.opensuse.org/show_bug.cgi?id=1219933
Bugzilla: 1209149 https://bugzilla.opensuse.org/show_bug.cgi?id=1209149
Bugzilla: 1207595 https://bugzilla.opensuse.org/show_bug.cgi?id=1207595
Bugzilla: 1206520 https://bugzilla.opensuse.org/show_bug.cgi?id=1206520
Bugzilla: 1206160 https://bugzilla.opensuse.org/show_bug.cgi?id=1206160
Bugzilla: 1206060 https://bugzilla.opensuse.org/show_bug.cgi?id=1206060
Bugzilla: 1205749 https://bugzilla.opensuse.org/show_bug.cgi?id=1205749
Bugzilla: 1205489 https://bugzilla.opensuse.org/show_bug.cgi?id=1205489
Bugzilla: 1204900 https://bugzilla.opensuse.org/show_bug.cgi?id=1204900
Bugzilla: 1203478 https://bugzilla.opensuse.org/show_bug.cgi?id=1203478

Packages

cobbler-3.3.7-bp155.2.3.2