Thnx4info.TUR
On Sat, 25 Jun 2016 at 15:43, Patrick Uiterwijk <puiterwijk(a)redhat.com> wrote:
Dear Fedora mirror admins,
We recently performed a security audit of the mirrormanager server
code. During this audit, we noticed the endpoint used by
report_mirror[1] had a security-related flaw inherent to the data
format it uses. Note that the security issue is on the server side.
Our audit did not reveal any security issues on the mirror side.
Currently this endpoint uses the Python pickle format, and we would
like to move this to a JSON-formatted checkin object. We have
modified the server to support both formats, to allow an easy
transition.
We would like to ask any mirror admins running report_mirror to either:
1. Update the mirrormanager-client package to version 1.4.4-5 if you get report_mirror from there
2. Update the report_mirror script by grabbing a new copy from [1]
3. Manually edit the report_mirror script, replacing all four occurrences of the string "pickle" with the string "json".
We will be allowing both formats for at least two weeks, after which we will assess whether we need to allow more migration time, or will disable the pickle based checkin mechanism.
This issue has been assigned CVE-2016-1000003.
[1]: https://git.fedorahosted.org/cgit/mirrormanager/tree/client
With kind regards,
Patrick Uiterwijk
Security Officer, Fedora Infrastructure
--
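The transition the announcement describes, a checkin endpoint that accepts JSON while still tolerating legacy pickle, as an added illustration that is not mirrormanager's code: the legacy path uses a restricted Unpickler that refuses to resolve any global, so a pickle can only rebuild plain containers and scalars and never reach a callable. The content types, field names and sample bodies are assumptions for this example, not mirrormanager's real protocol.

```python
import collections
import io
import json
import pickle

# Assumed checkin fields for this example (not mirrormanager's real schema).
REQUIRED_FIELDS = {"name": str, "categories": dict}


class RefusingUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup. Pickle resolves callables
    and classes through find_class, so refusing it leaves only plain data
    (dict, list, str, int, ...). It is a stopgap for the migration window,
    not a reason to keep pickle: the JSON path is the intended endpoint."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "refusing to resolve %s.%s in checkin data" % (module, name))


def validate(data):
    """Reject anything that is not a checkin object with the expected fields."""
    if not isinstance(data, dict):
        raise ValueError("checkin must be an object")
    for field, typ in REQUIRED_FIELDS.items():
        if not isinstance(data.get(field), typ):
            raise ValueError("checkin field %r missing or wrong type" % field)


def parse_checkin(body, content_type):
    """Decode a checkin request body; content types are assumed names."""
    if content_type == "application/json":
        data = json.loads(body.decode("utf-8"))
    elif content_type == "application/x-pickle":  # legacy, transition only
        data = RefusingUnpickler(io.BytesIO(body)).load()
    else:
        raise ValueError("unsupported checkin format: %r" % content_type)
    validate(data)
    return data


def constructed_samples():
    """Constructed request bodies for exercising the parser offline."""
    good = {"name": "mirror.example.org", "categories": {"Fedora Linux": {}}}
    return {
        "json": json.dumps(good).encode("utf-8"),
        "pickle_plain": pickle.dumps(good),
        # A harmless object whose pickle still names a class; the refusing
        # unpickler rejects it regardless of which class is referenced.
        "pickle_global": pickle.dumps(collections.OrderedDict()),
    }
```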