-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2021-3a640d3d4c 2021-09-29 00:16:07.673853 --------------------------------------------------------------------------------
Name : cobbler Product : Fedora 35 Version : 3.2.2 Release : 2.fc35 URL : https://cobbler.github.io/ Summary : Boot server configurator Description : Cobbler is a network install server. Cobbler supports PXE, ISO virtualized installs, and re-installing existing Linux machines. The last two modes use a helper tool, 'koan', that integrates with cobbler. There is also a web interface 'cobbler-web'. Cobbler's advanced features include importing distributions from DVDs and rsync mirrors, kickstart templating, integrated yum mirroring, and built-in DHCP/DNS Management. Cobbler has a XML-RPC API for integration with other applications.
-------------------------------------------------------------------------------- Update Information:
* Migrate settings to settings.yaml * Migrate pre-cobbler 3 data if needed * Fix autoinstall_templates -> templates ---- Update to 3.2.2 New: --- * Signatures: Add ESXi 7.0 U1 #2525 #2526 #2442 * AlmaLinux & RockyLinux are now supported * Signatures: Add generic openSUSE Leap 15 #2508 * Settings: Use .yaml as a file extension #2531 * Settings: Validate what settings we have in the YAML-File #2533 #2419 #2530 * Modules: We now support automatic Windows installations #2466 * Docs: Terraform provider now included #2166 #2528 Changes: ----- * Web Frontend: Show VMware as a breed #2449 * Logging check fails with SELinux #2440 #2441 * Typing: Convert docstring types to typing types #2564 * ESXi Support: Now partly supported #2541 * ipmitool now is upstream supported by fence_agents via ipmilanplus #2542 * cobbler version remove the b prefix #2543 * We are now using inst.ks instead of ks #2534 * Use the python-file bindings instead of a subprocess call #2482 #2480 * Web Interface: Make new user management more obvious #2484 Bugfixes: ----- * Remove redundant .json suffix: #2451 #2376 #2545 #2529 * PAM Authentication failures are fixed now: #2400 #2444 * Templating: Fix Cheetah macros #2570 #2509 #2403 * Templating: Fix regex replacements #2513 * Templating: Add http_port to all snippets we are aware of #2058 * API: Have the legacy fields kickstart and ks_meta present at all times. #2311 #2568 * Replicate: revert_strip_none prior adding an object on replicate #2548 #2505 * Replicate: Fix paths during replication #2516 * Web interface: Fix snippet path #2520 * Web interface: Prevent duplicate pathing of snippets #2485 * Fix script path from Cobbler #2479 #2478 * Settings: Add missing rsync flags option #2467 #2468 * Startup: Cobbler starts with sub-profiles now #2259 #2450 * Web: Permissions for /var/lib/cobbler/web.ss #2439 #2452 * Power management: Follow the fence_agent return codes #1491 * cobbler check: Fix dnsmasq check #2155 Other: ---- * Cleanup unused import #2551 * Docs: Improvements at various places #2547 #2481 #2473 #1801 #2228 * Removed unused multi-language support #2532 * Un-categorized improvements #2524 #2464 * Items: Streamline template_types type in all items #2262 Breaking Changes: ---- * Possibly the settings file is not correctly migrated and needs to be manually adjusted. * Rename settings to settings.yaml * Add all keys which are missing. List will be available in /var/log/cobbler/cobbler.log. * We dropped support for CentOS 7 since no full Python 3 stack is available #2515 Fedora --- * bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection * bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function * bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings -------------------------------------------------------------------------------- ChangeLog:
* Thu Sep 23 2021 Orion Poplawski orion@nwra.com - 3.2.2-2 - Migrate settings to settings.yaml - Migrate pre-cobbler 3 data if needed - Fix autoinstall_templates -> templates * Thu Sep 23 2021 Orion Poplawski orion@nwra.com - 3.2.2-1 - Update to 3.2.2 - bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection - bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function - bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings * Wed Sep 22 2021 Orion Poplawski orion@nwra.com - 3.2.1-1 - Update to 3.2.1 -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2006840 - CVE-2021-40323 cobbler: Arbitrary File Disclosure/Template Injection via generate_script RPC method https://bugzilla.redhat.com/show_bug.cgi?id=2006840 [ 2 ] Bug #2006897 - CVE-2021-40324 cobbler: Arbitrary file write via upload_log_data XMLRPC function https://bugzilla.redhat.com/show_bug.cgi?id=2006897 [ 3 ] Bug #2006904 - CVE-2021-40325 cobbler: Authorization bypass allows modifying settings https://bugzilla.redhat.com/show_bug.cgi?id=2006904 --------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2021-3a640d3d4c' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org