Cobbler restrict Kickstart Directory (Security Issue) #939
Fixed in master, will be in 2.8 release
Awesome! Dolev Farhi
We have CVE-2014-3225 bugs filed against the cobbler packages in Fedora/EPEL: https://bugzilla.redhat.com/show_bug.cgi?id=1095846. Any chance this could be back-ported to at least 2.6?
Yes, and in my book this warrants new releases in 2.4 and 2.6.
@opoplawski are you also maintaining cobbler for EPEL5 ???
note to self: one of the patches from alanoe broke cobbler-web for snippets/kickstart edits
Merged into 2.4 and 2.6, will release tomorrow.
2.4.6 and 2.6.3 have been released.
I appear to be the cobbler maintainer for all Fedora and Fedora EPEL releases.
So, Jimi granted you all rights on the cobbler packages ?? On Sat, Jul 19, 2014 at 12:52 AM, Orion Poplawski notifications@github.com
Grtz,
On 07/18/2014 11:12 PM, Jörgen Maas wrote:
No, I've been using my provenpackager powers to maintain it. Orion Poplawski
Hi all
Add strict kickstart check in the API, again should fix #939.
Again, backported to 2.4 and 2.6 branches.
Will do another release soonish. If you could please test the code?
will do
The solution described here is just making it into the Red Hat world, so I'm only just encountering it. Can you point me at the original discussions, as I cannot understand the vulnerability, nor the threats, from the descriptions in the issue thread? At the same time, the solution appears to introduce an unnecessary privilege escalation, which is a security issue in itself - the kickstart files must now sit in root managed filespace of the cobbler host, leading to wider than necessary write access to those files.
Hi,
As discussed in mailing lists, it makes sense to restrict access to the kickstart directory in cobbler, so local file inclusions other than kickstart files are prohibited.
By specifying a 'Kickstart' value of /etc/passwd or any other crucial system file, local files are exposed by the cobbler web_ui, which is a security vulnerability.
This issue has been opened here after discussion with Jorgen Maas.
Thanks,
Dolev Farhi, F5 Networks Inc
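The kind of restriction requested above, sketched as an added example; it is not part of the original thread and is not the Cobbler patch. The function name `is_allowed_kickstart`, the helper `build_demo_tree` and the temporary directory layout are assumptions made for illustration only.

```python
import os
import tempfile


def is_allowed_kickstart(path, allowed_root):
    """True only if `path` resolves to a regular file under `allowed_root`."""
    if not path or "\x00" in path or not os.path.isabs(path):
        return False
    # Resolve "..", duplicate slashes and symlinks before comparing.
    root = os.path.realpath(allowed_root)
    real = os.path.realpath(path)
    # commonpath compares whole components, so a sibling directory such as
    # "<root>-other" does not pass the way a plain startswith() test would.
    if os.path.commonpath([root, real]) != root:
        return False
    return os.path.isfile(real)


def build_demo_tree():
    """Constructed sample layout in a temp dir (not Cobbler's real paths)."""
    base = tempfile.mkdtemp(prefix="ks-demo-")
    root = os.path.join(base, "kickstarts")
    sibling = os.path.join(base, "kickstarts-other")
    os.makedirs(root)
    os.makedirs(sibling)
    good = os.path.join(root, "default.ks")
    outside = os.path.join(sibling, "secret.txt")
    for name in (good, outside):
        with open(name, "w") as handle:
            handle.write("# constructed sample\n")
    link = os.path.join(root, "link.ks")
    os.symlink(outside, link)  # symlink inside the root pointing outside it
    return root, good, outside, link


if __name__ == "__main__":
    root, good, outside, link = build_demo_tree()
    candidates = [
        good,
        "/etc/passwd",
        os.path.join(root, "..", "kickstarts-other", "secret.txt"),
        outside,
        link,
        "default.ks",
    ]
    for candidate in candidates:
        print(is_allowed_kickstart(candidate, root), candidate)
```

Only the first candidate is accepted. A check like this belongs in the API layer as well as the web UI, since a value rejected in one place can still arrive through the other.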