openSUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0382-1
Rating:             important
References:         #1203478 #1204900 #1205489 #1205749 #1206060 
                    #1206160 #1206520 #1207595 #1209149 #1219933 
                    #1231332 
Cross-References:   CVE-2024-47533
CVSS scores:
                    CVE-2024-47533 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that solves one vulnerability and has 10 fixes is
   now available.

Description:

   This update for cobbler fixes the following issues:

   - Update to 3.3.7:

     * Security: Fix issue that allowed anyone to connect to the API as admin
       (CVE-2024-47533, boo#1231332)

     * bind - Fix bug that prevents cname entries from being generated
       successfully
     * Fix build on RHEL9 based distributions (fence-agents-all split)
     * Fix for Windows systems
     * Docs: Add missing dependencies for source installation
     * Fix issue that prevented systems from being synced when the profile
       was edited

   - Update to 3.3.6:

     * Upstream all openSUSE specific patches that were maintained in Git
     * Fix rename of items that had uppercase letters
     * Skip inconsistent collections instead of crashing the daemon

   - Update to 3.3.5:
     * Added collection indices for UUIDs, MACs, IP addresses and
       hostnames (boo#1219933)
     * Re-added to_dict() caching
     * Added lazy loading for the daemon (off by default)

   - Update to 3.3.4:

     * Added cobbler-tests-containers subpackage
     * Updated the distro_signatures.json database
     * The default name for grub2-efi changed to grubx64.efi to match the
       DHCP template

   - Do generate boot menus even if no profiles or systems - only local boot
   - Avoid crashing when running buildiso under certain conditions.
   - Fix settings migration schema to work while upgrading on existing
     running Uyuni and SUSE Manager servers running with old Cobbler settings
     (boo#1203478)
   - Consider case of "next_server" being a hostname during migration
     of Cobbler collections.
   - Fix problem with "proxy_url_ext" setting being None type.
   - Update v2 to v3 migration script to allow migration of collections that
     contain settings from Cobbler 2. (boo#1203478)
   - Fix problem for the migration of "autoinstall" collection attribute.
   - Fix failing Cobbler tests after upgrading to 3.3.3.
   - Fix regression: allow empty string as interface_type value (boo#1203478)
   - Avoid possible override of existing values during migration
     of collections to 3.0.0 (boo#1206160)
   - Add missing code for previous patch file around boot_loaders migration.
   - Improve Cobbler performance with item cache and threadpool (boo#1205489)
   - Skip collections that are inconsistent instead of crashing (boo#1205749)
   - Items: Fix creation of "default" NetworkInterface (boo#1206520)
   - S390X systems require their kernel options to have a linebreak at 79
     characters (boo#1207595)
   - settings-migration-v1-to-v2.sh will now handle paths with whitespace
     correctly
   - Fix renaming Cobbler items (boo#1204900, boo#1209149)
   - Fix cobbler buildiso so that the artifact can be booted by EFI firmware.
     (boo#1206060)
   - Add input_string_*, input_boolean, input_int functions to public API


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2024-382=1
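
   A post-patch check for the step above, as an added example that is not part of the SUSE advisory: it compares an installed cobbler build against the fixed build from the Package List below. The function names are hypothetical, the comparison applies only to openSUSE Backports SLE-15-SP5 builds, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example, not SUSE's tooling. FIXED is the cobbler build from this
# advisory's Package List (openSUSE Backports SLE-15-SP5).
FIXED="3.3.7-bp155.2.3.2"

# Return 0 if $1 (VERSION-RELEASE) sorts at or after $FIXED.
# Assumption: GNU `sort -V` stands in for RPM's own version comparison;
# the two agree for plain dotted numeric strings such as these.
cobbler_is_fixed() {
    candidate="$1"
    [ -n "$candidate" ] || return 2
    lowest=$(printf '%s\n%s\n' "$FIXED" "$candidate" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# Map the output of an rpm query to a status word.
cobbler_status() {
    case "$1" in
        ""|*"not installed"*)
            echo "not-installed" ;;
        *)
            if cobbler_is_fixed "$1"; then
                echo "fixed"
            else
                echo "vulnerable"
            fi ;;
    esac
}

# Query the local RPM database; degrade cleanly where rpm is absent.
check_local() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm-unavailable"
        return 0
    fi
    cobbler_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' cobbler 2>/dev/null)"
}

check_local
```

   A host that reports "vulnerable" still runs a build older than 3.3.7 and remains exposed to CVE-2024-47533 until the patch is installed.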



Package List:

   - openSUSE Backports SLE-15-SP5 (noarch):

      cobbler-3.3.7-bp155.2.3.2
      cobbler-tests-3.3.7-bp155.2.3.2
      cobbler-tests-containers-3.3.7-bp155.2.3.2


References:

   https://www.suse.com/security/cve/CVE-2024-47533.html
   https://bugzilla.suse.com/1203478
   https://bugzilla.suse.com/1204900
   https://bugzilla.suse.com/1205489
   https://bugzilla.suse.com/1205749
   https://bugzilla.suse.com/1206060
   https://bugzilla.suse.com/1206160
   https://bugzilla.suse.com/1206520
   https://bugzilla.suse.com/1207595
   https://bugzilla.suse.com/1209149
   https://bugzilla.suse.com/1219933
   https://bugzilla.suse.com/1231332

openSUSE: 2024:0382-1 important: cobbler Advisory Security Update

November 28, 2024