https://bugzilla.novell.com/show_bug.cgi?id=877009

https://bugzilla.novell.com/show_bug.cgi?id=877009#c0

Summary: VUL-0: CVE-2014-3225: cobbler: Local file inclusion
Classification: openSUSE
Product: openSUSE Factory
Version: 13.2 Milestone 0
Platform: Other
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: ug@suse.com
ReportedBy: jsegitz@novell.com
QAContact: qa-bugs@suse.de
Found By: Security Response Team
Blocker: ---

Reported by Dolev Farhi via oss-security
(Message-ID: <BFB17C16CEB8834FBCE8DCF6B3CFC7B601606FA5@SEAEMBX02.olympus.F5Net.com>)

A remote user that is able to access the Cobbler WebUI can specify a full path
to any desired file in the Kickstart value, and view the contents of that file.

Right now there is no patch available for this issue.

Affected versions (according to http://de.1337day.com/exploit/22219, no
upstream verification): 2.4.x - 2.6.x

SUSE:SLE-12:GA     2.4.2
openSUSE:13.1      2.4.0
openSUSE:Factory   2.4.0

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1095844
https://github.com/cobbler/cobbler/issues/939
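
The issue described above comes down to a Kickstart value being opened without being confined to a template directory. The following is an added example of such a confinement check; it is not Cobbler code and not an upstream fix, and the function names, the base_dir parameter and the sample tree are assumptions made for illustration.

```python
import os
import tempfile


class KickstartPathError(ValueError):
    """The kickstart value does not name a file inside the template directory."""


def resolve_kickstart(value, base_dir):
    """Return the real path of a kickstart template under base_dir, or raise."""
    base = os.path.realpath(base_dir)
    # join() keeps an absolute value as given, so a full path is checked
    # like any other input instead of being silently rewritten.
    # realpath() collapses ".." and follows symlinks, so the comparison is
    # made on the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base:
        raise KickstartPathError("outside %s: %r" % (base, value))
    if not os.path.isfile(candidate):
        raise KickstartPathError("not a regular file: %r" % (value,))
    return candidate


def read_kickstart(value, base_dir):
    with open(resolve_kickstart(value, base_dir)) as fh:
        return fh.read()


def demo():
    """Constructed sample tree: one template, one file that is not a template."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "kickstarts")  # hypothetical template dir
        os.mkdir(base)
        with open(os.path.join(base, "default.ks"), "w") as fh:
            fh.write("install\n")
        other = os.path.join(root, "other.txt")
        with open(other, "w") as fh:
            fh.write("not a template\n")
        os.symlink(other, os.path.join(base, "link.ks"))
        cases = [("template", "default.ks"), ("full path", other),
                 ("dot-dot", "../other.txt"), ("symlink", "link.ks")]
        for label, value in cases:
            try:
                read_kickstart(value, base)
                results[label] = "allowed"
            except KickstartPathError:
                results[label] = "rejected"
    return results
```

The check belongs both where the value is saved and where the file is read, so that values stored before the check existed are also covered.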