[Bug 877009] New: VUL-0: CVE-2014-3225: cobbler: Local file inclusion
https://bugzilla.novell.com/show_bug.cgi?id=877009
https://bugzilla.novell.com/show_bug.cgi?id=877009#c0

           Summary: VUL-0: CVE-2014-3225: cobbler: Local file inclusion
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 13.2 Milestone 0
          Platform: Other
        OS/Version: openSUSE 13.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
        AssignedTo: ug@suse.com
        ReportedBy: jsegitz@novell.com
         QAContact: qa-bugs@suse.de
          Found By: Security Response Team
           Blocker: ---

Reported by Dolev Farhi via oss-security (Message-ID: <BFB17C16CEB8834FBCE8DCF6B3CFC7B601606FA5@SEAEMBX02.olympus.F5Net.com>)

A remote user that is able to access the Cobbler WebUI can specify a full path to any desired file in the Kickstart value, and view the contents of that file.

Right now there is no patch available for this issue.

Affected versions (according to http://de.1337day.com/exploit/22219, no upstream verification): 2.4.x - 2.6.x

SUSE:SLE-12:GA    2.4.2
openSUSE:13.1     2.4.0
openSUSE:Factory  2.4.0

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1095844
https://github.com/cobbler/cobbler/issues/939

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=877009
https://bugzilla.novell.com/show_bug.cgi?id=877009#c

Bernhard Wiedemann <bwiedemann@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bwiedemann@suse.com,
                   |                            |fcastelli@suse.com
         AssignedTo|bnc-team-screening@forge.pr |mc@suse.com
                   |ovo.novell.com              |
https://bugzilla.novell.com/show_bug.cgi?id=877009
https://bugzilla.novell.com/show_bug.cgi?id=877009#c3

Flavio Castelli <fcastelli@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
         AssignedTo|mc@suse.com                 |fcastelli@suse.com

--- Comment #3 from Flavio Castelli <fcastelli@suse.com> 2014-07-14 13:57:52 UTC ---
I'm going to take care of that.
https://bugzilla.novell.com/show_bug.cgi?id=877009
https://bugzilla.novell.com/show_bug.cgi?id=877009#c4

Flavio Castelli <fcastelli@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Flavio Castelli <fcastelli@suse.com> 2014-07-15 15:07:57 UTC ---
Patches have been added to the cobbler package inside of the systemsmanagement project. The package has been submitted to openSUSE:Factory too.

The same package is going to be tested by SUSE Manager on SLE12. If everything works as expected we are going to submit that to SLE12 GA too.
https://bugzilla.novell.com/show_bug.cgi?id=877009
https://bugzilla.novell.com/show_bug.cgi?id=877009#c5

--- Comment #5 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-07-15 18:00:41 CEST ---
This is an autogenerated message for OBS integration:
This bug (877009) was mentioned in
https://build.opensuse.org/request/show/241106 Factory / cobbler
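The report above describes a Kickstart value that is used as a file path without being confined to the template directory. As an added example, not Cobbler's own code and not the patch referenced in comment #4, the following check shows the kind of path confinement that closes this class of bug; the directory names in ALLOWED_KICKSTART_ROOTS are assumptions, and the scenario in demo() is constructed in a temporary directory.

```python
import os
import tempfile

# Assumption: the directories Cobbler serves kickstart templates from.
# These are not taken from the bug report; adjust to your deployment.
ALLOWED_KICKSTART_ROOTS = ("/var/lib/cobbler/kickstarts", "/etc/cobbler")

def is_confined(candidate, roots=ALLOWED_KICKSTART_ROOTS):
    """Return True only if `candidate` resolves strictly inside one of `roots`.
    Symlinks and ".." are resolved first, so a link dropped into the
    template directory cannot be used to escape it."""
    if not os.path.isabs(candidate):
        return False  # a relative name would depend on the daemon's cwd
    real = os.path.realpath(candidate)
    for root in roots:
        root_real = os.path.realpath(root)
        try:
            # commonpath rejects the prefix trick "/etc/cobbler-evil/x.ks"
            inside = os.path.commonpath([real, root_real]) == root_real
        except ValueError:  # paths on different drives (Windows)
            inside = False
        if inside and real != root_real:
            return True
    return False

def demo():
    """Constructed scenario: one genuine template, one symlink that escapes
    the directory, and the kinds of values the report describes (absolute
    system path, '..' path, prefix trick). Returns name -> accepted?"""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "kickstarts")
        os.mkdir(root)
        good = os.path.join(root, "default.ks")
        open(good, "w").close()
        secret = os.path.join(tmp, "secret.txt")
        open(secret, "w").close()
        link = os.path.join(root, "escape.ks")
        os.symlink(secret, link)
        roots = (root,)
        return {
            "template": is_confined(good, roots),
            "symlink_escape": is_confined(link, roots),
            "absolute_system_file": is_confined("/etc/passwd", roots),
            "dotdot": is_confined(os.path.join(root, "..", "secret.txt"), roots),
            "prefix_trick": is_confined(root + "-evil/x.ks", roots),
            "relative": is_confined("default.ks", roots),
        }
```

Only the genuine template is accepted; every other value, including the symlink that resolves outside the directory, is rejected before any file is opened.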