openSUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0382-1
Rating:             important
References:         #1203478 #1204900 #1205489 #1205749 #1206060 #1206160
                    #1206520 #1207595 #1209149 #1219933 #1231332
Cross-References:   CVE-2024-47533
CVSS scores:
                    CVE-2024-47533 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

An update that solves one vulnerability and has 10 fixes is now available.

Description:

This update for cobbler fixes the following issues:

- Update to 3.3.7:
  * Security: Fix issue that allowed anyone to connect to the API as admin
    (CVE-2024-47533, boo#1231332)
  * bind - Fix bug that prevents cname entries from being generated successfully
  * Fix build on RHEL9 based distributions (fence-agents-all split)
  * Fix for Windows systems
  * Docs: Add missing dependencies for source installation
  * Fix issue that prevented systems from being synced when the profile was edited
- Update to 3.3.6:
  * Upstream all openSUSE specific patches that were maintained in Git
  * Fix rename of items that had uppercase letters
  * Skip inconsistent collections instead of crashing the daemon
- Update to 3.3.5:
  * Added collection indices for UUIDs, MACs, IP addresses and hostnames (boo#1219933)
  * Re-added to_dict() caching
  * Added lazy loading for the daemon (off by default)
- Update to 3.3.4:
  * Added cobbler-tests-containers subpackage
  * Updated the distro_signatures.json database
  * The default name for grub2-efi changed to grubx64.efi to match the DHCP template
- Do generate boot menus even if no profiles or systems - only local boot
- Avoid crashing when running buildiso in certain conditions.
- Fix settings migration schema to work while upgrading on existing running Uyuni
  and SUSE Manager servers running with old Cobbler settings (boo#1203478)
- Consider case of "next_server" being a hostname during migration of Cobbler
  collections.
- Fix problem with "proxy_url_ext" setting being None type.
- Update v2 to v3 migration script to allow migration of collections that contain
  settings from Cobbler 2. (boo#1203478)
- Fix problem for the migration of "autoinstall" collection attribute.
- Fix failing Cobbler tests after upgrading to 3.3.3.
- Fix regression: allow empty string as interface_type value (boo#1203478)
- Avoid possible override of existing values during migration of collections to
  3.0.0 (boo#1206160)
- Add missing code for previous patch file around boot_loaders migration.
- Improve Cobbler performance with item cache and threadpool (boo#1205489)
- Skip collections that are inconsistent instead of crashing (boo#1205749)
- Items: Fix creation of "default" NetworkInterface (boo#1206520)
- S390X systems require their kernel options to have a linebreak at 79 characters
  (boo#1207595)
- settings-migration-v1-to-v2.sh will now handle paths with whitespace correctly
- Fix renaming Cobbler items (boo#1204900, boo#1209149)
- Fix cobbler buildiso so that the artifact can be booted by EFI firmware.
  (boo#1206060)
- Add input_string_*, input_boolean, input_int functions to public API

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:
  zypper in -t patch openSUSE-2024-382=1

Package List:

- openSUSE Backports SLE-15-SP5 (noarch):
  cobbler-3.3.7-bp155.2.3.2
  cobbler-tests-3.3.7-bp155.2.3.2
  cobbler-tests-containers-3.3.7-bp155.2.3.2

References:

https://www.suse.com/security/cve/CVE-2024-47533.html
https://bugzilla.suse.com/1203478
https://bugzilla.suse.com/1204900
https://bugzilla.suse.com/1205489
https://bugzilla.suse.com/1205749
https://bugzilla.suse.com/1206060
https://bugzilla.suse.com/1206160
https://bugzilla.suse.com/1206520
https://bugzilla.suse.com/1207595
https://bugzilla.suse.com/1209149
https://bugzilla.suse.com/1219933
https://bugzilla.suse.com/1231332
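Added example, not part of the advisory or of the cobbler project: a Python check that compares the cobbler package versions a host reports against the fixed versions in the package list above, so an administrator can confirm the patch for CVE-2024-47533 is actually installed after running the zypper command. It implements a simplified rpm version-release comparison; the "installed" versions embedded below are constructed sample data, and the release string 3.3.3-bp155.1.8 is a placeholder, not a real openSUSE build. On a real host, feed it the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' cobbler cobbler-tests cobbler-tests-containers`.

```python
"""Verify that installed cobbler packages are at or above the versions fixed in
openSUSE-SU-2024:0382-1 (CVE-2024-47533).

Added example, not advisory or project code. Sample inputs are constructed."""
import re

# Fixed versions from the advisory's package list (openSUSE Backports SLE-15-SP5, noarch)
FIXED = {
    "cobbler": "3.3.7-bp155.2.3.2",
    "cobbler-tests": "3.3.7-bp155.2.3.2",
    "cobbler-tests-containers": "3.3.7-bp155.2.3.2",
}

# rpm compares runs of digits, runs of letters, and the '~' pre-release marker;
# separators such as '.' and '-' are ignored.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm segment comparison: 1 if a > b, -1 if a < b, 0 if equal.
    Numeric segments compare numerically, alphabetic ones lexically, digits sort
    after letters, and '~' sorts before everything else (so 3.3.7~rc1 < 3.3.7)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    # All shared segments equal: the longer string wins, unless its extra
    # segment starts with '~', which marks a pre-release and sorts lower.
    a_longer = len(sa) > len(sb)
    extra = (sa if a_longer else sb)[min(len(sa), len(sb))]
    return (1 if a_longer else -1) * (-1 if extra == "~" else 1)


def compare_vr(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings the way rpm does: version first, then release."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    c = rpmvercmp(iv, fv)
    return c if c else rpmvercmp(ir, fr)


def is_fixed(name: str, installed_vr: str) -> bool:
    """True when the installed version-release is at or above the advisory's fixed one."""
    return name in FIXED and compare_vr(installed_vr, FIXED[name]) >= 0


def audit(rpm_q_output: str) -> dict:
    """Parse lines of '<name> <version>-<release>' (rpm -q --qf output) into
    {package: patched?}; unknown packages are ignored."""
    status = {}
    for line in rpm_q_output.splitlines():
        if not line.strip():
            continue
        name, vr = line.split()
        if name in FIXED:
            status[name] = is_fixed(name, vr)
    return status


# Constructed sample rpm output: one host still on an older build, one patched.
# The release 'bp155.1.8' is a placeholder, not a real openSUSE build.
SAMPLE_OLD = "cobbler 3.3.3-bp155.1.8\ncobbler-tests 3.3.3-bp155.1.8\n"
SAMPLE_NEW = "cobbler 3.3.7-bp155.2.3.2\ncobbler-tests-containers 3.3.7-bp155.2.3.2\n"

if __name__ == "__main__":
    for host, out in (("old-host", SAMPLE_OLD), ("patched-host", SAMPLE_NEW)):
        for pkg, ok in audit(out).items():
            verdict = "patched" if ok else "NOT patched (CVE-2024-47533 fix missing)"
            print(f"{host}: {pkg}: {verdict}")
```

The comparison splits version and release and compares them separately, as rpm does, so a rebuilt 3.3.7 with a lower release number (for example a stale mirror copy) is still reported as unpatched rather than accepted on the version number alone.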