← Back to branch summary

~andreserl/+junk/cobbler

« back to all changes in this revision

Viewing changes to cobbler/services.py

  • Committer: Andres Rodriguez
  • Date: 2011-12-09 17:39:33 UTC
  • mfrom: (50.1.5 trunk)
  • Revision ID: andreserl@ubuntu.com-20111209173933-6mel1k0noqjd1vad
Tags: 2.1.0+git20110602-0ubuntu26.2
https://launchpad.net/bugs/858860
https://launchpad.net/bugs/858875
https://launchpad.net/bugs/858878
https://launchpad.net/bugs/858883
https://launchpad.net/bugs/863755
* SECURITY UPDATE: arbitrary code execution via PYTHON_EGG_CACHE in insecure
  location (LP: #858875)
  - debian/patches/58_fix_egg_cache.patch: move PYTHON_EGG_CACHE to
    /var/lib/cobbler/webui_cache (copied from fix to precise).
* SECURITY UPDATE: CSRF vulnerability in cobbler-web (LP: #858878)
  - debian/patches/59_add_csrf_protection.patch: use Django's built-in
    CSRF protection (taken from upstream).
* SECURITY UPDATE: arbitrary code execution via web interface (LP: #858883)
  - debian/patches/60_yaml_safe_load.patch: use yaml.safe_load instead of
    yaml.load (taken from upstream).
* SECURITY UPDATE: users.digest file is world readable (LP: #858860)
  - debian/cobbler.postinst: create /etc/cobbler/users.digest as 600
* SECURITY UPDATE: webui_sessions uses insecure permissions (LP: #863755)
  - debian/cobbler.postinst: fix permissions on webui_{sessions,cache} to
    0700

Show diffs side-by-side

added added

removed removed

Lines of Context:
cobbler/services.py
437
437
    assert data.find("gamma") != -1
438
438
    assert data.find("3") != -1
439
439
    
440
 
    data = yaml.load(data)
 
440
    data = yaml.safe_load(data)
441
441
    assert data.has_key("classes")
442
442
    assert data.has_key("parameters")
443
443