← Back to branch summary

~andreserl/+junk/cobbler

« back to all changes in this revision

Viewing changes to debian/cobbler-web.postinst

  • Committer: Andres Rodriguez
  • Date: 2011-12-09 17:39:33 UTC
  • mfrom: (50.1.5 trunk)
  • Revision ID: andreserl@ubuntu.com-20111209173933-6mel1k0noqjd1vad
Tags: 2.1.0+git20110602-0ubuntu26.2
https://launchpad.net/bugs/858860
https://launchpad.net/bugs/858875
https://launchpad.net/bugs/858878
https://launchpad.net/bugs/858883
https://launchpad.net/bugs/863755
* SECURITY UPDATE: arbitrary code execution via PYTHON_EGG_CACHE in insecure
  location (LP: #858875)
  - debian/patches/58_fix_egg_cache.patch: move PYTHON_EGG_CACHE to
    /var/lib/cobbler/webui_cache (copied from fix to precise).
* SECURITY UPDATE: CSRF vulnerability in cobbler-web (LP: #858878)
  - debian/patches/59_add_csrf_protection.patch: use Django's built-in
    CSRF protection (taken from upstream).
* SECURITY UPDATE: arbitrary code execution via web interface (LP: #858883)
  - debian/patches/60_yaml_safe_load.patch: use yaml.safe_load instead of
    yaml.load (taken from upstream).
* SECURITY UPDATE: users.digest file is world readable (LP: #858860)
  - debian/cobbler.postinst: create /etc/cobbler/users.digest as 600
* SECURITY UPDATE: webui_sessions uses insecure permissions (LP: #863755)
  - debian/cobbler.postinst: fix permissions on webui_{sessions,cache} to
    0700

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/cobbler-web.postinst
9
9
                ln -s /etc/cobbler/cobbler_web.conf /etc/apache2/conf.d/cobbler_web.conf 
10
10
        fi
11
11
        chown www-data:www-data /var/lib/cobbler/webui_sessions
 
12
        chmod 0700 /var/lib/cobbler/webui_sessions
 
13
        chown www-data:www-data /var/lib/cobbler/webui_cache
 
14
        chmod 0700 /var/lib/cobbler/webui_cache
12
15
        a2enmod proxy_http
13
16
        a2enmod wsgi
14
17