~andreserl/+junk/cobbler
Viewing changes to debian/patches/58_fix_egg_cache.patch

  • Committer: Andres Rodriguez
  • Date: 2011-12-09 17:39:33 UTC
  • mfrom: (50.1.5 trunk)
  • Revision ID: andreserl@ubuntu.com-20111209173933-6mel1k0noqjd1vad
Tags: 2.1.0+git20110602-0ubuntu26.2
* SECURITY UPDATE: arbitrary code execution via PYTHON_EGG_CACHE in insecure
  location (LP: #858875)
  - debian/patches/58_fix_egg_cache.patch: move PYTHON_EGG_CACHE to
    /var/lib/cobbler/webui_cache (copied from fix to precise).
* SECURITY UPDATE: CSRF vulnerability in cobbler-web (LP: #858878)
  - debian/patches/59_add_csrf_protection.patch: use Django's built-in
    CSRF protection (taken from upstream).
* SECURITY UPDATE: arbitrary code execution via web interface (LP: #858883)
  - debian/patches/60_yaml_safe_load.patch: use yaml.safe_load instead of
    yaml.load (taken from upstream).
* SECURITY UPDATE: users.digest file is world readable (LP: #858860)
  - debian/cobbler.postinst: create /etc/cobbler/users.digest as 600
* SECURITY UPDATE: webui_sessions uses insecure permissions (LP: #863755)
  - debian/cobbler.postinst: fix permissions on webui_{sessions,cache} to
    0700
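The fixes in this changelog all come down to one property: the egg cache, the session directory and the digest file must be reachable only by the webserver user, and must not live somewhere (like /tmp) where another local user can pre-create them. The following is an added example, not Cobbler's or Ubuntu's code, of a pre-flight check that verifies that property for a path before a WSGI app trusts it. The function names, the temporary directories and the sample users.digest contents are constructed for the demonstration; the real paths from the changelog are only referenced in comments.

```python
# Added example (not Cobbler's or the Ubuntu packaging's code): a pre-flight
# check for the private paths this update introduces. The changelog moves
# PYTHON_EGG_CACHE from world-writable /tmp to /var/lib/cobbler/webui_cache,
# requires webui_{sessions,cache} to be 0700 and users.digest to be 0600.
# The helper below verifies a path is private before a WSGI app trusts it.
# Directories and files used in demo() are constructed under a temp dir.
import os
import stat
import tempfile

# Bits that must be clear on a private file or directory: any group/other
# access, plus setuid/setgid, which have no business on these paths.
_NOT_PRIVATE = stat.S_IRWXG | stat.S_IRWXO | stat.S_ISUID | stat.S_ISGID


def private_path_problems(path, want_dir, owner_uid=None):
    """Return a list of reasons `path` is unsafe as a private cache or secret.

    An empty list means the path exists, is the expected type, is owned by
    `owner_uid` (default: the current process user), is not a symlink, and
    grants no permissions to group or other.
    """
    if owner_uid is None:
        owner_uid = os.getuid()
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        # Whoever controls the link target chooses what the process reads
        # or writes; this is the classic /tmp pre-creation attack.
        problems.append("is a symlink")
        return problems
    if want_dir and not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if not want_dir and not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & _NOT_PRIVATE:
        problems.append("mode %04o grants access beyond the owner" % mode)
    return problems


def egg_cache_is_safe(path):
    """True if `path` is acceptable as PYTHON_EGG_CACHE for this process."""
    return private_path_problems(path, want_dir=True) == []


def demo():
    """Build a good and a bad candidate cache dir plus a digest file (constructed)."""
    base = tempfile.mkdtemp()
    good = os.path.join(base, "webui_cache")   # stands in for the fixed path
    bad = os.path.join(base, "tmp_like")       # stands in for /tmp
    os.mkdir(good)
    os.mkdir(bad)
    # mkdir applies the umask, so set the modes we want to demonstrate explicitly.
    os.chmod(good, 0o700)
    os.chmod(bad, 0o1777)  # sticky and world-writable, like /tmp
    digest = os.path.join(base, "users.digest")
    with open(digest, "w") as fh:
        fh.write("cobbler:Cobbler:constructed-digest-value\n")  # constructed
    os.chmod(digest, 0o644)  # the world-readable state the changelog fixes
    results = {
        "good_dir": egg_cache_is_safe(good),
        "bad_dir": egg_cache_is_safe(bad),
        "digest_644": private_path_problems(digest, want_dir=False),
    }
    os.chmod(digest, 0o600)  # what the updated postinst sets
    results["digest_600"] = private_path_problems(digest, want_dir=False)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A WSGI entry point would call `egg_cache_is_safe()` on the value it is about to put in `os.environ['PYTHON_EGG_CACHE']` and refuse to start if it fails; refusing is the right failure mode, because silently falling back to a shared directory recreates the original bug.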

Author: Clint Byrum <clint@ubuntu.com>
Description: Changes PYTHON_EGG_CACHE to a safer path owned just by the webserver.
Bug: https://fedorahosted.org/cobbler/ticket/688
Bug-Ubuntu: http://pad.lv/858875
Forwarded: yes

Index: cobbler/web/cobbler.wsgi
===================================================================
--- cobbler.orig/web/cobbler.wsgi       2011-09-30 16:53:26.522621805 -0700
+++ cobbler/web/cobbler.wsgi    2011-09-30 17:09:53.909158191 -0700
@@ -2,7 +2,7 @@
 import sys
 
 os.environ['DJANGO_SETTINGS_MODULE'] = 'settings'
-os.environ['PYTHON_EGG_CACHE'] = '/tmp'
+os.environ['PYTHON_EGG_CACHE'] = '/var/lib/cobbler/webui_cache'
 sys.path.append('/usr/share/cobbler/web')
 sys.path.append('/usr/share/cobbler/web/cobbler_web')
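Review bot: the hunk only changes the environment variable; nothing in it creates /var/lib/cobbler/webui_cache, gives it to the webserver user, or restricts it to 0700, so the fix only holds if the packaging does that (the changelog credits debian/cobbler.postinst with setting webui_{sessions,cache} to 0700). Confirm that postinst creates the directory owned by the Apache user rather than root, and before the WSGI app first needs to extract an egg, otherwise the cache is unwritable at import time. The Description line should also say why '/tmp' was dangerous: it is world-writable, so any local user could pre-create the egg cache directory or its contents and have the webserver import code from it, which is the arbitrary code execution the changelog describes; that rationale belongs in the DEP-3 header for whoever next touches this file.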