- Committer: Andres Rodriguez
- Date: 2011-12-09 17:39:33 UTC
- mfrom: (50.1.5 trunk)
- Revision ID: andreserl@ubuntu.com-20111209173933-6mel1k0noqjd1vad
Tags: 2.1.0+git20110602-0ubuntu26.2
  * SECURITY UPDATE: arbitrary code execution via PYTHON_EGG_CACHE in insecure
    location (LP: #858875)
    - debian/patches/58_fix_egg_cache.patch: move PYTHON_EGG_CACHE to
      /var/lib/cobbler/webui_cache (copied from fix to precise).
  * SECURITY UPDATE: CSRF vulnerability in cobbler-web (LP: #858878)
    - debian/patches/59_add_csrf_protection.patch: use Django's built-in
      CSRF protection (taken from upstream).
  * SECURITY UPDATE: arbitrary code execution via web interface (LP: #858883)
    - debian/patches/60_yaml_safe_load.patch: use yaml.safe_load instead of
      yaml.load (taken from upstream).
  * SECURITY UPDATE: users.digest file is world readable (LP: #858860)
    - debian/cobbler.postinst: create /etc/cobbler/users.digest as 600
  * SECURITY UPDATE: webui_sessions uses insecure permissions (LP: #863755)
    - debian/cobbler.postinst: fix permissions on webui_{sessions,cache} to
      0700
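The yaml.load to yaml.safe_load change (LP: #858883) is worth seeing in isolation. The following is an added example, not code from cobbler or from the 60_yaml_safe_load.patch; it assumes PyYAML is installed, and the YAML document is a constructed sample. PyYAML's full loader resolves Python-specific tags into live Python objects, while yaml.safe_load only builds plain data (mappings, sequences, scalars) and rejects every other tag with a ConstructorError:

```python
import yaml

# Constructed sample input (not from cobbler): a document carrying one of
# PyYAML's Python-specific tags. The full loader turns such tags into Python
# objects; this tag family is what lets a crafted document reach arbitrary
# code execution when an application passes untrusted text to yaml.load.
UNTRUSTED_DOC = "settings: !!python/tuple [1, 2]\n"


def load_unsafely(text):
    """The pattern the patch removes: yaml.load with the full Loader."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safely(text):
    """The pattern the patch introduces. Returns (data, error) so a caller
    can log the rejection instead of crashing; error is None on success."""
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print("full loader built:", load_unsafely(UNTRUSTED_DOC))
    print("safe loader result:", load_safely(UNTRUSTED_DOC))
```

Run on the sample, the full loader returns a real Python tuple inside the mapping, whereas safe_load refuses the document and names the offending tag in the error; plain data such as `settings: [1, 2]` is accepted by both. When auditing code that parses YAML from a web request or an uploaded file, treat any `yaml.load` without `SafeLoader` (or any `yaml.safe_load` that was later "relaxed" to `yaml.Loader`) as the finding.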
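The two permission fixes (LP: #858860 and LP: #863755) and the relocated PYTHON_EGG_CACHE (LP: #858875) all come down to a handful of paths that must not be readable or traversable by other users. As an added example, not part of cobbler or its debian/cobbler.postinst, here is a small audit that reports any of those paths whose mode is looser than the one the changelog says the postinst now sets, plus a constructed scratch tree so it can be exercised offline. The paths and modes are the ones named above; the helper names are this example's own.

```python
import os
import stat
import tempfile

# Paths and modes are the ones this changelog names; the audit is an added
# check, not part of cobbler or its postinst.
EXPECTED_MODES = {
    "/etc/cobbler/users.digest": 0o600,
    "/var/lib/cobbler/webui_sessions": 0o700,
    "/var/lib/cobbler/webui_cache": 0o700,  # also the new PYTHON_EGG_CACHE
}


def too_permissive(mode, expected):
    """Permission bits present in `mode` that `expected` does not grant.
    0 means the path is at least as strict as required."""
    return mode & ~expected & 0o7777


def actual_mode(path):
    """Permission bits of `path` without following symlinks, or None if the
    path is absent."""
    try:
        return stat.S_IMODE(os.lstat(path).st_mode)
    except FileNotFoundError:
        return None


def audit(expected_modes):
    """Return {path: message} for every existing path that is looser than
    its expected mode. Absent paths are skipped rather than reported."""
    findings = {}
    for path, expected in expected_modes.items():
        mode = actual_mode(path)
        if mode is None:
            continue
        extra = too_permissive(mode, expected)
        if extra:
            findings[path] = "mode %s grants %s beyond expected %s" % (
                oct(mode), oct(extra), oct(expected))
    return findings


def repair(expected_modes):
    """Clamp each existing path to its expected mode, the same change the
    changelog says debian/cobbler.postinst now makes."""
    for path, expected in expected_modes.items():
        if actual_mode(path) is not None:
            os.chmod(path, expected)


def make_scratch_tree():
    """Constructed scenario for running the audit offline: a temporary tree
    with the pre-fix permissions. Returns {path: expected_mode}."""
    root = tempfile.mkdtemp(prefix="cobbler-audit-")
    digest = os.path.join(root, "users.digest")
    sessions = os.path.join(root, "webui_sessions")
    with open(digest, "w") as fh:
        # Constructed placeholder line, not a real credential digest.
        fh.write("cobbler:Cobbler:0123456789abcdef\n")
    os.chmod(digest, 0o644)       # world readable, as in LP: #858860
    os.mkdir(sessions)
    os.chmod(sessions, 0o755)     # world traversable, as in LP: #863755
    return {digest: 0o600, sessions: 0o700}


if __name__ == "__main__":
    tree = make_scratch_tree()
    print("scratch tree before repair:", audit(tree))
    repair(tree)
    print("scratch tree after repair:", audit(tree))
    print("this host:", audit(EXPECTED_MODES))
```

The comparison deliberately flags only bits beyond the expected mode, so a file already locked down to 0400 passes rather than being reported as "wrong"; the thing a postinst or a configuration-management check cares about is exposure, not exact equality.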