Dear Fedora Community,

A security bug has recently been discovered that can allow unauthorized modifications to Fedora 3.1 and 3.2 repositories when Fedora's built-in XACML policy enforcement has been DISABLED. The purpose of this message is to alert you to the issue, help you determine whether your repository is at risk, and provide instructions for correcting the issue if you are affected.

[RISK FACTORS]

Your repository should be considered at risk if ALL of the following are true:

1) You are running Fedora 3.1 or 3.2. You can check the version of Fedora you're running by pointing your browser to /fedora/describe on the web server where Fedora is installed.

2) You have DISABLED Fedora's built-in XACML policy enforcement, or modified the default repository policies such that an administrative user is NOT required in order to execute API-M operations. You can check whether XACML is enabled by finding the value of the ENFORCE-MODE parameter in fedora.fcfg. If it is set to "permit-all-requests", it is DISABLED. If it is set to "enforce-policies", it is ENABLED.

3) Your repository's REST API (/fedora/objects/*) is reachable by untrusted users or applications. In the case of Fedora 3.1, this requires that the REST API be enabled.

[DESCRIPTION / IMPACT]

Regardless of the XACML configuration, Fedora's authentication filters are intended to reject every request that should be accompanied by a valid username and password but is not. In Fedora 3.1 and 3.2, this protection is not provided for requests made through the REST API. This is not a problem when Fedora's default policy enforcement is in place, because such requests are subsequently caught and rejected by the XACML layer. However, if XACML has been disabled, this bug could allow malicious users to add, change, or remove content from your repository via Fedora's REST API.

[REMEDY]

We have prepared a simple patch to correct this problem. If your repository is at risk, please download the following zip file and follow the readme.txt instructions therein:

http://downloads.sourceforge.net/fedora-commons/fedora-upgrade-3.x.1.zip

We have also released Fedora 3.2.1 today, so that new users won't be subject to this problem. For existing users, applying the above patch to an existing 3.2 repository will update it to 3.2.1. Applying the patch to an existing 3.1 repository will update it to 3.1.1, a version for which there is no formal release but which indicates that the patch has been applied.

For more information on this release, please see: http://fedora-commons.org/confluence/x/4gK8

Special thanks to Willy Mene for reporting this issue and Asger Blekinge-Rasmussen for highlighting the impact.

Thanks,
FC Repository Development Team

Fedora-commons-users mailing list
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
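The three risk factors above can be checked mechanically. The script below is an added example for this advisory; it is not part of the original message and not Fedora Commons project code. It assumes that fedora.fcfg stores the setting as a <param name="ENFORCE-MODE" value="..."/> element and that /fedora/describe?xml=true returns a <repositoryVersion> element; both sample documents embedded in it are constructed for the example, not captured from a real server. It goes slightly beyond the text by refusing to call an unexpected or missing ENFORCE-MODE value "safe" and by flagging customised policy sets for a manual look, since the advisory's second factor also covers policies edited to drop the administrative-user requirement.

```python
"""Triage helper for the Fedora Commons 3.1/3.2 REST API authentication bug.

Added example, not part of the advisory and not Fedora Commons project code.
Assumptions (not confirmed by the advisory text):
  * fedora.fcfg stores the setting as <param name="ENFORCE-MODE" value="..."/>
  * /fedora/describe?xml=true returns a <repositoryVersion> element
Both sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

AFFECTED_VERSIONS = {"3.1", "3.2"}
XACML_DISABLED = "permit-all-requests"   # value named in the advisory
XACML_ENABLED = "enforce-policies"       # value named in the advisory

# Constructed sample of the relevant fragment of fedora.fcfg (assumed layout).
SAMPLE_FCFG = """<server xmlns="http://www.fedora.info/definitions/1/0/config/">
  <module role="fedora.server.security.Authorization"
          class="fedora.server.security.DefaultAuthorization">
    <param name="ENFORCE-MODE" value="permit-all-requests"/>
  </module>
</server>"""

# Constructed sample of a /fedora/describe?xml=true response (assumed layout).
SAMPLE_DESCRIBE = """<fedoraRepository xmlns="http://www.fedora.info/definitions/1/0/access/">
  <repositoryName>Example Repository</repositoryName>
  <repositoryVersion>3.2</repositoryVersion>
</fedoraRepository>"""


def _local(tag):
    """Drop an XML namespace prefix: '{http://...}param' -> 'param'."""
    return tag.rsplit("}", 1)[-1]


def enforce_mode(fcfg_xml):
    """Return the ENFORCE-MODE value from a fedora.fcfg document, or None if absent."""
    for el in ET.fromstring(fcfg_xml).iter():
        if _local(el.tag) == "param" and el.get("name") == "ENFORCE-MODE":
            return el.get("value")
    return None


def repository_version(describe_xml):
    """Return the <repositoryVersion> text from a describe response, or None if absent."""
    for el in ET.fromstring(describe_xml).iter():
        if _local(el.tag) == "repositoryVersion":
            return (el.text or "").strip()
    return None


def assess(version, mode, rest_reachable_by_untrusted, policies_customised=False):
    """Apply the advisory's three risk factors; all three must hold to be at risk.

    Returns (verdict, reason): True = at risk, False = not at risk by the
    advisory's criteria, None = needs a manual look. A missing or unexpected
    ENFORCE-MODE is never treated as safe, and ENABLED enforcement with a
    customised policy set is sent for review because edited policies may no
    longer require an administrative user for API-M operations.
    """
    if version not in AFFECTED_VERSIONS:
        return False, "version %r is not 3.1 or 3.2" % (version,)
    if mode == XACML_ENABLED:
        if policies_customised:
            return None, "XACML ENABLED but policies were customised; confirm API-M still requires an admin"
        return False, "XACML enforcement is ENABLED with default policies"
    if mode != XACML_DISABLED:
        return None, "unexpected ENFORCE-MODE %r; inspect fedora.fcfg by hand" % (mode,)
    if not rest_reachable_by_untrusted:
        return False, "XACML DISABLED but REST API is not reachable by untrusted users; patch anyway"
    return True, "XACML DISABLED and REST API exposed on an affected version: apply the 3.x.1 patch"


if __name__ == "__main__":
    ver = repository_version(SAMPLE_DESCRIBE)
    mode = enforce_mode(SAMPLE_FCFG)
    verdict, reason = assess(ver, mode, rest_reachable_by_untrusted=True)
    print("version=%s enforce-mode=%s at_risk=%s: %s" % (ver, mode, verdict, reason))
```

Feed it the real fedora.fcfg and the XML form of the describe page instead of the constructed samples; whether the REST API is reachable by untrusted parties is a question about your network and servlet configuration, so it stays a caller-supplied flag rather than something the script guesses.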
