Hello community, here is the log from the commit of package cobbler for openSUSE:Factory checked in at 2018-08-12 20:54:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cobbler (Old) and /work/SRC/openSUSE:Factory/.cobbler.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cobbler" Sun Aug 12 20:54:29 2018 rev:44 rq:628613 version:2.8.2 Changes: --------
--- /work/SRC/openSUSE:Factory/cobbler/cobbler.changes 2018-04-27 16:09:01.538943645 +0200
+++ /work/SRC/openSUSE:Factory/.cobbler.new/cobbler.changes 2018-08-12 20:54:35.233371527 +0200
@@ -1,0 +2,12 @@
+Fri Aug 10 10:11:17 UTC 2018 - [email protected]
+
+- Forbid exposure of private methods in the API (CVE-2018-10931)
+ (bsc#1104287) (bsc#1104189)
+- Check access token when calling 'modify_setting' API endpoint
+ (bsc#1104190)
+
+- Added:
+ * check-access-token-when-calling-modify_setting-api-e.patch
+ * cve-2018-10931-forbid-exposure-of-private-methods-in.patch
+
+-------------------------------------------------------------------
New:
----
check-access-token-when-calling-modify_setting-api-e.patch
cve-2018-10931-forbid-exposure-of-private-methods-in.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cobbler.spec ++++++
--- /var/tmp/diff_new_pack.UBnigP/_old 2018-08-12 20:54:35.821372721 +0200
+++ /var/tmp/diff_new_pack.UBnigP/_new 2018-08-12 20:54:35.821372721 +0200
@@ -73,6 +73,10 @@
 Patch18: fix-manpage-creation.patch
 # PATCH-FIX-UPSTREAM https://github.com/cobbler/cobbler/pull/1889 (not merged yet)
 Patch19: escape-shell-parameters-provided-by-user-on-reposync.patch
+# PATCH-FIX-UPSTREAM https://github.com/cobbler/cobbler/pull/1921
+Patch20: check-access-token-when-calling-modify_setting-api-e.patch
+# PATCH-FIX-UPSTREAM https://github.com/cobbler/cobbler/pull/1920
+Patch21: cve-2018-10931-forbid-exposure-of-private-methods-in.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildArch: noarch
@@ -188,6 +192,8 @@
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
+%patch21 -p1
 %build
 %{__python2} setup.py build
++++++ check-access-token-when-calling-modify_setting-api-e.patch ++++++
>From 9be7835c74346f36fde9e7c1b847cc2e6c209eec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?= <[email protected]>
Date: Fri, 10 Aug 2018 10:57:58 +0100
Subject: [PATCH] Check access token when calling 'modify_setting' API endpoint
---
 cobbler/remote.py | 2 ++
 1 file changed, 2 insertions(+)
Index: cobbler-2.8.2/cobbler/remote.py
===================================================================
--- cobbler-2.8.2.orig/cobbler/remote.py
+++ cobbler-2.8.2/cobbler/remote.py
@@ -854,6 +854,8 @@ class CobblerXMLRPCInterface:
 def modify_file(self,object_id,attribute,arg,token):
 return self.modify_item("file",object_id,attribute,arg,token)
 def modify_setting(self,setting_name,value,token):
+ self._log("modify_setting(%s)" % setting_name, token=token)
+ self.check_access(token, "modify_setting")
 try:
 self.api.settings().set(setting_name, value)
 return 0
++++++ cve-2018-10931-forbid-exposure-of-private-methods-in.patch ++++++
>From 7595977573184d2be3ff35188601efd6806f158c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?= <[email protected]>
Date: Fri, 10 Aug 2018 10:59:04 +0100
Subject: [PATCH] CVE-2018-10931 - forbid exposure of private methods in the API
---
 cobbler/remote.py | 2 ++
 1 file changed, 2 insertions(+)
Index: cobbler-2.8.2/cobbler/remote.py
===================================================================
--- cobbler-2.8.2.orig/cobbler/remote.py
+++ cobbler-2.8.2/cobbler/remote.py
@@ -2066,6 +2066,8 @@ class ProxiedXMLRPCInterface:
 self.logger = self.proxied.api.logger
 def _dispatch(self, method, params, **rest):
+ if method.startswith('_'):
+ raise CX("forbidden method")
 if not hasattr(self.proxied, method):
 raise CX("unknown remote method")
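Review bot: The new `_log` call in modify_setting writes the caller-supplied `setting_name` to the log before `check_access` has validated the token, so a request carrying an invalid token still leaves an attacker-chosen string in the log. Recording rejected attempts is useful for detection, but the value should then be logged in a form that neutralises embedded newlines, e.g. `self._log("modify_setting(%r)" % setting_name, token=token)`, or the check moved ahead of the log if the project's other endpoints do the same. `value` reaches `self.api.settings().set(setting_name, value)` with no validation visible in this hunk, so whether unknown names or odd values are rejected cannot be judged here. A regression test that calls `modify_setting` with an invalid token and asserts the access error would pin the fix; the method's try/except continues past the end of the hunk.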
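Review bot: The guard added to `_dispatch` is a deny-list keyed on the leading underscore, so a public attribute of `self.proxied` that is not a method (the hunk itself shows `self.proxied.api` is one) still passes the `hasattr` check that follows and reaches the dispatch code, which continues outside the hunk. Failing closed would mean an explicit allow-list of exported method names, or at least requiring the resolved attribute to be callable: `if method.startswith('_') or not callable(getattr(self.proxied, method, None)): raise CX("forbidden method")`. `method` is also assumed to be a string; if the XML-RPC layer can hand over another type, `startswith` raises `TypeError` instead of `CX`, so a string type check in front of it would keep the error path uniform (the caller is not visible here, so this is hedged). A test that calls `_dispatch` with a leading-underscore name and asserts `CX` would keep this from regressing.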
