[Bug 858883] Re: "Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.sa
** Branch linked: lp:ubuntu/cobbler

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cobbler in Ubuntu.
https://bugs.launchpad.net/bugs/858883

Title:
  "Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.safe_loads in item.py on line 248:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/858883/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 858883] Re: "Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.sa
This bug was fixed in the package cobbler - 2.2.2-0ubuntu1

---
cobbler (2.2.2-0ubuntu1) precise; urgency=low

  [Chuck Short]
  * New upstream release:
    + Use dh_python2 everywhere.
    + Folded debian/patches/49_ubuntu_add_arm_arch_support.patch and
      debian/patches/56_ubuntu_arm_generate_pxe_files.patch into one patch
      for easier upstreaming.
    + Dropped debian/patches/50_fix_cobbler_timezone.patch: Fix upstream.
    + Dropped debian/patches/47_ubuntu_add_oneiric_codename.patch in favor
      of debian/patches/47_ubuntu_add_codenames.patch: It adds "precise"
      and drops unsupported releases as well.
    + Dropped debian/patches/41_update_tree_path_with_arch.patch: No longer
      needed.
    + Dropped debian/patches/55_ubuntu_branding.patch: Will be moved to
      orchestra

  [Clint Byrum]
  * debian/cobbler.postinst: create users.digest mode 0600 so it is not
    world readable. (LP: #858860)
  * debian/control: cobbler needs to depend on python-cobbler (LP: #863738)
  * debian/patches/58_fix_egg_cache.patch: Do not point dangerous
    PYTHON_EGG_CACHE at world writable directory. (LP: #858875)
  * debian/cobbler-common.install: remove users.digest as it is not
    required and contains a known password that would leave cobblerd
    vulnerable if started before configuration is done
  * debian/cobbler-web.postinst: fix perms on webui_sessions to be more
    secure (LP: #863755)

  [Robie Basak]
  * Backport safe YAML load from upstream. (LP: #858883)

 -- Chuck Short  Tue, 15 Nov 2011 12:35:40 -0500

** Changed in: cobbler (Ubuntu Precise)
       Status: Triaged => Fix Released
[Bug 858883] Re: "Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.sa
** Branch linked: lp:~racb/ubuntu/oneiric/cobbler/858878_858883
[Bug 858883] Re: "Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.sa
** Changed in: cobbler (Ubuntu Oneiric)
     Assignee: (unassigned) => Robie Basak (racb)

** Changed in: cobbler (Ubuntu Precise)
     Assignee: (unassigned) => Robie Basak (racb)
[Bug 858883] Re: "Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.sa
** Changed in: cobbler (Ubuntu Oneiric)
       Status: New => Triaged

** Changed in: cobbler (Ubuntu Precise)
       Status: New => Triaged
[Bug 858883] Re: "Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.sa
** Also affects: cobbler (Ubuntu Oneiric)
   Importance: Undecided
       Status: New

** Also affects: cobbler (Ubuntu Precise)
   Importance: High
       Status: New

** Changed in: cobbler (Ubuntu Oneiric)
   Importance: Undecided => High

** Changed in: cobbler (Ubuntu Oneiric)
    Milestone: None => oneiric-updates

** Changed in: cobbler (Ubuntu Precise)
    Milestone: None => precise-alpha-1
[Bug 858883] Re: "Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.sa
** Changed in: cobbler (Ubuntu)
   Importance: Undecided => High
[Bug 858883] Re: "Management Parameters" (for example a system) which can be set in the web interface can result in arbitrary code execution on the host due to the use of yaml.loads instead of yaml.sa
** Visibility changed to: Public