[Bug 978999] Re: command injection on the host via the xmlrpc api
This bug was fixed in the package cobbler - 2.4.0-0ubuntu2

---
cobbler (2.4.0-0ubuntu2) saucy; urgency=low

  * cobbler-web.postinst: Generate a random key for SECURITY_KEY in settings.py.

 -- Timo Aaltonen  Thu, 29 Aug 2013 19:32:56 +0300

** Changed in: cobbler (Ubuntu)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cobbler in Ubuntu.
https://bugs.launchpad.net/bugs/978999

Title:
  command injection on the host via the xmlrpc api

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 978999] Re: command injection on the host via the xmlrpc api
** Changed in: cobbler (Ubuntu)
   Status: Confirmed => Fix Committed
[Bug 978999] Re: command injection on the host via the xmlrpc api
AppArmor mitigates this in maas-provision.

** Changed in: maas-provision (Ubuntu)
   Status: Confirmed => Invalid
[Bug 978999] Re: command injection on the host via the xmlrpc api
David, sorry, my question regarding maas-provision was directed at Dave Walker. Dave Walker, does maas utilize the power_system method?

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2395
[Bug 978999] Re: command injection on the host via the xmlrpc api
** Changed in: maas-provision (Ubuntu)
   Status: New => Confirmed
[Bug 978999] Re: command injection on the host via the xmlrpc api
I believe upstream attempted to address this in https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf
[Bug 978999] Re: command injection on the host via the xmlrpc api
** Changed in: maas-provision (Ubuntu)
   Importance: Undecided => High

** Changed in: cobbler (Ubuntu)
   Importance: Undecided => High
[Bug 978999] Re: command injection on the host via the xmlrpc api
Ah right it is https://launchpad.net/maas (/me answering my own question).
[Bug 978999] Re: command injection on the host via the xmlrpc api
I wasn't aware of the existence of maas-provision. What exactly is it?
[Bug 978999] Re: command injection on the host via the xmlrpc api
** Visibility changed to: Public