/var/lib/cobbler/webui_sessions has insecure permissions
Bug #863755 reported by Clint Byrum
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cobbler (Ubuntu) | Fix Released | Undecided | Clint Byrum |
Bug Description
This directory, owned by cobbler-web, should not be world readable, but is.
Related branches
lp:~clint-fewbar/ubuntu/oneiric/cobbler/misc-fixes
Ready for review for merging into lp:ubuntu/oneiric/cobbler
- Chuck Short: Pending requested
- Andres Rodriguez: Pending requested
Diff: 164 lines (+56/-5), 11 files modified
.pc/58_fix_egg_cache.patch/web/cobbler.wsgi (+10/-0)
.pc/applied-patches (+1/-0)
debian/changelog (+16/-0)
debian/cobbler-common.install (+0/-1)
debian/cobbler-web.dirs (+1/-0)
debian/cobbler-web.postinst (+3/-0)
debian/cobbler.postinst (+1/-0)
debian/control (+3/-3)
debian/patches/58_fix_egg_cache.patch (+19/-0)
debian/patches/series (+1/-0)
web/cobbler.wsgi (+1/-1)
Changed in cobbler (Ubuntu):
- assignee: nobody → Clint Byrum (clint-fewbar)
- status: New → In Progress
This bug was fixed in the package cobbler - 2.2.2-0ubuntu1
---------------
cobbler (2.2.2-0ubuntu1) precise; urgency=low

  [Chuck Short]
  * New upstream release:
    + Use dh_python2 everywhere.
    + Folded debian/patches/49_ubuntu_add_arm_arch_support.patch
      and debian/patches/56_ubuntu_arm_generate_pxe_files.patch
      into one patch for easier upstreaming.
    + Dropped debian/patches/50_fix_cobbler_timezone.patch:
      Fix upstream.
    + Dropped debian/patches/47_ubuntu_add_oneiric_codename.patch
      in favor of debian/patches/47_ubuntu_add_codenames.patch:
      It adds "precise" and drops unsupported releases as well.
    + Dropped debian/patches/41_update_tree_path_with_arch.patch:
      No longer needed.
    + Dropped debian/patches/55_ubuntu_branding.patch: Will be moved
      to orchestra

  [Clint Byrum]
  * debian/cobbler.postinst: create users.digest mode 0600 so it
    is not world readable. (LP: #858860)
  * debian/control: cobbler needs to depend on python-cobbler
    (LP: #863738)
  * debian/patches/58_fix_egg_cache.patch: Do not point dangerous
    PYTHON_EGG_CACHE at world writable directory. (LP: #858875)
  * debian/cobbler-common.install: remove users.digest as it is
    not required and contains a known password that would leave
    cobblerd vulnerable if started before configuration is done
  * debian/cobbler-web.postinst: fix perms on webui_sessions to
    be more secure (LP: #863755)

  [Robie Basak]
  * Backport safe YAML load from upstream. (LP: #858883)

 -- Chuck Short <email address hidden>  Tue, 15 Nov 2011 12:35:40 -0500
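
A check for the condition this bug describes, as an added example that is not taken from the bug report or from the cobbler packaging: it lists every entry in a session directory that grants any access to "other", tightens it, and verifies the result. The function names are hypothetical, and removing all "other" bits (`o-rwx`) is an assumption, since the page does not state the mode the fixed postinst applies.

```shell
#!/bin/sh
# Added example: audit a web session store for "other" permission bits.
# Assumption: the safe state is "no access for other" (o-rwx); the exact
# mode used by the packaged fix is not given on the page.

# Print every entry at or below $1 that grants read, write or execute to
# "other". Symlinks are skipped because their own mode is always 0777.
# Only POSIX find primaries are used (-perm -MODE = all listed bits set).
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries at or below $1.
world_accessible_count() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# Remove all "other" access from the directory and everything in it,
# leaving owner and group bits untouched.
harden_session_dir() {
    chmod -R o-rwx "$1"
}

# Report exposed entries, fix them, then re-check.
# Returns 0 only when nothing under $1 is accessible to "other",
# and 2 when $1 is not a directory.
audit_and_fix() {
    dir=$1
    [ -d "$dir" ] || { echo "skip: $dir is not a directory" >&2; return 2; }
    before=$(world_accessible_count "$dir")
    if [ "$before" -gt 0 ]; then
        echo "exposed entries under $dir: $before" >&2
        world_accessible "$dir" >&2
        harden_session_dir "$dir"
    fi
    [ "$(world_accessible_count "$dir")" -eq 0 ]
}

# Usage: sh audit.sh /var/lib/cobbler/webui_sessions
if [ $# -gt 0 ]; then
    audit_and_fix "$1"
fi
```

Checking the files as well as the directory matters because a session file left at 0644 becomes readable again as soon as the directory mode is loosened.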