Security update for cobbler SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:14891-1 Final 1 1 2022-02-18T10:44:54Z current 2022-02-18T10:44:54Z 2022-02-18T10:44:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cobbler This update for cobbler fixes the following issues: - CVE-2021-45083: Fixed unsafe permissions on sensitive files (bsc#1193671). The following non-security bugs were fixed: - Move configuration files ownership to apache (bsc#1195906) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slesctsp3-cobbler-14891,slesctsp4-cobbler-14891 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-202214891-1/ Link for SUSE-SU-2022:14891-1 https://lists.suse.com/pipermail/sle-security-updates/2022-February/010255.html E-Mail link for SUSE-SU-2022:14891-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1193671 SUSE Bug 1193671 https://bugzilla.suse.com/1195906 SUSE Bug 1195906 https://www.suse.com/security/cve/CVE-2021-45083/ SUSE CVE CVE-2021-45083 page SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS koan-2.2.2-0.68.15.1 koan-2.2.2-0.68.15.1 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS koan-2.2.2-0.68.15.1 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password. CVE-2021-45083 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:koan-2.2.2-0.68.15.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:koan-2.2.2-0.68.15.1 important 3.6 AV:L/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-202214891-1/ https://www.suse.com/security/cve/CVE-2021-45083.html CVE-2021-45083 https://bugzilla.suse.com/1193671 SUSE Bug 1193671