Security update for cobbler (moderate)

An update that solves 6 vulnerabilities and has 58 fixes is
now available.

Description:

This update for cobbler fixes the following issues:

• Add cobbler-tests subpackage for unit testing for openSUSE/SLE

• Adds LoadModule definitions for openSUSE/SLE

• Switch to new refactored auth module.

• use systemctl to restart cobblerd on logfile rotation (boo#1169207)
  Mainline logrotate conf file uses already /sbin/service instead of
  outdated: /etc/init.d/cobblerd

• Fix cobbler sync for DHCP or DNS (boo#1169553) Fixed mainline by commit
  2d6cfe42da

• Signatures file now uses “default_autoinstall” which fixes import
  problem happening with some distributions (boo#1159010)

• Fix for kernel and initrd detection (boo#1159010)

• New:

  • For the distro there is now a parameter remote_boot_initrd and
    remote_boot_kernel ()
  • For the profile there is now a parameter filename for DHCP. (#2280)
  • Signatures for ESXi 6 and 7 (#2308)
  • The hardlink command is now detected more dynamically and thus more
    error resistant (#2297)
  • HTTPBoot will now work in some cases out of the bug. (#2295)
  • Additional DNS query for a case where the wrong record was queried in
    the nsupdate system case (#2285)

• Changes:

  • Enabled a lot of tests, removed some and implemented new. (#2202)
  • Removed not used files from the codebase. (#2302)
  • Exchanged mkisofs to xorrisofs. (#2296)
  • Removed duplicate code. (#2224)
  • Removed unreachable code. (#2223)
  • Snippet creation and deletion now works again via xmlrpc. (#2244)
  • Replace createrepo with createrepo_c. (#2266)
  • Enable Kerberos through having a case sensitive users.conf. (#2272)

• Bugfixes:

  • General various Bugfixes (#2331, )
  • Makefile usage and commands. (#2344, #2304)
  • Fix the dhcp template. (#2314)
  • Creation of the management classes and gPXE. (#2310)
  • Fix the scm_track module. (#2275, #2279)
  • Fix passing the netdevice parameter correctly to the linuxrc. (#2263)
  • powerstatus from cobbler now works thanks to a wrapper for ipmitool.
    (#2267)
  • In case the LDAP is used for auth, it now works with ADs. (#2274)
  • Fix passthru authentication. (#2271)

• Other:

  • Add Codecov. (#2229)
  • Documentation updates. (#2333, #2326, #2305, #2249, #2268)
  • Buildprocess:
    • Recreation and cleanup of Grub2. (#2278)
    • Fix small errors for openSUSE Leap. (#2233)
    • Fix rpmlint errors. (#2237)
    • Maximum compatibility for debbuild package creation. (#2255, #2292,
      #2242, #2300)
  • Fixes related to our CI Pipeline (#2254, #2269)
  • Internal Code cleanup (#2273, #2270)

• Breaking Changes:

  • Hash handling in users.digest file. (#2299)

• Updated to version 3.1.1.

  • Introduce new packaging from upstream
  • Changelog see below

• New:

  • We are now having a cross-distro specfile which can be build in the
    OBS (#2220) - before rewritten it was improved by #2144 & #2174
  • Grub Submenu for net-booting machines (#2217)
  • Building the Cent-OS RPMs in Docker (#2190 #2189)
  • Reintroduced manpage build in setup.py (#2185)
  • mgmt_parameters are now passed to the dhcp template (#2182)
  • Using the standard Pyhton3 logger instead of a custom one (#2160 #2139
    #2151)
  • Script for converting the settings file from 3.0.0 to 3.0.1 (#2154)
  • Docs now inside the repo instead of cobbler.github.io and improved
    with sphinx (#2117)

• Changes:

  • The default tftpboot directory is now /var/lib/tftpboot instead of
    previously /srv/tftpboot (#2220)
  • Distro signatures were adjusted where necessary (#2219 #2134)
  • Removed requirements.txt and placed the requirements in setup.py
    (#2204)
  • Display only entries in grub which are from the same arch (#2191 #2216)
  • Change the name of the cobbler manpage form cobbler-cli to cobbler
    back and move it to section 8 (#2188 #2186)

• Bugfixes:

  • Incremented Version to 3.1.1 from 3.0.1
  • S390 Support was cleaned up (#2207 #2178)
  • PowerPC Support was cleaned up (#2178)
  • Added a missing import while importing a distro with cobbler import
    (#2201)
  • Fixed a case where a stacktrace would be produced so pass none instead
    (#2203)
  • Rename of suse_kopts_textmode_overwrite to kops_overwrite to utils
    (#2143 #2200)
  • Fix rsync subprocess call (#2199 #2179)
  • Fixed an error where the template rendering did not work (#2176)
  • Fixed some cobbler import errors (#2172)
  • Wrong shebang in various scripts (#2148)
  • Fix some imports which fixes errors introduced by the remodularization
    (#2150 #2153)

• Other:

  • Issue Templates for Github (#2187)

• Update to latest git HEAD code base This version (from mainline so for
  quite a while already) also includes fixes for “boo#1149075” and
  boo#1151875

• Fix for cobbler import and buildiso (boo#1156574)

• Adjusted manpage creation (needs sphinx as BuildRequires)

• Fix cobbler sync for dhcp and dns enabled due to latest module renaming
  patches

• Update to latest git HEAD

  • Fixes permission denied in apache2 context when trying to write
    cobbler log
  • Fixes a bad import in import_signature (item)
  • Fixes bad shebang bash path in mkgrub.sh (used in post section)

• Now track Github master branch WARNING: This release contains breaking
  changes for your settings file!

  • Notable changes:
    • Now using standard python logger
    • Updated dhcpd.template

• Removed fix_shebang.patch: now in upstream.

• added -s parameter to fdupes call to prevent hardlink across partititons

• Update to latest v3.0.0 cobbler release

• Add previouly added patch: exclude_get-loaders_command.patch to the list
  of patches to apply.

• Fix log file world readable (as suggested by Matthias Gerstner) and
  change file attributes via attr in spec file

• Do not allow get-loaders command (download of third party provided
  network boot loaders we do not trust)

• Mainline fixes: 3172d1df9b9cc8 Add missing help text in
  redhat_management_key field c8f5490e507a72 Set default interface if
  cobbler system add has no
  –interface= param 31a1aa31d26c4a Remove apache IfVersion
  tags from apache configs

• Integrated fixes that came in from mainline from other products (to calm
  down obs regression checker): CVE-2011-4953, fate#312397, boo#660126,
  boo#671212, boo#672471, boo#682665 boo#687891, boo#695955, boo#722443,
  boo#722445, boo#757062, boo#763610 boo#783671, boo#790545, boo#796773,
  boo#811025, boo#812948, boo#842699 boo#846580, boo#869371, boo#884051,
  boo#976826, boo#984998 Some older bugs need boo# references as well:
  boo#660126, boo#671212, boo#672471, boo#682665 boo#687891, boo#695955,
  boo#722443, boo#722445, boo#757062, boo#763610 boo#783671, boo#790545,
  boo#796773, boo#811025, boo#812948, boo#842699 boo#846580, boo#869371,
  boo#884051

• Fix for redhat_management_key not being listed as a choice during
  profile rename (boo#1134588)

• Added:

  • rhn-mngmnt-key-field-fix.diff

• Fixes distribution detection in setup.py for SLESo

• Added:

  • changes-detection-to-distro-like-for-suse-distributions.diff

• Moving to pytest and adding Docker test integration

• Added:

  • add-docker-integration-testing.diff
  • refactor-unittest-to-pytest.diff

• Additional compatability changes for old Koan versions.

• Modified:

  • renamed-methods-alias-part2.patch

• Old Koan versions not only need method aliases, but also need compatible
  responses

• Added:

  • renamed-methods-alias-part2.patch

• Add the redhat_managment_* fields again to enable templating in SUMA.

• Added:

  • revert-redhat-management-removal.patch

• Changes return of last_modified_time RPC to float

• Added:

  • changes-return-to-float.diff

• provide old name aliases for all renamed methods:

  • get_distro_for_koan => get_distro_as_rendered
  • get_profile_for_koan => get_profile_as_rendered
  • get_system_for_koan => get_system_as_rendered
  • get_repo_for_koan => get_repo_as_rendered
  • get_image_for_koan => get_image_as_rendered
  • get_mgmtclass_for_koan => get_mgmtclass_as_rendered
  • get_package_for_koan => get_package_as_rendered
  • get_file_for_koan => get_file_as_rendered

• Renamed: get_system_for_koan.patch => renamed-methods-alias.patch

• provide renamed method “get_system_for_koan” under old name for old
  clients.

• Added:

  • get_system_for_koan.patch

• Bring back power_system method in the XML-RPC API

• Changed lanplus option to lanplus=true in fence_ipmitool.template

• Added:

  • power_system_xmlrpc_api.patch

• Changed:

  • fence_ipmitool.template

• Disables nsupdate_enabled by default

• Added:

  • disable_nsupdate_enabled_by_default.diff

• Fixes issue in distribution detection with “lower” function call.

• Modified:

  • remodeled-distro-detection.diff

• Adds imporoved distribution detection. Since now all base products get
  detected correctly, we no longer need the SUSE Manager patch.

• Added:

  • remodeled-distro-detection.diff

• fix grub directory layout

• Added:

  • create-system-directory-at-the-correct-place.patch

• fix HTTP status code of XMLRPC service

• Added:

  • fix-http-status-code.patch

• touch /etc/genders when it not exists (boo#1128926)

• Add patches to fix logging

• Added:

  • return-the-name-of-the-unknown-method.patch
  • call-with-logger-where-possible.patch

• Switching version schema from 3.0 to 3.0.0

• Fixes case where distribution detection returns None (boo#1130658)

• Added:

  • fixes-distro-none-case.diff

• Removes newline from token, which caused authentication error
  (boo#1128754)

• Added:

  • remove-newline-from-token.diff

• Added a patch which fixes an exception when login in with a non-root
  user.

• Added:

  • fix-login-error.patch

• Added a patch which fixes an exception when login in with a non-root
  user.

• Added:

  • fix-login-error.patch

• Remove patch merged at upstream:

  • 0001-return-token-as-string.patch

• change grub2-x86_64-efi dependency to Recommends

• grub2-i386pc is not really required. Changed to recommended to allow
  building for architectures other than x86_64

• Use cdrtools starting with SLE-15 and Leap-15 again. (boo#1081739)

• Update cobbler loaders server hostname (boo#980577)

• Update outdated apache config (boo#956264)

• Replace builddate with changelog date to fix build-compare (boo#969538)

• LOCKFILE usage removed on openSUSE (boo#714618)

• Power management subsystem completely re-worked to prevent
  command-injection (CVE-2012-2395)

• Removed patch merged at upstream:

  • cobblerd_needs_apache2_service_started.patch

• Checking bug fixes of released products are in latest develop pkg:

  • remove fix-nameserver-search.fix; bug is invalid (boo#1029276)
    -> not needed anymore
  • fix cobbler yaboot handling (boo#968406, boo#966622)
    -> no yaboot support anymore
  • support UEFI boot with cobbler generated tftp tree (boo#1020376)
    -> upstream
  • Enabling PXE grub2 support for PowerPC (boo#986978)
    -> We have grub2 support for ppc64le
  • (boo#1048183) fix missing args and location for xen
    -> is in
  • no koan support anymore: boo#969541, boo#924118, boo#967523
  • not installed (boo#966841) works.

• These still have to be looked at: SUSE system as systemd only
  (boo#952844) handle list value for kernel options correctly (boo#973413)
  entry in pxe menu (boo#988889)

• This still has to be switched off (at least in internal cobbler
  versions): Disabling ‘get-loaders’ command and ‘check’ fixed. boo#973418

• Add explicity require to tftp, so it is used for both SLE and openSUSE
  (originally from jgonzalez(a)suse.com)

• Moved Recommends according to spec_cleaner

• Require latest apache2-mod_wsgi-python3 package This fixes interface to
  http://localhost/cblr/svc/…

• Use latest github cobbler/cobbler master branch in _service file

• cobblerd_needs_apache2_service_started.patch reverted, that is mainline
  now:

• Only recommend grub2-arm and grub2-ppc packages or we might not be able
  to build on factory where arm/ppc might not be built

• Remove genders package requires. A genders file is generated, but we do
  not need/use the genders package.

• Update to latest cobbler version 3.0 mainline git HEAD version and
  remove already integrated or not needed anymore patches.

• Serial console support added, did some testing already Things should
  start to work as expected

• Add general grub2 support

• Put mkgrub.* into mkgrub.sh

• Add git date and commit to version string for now

• Add grub2 mkimage scripts: mkgrub.i386-pc mkgrub.powerpc-ieee1275
  mkgrub.x86_64-efi mkgrub.arm64-efi and generate grub executables with
  them in the %post section

• build server wants explicite package in BuildRequires; use tftp

• require tftp(server) instead of atftp

• cleanup: cobbler is noarch, so arch specific requires do not make sense

• SLES15 is using /etc/os-release instead of /etc/SuSE-release, use this
  one for checking also

• add sles15 distro profile (boo#1090205)

• fix signature for SLES15 (boo#1075014)

• fix signature for SLES15 (boo#1075014)

• fix koan wait parameter initialization

• Fix koan shebang

• Escape shell parameters provided by the user for the reposync action
  (CVE-2017-1000469) (boo#1074594)

• detect if there is already another instance of “cobbler sync” running
  and exit with failure if so (boo#1081714)

• do not try to hardlink to a symlink. The result will be a dangling
  symlink in the general case (boo#1097733)

• fix service restart after logrotate for cobblerd (boo#1113747)

• rotate cobbler logs at higher frequency to prevent disk fillup
  (boo#1113747)

• Forbid exposure of private methods in the API (CVE-2018-10931)
  (CVE-2018-1000225) (boo#1104287) (boo#1104189) (boo#1105442)

• Check access token when calling ‘modify_setting’ API endpoint
  (boo#1104190) (boo#1105440) (CVE-2018-1000226)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Leap 15.2:

  zypper in -t patch openSUSE-2021-46=1