Security update for cobbler (important)

An update that solves 6 vulnerabilities and has 6 fixes is
now available.

Description:

This update for cobbler fixes the following issues:

• CVE-2021-45083: Fixed unsafe permissions on sensitive files
  (bsc#1193671).
• CVE-2021-45082: Fixed incomplete template sanitation (bsc#1193678).
• CVE-2021-40323, CVE-2021-40324, CVE-2021-40325: Fixed Remote Code
  Execution in the XMLRPC API which additionally allowed arbitrary file
  read and write as root (boo#1189458).

The following non-security bugs were fixed:

• Fix issues with installation module logging and validation (boo#1195918)
• Move configuration files ownership to apache (boo#1195906)
• Remove hardcoded test credentials (boo#1193673)
• Prevent log pollution (boo#1193675)
• Missing sanity check on MongoDB configuration file (boo#1193676)
• Avoid traceback when building tftp files for ppc arch system when
  boot_loader is not set (boo#1185679)
• Prevent some race conditions when writting tftpboot files and the
  destination directory is not existing (boo#1186124)
• Fix trail stripping in case of using UTF symbols (boo#1184561)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Leap 15.3:

  zypper in -t patch openSUSE-SLE-15.3-2022-62=1

• openSUSE Backports SLE-15-SP3:

  zypper in -t patch openSUSE-2022-62=1