CVE-2021-45082: Releases · cobbler/cobbler
An issue was discovered in Cobbler through 3.3.0. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the “#from MODULE import” substring. (Only lines beginning with #import are blocked.)
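The gap described above is easy to reproduce in miniature. The following is an added example, not Cobbler's own code: `flawed_check` is a stand-in modelled on the advisory text (reject only lines beginning with `#import`), and `hardened_check` is one way to close the hole by treating both Cheetah import spellings as directives, tolerating leading whitespace. The sample templates are constructed for the demonstration.

```python
import re

# Constructed sample Cheetah templates for this demonstration; none of them is
# taken from Cobbler's own snippets or test suite.
BENIGN = "#set $name = 'node1'\nhostname=$name\n"
IMPORT_LINE = "#import os\nowner=$os.getuid()\n"
FROM_LINE = "#from os import getuid\nowner=$getuid()\n"
INDENTED_FROM = "   #from subprocess import check_output\n$check_output(['id'])\n"


def flawed_check(template: str) -> bool:
    """Stand-in for the pre-3.3.1 behaviour the advisory describes: a template
    is rejected only when a line begins with '#import'. This is an assumption
    modelled on the CVE text, not Cobbler's actual check_for_invalid_imports."""
    return any(line.lstrip().startswith("#import") for line in template.splitlines())


# Hardened rule: treat both Cheetah import spellings as a directive, tolerate
# leading whitespace and a space after '#'. Over-rejecting (e.g. '# from' in a
# comment) is the safe direction for a deny-list that guards code execution.
IMPORT_DIRECTIVE = re.compile(r"^\s*#\s*(?:import|from)\b")


def find_import_directives(template: str) -> list:
    """Return (1-based line number, stripped line) for every offending line."""
    return [
        (number, line.strip())
        for number, line in enumerate(template.splitlines(), start=1)
        if IMPORT_DIRECTIVE.match(line)
    ]


def hardened_check(template: str) -> bool:
    """Reject the template if an import directive, in either form, is present."""
    return bool(find_import_directives(template))


def bypasses_flawed_check(template: str) -> bool:
    """True when the old rule accepts a template that the hardened one rejects,
    i.e. exactly the gap CVE-2021-45082 describes."""
    return hardened_check(template) and not flawed_check(template)


if __name__ == "__main__":
    for name, tpl in [("BENIGN", BENIGN), ("IMPORT_LINE", IMPORT_LINE),
                      ("FROM_LINE", FROM_LINE), ("INDENTED_FROM", INDENTED_FROM)]:
        print(f"{name:14} flawed={flawed_check(tpl)!s:5} "
              f"hardened={hardened_check(tpl)!s:5} bypass={bypasses_flawed_check(tpl)}")
```

A directive deny-list only narrows the problem: anyone who can edit templates that Cobbler renders can still reach whatever Python objects are placed in the template namespace through `$` placeholders, so template write access should be treated as administrative access regardless of this check.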
This release addresses mainly security issues and bugfixes.
We have 212 files changed, 2665 insertions(+), 125148 deletions(-)
Milestone: https://github.com/cobbler/cobbler/milestone/15
Diff to last release: v3.3.0…v3.3.1
Announcements:
- Important Security Bugfixes
- CVE-2021-45082: Incomplete template sanitation #2945
- CVE-2021-45083: Make configuration files only readable by root #2945
- Stabilize MongoDB serializer #2919
- Log file pollution: validate the data before logging it #2911
- Authentication: Remove testing module due to hardcoded well-known credentials #2908
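CVE-2021-45083 above is about file modes, and after upgrading an operator will want to confirm the fix actually landed on disk. The following audit script is an added example, not part of Cobbler or of this release; the list of files under `/etc/cobbler` is an assumption for illustration, and `demo()` works on constructed files in a temporary directory so it runs without root.

```python
import os
import stat
import tempfile

# Files an operator would check after upgrading. The list is an assumption for
# this example; the release notes only say configuration files must be readable
# by root alone.
DEFAULT_CONFIG_FILES = [
    "/etc/cobbler/settings.yaml",
    "/etc/cobbler/users.digest",
    "/etc/cobbler/modules.conf",
]

ROOT_ONLY = stat.S_IRUSR | stat.S_IWUSR  # 0600


def audit(paths):
    """Return {path: finding}. A finding records the octal mode, the owner uid,
    whether group or other have any access, and whether root owns the file.
    Missing files are reported rather than silently skipped."""
    findings = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings[path] = {"missing": True}
            continue
        mode = stat.S_IMODE(st.st_mode)
        findings[path] = {
            "missing": False,
            "mode": format(mode, "04o"),
            "owner_uid": st.st_uid,
            "exposed": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
            "root_owned": st.st_uid == 0,
        }
    return findings


def lock_down(paths):
    """Reset every exposed file to 0600 and return the paths that were changed.
    Ownership is reported by audit() but not forced: chown needs root."""
    changed = []
    for path, finding in audit(paths).items():
        if not finding["missing"] and finding["exposed"]:
            os.chmod(path, ROOT_ONLY)
            changed.append(path)
    return changed


def demo():
    """Create two constructed config files in a temp dir, one world-readable and
    one already locked down, and return (audit before, changed, audit after),
    keyed by basename so the temp path does not leak into the result."""
    with tempfile.TemporaryDirectory() as workdir:
        weak = os.path.join(workdir, "settings.yaml")
        strict = os.path.join(workdir, "users.digest")
        for path, mode in ((weak, 0o644), (strict, 0o600)):
            with open(path, "w") as fh:
                fh.write("# constructed placeholder content\n")
            os.chmod(path, mode)
        before = audit([weak, strict, os.path.join(workdir, "modules.conf")])
        changed = lock_down([weak, strict])
        after = audit([weak, strict])
        key = os.path.basename
        return ({key(p): f for p, f in before.items()},
                [key(p) for p in changed],
                {key(p): f for p, f in after.items()})


if __name__ == "__main__":
    for path, finding in audit(DEFAULT_CONFIG_FILES).items():
        print(path, finding)
```

Run `audit(DEFAULT_CONFIG_FILES)` on the Cobbler host itself; anything with `exposed` set or `root_owned` false still leaks settings (including any credentials in them) to local users, whatever version is installed.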
New:
- Support for Windows 11 #2819
- Support for FreeBSD 12.2 & 13.0 #2929
- UEFI support #2416
Breaking Changes:
- `cobbler mkgrub` renamed to `cobbler mkloaders` #2807
Bugfixes:
- `cobbler <item> rename` should work again now #2824
- `ldap_anonymous_bind` #2831
- Wrong bind path for Debian #2927
- RHEL/Fedora arches in signatures #2895
- Auto migrate settings #2871
- System: Fix serial_device and serial_baud_rate #2923
- Cannot set property ‘file’ of image #2878
- Enums: Fix failure to convert `<<inherit>>` #2920
- `cobbler mkloaders` for non-SUSE distros did not work #2851
- Added `ipv6_prefix` to `post_install_network_config` #2928
Other:
Internal Refactorings:
- Add systemctl for systemd based systems #2841
- Enums: Create general str to enum converter #2901
- Systems: Re-enable the modify_interface call #2921
- Utils: Check if service is running before stopping it #2936
- Several check enhancements #2809
- Remove old Cobbler Web leftovers #2938
- Simplify remote_boot_file setters #2886
Docs
- Explain TFTP and internal database #2904
Tests:
- Add tftpgen unit tests #2808
- Add system unit tests #2814
- Add system test for `cobbler buildiso` #2822
- XMLRPC test for adding an interface to a system #2907
CI/container:
- Improvements for the development container #2806
- Use prebuilt images for testing #2812
- CentOS to Rocky Linux move for Compose #2939
- Add python-rpm-macros #2872
This release got everything! Security, Features, Bugfixes, …
We have 422 files changed, 25375 insertions(+), 34826 deletions(-)
Milestone: https://github.com/cobbler/cobbler/milestone/10
Diff to last release: v3.2.1…v3.3.0
Known Issues:
- `cobbler <item> rename` is not working currently
- `cobbler <item> edit` may have bugs due to the internal refactorings
Breaking Changes:
- The webinterface got removed #2434 #2700
- Please use the CLI in the meantime
- A new webinterface is under development at https://github.com/cobbler/cobbler-web
- The core code has priority at any time. There are third party tools available which provide a webinterface and use
Cobbler as a backend. A list of those tools can be found at the bottom of the following page: https://cobbler.github.io/users.html
- The Cobbler internal TFTP daemon got removed #2512
- `yaboot` support got removed as a bootloader for PowerPC #2723
Announcements:
- Important Security Bugfixes #2794 #2795
  - Arbitrary Read was possible through `generate_script()`
  - Arbitrary Write was possible through `upload_log_data()`
  - Log poisoning with Remote-Code-Execution was possible through any XMLRPC method which logs to the logfile.
  - Arbitrary Read was possible through
- There was an internal refactoring from runtime created Python attributes to Python Properties. This allows much better data validation and thus better error handling but also introduced new bugs. Related: #2433 #2666 #2677 #2753 #2699 #2692 #2684 #2707 #2727 #2726 #2685 #2675 #2678 #2682 #2674 #2676 #2681 #2683 #2696 #2702 #2732 #2733 #2722 #2680 #2711
- This is the first release with the new avatar #2604
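The log poisoning item above (and the matching 3.3.1 fix, "validate the data before logging it" #2911) comes down to one rule: nothing taken from an XMLRPC caller may be written to the log as-is. The following sanitizer is an added example, not Cobbler's code. It keeps each logged value on a single line, escapes control characters, and, because the notes say the poisoned log could end in code execution, also neutralizes the `#` and `$` characters Cheetah uses for directives and placeholders so the log text stays inert even if a log file is ever fed through the template engine. The log format and the hostile argument are constructed for the demonstration.

```python
import io
import logging
import re

# Bytes that let an attacker forge extra log records or inject terminal escapes.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Cheetah directive and placeholder markers; neutralised so a log line can never
# be mistaken for template code if the log file is rendered as a template.
TEMPLATE_MARKERS = re.compile(r"[#$]")


def sanitize(value, limit=512) -> str:
    """Render any XML-RPC argument as a single, inert, length-bounded line."""
    text = str(value)
    text = CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), text)
    text = TEMPLATE_MARKERS.sub(lambda m: "\\x%02x" % ord(m.group()), text)
    if len(text) > limit:
        text = text[:limit] + "...[truncated %d chars]" % (len(text) - limit)
    return text


def log_xmlrpc_call(logger, method: str, args) -> None:
    """Log one XML-RPC call as exactly one record, with every argument sanitized."""
    logger.info("xmlrpc %s(%s)", sanitize(method), ", ".join(sanitize(a) for a in args))


def capture(method, args) -> str:
    """Run log_xmlrpc_call against an in-memory handler and return the log text,
    so the effect of sanitize() can be inspected without touching a real log."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("cobbler.example")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    try:
        log_xmlrpc_call(logger, method, args)
    finally:
        logger.removeHandler(handler)
    return buffer.getvalue()


# Constructed hostile argument: a forged second log record followed by a Cheetah
# import directive and a call through the placeholder syntax.
HOSTILE_NAME = "node1\nINFO xmlrpc login(admin) ok\n#import os\n$os.system('id')"

if __name__ == "__main__":
    print(capture("get_system", [HOSTILE_NAME, 42]), end="")
```

The escaping is deliberately lossless (`\x0a`, `\x23`, ...) rather than a plain strip, so an analyst reading the log can still see what the caller sent; only its ability to be interpreted as a record boundary or as template code is removed.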
New:
- The `migrate-data-v2-to-v3.py` script is now packaged and can directly be used #2591
- The `mkgrub.sh` script was converted to the command `cobbler mkgrub` #2739 #2721
- We now have automigrations and validation for the application settings #2747 #2719 #2772 #2769
- New distros are now able to be imported:
- Debian 11 #2758
- Fedora 34 #2713
- `cobbler sync` now supports syncing only specified systems #2601
- You can now define your own boot menu structure #2575
- Cobbler is able to run on RockyLinux and import it #2627
- DHCPv6 is now natively supported #2539 #2511 #2647
Changes:
- Internal cache got fully removed with #2684 (related #2661)
- `cobbler get-loaders` was removed for security reasons #2572
- Removed the `simplejson` dependency as it is redundant now #2572
- Docs: Multiple enhancements #2599 #2788
- Logger: Changed to the default Python 3 logger (much more configurable) #2573
- Old bootloaders which were not shipped by default got removed #2641
- Windows autoinstallation was simplified #2767
- We are now using `os.urandom` instead of `/dev/urandom` #2752
- We have reduced the usage of the generic `CX` exception #2643
- `ipmilanplus` is the default fence agent for power operations #2714
- For nested GRUB menus we now show an indicator #2693
- Items can now be found even if the item type is not specified #2663
Bugfixes:
- Be compliant with CORS pre-flight requests #2594
- `cobbler reposync`: SSL related problems were fixed #2759
- Autoinstall templates directory was wrong per default #2590
- We do not strip the last two characters anymore when rendering via an HTTP(S) endpoint #2626
- `cobbler check` does not complain about the old name of the settings file anymore #2630
- openSUSE Tumbleweed AutoYaST templating was fixed again #2629 #2628 #2632
- `cobbler hardlink` now works with non-default web directories #2774
- GRUB got a few Cobbler related fixes #2653 #2792 #2743
- `pxe_just_once` is working as expected now #2783 #2784
- Anaconda installation process `ONBOOT` is now able to be set with and without quotation marks #2775
- The Autoinstall Manager crashes correctly in case of an error #2791
- `cobbler distro delete` now doesn't leave repository configs behind #2729 #1370
- `cobbler sync --dns` is now working as expected again #2710 #2712
Other:
- Internal Refactorings:
  - Base class for all manager modules is used now #2610
  - Cobbler litesync was moved into Cobbler sync #2615
  - `field_info.py` functionality was removed since it was unused #2662
  - API is used instead of the collection manager #2652
  - Settings are now held in the API instead of the collection manager #2664
  - Directly use the UUID module where available #2650
  - Don't clone an object during rename #2744
  - `kopts_overwrite` is more error resistant now #2651
- Docs:
  - Added missing dependency for building #2571
  - Fix build errors #2633
  - Extend `__init__.py` files with content about Python modules #2642
  - Spelling #2731
  - Types for many external API methods #2785
  - Document properties #2773
  - General cleanup #2771
- Tests: Multiple new testcases to improve stability and coverage #2656 #2740 #2745 #1492 #2645 #2649
- GitHub Issue templates were revamped #2578
- Packaging: Specfile got a few improvements #2780
- CI:
  - Obsolete testing container #2730
  - Also use the openSUSE Build Service for packaging on PRs #2672
  - Package also for openSUSE #2607
  - Enhance the setup scripts #2331
- Development: Container now exposes 80 & 443 #2609
This is a security only release.
The Django webinterface is removed with V3.3.0 but is included in V3.2.2!
We have
Milestone: https://github.com/cobbler/cobbler/milestone/17
Diff to last release: v3.2.1…v3.2.2
Breaking Changes: None
Announcements:
- Important Security Bugfixes #2797
  - Arbitrary Read was possible through `generate_script()`
  - Arbitrary Write was possible through `upload_log_data()`
  - Log poisoning with Remote-Code-Execution was possible through any XMLRPC method which logs to the logfile.
  - Arbitrary Read was possible through
New:
- AlmaLinux & RockyLinux are now supported #2705
Changes: None
Bugfixes: None
Other:
- Release preparations #2798
This release is a lot about bug fixes and smaller improvements.
Important: This will be the very last release to contain the already deprecated Django Web Interface.
We have 184 changed files, 8391 insertions and 3362 deletions. We have merged 45 pull requests.
Milestone: https://github.com/cobbler/cobbler/milestone/9
Diff to last release: v3.2.0…v3.2.1
New:
- Signatures: Add ESXi 7.0 U1 #2525 #2526 #2442
- Signatures: Add AlmaLinux to supported distros #2536
- Signatures: Add generic openSUSE Leap 15 #2508
- Settings: Use `.yaml` as a file extension #2531
- Settings: Validate what settings we have in the YAML file #2533 #2419 #2530
- Modules: We now support automatic Windows installations #2466
- Docs: Terraform provider now included #2166 #2528
Changes:
- Web Frontend: Show VMware as a breed #2449
- Logging check fails with SELinux #2440 #2441
- Typing: Convert docstring types to typing types #2564
- ESXi Support: Now partly supported #2541
- `ipmitool` is now upstream supported by `fence_agents` via `ipmilanplus` #2542
- `cobbler version` removes the `b` prefix #2543
- We are now using `inst.ks` instead of `ks` #2534
- Use the python-file bindings instead of a subprocess call #2482 #2480
- Web Interface: Make new user management more obvious #2484
Bugfixes:
- Remove redundant `.json` suffix #2451 #2376 #2545 #2529
- PAM authentication failures are fixed now #2400 #2444
- Templating: Fix Cheetah macros #2570 #2509 #2403
- Templating: Fix regex replacements #2513
- Templating: Add `http_port` to all snippets we are aware of #2058
- API: Have the legacy fields `kickstart` and `ks_meta` present at all times #2311 #2568
- Replicate: `revert_strip_none` prior to adding an object on replicate #2548 #2505
- Replicate: Fix paths during replication #2516
- Web interface: Fix snippet path #2520
- Web interface: Prevent duplicate pathing of snippets #2485
- Fix script path from Cobbler #2479 #2478
- Settings: Add missing rsync flags option #2467 #2468
- Startup: Cobbler starts with sub-profiles now #2259 #2450
- Web: Permissions for `/var/lib/cobbler/web.ss` #2439 #2452
- Power management: Follow the `fence_agent` return codes #1491
- `cobbler check`: Fix dnsmasq check #2155
Other:
- CI: We changed to GitHub Actions from Travis #2514
- CI: Add Test-PyPi release for every commit on `master` #2533 #2553 #2565
- CI: Configure linters #2422 #2506
- CI: Replace Fedora 31 with Fedora 33 for building packages #2463
- Tests: Add more coverage #2554 #2550 #2546
- Cleanup unused import #2551
- Docs: Improvements at various places #2547 #2481 #2473 #1801 #2228
- Removed unused multi-language support #2532
- Un-categorized improvements #2524 #2464
- Packaging: CentOS builds because of a virtual provides for a dependency #2340
- Items: Streamline `template_types` type in all items #2262
- Docker: Add `ldap` to the image per default #2335
Breaking Changes:
- Possibly the settings file is not correctly migrated and needs to be manually adjusted.
  - Rename `settings` to `settings.yaml`
  - Add all keys which are missing. The list will be available in `/var/log/cobbler/cobbler.log`.
- We dropped support for CentOS 7 since no full Python 3 stack is available #2515
Announcement:
- We will try to fade out Cheetah3 over time. Release 4.0.0 will contain only Jinja2 templates. We will aid and help with the transition and try to make it as smooth as possible.
- We will remove the internal implementation of the TFTP daemon with 3.3.0. If you use it, please use one from your system vendor in the future.
This release is a lot about bug fixes and smaller improvements.
Important: This will be the last release to contain the already deprecated Django Web Interface.
We have 2,960 additions and 1,018 deletions. We have merged 30 pull requests.
Milestone: V3.2.0
New:
- Include Fedora 32 & Ubuntu Focal in `signatures.json` (#2405)
- Move rsync flags to the Cobbler settings `reposync_rsync_flags` (#1480 #2399)
- Add a new flag, `cache_enabled`, to enable or disable the cache (#2387)
- When doing autoinstallations the conversion of hostnames to IPs is now optional via this setting: `convert_server_to_ip` (#2357)
Changes:
- Specfile got multiple improvements (#2413 #2409 #2334 #2351 #2355 #2392)
- Documentation improvements (#2406 #2407 #2377 #2360 #2361 )
- String replacements will now have a better performance (#2417)
- Remove Python 2 compatibility layer fully (#2402)
- Rewrite the Spacewalk Auth Module (#2401)
- Address tech-debt (#2380)
- When building yourself you can configure the tftp directory (#2359)
Bugfixes:
- Finally include ESXI7 Signatures (#2435 #2441)
- Fix startup error when config variable is called before assignment. (#2394)
- Remove dead code (#2367)
- FileNotFoundError when under high load (#2362 #2365)
- Sorting in the WebUI (#2265 #2390)
- When copying a system, the invalid MAC error is now fixed (#2397)
- Fix error message on the CLI when using `--verbose` (#2388)
- Fix some reposync related problems (#2384)
- Fix repo and mgmtclass initializations (#2374 #2373)
Other:
- Improved Tests (#2408 #2420)
Breaking Changes: We should have no breaking changes in this version.
This release syncs release30 with master. No patches for release30 were needed specifically.
We have +13,585 additions and −6,365 removals. We have merged 45 pull requests.
New:
- For the distro there are now the parameters `remote_boot_initrd` and `remote_boot_kernel` ()
- For the profile there is now a parameter `filename` for DHCP. (#2280)
- Signatures for ESXi 6 and 7 (#2308)
- The `hardlink` command is now detected more dynamically and thus more error resistant (#2297)
- HTTPBoot will now work in some cases out of the box. (#2295)
- Additional DNS query for a case where the wrong record was queried in the `nsupdate system` case (#2285)
Changes:
- Enabled a lot of tests, removed some and implemented new. (#2202)
- Removed not used files from the codebase. (#2302)
- Exchanged `mkisofs` for `xorrisofs`. (#2296)
- Removed duplicate code. (#2224)
- Removed unreachable code. (#2223)
- Snippet creation and deletion now works again via xmlrpc. (#2244)
- Replace `createrepo` with `createrepo_c`. (#2266)
- Enable Kerberos through having a case sensitive `users.conf`. (#2272)
Bugfixes:
- General various bugfixes (#2331, )
- `Makefile` usage and commands. (#2344, #2304)
- Fix the dhcp template. (#2314)
- Creation of the management classes and gPXE. (#2310)
- Fix the `scm_track` module. (#2275, #2279)
- Fix passing the `netdevice` parameter correctly to the `linuxrc`. (#2263)
- `powerstatus` from cobbler now works thanks to a wrapper for `ipmitool`. (#2267)
- In case LDAP is used for auth, it now works with ADs. (#2274)
- Fix passthru authentication. (#2271)
Other:
- Add Codecov. (#2229)
- Documentation updates. (#2333, #2326, #2305, #2249, #2268)
- Buildprocess:
- Recreation and cleanup of Grub2. (#2278)
- Fix small errors for openSUSE Leap. (#2233)
- Fix `rpmlint` errors. (#2237)
- Maximum compatibility for debbuild package creation. (#2255, #2292, #2242, #2300)
- Fixes related to our CI Pipeline (#2254, #2269)
- Internal Code cleanup (#2273, #2270)
Breaking Changes:
- Hash handling in users.digest file. (#2299)
- When using a DEB or RPM we now replace the configs. So preserving the config needs to be ensured by you.
Bugfixes:
- Incremented Version to 3.1.1 from 3.0.1
This release syncs release30 with master. No patches for release30 were needed specifically.
I would like to especially thank @Conan-Kudo for his work on the cross-distro specfile for cobbler and koan, as well as @rbberger, who was so kind to contribute a lot regarding building the RPMs in Docker for CentOS with the specfile. This helped a lot!
We have a 8497 line diff for this release.
New:
- We now have a cross-distro specfile which can be built in the OBS (#2220) - before being rewritten it was improved by #2144 & #2174
- Grub Submenu for net-booting machines (#2217)
- Building the Cent-OS RPMs in Docker (#2190 #2189)
- Reintroduced manpage build in `setup.py` (#2185)
- `mgmt_parameters` are now passed to the dhcp template (#2182)
- Using the standard Python 3 logger instead of a custom one (#2160 #2139 #2151)
- Script for converting the settings file from 3.0.0 to 3.0.1 (#2154)
- Docs now inside the repo instead of cobbler.github.io and improved with sphinx (#2117)
Changes:
- The default tftpboot directory is now `/var/lib/tftpboot` instead of previously `/srv/tftpboot` (#2220)
- Distro signatures were adjusted where necessary (#2219 #2134)
- Removed `requirements.txt` and placed the requirements in `setup.py` (#2204)
- Display only entries in grub which are from the same arch (#2191 #2216)
- Change the name of the cobbler manpage from `cobbler-cli` back to `cobbler` and move it to section 8 (#2188 #2186)
Bugfixes:
- S390 Support was cleaned up (#2207 #2178)
- PowerPC Support was cleaned up (#2178)
- Added a missing import while importing a distro with `cobbler import` (#2201)
- Fixed a case where a stacktrace would be produced, so pass None instead (#2203)
- Rename of `suse_kopts_textmode_overwrite` to `kopts_overwrite` in `utils` (#2143 #2200)
- Fix rsync subprocess call (#2199 #2179)
- Fixed an error where the template rendering did not work (#2176)
- Fixed some `cobbler import` errors (#2172)
- Wrong shebang in various scripts (#2148)
- Fix some imports which fixes errors introduced by the remodularization (#2150 #2153)
Other:
- Issue Templates for Github (#2187)
Breaking Changes: None
This version comes with the following changes and new features:
Fixes:
- Fixes the use of disk drivers with koan (#1936)
- Fix rsync distro import (#1613)
- Fix built-in tftp server (#2018)
- Fix URL generation when https is enabled (#2063)
- Update the signatures (#2141 #2105)
- Update the sample.seed file with master (#2092)
- Only use the set-module as a fallback (#2090)
- Fix IPMI usage (#2110)
- Some small Web-UI fixes (#2111 - contains also the version bump in the files where needed)
- Fix for the dhcp_tag being undefined (#2095)
New:
- Use django 1.8+ (#2104)
- Add mgmt_parameters to the dhcp template (#2180)
- Docs are now maintained inside this repo for readthedocs.io (#2197)
Announcements: The V3.x.x branch is now maintained in its own branch to allow development changes to go on top of master.
Changes:
- We made cobbler now more modularized. So plugins can be grouped by directories and can be imported from sub-directories.
- We dropped support for older Ubuntu versions.
- We updated the `dhcpd.template` to bring an improved experience with dhcp templating.
- We removed the custom logger and are now using the standard python3 logger with a config in `/etc/cobbler/logging_config.conf`
- We fixed some shebangs to `/usr/bin/python3` to ease the pain for package maintainers
- And more smaller fixes which should not affect your day to day usage but should improve your experience with cobbler.
WARNING: This release contains breaking changes for your settings file! A guide on how to convert your settings file can be found here cobbler.github.io