From: Chris St. Pierre <chris.a.st.pierre <at> gmail.com>
Subject: Security flaw in 1.1.x; testers wanted
Newsgroups: gmane.comp.sysutils.bcfg2.devel
Date: Tuesday 16th August 2011 14:43:21 UTC (over 5 years ago)
There is a security flaw in 1.1.x that could allow an attacker who has
gained root access to a Bcfg2 client machine to run arbitrary code on
the Bcfg2 server.  The flaw results from an unescaped shell command in
the SSHbase module.

We have produced a patch that fixes what we believe to be all of the
potentially dangerous external command invocations in Bcfg2; this
patch has already been applied in Git, but most of the Bcfg2
developers are already running HEAD and do not have any way to
reasonably test the patch to the 1.1.x tree.  We'd like a few people
to try out the patch and give us feedback so we can get a 1.1.3 tag
released as soon as possible.  The patchset can be found at:

https://github.com/solj/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53

The patches only need to be applied on the Bcfg2 server.

If you do not want to apply the patch immediately, or if you are
running a 1.0.x or older version of the server, or a tagged 1.2
prerelease (i.e., not 1.2 HEAD), we recommend disabling the SSHbase
plugin until you can update.
-- 
Chris St. Pierre
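The flaw class the message describes (client-supplied data interpolated into a shell command run on the server) beside the hardened form, as an added example that is not Bcfg2's code and not the linked patch; the sample hostname, the allow-list pattern and the use of `echo` as a stand-in for the real tool are assumptions.

```python
import re
import subprocess

# Constructed sample input (not from the advisory): a hostname a compromised
# client could report, carrying a shell metacharacter.
HOSTILE_HOSTNAME = "client.example.com; echo INJECTED"

# Conservative allow-list for hostnames: dot-separated labels of letters,
# digits and inner hyphens. Anything else is rejected before a command exists.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

# 'echo' stands in for the real tool so the example runs harmlessly anywhere.
TOOL = "echo"

def build_shell_string(hostname):
    """Vulnerable pattern: client data interpolated into one shell string.
    With shell=True the shell parses the whole string, so ';' ends the
    intended command and starts a second one chosen by the client."""
    return "%s -C root@%s" % (TOOL, hostname)

def run_shell_string(hostname):
    """Run the vulnerable form and return the output lines the shell produced."""
    proc = subprocess.run(build_shell_string(hostname), shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()

def build_argv(hostname):
    """Hardened pattern: validate against the allow-list, then build an
    argument vector. No shell is involved, so no character is special."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError("rejected client-supplied hostname: %r" % hostname)
    return [TOOL, "-C", "root@" + hostname]

def run_argv(hostname):
    """Run the hardened form: each list element reaches the program as one
    literal argument, whatever it contains."""
    proc = subprocess.run(build_argv(hostname), shell=False,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()

if __name__ == "__main__":
    print("shell string:", run_shell_string(HOSTILE_HOSTNAME))  # second line: INJECTED
    print("argv, benign:", run_argv("client.example.com"))
    try:
        run_argv(HOSTILE_HOSTNAME)
    except ValueError as err:
        print("argv, hostile:", err)
```

The same `echo` command line produces a second, attacker-chosen line only in the shell-string form; the argv form either rejects the value or passes it through as a single literal argument.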