FEDORA-EPEL-2016-911ea9b639

security update in Fedora EPEL 7 for fedfind and python-wikitcms

Status: stable 2 years ago

python-wikitcms 2.1.9 is a SECURITY fix for an issue with potentially serious consequences but very limited scope. If an administrator of a wiki you talked to using python-wikitcms were malicious, they could cause arbitrary code execution as the user running wikitcms. No-one besides a wiki administrator could do this, as it requires crafting the wiki's response to an edit request to include a malicious payload.

fedfind 3.0 changes how fedfind finds images for composes without metadata (which is basically milestone - Alpha / Beta - and stable releases). Formerly it found them by scraping rsync output, which was slow, generated quite a lot of load on both server and client, and was vulnerable to the rsync server being full. We have now tweaked things so that the primary mirror has imagelist files for the fedora, alt and archive trees which list every single image file - but no other files - in those trees. fedfind now simply parses these imagelist files to find images.

As the files only list images they are pretty small (the biggest is under 500KiB) and they are cached locally and only re-downloaded when they change, this is much faster, more efficient, and uses less bandwidth.

There are also some changes to ensure the tests run properly on EL 6, EL 7 and Fedora 23, and a missing dependency for EL 6 was added - argparse is a part of the Python standard library for all the other distros, but for EL 6 it is still a separate package.

fedfind 3.1 changes how fedfind handles metadata for composes which were originally created by Pungi 4 and had real metadata, but were then modified in some ways and had their metadata removed. This includes milestone and stable releases for Fedora 24 and later: when these are placed in their 'final' locations on the mirrors, some contents are split into different locations and some deliverables are removed. Previously, fedfind would simply synthesize metadata for these composes, as it does for pre-Pungi 4 composes. Now, it first attempts to find the original metadata (from PDC) and adjust it for the modified image locations, while preserving all the other image attributes from the original metadata (including ones it could not synthesize). It will only fall back to synthesizing the metadata if it cannot find corresponding metadata from PDC. The practical result of this is that you should get more reliable and complete metadata for these composes.

fedfind 3.2 adds support for the post-release live respin composes to fedfind. These work a little differently to most other compose types: please see the documentation for more information. This support is primarily intended to enable testing of these composes in openQA.

How to install

sudo dnf upgrade --advisory=FEDORA-EPEL-2016-911ea9b639

Comments 12

This update has been submitted for testing by adamwill.

This update has been pushed to testing.

adamwill edited this update.

New build(s):

  • fedfind-3.1.3-1.el7

Removed build(s):

  • fedfind-3.0.4-1.el7

This update has been submitted for testing by adamwill.

adamwill edited this update.

New build(s):

  • fedfind-3.1.3-2.el7

Removed build(s):

  • fedfind-3.1.3-1.el7

This update has been pushed to testing.

adamwill edited this update.

New build(s):

  • python-wikitcms-2.1.9-1.el7
  • fedfind-3.2.3-1.el7

Removed build(s):

  • fedfind-3.1.3-2.el7

This update has been submitted for testing by adamwill.

This update has been pushed to testing.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

This update has been submitted for stable by adamwill.

This update has been pushed to stable.

Content Type
RPM
Status
stable
Test Gating
Submitted by
Update Type
security
Update Severity
high
Karma
0
stable threshold: 3
unstable threshold: -3
Autopush
Enabled
Dates
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago
modified 2 years ago

Automated Test Results