[Bug 860492] Re: [MIR] cobbler-enlist src, cobbler-enlist-udeb bin
Jamie Strandboge
jamie at ubuntu.com
Thu Sep 29 16:59:56 UTC 2011
Security review:
- does not check return codes in several places surrounding malloc() and xmlrpc_* calls
- SSL is not used due to bug #833994
I would really like to see the error checking done at some time. I
realize this is a time crunch and don't see a vulnerability with the
shallow audit I performed. That said, this should be fixed, especially
since cobbler-enlist is intended to be run as a privileged user, and I
have filed bug #862558.
To fully address the SSL issues, bug #833994 needs to be adjusted in the installer and cobbler-enlist. Since it is too late for that, I suggest:
- adjusting the already existing debconf questions/notes to include language that the information is currently submitted in unencrypted form (and a way to abort)
- add language to the --help text that the information is currently submitted in unencrypted form
- add a manpage which among other things includes language that the information is currently submitted in unencrypted form
- add text to README.Debian explaining the lack of SSL, language that the information is currently submitted in unencrypted form and a reference to bug #833994
I have filed bug #862567 to address this.
Since there is no difference between supporting the udeb for cobbler-enlist
and the regular deb for cobbler-enlist, please feel free to
promote and seed once bug #862567 is fixed.
Thanks!
** Changed in: cobbler-enlist (Ubuntu Oneiric)
Status: In Progress => Confirmed
** Changed in: cobbler-enlist (Ubuntu Oneiric)
Assignee: Jamie Strandboge (jdstrand) => (unassigned)
https://bugs.launchpad.net/bugs/860492
Title:
[MIR] cobbler-enlist src, cobbler-enlist-udeb bin
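The first review finding above is that cobbler-enlist does not check return codes around malloc() and the xmlrpc_* calls. The following is an added example of the checking pattern the review asks for; it is not cobbler-enlist's code and does not link xmlrpc-c. The struct `rpc_env` and the function `fake_rpc_call` are stand-ins that imitate how xmlrpc-c reports failures (through the `fault_occurred` and `fault_string` fields of an `xmlrpc_env`, not through a return value), and `alloc_fn` is an assumed hook so an allocation failure can be forced. The names `enlist_host`, `enlist_use_failing_alloc` and the server name `cobbler.example` are constructed for the example.

```c
/* Added example, not cobbler-enlist code: check every allocation and every
 * RPC result, and release what was acquired before bailing out. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for xmlrpc_env: the real library flags errors in fault_occurred
 * and describes them in fault_string. */
struct rpc_env {
    int fault_occurred;
    const char *fault_string;
};

/* Stand-in for an xmlrpc_* client call; fails on an empty server name so
 * the error path can be exercised offline. */
static void fake_rpc_call(struct rpc_env *env, const char *server, const char *payload)
{
    (void)payload;
    if (server == NULL || server[0] == '\0') {
        env->fault_occurred = 1;
        env->fault_string = "no server given";
    }
}

/* Assumed allocator hook, used only to force a malloc() failure in tests. */
static void *(*alloc_fn)(size_t) = malloc;

/* Build "hostname=<name>" and submit it. Returns 0 on success, -1 on any
 * failure; nothing is leaked on the failure paths. */
int enlist_host(const char *server, const char *hostname)
{
    const char *prefix = "hostname=";
    char *payload = NULL;
    int rc = -1;
    struct rpc_env env = { 0, NULL };
    size_t plen, hlen;

    if (server == NULL || hostname == NULL)
        return -1;

    plen = strlen(prefix);
    hlen = strlen(hostname);
    payload = alloc_fn(plen + hlen + 1);
    if (payload == NULL) {            /* the malloc() check the review found missing */
        fprintf(stderr, "enlist_host: out of memory\n");
        goto out;
    }
    memcpy(payload, prefix, plen);
    memcpy(payload + plen, hostname, hlen + 1);

    fake_rpc_call(&env, server, payload);
    if (env.fault_occurred) {         /* xmlrpc-c style error check, after every call */
        fprintf(stderr, "enlist_host: RPC failed: %s\n", env.fault_string);
        goto out;
    }
    rc = 0;

out:
    free(payload);                    /* free(NULL) is a no-op, so this is safe on every path */
    return rc;
}

/* Test helper: switch the allocator hook to one that always fails. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }
void enlist_use_failing_alloc(int on) { alloc_fn = on ? failing_alloc : malloc; }

int main(void)
{
    printf("normal call: %d\n", enlist_host("cobbler.example", "node01"));
    printf("empty server: %d\n", enlist_host("", "node01"));
    enlist_use_failing_alloc(1);
    printf("allocation failure: %d\n", enlist_host("cobbler.example", "node01"));
    enlist_use_failing_alloc(0);
    return 0;
}
```

The single `out:` label with an unconditional `free()` is what keeps the checks cheap to add: each new failure point is one `if` and one `goto`, which matters in a tool that runs privileged, where an unchecked NULL or a silently ignored RPC fault is the kind of defect the review flags.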