[Pkg-ganeti-devel] [ganeti] 02/05: RAPI hardening: bind to lo and require authentication
Apollon Oikonomopoulos
apoikos at moszumanska.debian.org
Sat Jan 2 13:13:11 UTC 2016
This is an automated email from the git hooks/post-receive script.
apoikos pushed a commit to branch debian/stable/jessie
in repository ganeti.
commit be731dee93c0e9f4d40f6915a0cf84f7f405bea7
Author: Apollon Oikonomopoulos <apoikos at debian.org>
Date: Sat Sep 19 15:39:49 2015 +0300
RAPI hardening: bind to lo and require authentication
Since RAPI is vulnerable to a DoS attack and may provide access to
sensitive cluster information, we restrict it to localhost and require
authentication for all operations.
---
debian/NEWS | 16 +++++++++++++++-
debian/rules | 3 ++-
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/debian/NEWS b/debian/NEWS
index f0c8eab..d4d095d 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,18 @@
+ganeti (2.12.4-1+deb8u2) jessie-security; urgency=medium
+
+ ganeti-rapi is now bound to the loopback interface by default and anonymous
+ access has been turned off even for read-only operations, to prevent
+ potential disclosure of sensitive cluster information, like in the case of
+ CVE-2015-7945. If you rely on RAPI for external tools, make sure to restore
+ the previous behavior by removing the arguments from /etc/default/ganeti.
+
+ Additionally, RAPI's SSL implementation is vulnerable to a Denial-of-Service
+ attack (CVE-2015-7944) when exposed to public networks. If you intend to run
+ RAPI on a public network, you are advised to place it behind a reverse proxy
+ (e.g. nginx, apache or haproxy) for SSL termination.
+
+ -- Apollon Oikonomopoulos <apoikos at debian.org> Tue, 22 Dec 2015 23:47:32 +0200
+
ganeti (2.11.5-1) unstable; urgency=high
Security Release.
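Review bot: the upgrade advice "restore the previous behavior by removing the arguments from /etc/default/ganeti" should name the arguments and should not suggest dropping both of them. The new default from debian/rules is RAPI_ARGS="-b 127.0.0.1 --require-authentication"; an operator who needs external tools to reach RAPI only has to change or drop "-b 127.0.0.1", whereas removing "--require-authentication" as well re-enables exactly the anonymous read access that this entry says leaks cluster information. The reverse-proxy paragraph should also state that a proxy on the same host forwarding to the loopback address works with the new bind address unchanged, so the two recommendations combine instead of reading as a choice between them.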
@@ -168,4 +183,3 @@ ganeti2 (2.0.3-1) unstable; urgency=low
installing this package.
-- Iustin Pop <iusty at k1024.org> Sat, 25 Jul 2009 12:12:46 +0200
-
diff --git a/debian/rules b/debian/rules
index c0e0588..07f3108 100755
--- a/debian/rules
+++ b/debian/rules
@@ -82,7 +82,8 @@ override_dh_install-indep:
cp $(CURDIR)/doc/examples/ganeti.initd $(CURDIR)/debian/ganeti.init
cp $(CURDIR)/doc/examples/ganeti.cron $(CURDIR)/debian/ganeti.cron.d
- cp $(CURDIR)/doc/examples/ganeti.default $(CURDIR)/debian/ganeti.default
+ sed -e 's/^RAPI_ARGS=.*/RAPI_ARGS="-b 127.0.0.1 --require-authentication"/' \
+ $(CURDIR)/doc/examples/ganeti.default > $(CURDIR)/debian/ganeti.default
# Dummy Python module for the RAPI client
# Add missing bits to ganeti and python-ganeti-rapi.
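Review bot: the substitution s/^RAPI_ARGS=.*/.../ fails silently if doc/examples/ganeti.default has no uncommented RAPI_ARGS= line at the start of a line (for example if upstream ships it commented out or renames the variable); the package would then build with the old, unhardened default and nothing would flag it. Suggest checking the result after the redirect, e.g. grep -q '^RAPI_ARGS="-b 127.0.0.1 --require-authentication"' $(CURDIR)/debian/ganeti.default, so the build fails rather than shipping the wrong default. Replacing the whole value also discards any options upstream already puts in RAPI_ARGS; appending the two flags to the existing value would preserve them.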
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ganeti/ganeti.git