[Pkg-ganeti-devel] [ganeti] 02/05: RAPI hardening: bind to lo and require authentication

Apollon Oikonomopoulos apoikos at moszumanska.debian.org
Sat Jan 2 13:13:11 UTC 2016 

This is an automated email from the git hooks/post-receive script.

apoikos pushed a commit to branch debian/stable/jessie
in repository ganeti.

commit be731dee93c0e9f4d40f6915a0cf84f7f405bea7
Author: Apollon Oikonomopoulos <apoikos at debian.org>
Date:   Sat Sep 19 15:39:49 2015 +0300

    RAPI hardening: bind to lo and require authentication
    
    Since RAPI is vulnerable to a DoS attack and may provide access to
    sensitive cluster information, we restrict it to localhost and require
    authentication for all operations.
---
 debian/NEWS  | 16 +++++++++++++++-
 debian/rules |  3 ++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/debian/NEWS b/debian/NEWS
index f0c8eab..d4d095d 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,18 @@
+ganeti (2.12.4-1+deb8u2) jessie-security; urgency=medium
+
+  ganeti-rapi is now bound to the loopback interface by default and anonymous
+  access has been turned off even for read-only operations, to prevent
+  potential disclosure of sensitive cluster information, like in the case of
+  CVE-2015-7945. If you rely on RAPI for external tools, make sure to restore
+  the previous behavior by removing the arguments from /etc/default/ganeti.
+
+  Additionally, RAPI's SSL implementation is vulnerable to a Denial-of-Service
+  attack (CVE-2015-7944) when exposed to public networks. If you intend to run
+  RAPI on a public network, you are advised to place it behind a reverse proxy
+  (e.g. nginx, apache or haproxy) for SSL termination.
+
+ -- Apollon Oikonomopoulos <apoikos at debian.org>  Tue, 22 Dec 2015 23:47:32 +0200
+
 ganeti (2.11.5-1) unstable; urgency=high
 
   Security Release.
@@ -168,4 +183,3 @@ ganeti2 (2.0.3-1) unstable; urgency=low
   installing this package.
 
  -- Iustin Pop <iusty at k1024.org>  Sat, 25 Jul 2009 12:12:46 +0200
-
diff --git a/debian/rules b/debian/rules
index c0e0588..07f3108 100755
--- a/debian/rules
+++ b/debian/rules
@@ -82,7 +82,8 @@ override_dh_install-indep:
 
 	cp $(CURDIR)/doc/examples/ganeti.initd $(CURDIR)/debian/ganeti.init
 	cp $(CURDIR)/doc/examples/ganeti.cron $(CURDIR)/debian/ganeti.cron.d
-	cp $(CURDIR)/doc/examples/ganeti.default $(CURDIR)/debian/ganeti.default
+	sed -e 's/^RAPI_ARGS=.*/RAPI_ARGS="-b 127.0.0.1 --require-authentication"/' \
+		$(CURDIR)/doc/examples/ganeti.default > $(CURDIR)/debian/ganeti.default
 
 	# Dummy Python module for the RAPI client
 	# Add missing bits to ganeti and python-ganeti-rapi.

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ganeti/ganeti.git

More information about the Pkg-ganeti-devel mailing list