[Pkg-ganeti-devel] [ganeti] 03/04: RAPI hardening: bind to lo and require authentication

Apollon Oikonomopoulos apoikos at moszumanska.debian.org
Mon Jan 4 09:28:13 UTC 2016


This is an automated email from the git hooks/post-receive script.

apoikos pushed a commit to branch precise
in repository ganeti.

commit 49b1abde3ac01f21e420dcecc44b255b2da7f976
Author: Apollon Oikonomopoulos <apoikos at debian.org>
Date:   Sat Sep 19 15:39:49 2015 +0300

    RAPI hardening: bind to lo and require authentication
    
    Since RAPI is vulnerable to a DoS attack and may provide access to
    sensitive cluster information, we restrict it to localhost and require
    authentication for all operations.
---
 debian/NEWS  | 16 +++++++++++++++-
 debian/rules |  3 ++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/debian/NEWS b/debian/NEWS
index f0c8eab..2d8698e 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,18 @@
+ganeti (2.11.8-1~precise+1) unstable; urgency=medium
+
+  ganeti-rapi is now bound to the loopback interface by default and anonymous
+  access has been turned off even for read-only operations, to prevent
+  potential disclosure of sensitive cluster information, like in the case of
+  CVE-2015-7945. If you rely on RAPI for external tools, make sure to restore
+  the previous behavior by removing the arguments from /etc/default/ganeti.
+
+  Additionally, RAPI's SSL implementation is vulnerable to a Denial-of-Service
+  attack (CVE-2015-7944) when exposed to public networks. If you intend to run
+  RAPI on a public network, you are advised to place it behind a reverse proxy
+  (e.g. nginx, apache or haproxy) for SSL termination.
+
+ -- Apollon Oikonomopoulos <apoikos at debian.org>  Wed, 30 Dec 2015 15:47:32 +0200
+
 ganeti (2.11.5-1) unstable; urgency=high
 
   Security Release.
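Review bot: the upgrade advice "restore the previous behavior by removing the arguments from /etc/default/ganeti" is too vague for the administrators who will read this at upgrade time; name the arguments the package now sets in RAPI_ARGS (`-b 127.0.0.1 --require-authentication`, per the debian/rules change in this same commit) and recommend dropping only `-b 127.0.0.1` while keeping `--require-authentication`, since removing both reintroduces the anonymous read access the entry itself ties to CVE-2015-7945; the reverse-proxy advice in the second paragraph is the better path for external tools anyway. Also say explicitly whether "by default" covers upgrades: if /etc/default/ganeti is kept as a locally modified configuration file, existing installations will retain their old RAPI_ARGS and only fresh installs get the hardened setting. Minor: the header names distribution "unstable" for a 2.11.8-1~precise+1 upload on the precise branch; check that it matches the changelog entry.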
@@ -168,4 +183,3 @@ ganeti2 (2.0.3-1) unstable; urgency=low
   installing this package.
 
  -- Iustin Pop <iusty at k1024.org>  Sat, 25 Jul 2009 12:12:46 +0200
-
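Review bot: removing the trailing blank line at the end of debian/NEWS is an unrelated whitespace change in a security-hardening commit; harmless, but it would be cleaner kept out of this commit so the diff matches the commit message.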
diff --git a/debian/rules b/debian/rules
index 3c06b1b..72b22f4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -82,7 +82,8 @@ override_dh_install-indep:
 
 	cp $(CURDIR)/doc/examples/ganeti.initd $(CURDIR)/debian/ganeti.init
 	cp $(CURDIR)/doc/examples/ganeti.cron $(CURDIR)/debian/ganeti.cron.d
-	cp $(CURDIR)/doc/examples/ganeti.default $(CURDIR)/debian/ganeti.default
+	sed -e 's/^RAPI_ARGS=.*/RAPI_ARGS="-b 127.0.0.1 --require-authentication"/' \
+		$(CURDIR)/doc/examples/ganeti.default > $(CURDIR)/debian/ganeti.default
 
 	# Dummy Python module for the RAPI client
 	# Add missing bits to ganeti and python-ganeti-rapi.
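Review bot: the substitution `sed -e 's/^RAPI_ARGS=.*/RAPI_ARGS="-b 127.0.0.1 --require-authentication"/'` silently does nothing if doc/examples/ganeti.default has no line starting exactly with `RAPI_ARGS=` (for example if a future upstream ships it commented out as `#RAPI_ARGS=` or renames the variable), so the package would ship an unhardened default and the build would still succeed. Add a check right after the redirect so the build fails when the hardening was not applied, e.g. `grep -q -- '--require-authentication' $(CURDIR)/debian/ganeti.default`, and consider `sed -n` with a match counter or an explicit `test` if you want a clearer error message.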

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ganeti/ganeti.git
