Thnx4info.TUR
Sat., 25.06.2016 at 15:43, user Patrick Uiterwijk puiterwijk@redhat.com wrote:
Dear Fedora mirror admins,
We recently performed a security audit of the mirrormanager server code. During this audit, we noticed the endpoint used by report_mirror[1] had a security-related flaw inherent to the data format it uses. Note that the security issue is on the server side. Our audit did not reveal any security issues on the mirror side.
Currently this endpoint uses the Python pickle format, and we would like to move this to a JSON-formatted checkin object. We have modified the server to support both formats, to allow an easy transition.
We would like to ask any mirror admins running report_mirror to either:
- Update the mirrormanager-client package to version 1.4.4-5 if you get report_mirror from there
- Update the report_mirror script by grabbing a new copy from [1]
- Manually edit the report_mirror script, replacing all four occurrences of the string "pickle" with the string "json".
We will be allowing both formats for at least two weeks, after which we will assess whether we need to allow more migration time, or will disable the pickle-based checkin mechanism.
This issue has been assigned CVE-2016-1000003.
With kind regards, Patrick Uiterwijk Security Officer, Fedora Infrastructure
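The server-side change the announcement describes, as an added illustration that is not mirrormanager's own code: a checkin handler that accepts only JSON and validates its shape, so that a legacy pickle body is refused rather than unpickled. The field names in CHECKIN_SCHEMA are hypothetical and stand in for the real report_mirror checkin object.

```python
import json
import pickle  # used only to build a sample of the old format; never to load one

# Hypothetical checkin schema for this example (the real checkin object has
# more fields): field name -> required Python type after JSON decoding.
CHECKIN_SCHEMA = {
    "name": str,
    "version": int,
    "categories": dict,
}


class CheckinError(ValueError):
    """Raised when a checkin body is not acceptable JSON."""


def parse_checkin(raw: bytes, max_size: int = 1_000_000) -> dict:
    """Decode a JSON checkin and validate it against CHECKIN_SCHEMA.

    json.loads can only produce str/int/float/bool/None/list/dict, so unlike
    pickle.loads it never instantiates arbitrary classes or runs code.
    """
    if len(raw) > max_size:
        raise CheckinError("checkin body too large")
    try:
        obj = json.loads(raw)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError both subclass ValueError
        raise CheckinError(f"checkin is not valid JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise CheckinError("checkin must be a JSON object")
    unknown = set(obj) - set(CHECKIN_SCHEMA)
    if unknown:
        raise CheckinError(f"unexpected fields: {sorted(unknown)}")
    for field, typ in CHECKIN_SCHEMA.items():
        if field not in obj:
            raise CheckinError(f"missing field: {field}")
        # bool is a subclass of int, so reject it explicitly for int fields
        if not isinstance(obj[field], typ) or isinstance(obj[field], bool):
            raise CheckinError(f"field {field} has wrong type")
    return obj


def encode_checkin(checkin: dict) -> bytes:
    """Client side (the report_mirror change): serialize as JSON, not pickle."""
    return json.dumps(checkin, sort_keys=True).encode("utf-8")


def legacy_pickle_body(checkin: dict) -> bytes:
    """Constructed sample of what the old pickle-based client sent (plain dict only)."""
    return pickle.dumps(checkin, protocol=2)
```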