<div dir="ltr">Thnx4info.<span style="line-height:1.5">TUR</span></div><br><div class="gmail_quote"><div dir="ltr">sob., 25.06.2016 o 15:43 użytkownik Patrick Uiterwijk <<a href="mailto:puiterwijk@redhat.com">puiterwijk@redhat.com</a>> napisał:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear Fedora mirror admins,<br>
<br>
We recently performed a security audit of the mirrormanager server<br>
code. During this audit, we noticed the endpoint used by<br>
report_mirror[1] had a security-related flaw inherent to the data<br>
format it uses. Note that the security issue is on the server side.<br>
Our audit did not reveal any security issues on the mirror side.<br>
<br>
Currently this endpoint uses the Python pickle format, and we would<br>
like to move this to a JSON-formatted checkin object. We have<br>
modified the server to support both formats, to allow an easy<br>
transition.<br>
<br>
We would like to ask any mirror admins running report_mirror to<br>
either:<br>
1. Update the mirrormanager-client package to version 1.4.4-5 if you get<br>
report_mirror from there<br>
2. Update the report_mirror script by grabbing a new copy from [1]<br>
3. Manually edit the report_mirror script, replacing all four occurrences of the<br>
string "pickle" with the string "json".<br>
<br>
We will be allowing both formats for at least two weeks, after which we will<br>
assess whether we need to allow more migration time, or will disable the<br>
pickle based checkin mechanism.<br>
<br>
This issue has been assigned CVE-2016-1000003.<br>
<br>
[1]: <a href="https://git.fedorahosted.org/cgit/mirrormanager/tree/client" rel="noreferrer" target="_blank">https://git.fedorahosted.org/cgit/mirrormanager/tree/client</a><br>
<br>
With kind regards,<br>
Patrick Uiterwijk<br>
Security Officer, Fedora Infrastructure<br>
<br>
--<br>
</blockquote></div>
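The announcement above describes a server-side fix: the checkin endpoint stops trusting pickle and accepts JSON, with both formats allowed during the transition. The following is an added example of what a dual-format checkin parser can look like on the server side during such a transition; it is not mirrormanager's own code, and the field names and the `fmt` selector are assumptions for illustration. The legacy pickle path is wrapped in a restricted Unpickler that refuses every global lookup, so only plain data structures can be loaded while old clients migrate.

```python
import io
import json
import pickle

# Assumed field set for a checkin (illustrative, not mirrormanager's schema).
REQUIRED_KEYS = {"name", "version", "categories"}


class RestrictedUnpickler(pickle.Unpickler):
    """Legacy-format loader that refuses to resolve any global name.

    pickle's danger is that a stream can name arbitrary callables to run on
    load; refusing every find_class() leaves only plain data (dicts, lists,
    strings, numbers) loadable.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def parse_checkin(body: bytes, fmt: str) -> dict:
    """Parse a report_mirror checkin body in either format into a dict."""
    if fmt == "json":
        data = json.loads(body.decode("utf-8"))
    elif fmt == "pickle":
        # Transition path only: no callables, no class instances.
        data = RestrictedUnpickler(io.BytesIO(body)).load()
    else:
        raise ValueError(f"unsupported checkin format: {fmt}")
    if not isinstance(data, dict) or not REQUIRED_KEYS <= set(data):
        raise ValueError("checkin is missing required fields")
    return data


def demo() -> tuple:
    """Exercise all three paths on constructed sample checkins."""
    record = {"name": "mirror.example.org", "version": "1.4.4", "categories": {}}
    json_body = json.dumps(record).encode("utf-8")      # new client
    legacy_body = pickle.dumps(record)                   # old client, plain data
    hostile_body = pickle.dumps(object())                # needs a global lookup
    try:
        parse_checkin(hostile_body, "pickle")
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return (parse_checkin(json_body, "json")["name"],
            parse_checkin(legacy_body, "pickle")["version"],
            rejected)


if __name__ == "__main__":
    print(demo())
```

Logging which format each client still uses gives the operators the migration data the announcement says they will assess after two weeks.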