[mirror-admin] Request to update report_mirror script

Tomasz Urbański utom.pl at gmail.com
Mon Jun 27 06:46:05 EDT 2016


Thanks for the info.
TUR

On Sat, 25.06.2016 at 15:43, Patrick Uiterwijk <puiterwijk at redhat.com>
wrote:

> Dear Fedora mirror admins,
>
> We recently performed a security audit of the mirrormanager server
> code.  During this audit, we noticed the endpoint used by
> report_mirror[1] had a security-related flaw inherent to the data
> format it uses.  Note that the security issue is on the server side.
> Our audit did not reveal any security issues on the mirror side.
>
> Currently this endpoint uses the Python pickle format, and we would
> like to move this to a JSON-formatted checkin object.  We have
> modified the server to support both formats, to allow an easy
> transition.
>
> We would like to ask any mirror admins running report_mirror to
> either:
> 1. Update the mirrormanager-client package to version 1.4.4-5 if you get
>    report_mirror from there
> 2. Update the report_mirror script by grabbing a new copy from [1]
> 3. Manually edit the report_mirror script, replacing all four occurrences
>    of the string "pickle" with the string "json".
>
> We will be allowing both formats for at least two weeks, after which we
> will assess whether we need to allow more migration time, or will disable
> the pickle based checkin mechanism.
>
> This issue has been assigned CVE-2016-1000003.
>
> [1]: https://git.fedorahosted.org/cgit/mirrormanager/tree/client
>
> With kind regards,
> Patrick Uiterwijk
> Security Officer, Fedora Infrastructure
>
> --
>
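The client change the announcement asks for (serialise the checkin with json instead of pickle) and the server-side reason for it, as an added Python example written for this page; it is not mirrormanager's or report_mirror's own code. The checkin keys (host, site, dirs) and the hand-built pickle sample are assumptions made for the example, not the real checkin schema. It shows the end state after the migration window: a JSON-only endpoint that validates the shape of what it parses, and that recognises and counts legacy pickle submissions so an operator can tell whether any mirror still needs the client update.

```python
import json

# Constructed sample checkin, loosely modelled on what a mirror reports
# (host name plus the content directories it carries). The keys are an
# assumption for this example, not mirrormanager's real checkin schema.
SAMPLE_CHECKIN = {
    "host": "mirror.example.org",
    "site": "Example Site",
    "dirs": ["pub/fedora/linux/releases/24", "pub/epel/7"],
}

# A pickled empty dict (protocol 2), written out by hand so the example
# needs no pickle import at all; it stands in for a legacy client's payload.
LEGACY_PICKLE_SAMPLE = b"\x80\x02}q\x00."

EXPECTED_KEYS = {"host", "site", "dirs"}


class CheckinError(ValueError):
    """Raised for any checkin the server refuses."""


def encode_checkin(checkin):
    """Client side: the whole of the report_mirror change amounts to
    serialising the checkin object with json instead of pickle."""
    return json.dumps(checkin, sort_keys=True).encode("utf-8")


def looks_like_pickle(raw):
    """Heuristic: leading opcodes of a pickled dict in protocol 0 ('(dp'),
    protocol 1 ('}q') and protocol 2+ (the PROTO marker 0x80). Used only
    to recognise stragglers, never to load them."""
    return raw.startswith((b"\x80", b"(dp", b"}q"))


def decode_checkin(raw):
    """Server side: json.loads can only yield dicts, lists, strings,
    numbers, booleans and None, so unlike pickle.loads it cannot be made
    to construct arbitrary objects. The shape is still validated, because
    'safe to parse' is not the same as 'well-formed for this endpoint'."""
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise CheckinError("payload is not valid JSON: %s" % exc)
    if not isinstance(obj, dict):
        raise CheckinError("checkin must be a JSON object")
    missing = EXPECTED_KEYS - set(obj)
    extra = set(obj) - EXPECTED_KEYS
    if missing or extra:
        raise CheckinError("missing keys %s, unexpected keys %s"
                           % (sorted(missing), sorted(extra)))
    if not isinstance(obj["host"], str) or not isinstance(obj["site"], str):
        raise CheckinError("host and site must be strings")
    if not isinstance(obj["dirs"], list) or not all(
            isinstance(d, str) for d in obj["dirs"]):
        raise CheckinError("dirs must be a list of strings")
    return obj


def new_stats():
    """Counters an operator can watch during and after the migration."""
    return {"accepted": 0, "legacy_pickle_refused": 0, "malformed": 0}


def handle_checkin(raw, stats):
    """Endpoint logic once the migration window has closed: JSON only.
    Legacy pickle submissions are refused but counted in stats so the
    operator can see whether any mirror still runs the old client."""
    if looks_like_pickle(raw):
        stats["legacy_pickle_refused"] += 1
        return ("rejected",
                "pickle checkins are no longer accepted; update report_mirror")
    try:
        checkin = decode_checkin(raw)
    except CheckinError as exc:
        stats["malformed"] += 1
        return ("rejected", str(exc))
    stats["accepted"] += 1
    return ("accepted", checkin)


if __name__ == "__main__":
    stats = new_stats()
    print(handle_checkin(encode_checkin(SAMPLE_CHECKIN), stats))
    print(handle_checkin(LEGACY_PICKLE_SAMPLE, stats))
    print(handle_checkin(b'{"host": 1}', stats))
    print(stats)
```

During the two-week window described above, a server would instead route payloads that `looks_like_pickle` flags to the old loader; the counter is what tells you when that branch can be removed.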