Bugzilla – Bug 591345
VUL-0: CVE-2010-1507: WebYaST generates installation specific secret key during RPM installation
Last modified: 2013-11-20 07:44:44 UTC
Fixed in git... should this change also go to appliance 1.0???
Good question. Klaus, are you aware of appliances planning to use WebYaST 1.0? Regarding already existing appliances: they already have the key generated, therefore we should inform ISVs? Thomas, your comment would be rather welcome...
The information in the cookie cannot be trusted anymore, and the security impact depends on the application logic and Rails' session management. Because the cookie is the main mechanism for session management and authentication, I would suggest releasing updates (assuming the deployment case of having cloned appliances exists).
(In reply to comment #2)
> Good question. Klaus, are you aware of appliances planning to use WebYaST 1.0?
Yes, Zmanda.
Patch was sent to git (I just cherry-picked, so it is safe). Klaus - do you want to release it separately or wait until we have a stack of fixes? Klaus - do you inform ISVs which already built appliances? (The update works only if they replace the config /srv/www/yastws/config/environment.rb with the one from the update. Then the predefined key is replaced by a new one.)
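An added illustration of the first-boot fix the comments above describe (not WebYaST's own code or patch): every appliance cloned from one image starts with the same Rails session secret in environment.rb, so the script below detects a secret known to be shared and swaps in a fresh per-installation one. The config text, the baked-in secret and the session key name are constructed for the demo.

```ruby
require 'securerandom'
require 'digest'

# Rails 2.x-style session configuration as a WebYaST environment.rb would
# carry it. Key name and secret value are constructed, not the real ones.
IMAGE_CONFIG = <<~RUBY
  config.action_controller.session = {
    :key    => '_yastws_session',
    :secret => 'BAKED_INTO_IMAGE_AT_RPM_INSTALL_0123456789abcdef0123456789abcdef'
  }
RUBY

SECRET_RE = /(:secret\s*=>\s*['"])([^'"]+)(['"])/

# Pull the session secret out of the environment.rb text (nil if absent).
def session_secret(config_text)
  m = config_text.match(SECRET_RE)
  m && m[2]
end

# Secrets known to be shared (e.g. the one found in a shipped appliance image)
# are tracked as SHA-256 fingerprints so the list itself reveals nothing.
def fingerprint(secret)
  Digest::SHA256.hexdigest(secret)
end

# First-boot check: if this installation's secret is one of the shared ones,
# replace it with a freshly generated value. Returns [new_text, rotated?].
def rotate_if_shared(config_text, shared_fingerprints)
  secret = session_secret(config_text)
  return [config_text, false] if secret.nil?
  return [config_text, false] unless shared_fingerprints.include?(fingerprint(secret))
  fresh = SecureRandom.hex(64) # 128 hex chars, the size Rails' own generator uses
  [config_text.sub(SECRET_RE) { "#{$1}#{fresh}#{$3}" }, true]
end

# Two appliances cloned from the same image start with an identical secret,
# so a cookie signed by one validates on the other; after rotation they differ.
def demo
  clone_a = IMAGE_CONFIG.dup
  clone_b = IMAGE_CONFIG.dup
  shared  = [fingerprint(session_secret(IMAGE_CONFIG))]
  a, _ = rotate_if_shared(clone_a, shared)
  b, _ = rotate_if_shared(clone_b, shared)
  { before_equal: session_secret(clone_a) == session_secret(clone_b),
    after_equal:  session_secret(a) == session_secret(b) }
end
```

Running `demo` on a real appliance would be replaced by reading and rewriting /srv/www/yastws/config/environment.rb once, before the web service first starts.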
(In reply to comment #5)
> Patch was sent to git (I just cherry-picked, so it is safe).
> Klaus - do you want to release it separately or wait until we have a stack of fixes?
We can wait up to 1 week, but no longer.
> Klaus - do you inform ISVs which already built appliances?
No. They're supposed to watch for updates regularly.
OK, so I'll wait to see if other issues appear.
CVE-2010-1507
now fixed in running update: 34033
(In reply to comment #5)
> Patch was sent to git (I just cherry-picked, so it is safe).
Here: http://gitorious.org/opensuse/yast-rest-service/commit/55f6d58c9d9cfc5fc690d876f8bac7b20a07c79c
Can this be closed? The yast2-webservice update is covered by bnc#607684.
ok
Update released for: yast2-webclient-patch_updates, yast2-webservice, yast2-webservice-patches
Products: SLE-WEBYAST 1.0 (i386, x86_64)