Bug 1193673 (hardcoded_test_creds) - AUDIT-FIND: COBBLER - hardcoded password for testing
Summary: AUDIT-FIND: COBBLER - hardcoded password for testing
Status: RESOLVED FIXED
Alias: hardcoded_test_creds
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Enhancement
Target Milestone: ---
Assignee: Enno Gotthold
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 1191952
  Show dependency treegraph
 
Reported: 2021-12-13 13:36 UTC by Paolo Perego
Modified: 2024-01-17 09:24 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 5 Thomas Leroy 2022-02-04 15:28:58 UTC 
It seems that the following codestreams contain the default user:pass :
- SUSE:SLE-11-SP3:Update/cobbler	
- SUSE:SLE-11-SP3:Update:Products:ManagerToolsBeta:Update/cobbler	
- SUSE:SLE-12:Update/cobbler 
- SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update/cobbler 	
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/cobbler	
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update/cobbler	
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update/cobbler
- openSUSE:Factory/cobbler
- openSUSE:Backports:SLE-15-SP3/cobbler
- openSUSE:Backports:SLE-15-SP4:Update/cobbler

Koan doesn't seem to be affected.
Comment 6 Julio González Gil 2022-02-04 16:17:00 UTC 
I guess https://build.opensuse.org/project/show/systemsmanagement:Uyuni:Master (upstream for SUSE Manager, and mostly maintained by SUSE, together wit hthe community) is affected as well?
Comment 10 OBSbugzilla Bot 2022-02-18 11:50:16 UTC 
This is an autogenerated message for OBS integration:
This bug (1193673) was mentioned in
https://build.opensuse.org/request/show/955837 Backports:SLE-15-SP3 / cobbler
Comment 11 Swamp Workflow Management 2022-02-18 14:29:37 UTC 
SUSE-SU-2022:0510-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1193671,1193673,1193675,1193676,1193678,1195906,1195918
CVE References: CVE-2021-45082,CVE-2021-45083
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    cobbler-3.0.0+git20190806.32c4bae0-8.22.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-02-18 14:32:08 UTC 
SUSE-SU-2022:0509-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1193671,1193673,1193675,1193676,1193678,1195906,1195918
CVE References: CVE-2021-45082,CVE-2021-45083
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    cobbler-3.1.2-150300.5.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Paolo Perego 2022-02-18 14:40:52 UTC 
Fiexd in upstream commit: https://github.com/cobbler/cobbler/commit/fc36b7c8a9e5e1a64273e6e222974f8f9b000af5
Comment 14 Swamp Workflow Management 2022-03-01 20:20:32 UTC 
openSUSE-SU-2022:0062-1: An update that solves 6 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1184561,1185679,1186124,1189458,1193671,1193673,1193675,1193676,1193678,1194333,1195906,1195918
CVE References: CVE-2021-40323,CVE-2021-40324,CVE-2021-40325,CVE-2021-45082,CVE-2021-45083,CVE-2021-45942
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    openexr-2.2.1-3.41.1
openSUSE Backports SLE-15-SP3 (src):    cobbler-3.1.2-bp153.2.3.1