
A cobbler security update has been released for Fedora 35.



SECURITY: Fedora 35 Update: cobbler-3.2.2-2.fc35


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-3a640d3d4c
2021-09-29 00:16:07.673853
--------------------------------------------------------------------------------

Name : cobbler
Product : Fedora 35
Version : 3.2.2
Release : 2.fc35
URL : https://cobbler.github.io/
Summary : Boot server configurator
Description :
Cobbler is a network install server. Cobbler supports PXE, ISO
virtualized installs, and re-installing existing Linux machines.
The last two modes use a helper tool, 'koan', that integrates with
cobbler. There is also a web interface 'cobbler-web'. Cobbler's
advanced features include importing distributions from DVDs and rsync
mirrors, kickstart templating, integrated yum mirroring, and built-in
DHCP/DNS Management. Cobbler has an XML-RPC API for integration with
other applications.

--------------------------------------------------------------------------------
Update Information:

* Migrate settings to settings.yaml
* Migrate pre-cobbler 3 data if needed
* Fix autoinstall_templates -> templates

----
Update to 3.2.2

New:
---
* Signatures: Add ESXi 7.0 U1 #2525 #2526 #2442
* AlmaLinux & RockyLinux are now supported
* Signatures: Add generic openSUSE Leap 15 #2508
* Settings: Use .yaml as a file extension #2531
* Settings: Validate what settings we have in the YAML-File #2533 #2419 #2530
* Modules: We now support automatic Windows installations #2466
* Docs: Terraform provider now included #2166 #2528

Changes:
-----
* Web Frontend: Show VMware as a breed #2449
* Logging check fails with SELinux #2440 #2441
* Typing: Convert docstring types to typing types #2564
* ESXi Support: Now partly supported #2541
* ipmitool now is upstream supported by fence_agents via ipmilanplus #2542
* cobbler version remove the b prefix #2543
* We are now using inst.ks instead of ks #2534
* Use the python-file bindings instead of a subprocess call #2482 #2480
* Web Interface: Make new user management more obvious #2484

Bugfixes:
-----
* Remove redundant .json suffix: #2451 #2376 #2545 #2529
* PAM Authentication failures are fixed now: #2400 #2444
* Templating: Fix Cheetah macros #2570 #2509 #2403
* Templating: Fix regex replacements #2513
* Templating: Add http_port to all snippets we are aware of #2058
* API: Have the legacy fields kickstart and ks_meta present at all times. #2311 #2568
* Replicate: revert_strip_none prior adding an object on replicate #2548 #2505
* Replicate: Fix paths during replication #2516
* Web interface: Fix snippet path #2520
* Web interface: Prevent duplicate pathing of snippets #2485
* Fix script path from Cobbler #2479 #2478
* Settings: Add missing rsync flags option #2467 #2468
* Startup: Cobbler starts with sub-profiles now #2259 #2450
* Web: Permissions for /var/lib/cobbler/web.ss #2439 #2452
* Power management: Follow the fence_agent return codes #1491
* cobbler check: Fix dnsmasq check #2155

Other:
----
* Cleanup unused import #2551
* Docs: Improvements at various places #2547 #2481 #2473 #1801 #2228
* Removed unused multi-language support #2532
* Un-categorized improvements #2524 #2464
* Items: Streamline template_types type in all items #2262

Breaking Changes:
----
* Possibly the settings file is not correctly migrated and needs to be manually adjusted.
* Rename settings to settings.yaml
* Add all keys which are missing. List will be available in /var/log/cobbler/cobbler.log.
* We dropped support for CentOS 7 since no full Python 3 stack is available #2515

Fedora
---
* bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection
* bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function
* bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 23 2021 Orion Poplawski - 3.2.2-2
- Migrate settings to settings.yaml
- Migrate pre-cobbler 3 data if needed
- Fix autoinstall_templates -> templates
* Thu Sep 23 2021 Orion Poplawski - 3.2.2-1
- Update to 3.2.2
- bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection
- bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function
- bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings
* Wed Sep 22 2021 Orion Poplawski - 3.2.1-1
- Update to 3.2.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2006840 - CVE-2021-40323 cobbler: Arbitrary File Disclosure/Template Injection via generate_script RPC method
  https://bugzilla.redhat.com/show_bug.cgi?id=2006840
[ 2 ] Bug #2006897 - CVE-2021-40324 cobbler: Arbitrary file write via upload_log_data XMLRPC function
  https://bugzilla.redhat.com/show_bug.cgi?id=2006897
[ 3 ] Bug #2006904 - CVE-2021-40325 cobbler: Authorization bypass allows modifying settings
  https://bugzilla.redhat.com/show_bug.cgi?id=2006904
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-3a640d3d4c' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
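As an added verification step (example code written for this page, not part of the advisory or of the cobbler project), the following Python compares an installed package string such as the output of `rpm -q cobbler` against the fixed build 3.2.2-2.fc35 using rpmvercmp-style segment comparison; it assumes no epoch is in use for cobbler (the sample inputs are constructed).

```python
import re

# Fixed build from this advisory (FEDORA-2021-3a640d3d4c).
FIXED_EPOCH, FIXED_VERSION, FIXED_RELEASE = 0, "3.2.2", "2.fc35"


def _segments(s):
    # rpmvercmp splits a version string into runs of digits and runs of letters;
    # separators such as '.' and '-' are ignored.
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does; returns -1, 0 or 1.
    Assumption: tilde/caret ordering is not needed for these package strings."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1          # a numeric segment is newer than alpha
        if xd:
            x, y = x.lstrip("0") or "0", y.lstrip("0") or "0"
            if len(x) != len(y):            # longer digit run is the larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):                  # remaining segments mean a newer string
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nevr(nevr):
    """Split 'cobbler-3.2.2-2.fc35' (or 'cobbler-1:3.2.2-2.fc35') into parts."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def is_fixed(installed_nevr):
    """True when the installed cobbler build is at or above 3.2.2-2.fc35."""
    name, epoch, version, release = parse_nevr(installed_nevr)
    if name != "cobbler":
        raise ValueError("not a cobbler package: %s" % installed_nevr)
    if epoch != FIXED_EPOCH:
        return epoch > FIXED_EPOCH
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0
```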

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys