USN-2105-1: MAAS vulnerabilities
13 February 2014
The cluster could be made to run programs as an administrator.
Releases
Packages
- maas - Ubuntu MAAS Server
Details
James Troup discovered that MAAS stored RabbitMQ authentication
credentials in a world-readable file. A local authenticated user
could read this password and potentially gain privileges of other
user accounts. This update restricts the file permissions to prevent
unintended access. (CVE-2013-1069)
Chris Glass discovered that the MAAS API was vulnerable to cross-site
scripting vulnerabilities. With cross-site scripting vulnerabilities,
if a user were tricked into viewing a specially crafted page, a remote
attacker could exploit this to modify the contents, or steal confidential
data, within the same domain. (CVE-2013-1070)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 13.10
-
maas-region-controller
-
1.4+bzr1693+dfsg-0ubuntu2.3
-
python-django-maas
-
1.4+bzr1693+dfsg-0ubuntu2.3
Ubuntu 12.10
-
maas-region-controller
-
1.2+bzr1373+dfsg-0ubuntu1.2
-
python-django-maas
-
1.2+bzr1373+dfsg-0ubuntu1.2
Ubuntu 12.04
-
maas-region-controller
-
1.2+bzr1373+dfsg-0ubuntu1~12.04.5
-
python-django-maas
-
1.2+bzr1373+dfsg-0ubuntu1~12.04.5
After a standard system update you need to restart apache2 to make all
the necessary changes.