[GeoNode-users] [GeoNode-devel] Urgent GeoNode Security Notice

Patrick Dufour pjdufour.dev at gmail.com
Thu Mar 30 07:14:21 PDT 2017


Alessio,

Good idea.  Yes, I'll create GitHub issues to add the missing information
to the official docs with the exact page TBD.

In addition to docs and ansible, would it be useful to add a bootstrap
alert to the site-base template for logged in admins that straight up says:
"Your instance is not secure. Please consult the docs at XYZ to change
default passwords."?  It could run a few checks to make sure the 3 accounts
have non-default passwords. That way it would be really hard for system
admins to forget to update.  Like Google Chrome does when you need to
update.

Regards,
Patrick Dufour

On Wed, Mar 29, 2017 at 12:13 PM, Alessio Fabiani <
alessio.fabiani at geo-solutions.it> wrote:

> Yep, thanks Patrick, there is official documentation warning about this.
> Can you also double check that all your controls are stated there?
>
> http://docs.geonode.org/en/master/tutorials/admin/geoserver_geonode_security/index.html#geonode-and-geoserver-a-a-interaction
>
>
>
> Best Regards,
> Alessio Fabiani.
>
> ==
> GeoServer Professional Services from the experts!
> Visit http://goo.gl/it488V for more information.
> ==
>
> Ing. Alessio Fabiani
> @alfa7691
> github <https://github.com/afabiani?tab=overview>
> Founder/Technical Lead
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A
> 55054  Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax:     +39 0584 1660272
> mob:   +39 331 6233686
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
> *NOTICE PURSUANT TO Legislative Decree 196/2003*
>
> The information contained in this e-mail message and/or in the attached
> file(s) is to be considered strictly confidential. Its use is permitted
> exclusively to the addressee of the message, for the purposes indicated in
> the message itself. Should you receive this message without being its
> addressee, we kindly ask you to notify us by e-mail and to destroy the
> message, deleting it from your system. Retaining the message, disclosing it
> even in part, distributing it to other parties, copying it, or using it for
> other purposes constitutes conduct contrary to the principles laid down by
> Legislative Decree 196/2003.
>
>
>
> The information in this message and/or attachments, is intended solely for
> the attention and use of the named addressee(s) and may be confidential or
> proprietary in nature or covered by the provisions of privacy act
> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
> Code). Any use not in accord with its purpose, any disclosure, reproduction,
> copying, distribution, or either dissemination, either whole or partial, is
> strictly forbidden except previous formal approval of the named
> addressee(s). If you are not the intended recipient, please contact
> immediately the sender by telephone, fax or e-mail and delete the
> information in this message that has been received in error. The sender
> does not give any warranty or accept liability as the content, accuracy or
> completeness of sent messages and accepts no responsibility for changes
> made after they were sent or for other risks which arise as a result of
> e-mail transmission, viruses, etc.
>
> ---------------------------------------------------------------------
>
> On Wed, Mar 29, 2017 at 6:12 PM, Jeffrey Johnson <jeff at terranodo.io>
> wrote:
>
>> I reverted your changes to the ansible role. It is not appropriate for
>> you to merge your own (huge) PRs by yourself without review from other
>> contributors who rely on this role. I've also locked down the branch
>> so this does not happen again in the future.
>>
>> Thanks for the info on the security issue ...
>>
>> On Wed, Mar 29, 2017 at 9:05 AM, Patrick Dufour <pjdufour.dev at gmail.com>
>> wrote:
>> > All --
>> >
>> > I was notified by a colleague of a critical security issue with
>> > GeoNode.  It expanded from there.  I worked through multiple security
>> > issues and developed patches (ansible and manual tasks).  The primary
>> > issue is that the default GeoServer can be easily rooted with a public
>> > master password.  For instance, the GeoServer on our demo instance can be
>> > rooted.  This is an issue with deployment and doesn't require any changes
>> > to the core Django codebase.
>> >
>> > If you have a custom GeoServer WAR or highly-custom downstream project,
>> > you may not be affected, but very much worth double checking as soon as
>> > you can.
>> >
>> > I've created a GeoNode Security guide for manually fixing the issues,
>> > which can be completed in less than an hour.  See the goo.gl link below,
>> > which points to a GitHub gist.
>> >
>> > https://goo.gl/rJn1Tq
>> >
>> > In particular, this guide covers how to secure your (1) Django admin,
>> > (2) GeoServer admin, and (3) GeoServer root accounts (yes, you need to
>> > secure 3 separate admin-level accounts).
>> >
>> > I've also updated the public Ansible role on GitHub, so you can
>> > immediately use that by cloning it.  The ansible and manual tasks are
>> > complete patches for the security issues specifically referenced, but do
>> > not cover all GeoNode security best practices.
>> >
>> > Regards,
>> > Patrick Dufour
>> >
>> > _______________________________________________
>> > geonode-devel mailing list
>> > geonode-devel at lists.osgeo.org
>> > https://lists.osgeo.org/mailman/listinfo/geonode-devel
>> >
>> > _______________________________________________
>> > geonode-devel mailing list
>> > geonode-devel at lists.osgeo.org
>> > https://lists.osgeo.org/mailman/listinfo/geonode-devel
>> >
>>
>>
>>
>> --
>> Jeffrey Johnson
>> Managing Principal
>> p: 17602089488
>> e: jeff at terranodo.io
>> w: terranodo.io
>>
>
>
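The check behind the admin alert Patrick proposes in his reply at the top of this thread, as an added example that is not code from the thread or from GeoNode: it verifies Django-style PBKDF2 password hashes in pure Python (so it runs without Django installed) and builds the template context the alert would render for logged-in admins. The default password, salt, and account records are constructed placeholders; the GeoServer admin and root accounts live outside Django's auth table and are not covered here.

```python
import base64
import hashlib
import hmac

# Constructed placeholder for the factory default an operator must replace;
# GeoNode's real default password is deliberately not reproduced here.
DEFAULT_PASSWORDS = {"admin": "PLACEHOLDER_DEFAULT_ADMIN_PW"}


def verify_pbkdf2_sha256(encoded, password):
    """Check a password against a Django 'pbkdf2_sha256$iter$salt$hash' string."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher: %s" % algorithm)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(base64.b64encode(derived).decode("ascii"), digest)


def make_pbkdf2_sha256(password, salt="constructedsalt", iterations=36000):
    """Encode a password in Django's default hasher format (used only to build sample data)."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(derived).decode("ascii"))


def accounts_with_default_password(accounts):
    """Return usernames whose stored hash still matches their factory default."""
    return [
        username
        for username, encoded in accounts.items()
        if username in DEFAULT_PASSWORDS and verify_pbkdf2_sha256(encoded, DEFAULT_PASSWORDS[username])
    ]


def security_alert_context(accounts, docs_url):
    """Template context for the admin-only alert: set only while a default is still in use."""
    insecure = accounts_with_default_password(accounts)
    message = ""
    if insecure:
        message = ("Your instance is not secure. Accounts still using default passwords: %s. "
                   "Please consult the docs at %s to change default passwords."
                   % (", ".join(insecure), docs_url))
    return {"show_security_alert": bool(insecure), "security_alert_message": message}


if __name__ == "__main__":
    # Constructed sample: the admin account still carries the placeholder default.
    sample_accounts = {"admin": make_pbkdf2_sha256(DEFAULT_PASSWORDS["admin"])}
    print(security_alert_context(sample_accounts, "https://example.invalid/docs"))
```

In a real deployment the `accounts` mapping would come from `auth_user.username`/`auth_user.password`, and the context would be exposed through a context processor so the site-base template can render the alert only when `show_security_alert` is set.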