[GeoNode-devel] Urgent GeoNode Security Notice

[Jeffrey Johnson]

I reverted your changes to the ansible role. It is not appropriate for
you to merge your own (huge) PRs by yourself without review from other
contributors who rely on this role. I've also locked down the branch
so this does not happen again in the future.

Thanks for the info on the security issue ...

On Wed, Mar 29, 2017 at 9:05 AM, Patrick Dufour <pjdufour.dev at gmail.com> wrote:
> All --
>
> I was notified by a colleague to a critical security issue with GeoNode.  It
> expanded from there.  I worked through multiple security issues and
> developed patches (ansible and manual tasks).  The primary issue is that the
> default GeoServer can be easily rooted with a public master password.  For
> instance, the GeoServer on our demo instance, can be rooted.  This is an
> issue with deployment and doesn't require any changes to the core Django
> codebase.
>
> If you have a custom GeoServer WAR or highly-custom downstream project, you
> may not be affected, but very much worth double checking as soon as you can.
>
> I've created a GeoNode Security guide for manually fixing the issues, which
> can be completed in less than an hour.  See the goo.gl link below, which
> points to a GitHub gist.
>
> https://goo.gl/rJn1Tq
>
> In particular, this guide covers how to secure your (1) Django admin, (2)
> GeoServer admin, and (3) GeoServer root accounts (yes, you need to secure 3
> separate admin-level accounts).
>
> I've also updated the public Ansible role on GitHub, so you can immediately
> use that by cloning it.  The ansible and manual tasks are complete patches
> for the security issues specifically referenced, but do not cover all
> GeoNode security best practices.
>
> Regards,
> Patrick Dufour
>
> _______________________________________________
> geonode-devel mailing list
> geonode-devel at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geonode-devel
>



-- 
Jeffrey Johnson
Managing Principal
p: 17602089488
e: jeff at terranodo.io
w: terranodo.io