[GeoNode-devel] Urgent GeoNode Security Notice

Alessio Fabiani alessio.fabiani at geo-solutions.it
Wed Mar 29 09:13:26 PDT 2017


Yep, thanks Patrick, there is official documentation warning about this. Can
you also double check that all your controls are stated there?

http://docs.geonode.org/en/master/tutorials/admin/geoserver_geonode_security/index.html#geonode-and-geoserver-a-a-interaction



Best Regards,
Alessio Fabiani.

==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==

Ing. Alessio Fabiani
@alfa7691
github <https://github.com/afabiani?tab=overview>
Founder/Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax:     +39 0584 1660272
mob:   +39 331 6233686

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

*NOTICE PURSUANT TO Legislative Decree 196/2003*

The information contained in this e-mail message and/or in the attached
file(s) is to be considered strictly confidential. Its use is permitted
exclusively to the addressee of the message, for the purposes indicated in
the message itself. If you receive this message without being its addressee,
please kindly notify us by e-mail and destroy the message, deleting it from
your system. Keeping the message, disclosing it even in part, distributing it
to other parties, copying it, or using it for other purposes constitutes
conduct contrary to the principles laid down by Legislative Decree 196/2003.



The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility  for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

---------------------------------------------------------------------

On Wed, Mar 29, 2017 at 6:12 PM, Jeffrey Johnson <jeff at terranodo.io> wrote:

> I reverted your changes to the ansible role. It is not appropriate for
> you to merge your own (huge) PRs by yourself without review from other
> contributors who rely on this role. I've also locked down the branch
> so this does not happen again in the future.
>
> Thanks for the info on the security issue ...
>
> On Wed, Mar 29, 2017 at 9:05 AM, Patrick Dufour <pjdufour.dev at gmail.com>
> wrote:
> > All --
> >
> > I was notified by a colleague of a critical security issue with GeoNode.
> > It expanded from there.  I worked through multiple security issues and
> > developed patches (ansible and manual tasks).  The primary issue is that
> > the default GeoServer can be easily rooted with a public master password.
> > For instance, the GeoServer on our demo instance can be rooted.  This is
> > an issue with deployment and doesn't require any changes to the core
> > Django codebase.
> >
> > If you have a custom GeoServer WAR or highly-custom downstream project,
> > you may not be affected, but very much worth double checking as soon as
> > you can.
> >
> > I've created a GeoNode Security guide for manually fixing the issues,
> > which can be completed in less than an hour.  See the goo.gl link below,
> > which points to a GitHub gist.
> >
> > https://goo.gl/rJn1Tq
> >
> > In particular, this guide covers how to secure your (1) Django admin, (2)
> > GeoServer admin, and (3) GeoServer root accounts (yes, you need to secure
> > 3 separate admin-level accounts).
> >
> > I've also updated the public Ansible role on GitHub, so you can
> > immediately use that by cloning it.  The ansible and manual tasks are
> > complete patches for the security issues specifically referenced, but do
> > not cover all GeoNode security best practices.
> >
> > Regards,
> > Patrick Dufour
> >
> > _______________________________________________
> > geonode-devel mailing list
> > geonode-devel at lists.osgeo.org
> > https://lists.osgeo.org/mailman/listinfo/geonode-devel
> >
>
>
>
> --
> Jeffrey Johnson
> Managing Principal
> p: 17602089488
> e: jeff at terranodo.io
> w: terranodo.io
>
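As an added check for the "3 separate admin-level accounts" point in Patrick's message above (example code written for this page, not part of the thread, the GeoNode security guide, or the Ansible role): it probes a GeoServer's REST API with HTTP Basic credentials and reports which admin-level accounts still accept a default or known password. The assumptions are GeoServer facts not stated in the thread: the REST API is administrator-only by default, `/rest/about/version.json` is a valid REST path, the factory default administrator is `admin` / `geoserver`, and the built-in `root` user authenticates with the master password. No master password value is hard-coded; the caller passes candidate values (for instance, one copied from a public data directory). The Django admin account is not covered here.

```python
"""Probe a GeoServer instance for admin-level accounts that still accept
default or known credentials. Added example, not GeoNode/GeoServer code."""
import base64
import urllib.error
import urllib.request

# Assumed GeoServer facts: the REST API is admin-only by default, this path
# answers with 200 for an administrator, and admin/geoserver is the factory
# default. "root" is GeoServer's built-in super-user whose password is the
# master password; no master password is hard-coded, the caller supplies guesses.
VERSION_PATH = "/rest/about/version.json"
DEFAULT_ADMIN_CREDS = [("admin", "geoserver")]


def basic_auth_header(user, password):
    """Build the HTTP Basic Authorization header value for user:password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def http_status(url, auth_header, timeout=10):
    """Return the HTTP status code of a GET with the given Authorization header."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 401/403 means the credentials were rejected


def probe_accounts(base_url, candidates, fetch=http_status):
    """Try each (user, password) pair against the admin-only REST endpoint.

    Returns the pairs GeoServer accepted (HTTP 200). `fetch` is injectable so
    the logic can be exercised without a live server.
    """
    url = base_url.rstrip("/") + VERSION_PATH
    accepted = []
    for user, password in candidates:
        if fetch(url, basic_auth_header(user, password)) == 200:
            accepted.append((user, password))
    return accepted


def audit(base_url, master_password_guesses=(), fetch=http_status):
    """Check the factory admin account plus root with each master-password guess."""
    candidates = list(DEFAULT_ADMIN_CREDS)
    candidates += [("root", pw) for pw in master_password_guesses]
    hits = probe_accounts(base_url, candidates, fetch=fetch)
    return {"base_url": base_url, "accepted": hits, "exposed": bool(hits)}


if __name__ == "__main__":
    import sys

    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/geoserver"
    guesses = sys.argv[2:]  # candidate master passwords, e.g. one found in a public data dir
    result = audit(base, guesses)
    for user, _ in result["accepted"]:
        print(f"[!] {base}: user '{user}' accepts a default/known password")
    if not result["exposed"]:
        print(f"[ok] {base}: none of the tested credentials were accepted")
```

Run it as `python geoserver_audit.py http://host:8080/geoserver <master-password-candidate ...>`; a `[!]` line for `admin` means the factory password is still in place, and one for `root` means the master password you supplied is live. Rotate both before assuming the deployment is fixed, and repeat the run afterwards to confirm the old values are rejected.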