Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 6 Apr 2016 16:54:36 -0400
From: Randy Barlow <rbarlow@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Subject: Pulp 2.8.2 release for CVE-2016-3095

CVE-2016-3095 was discovered in Pulp's pulp-gen-ca-certificate script.
This script generates the CA certificate that Pulp uses to sign client
certificates during the /login call. The private key was created in a
world-readable folder in /tmp, and was then moved to its final
destination where a chmod operation would protect it. This created a
brief window where a local attacker could read the CA key before it
was put into use.

This script is run during the installation of Pulp by the RPM post
script,
and can also be run by users any time they wish to regenerate the CA
certificate.

The fix was a single line adjustment that sets the mode on the folder
in /tmp to be 0700 instead of 0755:

https://github.com/pulp/pulp/commit/
9f969b94c4b4f310865455d36db207de6cffebca#diff-
fc698b450b32a4d811f269e108ade790R33

Users are encouraged to upgrade to the 2.8.2 release, and then re-
run the pulp-gen-ca-certificate script to generate a new CA. It is
advised to restart all Pulp processes (and httpd) after the new CA is in
place. After this is done, any existing client certificates will be
invalidated, so users will need to use pulp-admin login to generate
new credentials.

Users who do not use Pulp's client certificate authentication system
are not affected.

Thanks to Adam Mariš for advising the Pulp team through the
disclosure process, and to Sean Myers for a speedy code review and
for performing the release process.

-- 
Randy Barlow
irc:   bowlofeggs

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.