Date: Wed, 6 Apr 2016 16:54:36 -0400
From: Randy Barlow <rbarlow@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Subject: Pulp 2.8.2 release for CVE-2016-3095

CVE-2016-3095 was discovered in Pulp's pulp-gen-ca-certificate script.
This script generates the CA certificate that Pulp uses to sign client
certificates during the /login call. The private key was created in a
world-readable folder in /tmp, and was then moved to its final
destination where a chmod operation would protect it. This created a
brief window where a local attacker could read the CA key before it
was put into use.

This script is run during the installation of Pulp by the RPM post
script, and can also be run by users any time they wish to regenerate
the CA certificate.

The fix was a single line adjustment that sets the mode on the folder
in /tmp to be 0700 instead of 0755:

https://github.com/pulp/pulp/commit/9f969b94c4b4f310865455d36db207de6cffebca#diff-fc698b450b32a4d811f269e108ade790R33
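To make the window concrete, here is an added Python model of the generate-in-/tmp-then-move flow described above (not Pulp's own script): the same function is run with the scratch directory at 0755, which leaves the key readable by any local user until the post-move chmod, and at 0700, which is the fix. The key material is a constructed placeholder, and the umask is pinned to 022 so the result does not depend on the environment.

```python
import os
import shutil
import stat
import tempfile

# Constructed placeholder standing in for the PEM-encoded CA private key.
FAKE_KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"


def mode_bits(path):
    """Permission bits of a path, e.g. 0o700."""
    return stat.S_IMODE(os.stat(path).st_mode)


def other_user_can_read(dir_path, file_path):
    """True if an unrelated local user could open file_path: the directory
    must be searchable by 'other' and the file readable by 'other'."""
    return bool(mode_bits(dir_path) & stat.S_IXOTH) and bool(mode_bits(file_path) & stat.S_IROTH)


def generate_key(final_dir, scratch_mode):
    """Model of the pulp-gen-ca-certificate flow: write the key into a scratch
    directory under the system temp dir, move it into place, then chmod it.
    Returns (final_key_path, exposed); `exposed` records whether another user
    could have read the key while it sat in the scratch directory.
    scratch_mode=0o755 reproduces the CVE-2016-3095 window, 0o700 is the fix."""
    old_umask = os.umask(0o022)        # typical default: the key file is created 0644
    try:
        scratch = tempfile.mkdtemp()   # mkdtemp creates 0700 regardless of umask
        os.chmod(scratch, scratch_mode)  # the vulnerable script widened this to 0755
        key_tmp = os.path.join(scratch, "ca.key")
        with open(key_tmp, "wb") as fh:
            fh.write(FAKE_KEY_PEM)
        # Race window: the key exists but the protective chmod has not run,
        # so only the scratch directory's mode stands between it and other users.
        exposed = other_user_can_read(scratch, key_tmp)
        os.makedirs(final_dir, mode=0o700, exist_ok=True)
        key_final = os.path.join(final_dir, "ca.key")
        shutil.move(key_tmp, key_final)
        os.chmod(key_final, 0o600)     # correct, but too late if `exposed` is True
        shutil.rmtree(scratch, ignore_errors=True)
        return key_final, exposed
    finally:
        os.umask(old_umask)


def demo(scratch_mode):
    """Run generate_key against a throwaway destination and return the exposure flag."""
    dest = tempfile.mkdtemp()
    try:
        return generate_key(os.path.join(dest, "pki"), scratch_mode)[1]
    finally:
        shutil.rmtree(dest, ignore_errors=True)
```

Creating the key file itself with os.open(..., os.O_CREAT | os.O_EXCL, 0o600) would close the window independently of the directory mode, which is worth doing in addition to the 0700 directory.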

Users are encouraged to upgrade to the 2.8.2 release, and then re-run
the pulp-gen-ca-certificate script to generate a new CA. It is
advised to restart all Pulp processes (and httpd) after the new CA is in
place. After this is done, any existing client certificates will be
invalidated, so users will need to use pulp-admin login to generate
new credentials.

Users who do not use Pulp's client certificate authentication system
are not affected.

Thanks to Adam Mariš for advising the Pulp team through the
disclosure process, and to Sean Myers for a speedy code review and
for performing the release process.

-- 
Randy Barlow
irc:   bowlofeggs
