Date: Wed, 6 Apr 2016 16:54:36 -0400
From: Randy Barlow <rbarlow@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Subject: Pulp 2.8.2 release for CVE-2016-3095

CVE-2016-3095 was discovered in Pulp's pulp-gen-ca-certificate script. This script generates the CA certificate that Pulp uses to sign client certificates during the /login call. The private key was created in a world-readable folder in /tmp, and was then moved to its final destination where a chmod operation would protect it. This created a brief window where a local attacker could read the CA key before it was put into use. This script is run during the installation of Pulp by the RPM post script, and can also be run by users any time they wish to regenerate the CA certificate.

The fix was a single line adjustment that sets the mode on the folder in /tmp to be 0700 instead of 0755:

https://github.com/pulp/pulp/commit/9f969b94c4b4f310865455d36db207de6cffebca#diff-fc698b450b32a4d811f269e108ade790R33

Users are encouraged to upgrade to the 2.8.2 release, and then re-run the pulp-gen-ca-certificate script to generate a new CA. It is advised to restart all Pulp processes (and httpd) after the new CA is in place. After this is done, any existing client certificates will be invalidated, so users will need to use pulp-admin login to generate new credentials.

Users who do not use Pulp's client certificate authentication system are not affected.

Thanks to Adam Mariš for advising the Pulp team through the disclosure process, and to Sean Myers for a speedy code review and for performing the release process.

--
Randy Barlow
irc: bowlofeggs
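The pattern behind this CVE, shown as an added illustration rather than Pulp's own pulp-gen-ca-certificate code: a key generated inside a 0755 temporary directory (and with a typical 022 umask) is readable by other local users until the later move and chmod, while a directory created as 0700 under umask 077 leaves no such window. Directory names and the placeholder key content are constructed for this example; openssl is used only when it is installed.

```shell
#!/bin/sh
# Added example, not Pulp's pulp-gen-ca-certificate: the weak "create the key
# in a 0755 temp directory, lock it down later" pattern next to a 0700 version.
# Paths and the placeholder key content are constructed for this example.

# Succeeds (exit 0) when any "other" permission bit of $1 is set, i.e. when
# a local user outside the owner/group can traverse or read it.
world_accessible() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# Writes the CA private key as $1/ca.key. Uses openssl when present, else a
# constructed placeholder so the example still runs offline.
make_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    else
        printf '%s\n' '-----CONSTRUCTED PLACEHOLDER KEY-----' > "$1/ca.key"
    fi
}

# Pre-fix pattern: the directory is 0755 and files inherit a typical 022
# umask, so the key sits in a world-traversable directory until it is moved
# and chmod'ed. Prints the directory path.
weak_gen_ca() {
    saved=$(umask); umask 022
    dir="${TMPDIR:-/tmp}/ca-example-weak.$$"
    mkdir -m 0755 "$dir"
    make_key "$dir"
    umask "$saved"
    printf '%s\n' "$dir"
}

# Fixed pattern: the directory is 0700 from the instant it exists and umask
# 077 makes the key itself 0600, so there is no window to close afterwards.
safe_gen_ca() {
    saved=$(umask); umask 077
    dir="${TMPDIR:-/tmp}/ca-example-safe.$$"
    mkdir -m 0700 "$dir"
    make_key "$dir"
    umask "$saved"
    printf '%s\n' "$dir"
}
```

Running `world_accessible` against the directory each function prints shows the difference directly; remove the directories afterwards with rm -rf.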