Date: Thu, 19 May 2016 16:41:56 -0400
From: Randy Barlow <randy@...ctronsweatshop.com>
To: oss-security@...ts.openwall.com
Subject: Pulp 2.8.3 Released to address multiple CVEs

Pulp 2.8.3 has been released to address multiple CVEs:

CVE-2016-3111 (Low Impact): pulp.spec generates its RSA keys for message signing insecurely
https://pulp.plan.io/issues/1837

CVE-2016-3112 (Moderate Impact): Pulp consumer private keys are world-readable
https://pulp.plan.io/issues/1834

CVE-2016-3107 (Moderate Impact): Node certificate containing private key stored in world-readable file
https://pulp.plan.io/issues/1833

CVE-2016-3108 (Moderate Impact): Insecure temporary file used when generating certificate for Pulp Nodes
https://pulp.plan.io/issues/1830

CVE-2016-3106 (Low Impact): Insecure creation of temporary directory when generating new CA key
https://pulp.plan.io/issues/1827

Additionally, CVE-2013-7450 was announced during this release cycle even though it was fixed in Pulp 2.3.0. Users who have upgraded from Pulp < 2.3.0 may still be vulnerable; action may be required.

Users should read the release notes and the mailing list announcement to learn more.

Thanks to Florian Weimer, Sander Bos, and Jeremy Cline for reporting these issues and submitting patches.

https://bugzilla.redhat.com/show_bug.cgi?id=1003326
http://pulp.readthedocs.io/en/latest/user-guide/release-notes/2.8.x.html#pulp-2-8-3
https://www.redhat.com/archives/pulp-list/2016-May/msg00054.html

-- 
Randy Barlow
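Three of the issues above share one root cause: private key material or its scratch space being created with permissions that let other local users read it, or in a predictable location another user could pre-create. The following Python script is an added example, not Pulp project code and not the fix the project shipped; it shows the defender-side check (find key-like files that grant group/other read access) and the two creation patterns that avoid the weakness (`O_CREAT|O_EXCL` with mode 0600 for key files, `tempfile.mkdtemp` for a 0700 working directory). The file suffixes scanned, the directory layout, and the key contents are constructed assumptions for the demo.

```python
"""Added example (not Pulp's own code): audit key-file permissions and show
secure creation patterns for private keys and CA working directories."""
import os
import stat
import tempfile


def world_readable_keys(directory, suffixes=(".key", ".pem", ".crt")):
    """Return sorted relative paths of key-like files under `directory`
    whose mode grants read access to group or others.

    The suffix list is an assumption for this example; adjust it to the
    deployment being audited."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                found.append(os.path.relpath(path, directory))
    return sorted(found)


def write_private_key(path, pem_bytes):
    """Create `path` with mode 0600 at creation time and return that mode.

    O_EXCL makes the call fail if anything already exists at `path`
    (including a symlink planted by another user), and passing the mode to
    os.open avoids the window where a default-umask file is world-readable
    before a later chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(pem_bytes)
    return stat.S_IMODE(os.stat(path).st_mode)


def secure_workdir(prefix="ca-"):
    """Create a private scratch directory for CA/certificate generation.

    mkdtemp uses a random name and mode 0700, so a fixed path under a
    shared /tmp cannot be pre-created or read by another local user."""
    path = tempfile.mkdtemp(prefix=prefix)
    return path, stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario: one leaky key beside one correctly created key."""
    base = tempfile.mkdtemp(prefix="audit-")
    # Simulate the weakness: key written with a permissive mode.
    leaky = os.path.join(base, "consumer.key")
    with open(leaky, "wb") as fh:
        fh.write(b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n")
    os.chmod(leaky, 0o644)
    # The hardened pattern for comparison.
    write_private_key(os.path.join(base, "node.key"), b"CONSTRUCTED")
    return base, world_readable_keys(base)


if __name__ == "__main__":
    base, leaks = demo()
    print("world-readable key files under", base, ":", leaks)
```

Run as a script it prints only `consumer.key`; `node.key`, created through `write_private_key`, is mode 0600 and is not reported. The same `world_readable_keys` walk can be pointed at a real configuration directory after an upgrade to confirm that keys created by an older version were re-permissioned.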