Date: Thu, 19 May 2016 16:41:56 -0400
From: Randy Barlow <randy@...ctronsweatshop.com>
To: oss-security@...ts.openwall.com
Subject: Pulp 2.8.3 Released to address multiple CVEs

Pulp 2.8.3 has been released to address multiple CVEs:

CVE-2016-3111 (Low Impact):
pulp.spec generates its RSA keys for message signing insecurely
https://pulp.plan.io/issues/1837

CVE-2016-3112 (Moderate Impact):
Pulp consumer private keys are world-readable
https://pulp.plan.io/issues/1834

CVE-2016-3107 (Moderate Impact):
Node certificate containing private key stored in world-readable file
https://pulp.plan.io/issues/1833

CVE-2016-3108 (Moderate Impact):
Insecure temporary file used when generating certificate for Pulp Nodes
https://pulp.plan.io/issues/1830

CVE-2016-3106 (Low Impact):
Insecure creation of temporary directory when generating new CA key
https://pulp.plan.io/issues/1827
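
The two weakness classes listed above (private keys left world-readable; temporary files and directories created insecurely) are illustrated below as an added example that is not Pulp's code: an audit check that flags key files readable by group or other, beside a hardened writer that creates the file with an exclusive open and mode 0o600 inside an mkdtemp directory. File names and the PEM contents are constructed for the demo.

```python
"""Added example (not Pulp's code): audit for world-readable key files and a
hardened create-then-write pattern. All paths and PEM bytes are constructed."""
import os
import stat
import tempfile

# Permission bits that expose a secret to anyone other than its owner.
_GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def is_world_or_group_readable(path: str) -> bool:
    """True if the file at ``path`` grants read access beyond its owner."""
    return bool(os.lstat(path).st_mode & _GROUP_OR_OTHER_READ)


def find_exposed_secrets(paths) -> list:
    """Audit helper: every existing path whose mode exposes it to group/other."""
    return [p for p in paths if os.path.exists(p) and is_world_or_group_readable(p)]


def write_private_key_securely(directory: str, name: str, pem: bytes) -> str:
    """Write key material so it is never readable by others, even briefly.

    O_CREAT|O_EXCL fails if the path already exists (no pre-created file or
    symlink can be followed), and mode 0o600 is applied at creation time, so
    there is no window in which the file exists with a permissive mode.
    """
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, pem)
    finally:
        os.close(fd)
    return path


def demo() -> dict:
    """Create one exposed and one hardened key file, then audit both."""
    # mkdtemp creates the directory with an unpredictable name and mode 0o700,
    # the fix for a predictable, shared temporary directory.
    workdir = tempfile.mkdtemp(prefix="keyaudit-")
    # Insecure pattern: plain open() honours the umask, often leaving 0o644.
    insecure = os.path.join(workdir, "consumer.key.insecure")
    with open(insecure, "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(insecure, 0o644)  # make the exposure explicit regardless of umask
    secure = write_private_key_securely(workdir, "consumer.key", b"CONSTRUCTED PEM")
    return {"exposed": find_exposed_secrets([insecure, secure]), "secure": secure}
```

Running `demo()` reports only the `consumer.key.insecure` file as exposed; the same audit function can be pointed at a real installation's key and certificate paths.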

Additionally, CVE-2013-7450[0] was announced during this release cycle
even though it was fixed in Pulp 2.3.0. Users who have upgraded from
Pulp < 2.3.0 may still be vulnerable; action may be required.

Users should read the release notes[1] and the mailing list
announcement[2] to learn more.

Thanks to Florian Weimer, Sander Bos, and Jeremy Cline for reporting
these issues and submitting patches.


[0] https://bugzilla.redhat.com/show_bug.cgi?id=1003326
[1] http://pulp.readthedocs.io/en/latest/user-guide/release-notes/2.8.x.html#pulp-2-8-3
[2] https://www.redhat.com/archives/pulp-list/2016-May/msg00054.html

-- 
Randy Barlow


