Date: Thu, 19 May 2016 16:41:56 -0400
From: Randy Barlow <>
Subject: Pulp 2.8.3 Released to address multiple CVEs

Pulp 2.8.3 has been released to address multiple CVEs:

CVE-2016-3111 (Low Impact):
pulp.spec generates its RSA keys for message signing insecurely

CVE-2016-3112 (Moderate Impact):
Pulp consumer private keys are world-readable

CVE-2016-3107 (Moderate Impact):
Node certificate containing private key stored in world-readable file

CVE-2016-3108 (Moderate Impact):
Insecure temporary file used when generating certificate for Pulp Nodes

CVE-2016-3106 (Low Impact):
Insecure creation of temporary directory when generating new CA key

Additionally, CVE-2013-7450[0] was announced during this release cycle
even though it was fixed in Pulp 2.3.0. Users who have upgraded from
Pulp < 2.3.0 may still be vulnerable; action may be required.

Users should read the release notes[1] and the mailing list
announcement[2] to learn more.

Thanks to Florian Weimer, Sander Bos, and Jeremy Cline for reporting
these issues and submitting patches.


Randy Barlow
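Three of the five CVEs above are file-permission problems (private keys and node certificates left world-readable, temporary files and directories created insecurely). The script below is an added example, not Pulp's own code or part of the 2.8.3 fix: it walks a directory tree, reports regular files that are world-readable and contain a PEM private-key block, and tightens them to owner-only access. It assumes a Linux filesystem where the permission bits reported by os.stat() are meaningful; the sample files and the Pulp-like paths (consumer/, nodes/, ca/) are constructed inline so that it runs offline and do not correspond to Pulp's real layout.

```python
"""Audit a tree for world-readable files that carry PEM private keys.

Added example, not Pulp project code. Assumes Linux permission semantics.
The sample tree is constructed by build_fixture() so the script runs offline.
"""
import os
import stat
import tempfile

# Present in PKCS#1 ("RSA PRIVATE KEY"), PKCS#8 ("PRIVATE KEY") and EC key blocks.
PEM_PRIVATE_MARKER = b"PRIVATE KEY"


def is_world_readable(path):
    """True if path is a regular file with the 'other' read bit set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IROTH)


def contains_private_key(path):
    """True if the file body carries a PEM private-key block."""
    try:
        with open(path, "rb") as fh:
            return PEM_PRIVATE_MARKER in fh.read()
    except OSError:
        return False


def find_world_readable_private_keys(root):
    """Return sorted paths (relative to root) of world-readable private-key files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_world_readable(full) and contains_private_key(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def harden(path):
    """Restrict a key file to owner read/write; return the resulting permission bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def harden_all(root):
    """Harden every finding under root; return sorted (relative path, new mode) pairs."""
    return [(rel, harden(os.path.join(root, rel)))
            for rel in find_world_readable_private_keys(root)]


# Constructed sample material: the bodies are placeholders, not real key material.
SAMPLE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"MIIBOgIBAAJBAK... constructed placeholder, not a real key ...\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_CERT = (b"-----BEGIN CERTIFICATE-----\n"
               b"MIIB... constructed placeholder, not a real certificate ...\n"
               b"-----END CERTIFICATE-----\n")


def build_fixture():
    """Create a private temp tree with the sample files and return its root.

    mkdtemp() creates the directory atomically with mode 0700, which is the
    safe pattern for temporary directories. Hypothetical layout:
      consumer/consumer.key  0644  private key           -> finding
      nodes/node.crt         0644  cert with bundled key -> finding
      nodes/node.key         0600  private key           -> ok
      ca/ca.crt              0644  certificate only      -> ok
    """
    root = tempfile.mkdtemp(prefix="pulp-audit-")
    layout = {
        "consumer/consumer.key": (SAMPLE_KEY, 0o644),
        "nodes/node.crt": (SAMPLE_CERT + SAMPLE_KEY, 0o644),
        "nodes/node.key": (SAMPLE_KEY, 0o600),
        "ca/ca.crt": (SAMPLE_CERT, 0o644),
    }
    for rel, (body, mode) in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
        os.chmod(full, mode)  # explicit chmod: unlike open(), not masked by umask
    return root


if __name__ == "__main__":
    root = build_fixture()
    for rel, new_mode in harden_all(root):
        print("world-readable private key: %s -> now mode %o" % (rel, new_mode))
```

Point it at a real tree (for a Pulp install, wherever the consumer and node certificates live on your system) by calling find_world_readable_private_keys() on that path before deciding to harden anything; the content check matters because a certificate file is normally meant to be readable, and only becomes a problem when a private key is bundled into it, as in the node-certificate CVE above.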
