Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 6 Apr 2016 16:54:36 -0400
From: Randy Barlow <>
To: OSS Security <>
Subject: Pulp 2.8.2 release for CVE-2016-3095

CVE-2016-3095 was discovered in Pulp's pulp-gen-ca-certificate script.
This script generates the CA certificate that Pulp uses to sign client
certificates during the /login call. The private key was created in a
world-readable folder in /tmp, and was then moved to its final
destination where a chmod operation would protect it. This created a
brief window where a local attacker could read the CA key before it
was put into use.

This script is run during the installation of Pulp by the RPM post
and can also be run by users any time they wish to regenerate the CA

The fix was a single line adjustment that sets the mode on the folder
in /tmp to be 0700 instead of 0755:

Users are encouraged to upgrade to the 2.8.2 release, and then re-
run the pulp-gen-ca-certificate script to generate a new CA. It is
advised to restart all Pulp processes (and httpd) after the new CA is in
place. After this is done, any existing client certificates will be
invalidated, so users will need to use pulp-admin login to generate
new credentials.

Users who do not use Pulp's client certificate authentication system
are not affected.

Thanks to Adam Mariš for advising the Pulp team through the
disclosure process, and to Sean Myers for a speedy code review and
for performing the release process.

Randy Barlow
irc:   bowlofeggs

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.