CVE-2016-3107: Node certificate containing private key stored in world-readable file
CLOSED - CURRENTRELEASE
The Node certificate is installed
$ ls -lah /etc/pki/pulp/nodes/
total 4.0K
drwxr-xr-x. 2 root root 21 Apr 8 16:37 .
drwxr-xr-x. 4 root root 90 Apr 8 16:37 ..
-rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt
The fix adjusts the generation script to limit the permissions
to 0640, and to adjust the group ownership to the apache group. It
also uses the -Z flag on the mv command to ensure the correct
SELinux context is used on the installed file.
Credit also goes to Jeremy Cline (Red Hat) for independently
discovering and reporting this issue.
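An added example, not Pulp's generation script: a shell check that finds world-readable files embedding a PEM private key, as node.crt does in the listing above, and applies the 0640-plus-group permissions the fix describes. The function names are hypothetical, the sample files are constructed, and the SELinux context step (mv -Z) is not covered.

```shell
#!/bin/sh
# Added example (not Pulp's script). Function names are hypothetical.

# List regular files under $1 that "other" can read and that embed a PEM
# private key. Assumes file names contain no newlines.
find_exposed_keys() {
    find "$1" -type f -perm -004 | while IFS= read -r f; do
        if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Apply the permissions the fix describes: mode 0640 plus the group that
# must read the file ($2; "apache" on the page). chmod runs first so
# world read access is removed before the group changes.
restrict_key_file() {
    chmod 0640 "$1" && chgrp "$2" "$1"
}

# Constructed sample: a certificate bundled with a key, installed 0644
# as in the listing, beside a certificate-only file that is fine at 0644.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'constructed' '-----END CERTIFICATE-----' > "$d/node.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    chmod 0644 "$d/node.crt" "$d/ca.crt"
    echo "before: $(find_exposed_keys "$d")"
    # The caller's own group stands in for apache (assumption for the demo).
    restrict_key_file "$d/node.crt" "$(id -g)"
    echo "after:  $(find_exposed_keys "$d")"
    rm -rf "$d"
}
```

Run `demo` to see the flagged file before and the empty result after; point `find_exposed_keys` at /etc/pki/pulp/nodes/ to check an installed node.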
Add release notes for the upcoming 2.8.3.
re #1827 re #1830 re #1833 re #1834 re #1837
Credit goes to Jeremy Cline for writing the included release notes for CVE-2016-3111 and CVE-2016-3112.