Agile board
Agile charts

Agile boards

Pulp 2 QE Agile Board
Pulp 2 QE Agile Board - Priority View
Pulp 3 QE Agile Board
Pulp 3 RPM Tests Agile Board
Sprint 112 Agile Board

Custom queries

[All Projects] All Test Trackers
2.21.4 - Next Bugfix Release
2.21.4 MODIFIED
2.21.5
3.14.3
CI/CD
Easy Fix
FIPS open
Functional Tests
Galaxy NG
Groomed
Installer - Triage
Installer Items
Issues for Triage
Katello Integration
Next Docs Day
Operator issues
POST/ASSIGNED - no Sprint - Pulp2
POST/ASSIGNED - no Sprint - Pulp3
Prioritized Bugs
Pulp 3 Docs issues
Pulp2 issues available for next release
Pulpcore
SELinux related
Sprint 111
Sprint 112
Sprint Candidates (also groomed)
Un-Triaged Bugs
Verification Required

Actions

Send by e-mail Copy link

Issue #1833

closed

CVE-2016-3107: Node certificate containing private key stored in world-readable file

Added by rbarlow over 8 years ago. Updated over 5 years ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

Normal

Assignee:

rbarlow

Category:

Sprint/Milestone:

Start date:

Due date:

Estimated time:

Severity:

2. Medium

Version:

Platform Release:

2.8.3

OS:

Triaged:

Yes

Groomed:

Sprint Candidate:

Tags:

Pulp 2

Sprint:

Quarter:

Description

The Node certificate is installed
world-readable:

$ ls -lah /etc/pki/pulp/nodes/
total 4.0K
drwxr-xr-x. 2 root root 21 Apr 8 16:37 .
drwxr-xr-x. 4 root root 90 Apr 8 16:37 ..
-rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt

The fix adjusts the generation script to limit the permissions
to 0640, and to adjust the group ownership to the apache group. It
also uses the -Z flag on the mv command to ensure the correct
SELinux context is used on the installed file.

Credit also goes to Jeremy Cline (Red Hat) for independently
discovering and reporting this issue.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by rbarlow over 8 years ago

Subject changed from reserved to CVE-2016-3107: Node certificate containing private key stored in world-readable file
Description updated (diff)
Status changed from NEW to POST
Assignee set to rbarlow
Private changed from Yes to No
Triaged changed from No to Yes

https://github.com/pulp/pulp/pull/2529

Actions

Copy link

Updated by rbarlow over 8 years ago

Description updated (diff)

Actions

Copy link

Updated by rbarlow over 8 years ago

https://github.com/pulp/pulp/pull/2534

Actions

Copy link

Updated by semyers over 8 years ago

Platform Release set to 2.8.3

Actions

Copy link

Updated by rbarlow over 8 years ago

https://github.com/pulp/pulp/pull/2543

Actions

Copy link

Updated by rbarlow over 8 years ago

https://github.com/pulp/pulp/pull/2544

Added by rbarlow over 8 years ago

Revision e152f9e1 | View on GitHub

Add release notes for the upcoming 2.8.3.

re #1827 re #1830 re #1833 re #1834 re #1837

Credit goes to Jeremy Cline for writing the included release notes for CVE-2016-3111 and CVE-2016-3112.

Added by rbarlow over 8 years ago

Revision e152f9e1 | View on GitHub

Add release notes for the upcoming 2.8.3.

re #1827 re #1830 re #1833 re #1834 re #1837

Credit goes to Jeremy Cline for writing the included release notes for CVE-2016-3111 and CVE-2016-3112.

Added by rbarlow over 8 years ago

Revision 8571d9a0 | View on GitHub

CVE-2016-3107 & CVE-2016-3108: Safely generate Nodes certificate.

This commit fixes two CVEs.

CVE-2016-3107¶

Install Node certificate with 640, apache owned (CVE-2016-3107).

Prior to this commit, the Node certificate had been installed world-readable:

$ ls -lah /etc/pki/pulp/nodes/ total 4.0K drwxr-xr-x. 2 root root 21 Apr 8 16:37 . drwxr-xr-x. 4 root root 90 Apr 8 16:37 .. -rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt

This commit adjusts the generation script to limit the permissions to 0640, and to adjust the group ownership to the apache group.

Credit also goes to Jeremy Cline (Red Hat) for independently discovering and reporting this issue.

https://pulp.plan.io/issues/1833

fixes #1833

CVE-2016-3108¶

Safely create tmp dir for the Nodes certificate (CVE-2016-3108).

Security researcher Sander Bos contacted the Pulp team to notify us that the pulp-gen-nodes-certificate script suffers from the same exploit as was found in CVE-2016-3095, namely that the $TMP directory that contains the Nodes private key was created in an unsafe manner. This commit contains his proposed fix to use mktemp -d to safely create the directory.

Additionally, I added a set -e so that the script would exit upon error.

Thanks to Sander Bos for taking the time to carefully inspect the Pulp codebase and for writing a wonderfully detailed report describing the issue and the fix for it.

Credit also goes to Jeremy Cline (Red Hat) for independently reporting this issue.

https://pulp.plan.io/issues/1830

fixes #1830

Added by rbarlow over 8 years ago

Revision 8571d9a0 | View on GitHub

CVE-2016-3107 & CVE-2016-3108: Safely generate Nodes certificate.

This commit fixes two CVEs.

CVE-2016-3107¶

Install Node certificate with 640, apache owned (CVE-2016-3107).

Prior to this commit, the Node certificate had been installed world-readable:

$ ls -lah /etc/pki/pulp/nodes/ total 4.0K drwxr-xr-x. 2 root root 21 Apr 8 16:37 . drwxr-xr-x. 4 root root 90 Apr 8 16:37 .. -rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt

This commit adjusts the generation script to limit the permissions to 0640, and to adjust the group ownership to the apache group.

Credit also goes to Jeremy Cline (Red Hat) for independently discovering and reporting this issue.

https://pulp.plan.io/issues/1833

fixes #1833

CVE-2016-3108¶

Safely create tmp dir for the Nodes certificate (CVE-2016-3108).

Additionally, I added a set -e so that the script would exit upon error.

Thanks to Sander Bos for taking the time to carefully inspect the Pulp codebase and for writing a wonderfully detailed report describing the issue and the fix for it.

Credit also goes to Jeremy Cline (Red Hat) for independently reporting this issue.

https://pulp.plan.io/issues/1830

fixes #1830

Actions

Copy link