Maintenance: Planio will be observing a scheduled maintenance window this Sunday, November 10, 2024 from 20:00 UTC until 21:00 UTC to perform important network maintenance in our primary data center. Your Planio account will be unavailable for a few minutes during this maintenance window.
Actions
Issue #1833
closedCVE-2016-3107: Node certificate containing private key stored in world-readable file
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.8.3
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:
Description
The Node certificate is installed
world-readable:
$ ls -lah /etc/pki/pulp/nodes/
total 4.0K
drwxr-xr-x. 2 root root 21 Apr 8 16:37 .
drwxr-xr-x. 4 root root 90 Apr 8 16:37 ..
-rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt
The fix adjusts the generation script to limit the permissions
to 0640, and to adjust the group ownership to the apache group. It
also uses the -Z flag on the mv command to ensure the correct
SELinux context is used on the installed file.
Credit also goes to Jeremy Cline (Red Hat) for independently
discovering and reporting this issue.
Actions
Add release notes for the upcoming 2.8.3.
re #1827 re #1830 re #1833 re #1834 re #1837
Credit goes to Jeremy Cline for writing the included release notes for CVE-2016-3111 and CVE-2016-3112.