Issue #1834

closed

CVE-2016-3112: Pulp consumer private keys are world-readable

Added by jcline@redhat.com over 8 years ago. Updated over 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
1. Low
Version:
Platform Release:
2.8.3
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Pulp consumers write the certificate and private key issued by the Pulp server's registration process to /etc/pki/pulp/consumer/consumer-cert.pem with 644 permissions, which allows anyone on the host to read the private key.

This means a non-privileged user on the host could authenticate with the Pulp server as the consumer.
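The permission problem described above, as an added example that is not part of this issue or of Pulp's own code: a plain open() creates the file with mode 0666 masked by the process umask, so with the usual umask of 022 the combined certificate and key file lands at 0644; the hardened writer creates the file with mode 0600 at open time and fchmod()s it so a file that already existed with looser bits is tightened too. The function names, the temporary paths and the PEM bytes are constructed for illustration and are assumptions, not Pulp identifiers.

```python
import os
import stat
import tempfile

# Constructed placeholder PEM bytes; not a real certificate or key.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
)


def write_consumer_cert_insecure(path, pem):
    """The pre-fix pattern (hypothetical helper, not Pulp's code): a plain
    open() creates the file with mode 0666 masked by the process umask, so
    with the usual umask of 022 the cert+key file lands at 0644 and any
    local user can read the private key."""
    with open(path, "wb") as f:
        f.write(pem)


def write_consumer_cert_secure(path, pem):
    """The hardened pattern (hypothetical helper): create the file with mode
    0600 at open time so there is no window in which it is world-readable,
    then fchmod() so that a file that already existed with looser bits
    (O_CREAT's mode argument only applies on creation) is tightened too."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "wb") as f:  # fdopen takes ownership of fd and closes it
        f.write(pem)


def file_mode(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_readable(path):
    """Audit check: True if group or other holds the read bit."""
    return bool(file_mode(path) & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    """Write the same PEM three ways under a controlled umask of 022 and
    report the resulting modes. Uses a temp dir, not /etc/pki/pulp."""
    workdir = tempfile.mkdtemp(prefix="pulp-consumer-demo-")
    old_umask = os.umask(0o022)
    try:
        insecure = os.path.join(workdir, "consumer-cert-insecure.pem")
        secure = os.path.join(workdir, "consumer-cert-secure.pem")
        upgraded = os.path.join(workdir, "consumer-cert-upgraded.pem")

        write_consumer_cert_insecure(insecure, SAMPLE_PEM)
        write_consumer_cert_secure(secure, SAMPLE_PEM)
        # Re-registration over a file left behind at 0644 by the old writer:
        write_consumer_cert_insecure(upgraded, SAMPLE_PEM)
        write_consumer_cert_secure(upgraded, SAMPLE_PEM)

        return {
            "insecure_mode": file_mode(insecure),
            "insecure_world_readable": is_world_readable(insecure),
            "secure_mode": file_mode(secure),
            "secure_world_readable": is_world_readable(secure),
            "upgraded_mode": file_mode(upgraded),
        }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if type(value) is int else value)
```

The "upgraded" case is the caveat to keep in mind: a fix to the writer only governs files written from then on, so a consumer-cert.pem that an older release left at 0644 stays world-readable until it is rewritten or chmod'ed. After upgrading, check the deployed file (stat -c '%a' /etc/pki/pulp/consumer/consumer-cert.pem, or is_world_readable() above) and treat any key that sat world-readable on a multi-user host as potentially exposed.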

Actions #1

Updated by jcline@redhat.com over 8 years ago

  • Private changed from No to Yes
Actions #2

Updated by jcline@redhat.com over 8 years ago

  • Subject changed from reserved to Pulp consumer private keys are world-readable
  • Description updated (diff)
  • Private changed from Yes to No
Actions #3

Updated by jcline@redhat.com over 8 years ago

  • Status changed from NEW to POST
  • Assignee set to jcline@redhat.com
Actions #4

Updated by semyers over 8 years ago

  • Platform Release set to 2.8.3
Actions #5

Updated by semyers over 8 years ago

  • Subject changed from Pulp consumer private keys are world-readable to CVE-2016-3112: Pulp consumer private keys are world-readable

Added by Jeremy Cline over 8 years ago

Revision 707a39cb

Create consumer private keys with 600 permissions (CVE-2016-3112)

Prior to this commit, consumers wrote the certificate and private key issued by the Pulp server's registration process to /etc/pki/pulp/consumer/consumer-cert.pem with 644 permissions, which allowed anyone on the host to read the private key. This ensures the file is written with 600 permissions.

https://pulp.plan.io/issues/1834

fixes #1834

Actions #6

Updated by Anonymous over 8 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #7

Updated by mhrivnak over 8 years ago

  • Priority changed from Normal to High
  • Severity changed from 2. Medium to 1. Low
  • Triaged changed from No to Yes

Added by rbarlow over 8 years ago

Revision e152f9e1

Add release notes for the upcoming 2.8.3.

re #1827 re #1830 re #1833 re #1834 re #1837

Credit goes to Jeremy Cline for writing the included release notes for CVE-2016-3111 and CVE-2016-3112.

Actions #8

Updated by semyers over 8 years ago

  • Status changed from MODIFIED to 5
Actions #9

Updated by semyers over 8 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #10

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added