Issue #1834: CVE-2016-3112: Pulp consumer private keys are world-readable - Pulp

Agile board
Agile charts

Agile boards

Pulp 2 QE Agile Board
Pulp 2 QE Agile Board - Priority View
Pulp 3 QE Agile Board
Pulp 3 RPM Tests Agile Board
Sprint 112 Agile Board

Custom queries

[All Projects] All Test Trackers
2.21.4 - Next Bugfix Release
2.21.4 MODIFIED
2.21.5
3.14.3
CI/CD
Easy Fix
FIPS open
Functional Tests
Galaxy NG
Groomed
Installer - Triage
Installer Items
Issues for Triage
Katello Integration
Next Docs Day
Operator issues
POST/ASSIGNED - no Sprint - Pulp2
POST/ASSIGNED - no Sprint - Pulp3
Prioritized Bugs
Pulp 3 Docs issues
Pulp2 issues available for next release
Pulpcore
SELinux related
Sprint 111
Sprint 112
Sprint Candidates (also groomed)
Un-Triaged Bugs
Verification Required

Actions

Send by e-mail Copy link

Issue #1834

closed

CVE-2016-3112: Pulp consumer private keys are world-readable

Added by jcline@redhat.com about 8 years ago. Updated almost 3 years ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

High

Assignee:

jcline@redhat.com

Category:

Sprint/Milestone:

Start date:

Due date:

Estimated time:

Severity:

1. Low

Version:

Platform Release:

2.8.3

OS:

Triaged:

Yes

Groomed:

Sprint Candidate:

Tags:

Pulp 2

Sprint:

Quarter:

Description

Pulp consumers write the certificate and private key issued by the Pulp server's registration process to /etc/pki/pulp/consumer/consumer-cert.pem with 644 permissions, which allowed anyone on the host to read the private key.

This means a non-privileged user on the host could authenticate with the Pulp server as the consumer.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by jcline@redhat.com about 8 years ago

Private changed from No to Yes

Actions

Copy link

Updated by jcline@redhat.com about 8 years ago

Subject changed from reserved to Pulp consumer private keys are world-readable
Description updated (diff)
Private changed from Yes to No

https://github.com/pulp/pulp/pull/2531

Actions

Copy link

Updated by jcline@redhat.com about 8 years ago

Status changed from NEW to POST
Assignee set to jcline@redhat.com

Actions

Copy link

Updated by semyers about 8 years ago

Platform Release set to 2.8.3

Actions

Copy link

Updated by semyers about 8 years ago

Subject changed from Pulp consumer private keys are world-readable to CVE-2016-3112: Pulp consumer private keys are world-readable

Added by Jeremy Cline about 8 years ago

Revision 707a39cb | View on GitHub

Create consumer private keys with 600 permissions (CVE-2016-3112)

Prior to this commit, consumers wrote the certificate and private key issued by the Pulp server's registration process to /etc/pki/pulp/consumer/consumer-cert.pem with 644 permissions, which allowed anyone on the host to read the private key. This ensures the file is written with 600 permissions.

https://pulp.plan.io/issues/1834

fixes #1834