Project

Profile

Help

Issue #1837

CVE-2016-3111: pulp.spec generates its RSA keys for message signing insecurely

Added by jcline@redhat.com over 3 years ago. Updated 6 days ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Severity:
1. Low
Version:
Platform Release:
2.8.3
Blocks Release:
OS:
Backwards Incompatible:
No
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
QA Contact:
Complexity:
Smash Test:
Verified:
No
Verification Required:
No
Sprint:

Description

During installation, the RSA key pairs used to validate messages between the pulp server and pulp consumers are generated in a directory that is world-readable with a umask of 002. After it was written, the permissions are modified to protect the key. For a brief moment, the RSA keys are world-readable. An attacker who has access to the host installing Pulp could theoretically open the file after it is created, but before its permissions are set, and read the private key.

Associated revisions

Revision 20955f6f View on GitHub
Added by Jeremy Cline over 3 years ago

pulp.spec now generate RSA keys with umask 077 (CVE-2016-3111)

During installation, the RSA key pairs used to validate messages between
the pulp server and pulp consumers were generated in a directory that is
world-readable with a umask of 002. After it was written, the permissions
were modified to protect the key. For a brief moment, the RSA keys were
world-readable. This commit explicitly sets the umask in the %post
scriptlet to be 077 so it is only readable to the owner.

https://pulp.plan.io/issues/1837

fixes #1837

Revision 20955f6f View on GitHub
Added by Jeremy Cline over 3 years ago

pulp.spec now generate RSA keys with umask 077 (CVE-2016-3111)

During installation, the RSA key pairs used to validate messages between
the pulp server and pulp consumers were generated in a directory that is
world-readable with a umask of 002. After it was written, the permissions
were modified to protect the key. For a brief moment, the RSA keys were
world-readable. This commit explicitly sets the umask in the %post
scriptlet to be 077 so it is only readable to the owner.

https://pulp.plan.io/issues/1837

fixes #1837

Revision 20955f6f View on GitHub
Added by Jeremy Cline over 3 years ago

pulp.spec now generate RSA keys with umask 077 (CVE-2016-3111)

During installation, the RSA key pairs used to validate messages between
the pulp server and pulp consumers were generated in a directory that is
world-readable with a umask of 002. After it was written, the permissions
were modified to protect the key. For a brief moment, the RSA keys were
world-readable. This commit explicitly sets the umask in the %post
scriptlet to be 077 so it is only readable to the owner.

https://pulp.plan.io/issues/1837

fixes #1837

Revision e152f9e1 View on GitHub
Added by rbarlow over 3 years ago

Add release notes for the upcoming 2.8.3.

re #1827
re #1830
re #1833
re #1834
re #1837

Credit goes to Jeremy Cline for writing the included release notes
for CVE-2016-3111 and CVE-2016-3112.

Revision e152f9e1 View on GitHub
Added by rbarlow over 3 years ago

Add release notes for the upcoming 2.8.3.

re #1827
re #1830
re #1833
re #1834
re #1837

Credit goes to Jeremy Cline for writing the included release notes
for CVE-2016-3111 and CVE-2016-3112.

Revision e152f9e1 View on GitHub
Added by rbarlow over 3 years ago

Add release notes for the upcoming 2.8.3.

re #1827
re #1830
re #1833
re #1834
re #1837

Credit goes to Jeremy Cline for writing the included release notes
for CVE-2016-3111 and CVE-2016-3112.

History

#1 Updated by jcline@redhat.com over 3 years ago

  • Subject changed from reserved to pulp.spec generates its RSA keys for message signing insecurely
  • Description updated (diff)

#2 Updated by jcline@redhat.com over 3 years ago

  • Private changed from Yes to No

#3 Updated by jcline@redhat.com over 3 years ago

  • Status changed from NEW to POST
  • Assignee set to jcline@redhat.com

#4 Updated by semyers over 3 years ago

  • Platform Release set to 2.8.3

#5 Updated by semyers over 3 years ago

  • Subject changed from pulp.spec generates its RSA keys for message signing insecurely to CVE-2016-3111: pulp.spec generates its RSA keys for message signing insecurely

#6 Updated by Anonymous over 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#7 Updated by mhrivnak over 3 years ago

  • Priority changed from Normal to High
  • Severity changed from 2. Medium to 1. Low
  • Triaged changed from No to Yes

#8 Updated by semyers over 3 years ago

  • Status changed from MODIFIED to ON_QA

#9 Updated by semyers over 3 years ago

  • Status changed from ON_QA to CLOSED - CURRENTRELEASE

#10 Updated by bmbouter 4 months ago

  • Tags Pulp 2 added

#11 Updated by EarlCervantes 25 days ago

server side: regenerate 2 key pairs (rsa and dsa)

ssh-keygen -t dsa -f / etc / ssh / ssh_host_dsa_key
ssh-keygen -t rsa -f / etc / ssh / ssh_host_rsa_key
client side:
generate a dsa key pair (private and public) for user "foo"

ssh-keygen -t dsa -f /home/foo/.ssh/my_client_key
add this new key to ssh-agent at startup

ssh-add /home/foo/.ssh/my_client_key term paper
add the contents of the ssh_host_rsa_key.pub server to the /home/foo/.ssh/known_hosts client after the IP / port.

#12 Updated by Anonymous 6 days ago

You explained in a detailed way and nice to see this here. Looking for the best apps to know the details of viva video. Here you can check it for more updates. https://14wcph.org/viva-video-for-pc/

Please register to edit this issue

Also available in: Atom PDF