Issue #1830
Updated by rbarlow over 8 years ago
Security researcher Sander Bos contacted the Pulp team to notify us
that the pulp-gen-nodes-certificate script suffers from the same
exploit as was found in CVE-2016-3095, namely that the $TMP
directory that contains the Nodes private key was created in an
unsafe manner. The fix is to use mktemp -d to safely create the
directory.
Thanks to Sander Bos for taking the time to carefully inspect the
Pulp codebase and for writing a wonderfully detailed report
describing the issue and the fix for it.
Credit also goes to Jeremy Cline (Red Hat) for independently
reporting this issue.
.