« Previous | Next » 

Revision 1b9b635d

Added by rbarlow over 5 years ago

CVE-2016-3704: Use stronger seed and DB password. (#2555)

Pulp's pulp-qpid-ssl-cfg script used bash's $RANDOM in unsafe ways:

  1. The default NSS DB password was a single value from $RANDOM, limiting it to the strings from 0 to 32768.

  2. The certutil -z flag receives a "noise file". The script used $RANDOM to populate a file with numbers to generate this file. Since $RANDOM was used in this way, the seed file had low diversity since only 11 possible bytes appeared in the file (ASCII 0-9 and newline).

This commit alters the script to use /dev/urandom as the source for generating the DB password and the seed.

fixes #1858