Revision 791ab580

Added by rbarlow over 5 years ago

CVE-2016-3696: Safely generate qpid TLS keys.

Sander Bos reported that the pulp-qpid-ssl-cfg script creates certificate files and NSS database files in a world-readable, unsafe temporary directory $DIR, from which the content is then copied to the permanent installation directory $INST_DIR with wrongly assigned permissions, which are corrected only after the copying process is done. This bug gives an attacker a time frame for stealing sensitive data.

This commit reworks the script to use safe practices to create the secrets so that they begin their lives in a protected state.

https://pulp.plan.io/issues/1854

fixes #1854
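
The pattern the commit message describes, secrets that "begin their lives in a protected state", sketched as an added example. This is not the code from this commit or from pulp-qpid-ssl-cfg; the function names, the file name and the stand-in secret content are hypothetical.

```shell
#!/bin/sh
# Added illustration of creating a secret without a readable window.
# Not taken from pulp-qpid-ssl-cfg; all names here are hypothetical.

# mode_of PATH: print the ls-style type and permission string, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_secret_safely DEST_DIR NAME
# Builds the secret in a private work directory and places it in DEST_DIR.
# The body runs in a subshell, so the umask and the trap do not leak into
# the caller's environment.
make_secret_safely() (
    dest_dir=$1
    name=$2

    # Restrictive umask first: everything created below starts out
    # owner-only, so no chmod "afterwards" is needed to close a window.
    umask 077

    # mktemp -d creates a fresh, unpredictable directory with mode 0700,
    # unlike a fixed path under /tmp that other users can read or pre-create.
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT

    # Constructed stand-in for the real key/certificate generation step.
    printf 'constructed-secret-material\n' > "$work/$name" || exit 1

    # Destination directory is created under the same umask (0700 if new).
    mkdir -p "$dest_dir" || exit 1

    # install sets the final mode explicitly as part of the copy, rather
    # than copying with default permissions and correcting them later.
    install -m 0600 "$work/$name" "$dest_dir/$name"
)
```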