oss-sec mailing list archives

Pulp 2.8.3 Released to address multiple CVEs


From: Randy Barlow <randy () electronsweatshop com>
Date: Thu, 19 May 2016 16:41:56 -0400

Pulp 2.8.3 has been released to address multiple CVEs:

CVE-2016-3111 (Low Impact):
pulp.spec generates its RSA keys for message signing insecurely
https://pulp.plan.io/issues/1837

CVE-2016-3112 (Moderate Impact):
Pulp consumer private keys are world-readable
https://pulp.plan.io/issues/1834

CVE-2016-3107 (Moderate Impact):
Node certificate containing private key stored in world-readable file
https://pulp.plan.io/issues/1833

CVE-2016-3108 (Moderate Impact):
Insecure temporary file used when generating certificate for Pulp Nodes
https://pulp.plan.io/issues/1830

CVE-2016-3106 (Low Impact):
Insecure creation of temporary directory when generating new CA key
https://pulp.plan.io/issues/1827

Additionally, CVE-2013-7450[0] was announced during this release cycle
even though it was fixed in Pulp 2.3.0. Users who have upgraded from
Pulp < 2.3.0 may still be vulnerable, and action may be required.

Users should read the release notes[1] and the mailing list
announcement[2] to learn more.

Thanks to Florian Weimer, Sander Bos, and Jeremy Cline for reporting
these issues and submitting patches.


[0] https://bugzilla.redhat.com/show_bug.cgi?id=1003326
[1] http://pulp.readthedocs.io/en/latest/user-guide/release-notes/2.8.x.html#pulp-2-8-3
[2] https://www.redhat.com/archives/pulp-list/2016-May/msg00054.html

-- 
Randy Barlow

Attachment: signature.asc
Description: OpenPGP digital signature
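The five Pulp CVEs above fall into two classes that recur in any service that generates its own certificates: private key material written or left with permissions readable beyond the owner (CVE-2016-3112, CVE-2016-3107), and predictable temporary paths used while a key or certificate is being produced (CVE-2016-3108, CVE-2016-3106). The Python below is an added example, not part of this announcement or of Pulp's own code: it audits a directory tree for private-key files readable by group or other, shows the creation pattern that avoids the race (O_CREAT|O_EXCL with mode 0600, and mkstemp/mkdtemp instead of mktemp), and contrasts it with the mktemp pattern. The directory layout, file names and PEM contents are constructed in a scratch directory for the demo and are assumptions, not Pulp's real paths.

```python
"""Added example (not Pulp's code): detect and avoid world-readable private
keys and predictable temporary paths during certificate generation.
File names and PEM contents below are constructed for the demo."""
import os
import stat
import tempfile

# Any PEM block whose header ends this way carries a private key
# ("RSA PRIVATE KEY", "EC PRIVATE KEY", PKCS#8 "PRIVATE KEY").
PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"


def contains_private_key(path):
    """True if the file carries a private key block, including bundles that
    concatenate a certificate with its key (the node certificate case)."""
    with open(path, "rb") as f:
        return PRIVATE_KEY_MARKER in f.read()


def find_exposed_keys(root):
    """Return sorted paths of private-key files under root that have any
    group or other permission bit set. Any such bit is a finding, whether
    it is read, write or execute, so test against S_IRWXG | S_IRWXO."""
    exposed = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO) and contains_private_key(p):
                exposed.append(p)
    return sorted(exposed)


def write_private_key(path, pem_bytes):
    """Create the key file with mode 0600 at creation time. O_EXCL makes the
    open fail if the name already exists (including a symlink planted by a
    local user), so there is no window in which the key is readable by others
    and no chance of writing through an attacker-controlled link."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, pem_bytes)
    finally:
        os.close(fd)
    return path


def insecure_tempfile_paths(n=3):
    """The pattern behind the 'insecure temporary file' bugs: mktemp() only
    returns a name and creates nothing, so another local user can create a
    file or symlink at that path before the caller opens it."""
    return [tempfile.mktemp(prefix="pulp-cert-") for _ in range(n)]


def secure_work_dir():
    """mkdtemp creates the directory 0700 and mkstemp creates the file 0600,
    both atomically and both returning a name the caller already owns."""
    d = tempfile.mkdtemp(prefix="pulp-ca-")
    fd, p = tempfile.mkstemp(dir=d, suffix=".pem")
    os.close(fd)
    return d, p


def mode_of(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build a constructed layout: one world-readable consumer key (the
    reported condition), one correctly created node bundle, one public CA
    certificate. Return the basenames the audit flags."""
    root = tempfile.mkdtemp(prefix="pulp-audit-")
    key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           b"MIIE...constructed placeholder, not a real key...\n"
           b"-----END RSA PRIVATE KEY-----\n")
    cert = (b"-----BEGIN CERTIFICATE-----\n"
            b"MIIC...constructed placeholder...\n"
            b"-----END CERTIFICATE-----\n")
    bad = os.path.join(root, "consumer.key")
    with open(bad, "wb") as f:
        f.write(key)
    os.chmod(bad, 0o644)                         # world-readable private key
    write_private_key(os.path.join(root, "node.pem"), cert + key)
    public = os.path.join(root, "ca.crt")
    with open(public, "wb") as f:
        f.write(cert)
    os.chmod(public, 0o644)                      # public cert: fine
    return [os.path.basename(p) for p in find_exposed_keys(root)]


if __name__ == "__main__":
    print("exposed:", demo())                    # ['consumer.key']
```

Run it against a real /etc/pki or /etc/pulp tree with find_exposed_keys() to reproduce the check on an installed system; the audit only reads files, so it is safe to run as root. Note that umask can only remove bits, so the explicit 0o600 in os.open is an upper bound, not a guarantee of exactly 0600, which is the direction you want.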
