oss-sec mailing list archives
Pulp 2.8.3 Released to address multiple CVEs
From: Randy Barlow <randy () electronsweatshop com>
Date: Thu, 19 May 2016 16:41:56 -0400
Pulp 2.8.3 has been released to address multiple CVEs:

CVE-2016-3111 (Low Impact): pulp.spec generates its RSA keys for message signing insecurely
https://pulp.plan.io/issues/1837

CVE-2016-3112 (Moderate Impact): Pulp consumer private keys are world-readable
https://pulp.plan.io/issues/1834

CVE-2016-3107 (Moderate Impact): Node certificate containing private key stored in world-readable file
https://pulp.plan.io/issues/1833

CVE-2016-3108 (Moderate Impact): Insecure temporary file used when generating certificate for Pulp Nodes
https://pulp.plan.io/issues/1830

CVE-2016-3106 (Low Impact): Insecure creation of temporary directory when generating new CA key
https://pulp.plan.io/issues/1827

Additionally, CVE-2013-7450[0] was announced during this release cycle even though it was fixed in Pulp 2.3.0. Users who have upgraded from Pulp < 2.3.0 may still be vulnerable; action may be required.

Users should read the release notes[1] and the mailing list announcement[2] to learn more.

Thanks to Florian Weimer, Sander Bos, and Jeremy Cline for reporting these issues and submitting patches.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1003326
[1] http://pulp.readthedocs.io/en/latest/user-guide/release-notes/2.8.x.html#pulp-2-8-3
[2] https://www.redhat.com/archives/pulp-list/2016-May/msg00054.html

--
Randy Barlow
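As an added illustration (not Pulp's code and not part of the announcement), the Python below shows the two defensive patterns the CVE classes above call for: creating key files and scratch directories with restrictive permissions from the moment they exist, and auditing a directory tree for private-key material that group or others can read. File names and PEM contents are constructed samples.

```python
import os
import stat
import tempfile

PEM_KEY_MARKER = b"PRIVATE KEY-----"  # matches BEGIN PRIVATE KEY and BEGIN RSA PRIVATE KEY

def write_private_file(path, data):
    """Create path with mode 0600 in one step: O_EXCL refuses a pre-existing path (a
    planted file or symlink), and the mode is set at creation, so there is no window in
    which the file is readable by others before a later chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def private_scratch_dir(prefix="ca-work-"):
    """Unpredictable, owner-only (0700) directory instead of a fixed path under /tmp."""
    return tempfile.mkdtemp(prefix=prefix)

def world_readable_private_files(root):
    """(relative path, mode) for files under root holding PEM private-key material
    that group or others can read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    body = f.read(65536)  # a key may follow a certificate in one bundle
            except OSError:
                continue
            if PEM_KEY_MARKER not in body:
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: one key left world-readable, one bundle written correctly."""
    bad = os.path.join(root, "consumer.key")
    with open(bad, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(bad, 0o644)
    good = os.path.join(root, "node.pem")
    write_private_file(good, "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
                             "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
    return bad, good
```

Running build_sample_tree on a private_scratch_dir and then world_readable_private_files on it reports consumer.key (mode 0o644) and nothing for node.pem, whose embedded key was written with 0600 from the start.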