Bug 1003326 - CVE-2013-7450: All users who install pulp-server will have the same CA certificate and key that is in our public code repository
Status: CLOSED CURRENTRELEASE
Product: Pulp
Classification: Community
Component: rel-eng (Show other bugs)
Version: Master
Hardware: All
OS: All
Priority: low
Severity: urgent
Target Milestone: ---
Target Release: 2.3.0
Assigned To: Jeff Ortel
QA Contact: Preethi Thomas
Keywords: Triaged
Reported: 2013-09-01 18:07 EDT by Randy Barlow
Modified: 2016-04-18 13:22 EDT

Doc Type: Bug Fix
Last Closed: 2013-12-09 09:31:29 EST
Type: Bug
Description Randy Barlow 2013-09-01 18:07:24 EDT
I learned during our refactor this weekend that we have ca.{crt,key} files in our git repository that our RPM packages install on every Pulp installation. This is very bad.

To make matters worse, there is only a tiny paragraph in our docs that mentions quite casually that you should make your own SSL certificates. This is putting our users at risk, particularly ones who don't know the full depths of our use of CA certificates. This is particularly bad due to the understated nature of the documentation telling users that they can change the CA if they want to.

A very easy solution would be to have the %post section of our spec file autogenerate a new CA certificate and key when the package is installed. This has the benefit of still making it easy to install Pulp for newcomers, while also not putting those users at risk of man-in-the-middle attacks. It's still exactly the same effort for the user to install their own CA, if they wish.
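The description above proposes generating the CA in the package's %post scriptlet. The following is an added example of that approach, written for this page; it is not the code from pull request 627 or any Pulp spec file. It is a POSIX shell fragment that creates a CA only when none already exists (so a reinstall or upgrade never silently rotates a CA that clients already trust), applies the 0640 mode and optional group ownership that match the listing in comment 3, and adds a fingerprint helper so two installs can be compared. The function names, the directory and group arguments, the certificate subject and the assumption that openssl is on PATH are all assumptions of the example.

```shell
# Added example (not Pulp's own %post or PR 627 code): bootstrap a per-host CA
# at package install time instead of shipping one from the git repository.
# Assumptions: openssl is on PATH; the function names, the DIR/GROUP
# arguments and the certificate subject are hypothetical.

# generate_ca DIR [GROUP]
# Creates DIR/ca.key and DIR/ca.crt unless both already exist. The key is
# written under umask 077 and then opened to 0640 so the web server group
# (if given) can read it, mirroring the root:apache 0640 layout in comment 3.
generate_ca() {
    dir="$1"
    group="${2:-}"
    if [ -s "$dir/ca.key" ] && [ -s "$dir/ca.crt" ]; then
        echo "CA already present in $dir, leaving it untouched" >&2
        return 0
    fi
    mkdir -p "$dir"
    # Subshell so the restrictive umask does not leak into the caller.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=Pulp CA $(hostname 2>/dev/null || echo localhost)" \
            -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    ) || { echo "CA generation in $dir failed" >&2; return 1; }
    chmod 0640 "$dir/ca.key" "$dir/ca.crt"
    if [ -n "$group" ]; then
        chgrp "$group" "$dir/ca.key" "$dir/ca.crt"
    fi
}

# ca_fingerprint CRT
# Prints the SHA-256 fingerprint of CRT. Two hosts that print the same value
# share a CA, which is exactly the condition this bug describes.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# A spec file would call it roughly like this (hypothetical):
#   %post
#   generate_ca /etc/pki/pulp apache
```

The existence check is the part worth keeping even if the rest is adapted: without it, every upgrade of the package would replace the CA and break every consumer that pinned the old one. Comparing `ca_fingerprint` output across two hosts is also the quickest way to confirm the fix landed, since a listing of file names and sizes alone (as in comment 3) cannot distinguish a freshly generated 2048-bit RSA key from the one that was in the repository.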
Comment 1 Jeff Ortel 2013-09-19 19:07:40 EDT
https://github.com/pulp/pulp/pull/627
Comment 2 Jeff Ortel 2013-09-26 11:36:36 EDT
build: 2.3.0-0.15.alpha
Comment 3 Preethi Thomas 2013-09-30 08:54:50 EDT
verified
[root@pulp-v2-server ~]# rpm -qa pulp-server
pulp-server-2.3.0-0.16.alpha.el6.noarch
[root@pulp-v2-server ~]# 

[root@pulp-v2-server ~]# ls -l /etc/pki/pulp/
total 20
-rw-r-----. 1 root   apache 1082 Sep 27 08:33 ca.crt
-rw-r-----. 1 root   apache 1675 Sep 27 08:33 ca.key
drwxr-xr-x. 2 apache apache 4096 Sep 26 16:44 content
drwxr-xr-x. 2 root   root   4096 Sep 27 09:52 nodes
drwxr-xr-x. 3 root   root   4096 Sep 19 15:03 qpid
[root@pulp-v2-server ~]#
Comment 4 Preethi Thomas 2013-12-09 09:31:29 EST
Pulp 2.3 released.
