Bug 1003326 - CVE-2013-7450: All users who install pulp-server will have the same CA certificate and key that is in our public code repository
Summary: CVE-2013-7450: All users who install pulp-server will have the same CA certif...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: rel-eng
Version: Master
Hardware: All
OS: All
low
urgent
Target Milestone: ---
: 2.3.0
Assignee: Jeff Ortel
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-09-01 22:07 UTC by Randy Barlow
Modified: 2016-04-18 17:22 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-09 14:31:29 UTC
Embargoed:


Attachments (Terms of Use)

Description Randy Barlow 2013-09-01 22:07:24 UTC
I learned during our refactor this weekend that we have ca.{crt,key} files in our git repository that our RPM packages and installs on every Pulp installation. This is very bad.

To make matters worse, there is only a tiny paragraph in our docs that mention quite casually that you should make your own SSL certificates. This is putting our users at risk, particularly ones who don't know the full depths of our use of CA certificates. This is particularly bad due to the understated nature of the documentation telling users that they can change the CA if they want to.

A very easy solution would be to have the %post% section of our spec file autogenerate a new CA certificate and key when the package is installed. This has the benefit of still making it easy to install Pulp for newcomers, while also not putting those users at risk to man in the middle attacks. It's still exactly the same effort for the user to install their own CA, if they wish.

Comment 1 Jeff Ortel 2013-09-19 23:07:40 UTC
https://github.com/pulp/pulp/pull/627

Comment 2 Jeff Ortel 2013-09-26 15:36:36 UTC
build: 2.3.0-0.15.alpha

Comment 3 Preethi Thomas 2013-09-30 12:54:50 UTC
verified
[root@pulp-v2-server ~]# rpm -qa pulp-server
pulp-server-2.3.0-0.16.alpha.el6.noarch
[root@pulp-v2-server ~]# 

[root@pulp-v2-server ~]# ls -l /etc/pki/pulp/
total 20
-rw-r-----. 1 root   apache 1082 Sep 27 08:33 ca.crt
-rw-r-----. 1 root   apache 1675 Sep 27 08:33 ca.key
drwxr-xr-x. 2 apache apache 4096 Sep 26 16:44 content
drwxr-xr-x. 2 root   root   4096 Sep 27 09:52 nodes
drwxr-xr-x. 3 root   root   4096 Sep 19 15:03 qpid
[root@pulp-v2-server ~]#

Comment 4 Preethi Thomas 2013-12-09 14:31:29 UTC
Pulp 2.3 released.


Note You need to log in before you can comment on or make changes to this bug.