1325930 – (CVE-2016-3107) CVE-2016-3107 pulp: Node certificate containing private key stored in world-readable file

Bug 1325930 (CVE-2016-3107) - CVE-2016-3107 pulp: Node certificate containing private key stored in world-readable file

Summary: CVE-2016-3107 pulp: Node certificate containing private key stored in world-r...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-3107
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1326913 1326919
Blocks:	1325942
TreeView+	depends on / blocked

Reported:	2016-04-11 12:41 UTC by Adam Mariš
Modified:	2021-04-06 17:58 UTC (History)
CC List:	21 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2016-09-19 19:02:37 UTC
Embargoed:

Attachments	(Terms of Use)
Proposed patch (1.37 KB, patch) 2016-04-11 12:43 UTC, Adam Mariš	no flags	Details \| Diff
Proposed patch (1.58 KB, patch) 2016-04-12 14:28 UTC, Randy Barlow	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Pulp Redmine	1842	0	Low	CLOSED - WORKSFORME	Test Redmine's Bugzilla Integration	2016-04-13 19:57:11 UTC

Description Adam Mariš 2016-04-11 12:41:55 UTC

It was reported that Pulp node certificates containing private keys are stored in /etc/pki/pulp/nodes/ directory as world-readable.

Comment 1 Adam Mariš 2016-04-11 12:42:03 UTC

Acknowledgments:

Name: Randy Barlow (Red Hat), Jeremy Cline (Red Hat)

Comment 2 Adam Mariš 2016-04-11 12:43:04 UTC

Created attachment 1145987 [details]
Proposed patch

Comment 3 Randy Barlow 2016-04-12 14:28:46 UTC

Created attachment 1146471 [details]
Proposed patch

I am amending the proposed patch to use the -Z flag on mv, and to credit jcline in the commit message for independently reporting the issue.

Comment 4 Randy Barlow 2016-04-13 16:48:20 UTC

This issue is filed upstream as #1833 and is fixed by PR #2529:

https://pulp.plan.io/issues/1833
https://github.com/pulp/pulp/pull/2529

Comment 7 pulp-infra@redhat.com 2016-04-13 19:57:12 UTC

The Pulp upstream bug status is at CLOSED - WORKSFORME. Updating the external tracker on this bug.

Comment 8 pulp-infra@redhat.com 2016-04-13 19:57:18 UTC

The Pulp upstream bug priority is at Low. Updating the external tracker on this bug.

Comment 9 Kurt Seifried 2016-09-19 19:02:37 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.2

Via RHSA-2016:1501

Note You need to log in before you can comment on or make changes to this bug.

bkearney
bmbouter
cbillett
daviddavis
dkliban
ggainey
ipanova
jcline
jmatthew
mhrivnak
mmccune
ohadlevy
pcreech
rbarlow
rchan
sean.myers
security-response-team
tjay
tlestach
tsanders
ttereshc