Bug 1328930 (CVE-2016-3696) - CVE-2016-3696 pulp: Leakage of CA key in pulp-qpid-ssl-cfg
Summary: CVE-2016-3696 pulp: Leakage of CA key in pulp-qpid-ssl-cfg
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3696
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20160420,reported=2...
Depends On: 1545354 1545355
Blocks: 1325942 1432305
TreeView+ depends on / blocked
 
Reported: 2016-04-20 15:51 UTC by Adam Mariš
Modified: 2019-07-12 13:04 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the private CA key was created in a directory that is world-readable for a small amount of time. A local user could possibly use this flaw to gain access to the private key information in the file.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:09 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0336 normal SHIPPED_LIVE Important: Satellite 6.3 security, bug fix, and enhancement update 2018-02-21 22:43:42 UTC
Pulp Redmine 1854 High CLOSED - CURRENTRELEASE CVE-2016-3696 Leakage of CA key in pulp-qpid-ssl-cfg 2016-06-27 17:01:15 UTC

Description Adam Mariš 2016-04-20 15:51:53 UTC
Sander Bos reports:

It was found that pulp-qpid-ssl-cfg script creates certificate files and NSS database files in world-readable unsafe temporary directory $DIR, from which is than the content copied to permanent installation directory $INST_DIR with wrongly assigned permissions, which are corrected only after the copying process is done. This bug gives attacker a time frame for stealing sensitive data.

Comment 1 Adam Mariš 2016-04-20 15:52:04 UTC
Acknowledgments:

Name: Sander Bos

Comment 2 pulp-infra@redhat.com 2016-04-20 19:03:24 UTC
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 3 pulp-infra@redhat.com 2016-04-20 19:03:30 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 4 pulp-infra@redhat.com 2016-04-22 15:03:38 UTC
The Pulp upstream bug priority is at High. Updating the external tracker on this bug.

Comment 5 pulp-infra@redhat.com 2016-04-25 17:33:38 UTC
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

Comment 6 pulp-infra@redhat.com 2016-05-03 17:33:43 UTC
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 7 pulp-infra@redhat.com 2016-05-26 20:30:59 UTC
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 8 pulp-infra@redhat.com 2016-05-31 17:30:48 UTC
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 9 pulp-infra@redhat.com 2016-06-17 17:30:57 UTC
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 10 pulp-infra@redhat.com 2016-06-27 17:01:16 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 11 Fedora Update System 2016-08-16 19:24:39 UTC
pulp-2.8.6-1.fc24, pulp-docker-2.0.2-1.fc24, pulp-ostree-1.1.2-1.fc24, pulp-puppet-2.8.6-2.fc24, pulp-python-1.1.2-1.fc24, pulp-rpm-2.8.6-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 pulp-infra@redhat.com 2016-11-21 21:02:17 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Comment 15 pulp-infra@redhat.com 2018-02-21 08:35:52 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Comment 16 errata-xmlrpc 2018-02-21 12:26:37 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336

Comment 17 Product Security DevOps Team 2019-07-12 13:04:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-3696


Note You need to log in before you can comment on or make changes to this bug.