Bug 850745 - Application.config.secret_token is not generated properly
Status: CLOSED UPSTREAM
Product: Katello
Classification: Community
Component: Packaging
Version: 1.0
Assigned To: Lukas Zapletal
QA Contact: Katello QA List
Reported: 2012-08-22 06:12 EDT by Lukas Zapletal
Modified: 2012-08-22 07:48 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-08-22 07:48:23 EDT
Type: Bug
Description Lukas Zapletal 2012-08-22 06:12:12 EDT
We have found a flaw in the generation of the
Application.config.secret_token value. This value is used in the file
/usr/share/katello/config/initializers/secret_token.rb to provide a secret
token when session cookies are generated for user sessions within Katello.

Specifically, a static key with a value of:

f466b184ef680822293d7130f57593a7087a34b5de0607c64d1ceb66fcac4dce\
6810a6f176feba3fbbf2489de93c0918397c0c275996eb476b2fa6079ab849c1

is included by default. The spec file for Katello includes commands to generate a new key:

NEWKEY=$(</dev/urandom tr -dc A-Za-z0-9 | head -c128)
sed -i "s/^Src::Application.config.secret_token = '.*'/Src::Application.config.secret_token = '$NEWKEY'/" \
    /usr/share/katello/config/initializers/secret_token.rb

However, this was erroneously placed in the "postuninstall" section (which is
run when removing Katello from the system). Thus a new secret token is not
created, and all affected Katello installations have the same secret token
value.

https://access.redhat.com/security/cve/CVE-2012-3503
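The report above says the key-generation step existed but ran at the wrong time, so every installation kept the shipped static token. The script below is an added example, not Katello's spec or code: it shows the same regeneration as a function that belongs in an install-time (%post) step, plus a check a defender can run against an installed secret_token.rb to see whether it still carries the published default. It works on a constructed temporary copy of the file rather than the real /usr/share/katello path; the function names and the temp-file handling are assumptions.

```shell
#!/bin/sh
# Added example (not Katello's spec or code): regenerate the Rails
# secret_token the way an install-time %post step should, and detect an
# installation that still carries the shipped static default.
set -eu

# The static value the bug report says is shipped by default (from the report).
DEFAULT_TOKEN='f466b184ef680822293d7130f57593a7087a34b5de0607c64d1ceb66fcac4dce6810a6f176feba3fbbf2489de93c0918397c0c275996eb476b2fa6079ab849c1'

# Print a fresh 128-character alphanumeric token drawn from the kernel CSPRNG.
# LC_ALL=C keeps tr byte-oriented so non-UTF-8 input from urandom is harmless.
new_secret_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 128
}

# Print the token currently configured in a secret_token.rb-style file.
current_token() {
    sed -n "s/^Src::Application.config.secret_token = '\(.*\)'.*/\1/p" "$1"
}

# Succeed (exit 0) if the file still carries the shipped static token,
# i.e. the installation shares its cookie-signing secret with every other one.
token_is_default() {
    [ "$(current_token "$1")" = "$DEFAULT_TOKEN" ]
}

# Replace the token in place. Written with a temp file instead of `sed -i`
# so it behaves the same on GNU and BSD sed; the generated key is purely
# alphanumeric, so it is safe to splice into the sed replacement.
rotate_secret_token() {
    file=$1
    newkey=$(new_secret_token)
    sed "s/^Src::Application.config.secret_token = '.*'/Src::Application.config.secret_token = '$newkey'/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample standing in for
# /usr/share/katello/config/initializers/secret_token.rb as shipped.
SAMPLE=$(mktemp)
printf "Src::Application.config.secret_token = '%s'\n" "$DEFAULT_TOKEN" > "$SAMPLE"

# Install-time behaviour: detect the default and rotate it. The token itself is
# never printed, only the outcome.
if token_is_default "$SAMPLE"; then
    echo "secret_token.rb carries the shipped default token; rotating"
    rotate_secret_token "$SAMPLE"
fi
if token_is_default "$SAMPLE"; then
    echo "rotation failed: token is still the shipped default"
else
    echo "secret_token.rb now has a per-installation token"
fi
```

Pointing `token_is_default` at the real initializer path gives a one-line audit for the condition the report describes; running `rotate_secret_token` against it invalidates existing signed session cookies, which is the intended effect of replacing a shared secret.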
Comment 2 Lukas Zapletal 2012-08-22 07:48:23 EDT
https://github.com/Katello/katello/pull/499
