Headline
CVE-2016-3107: Issue #1833: Node certificate containing private key stored in world-readable file - Pulp
It was found that the private key for the node certificate was contained in a world-readable file. A local user could possibly use this flaw to gain access to the private key information in the file.
closed
CVE-2016-3107: Node certificate containing private key stored in world-readable file
Status:
CLOSED - CURRENTRELEASE
Description
The Node certificate is installed world-readable:
$ ls -lah /etc/pki/pulp/nodes/
total 4.0K
drwxr-xr-x. 2 root root 21 Apr 8 16:37 .
drwxr-xr-x. 4 root root 90 Apr 8 16:37 ..
-rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt
The fix adjusts the generation script to limit the permissions to 0640, and to adjust the group ownership to the apache group. It also uses the -Z flag on the mv command to ensure the correct SELinux context is used on the installed file.
Credit also goes to Jeremy Cline (Red Hat) for independently discovering and reporting this issue.
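A defensive check for the condition described above, as an added example that is not part of the Pulp issue or its fix: it lists files that are readable by others and contain a PEM private-key block, then applies the 0640 mode and group ownership the fix describes. The function names, the `PRIVATE KEY-----` marker match and the constructed sample files are assumptions; the demo uses the caller's own group where the fix uses apache.

```shell
#!/bin/sh
# Added audit example; not Pulp's certificate generation script.

# Print files under directory $1 that are readable by "other" and
# contain a PEM private-key block.
find_exposed_keys() {
    # -perm -004 matches any mode with the other-read bit set
    # (0644 matches, 0640 does not). grep exits 1 when nothing
    # matches, which is not an error for this audit.
    find "$1" -type f -perm -004 \
        -exec grep -l -e 'PRIVATE KEY-----' {} + || true
}

# Apply the permissions the fix describes: group $2, mode 0640.
restrict_key_file() {
    chgrp "$2" "$1" && chmod 0640 "$1"
}

# Build a scratch directory with constructed files (no real key material).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$d/node.crt"
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    chmod 0644 "$d/node.crt" "$d/ca.crt"
    echo "$d"
}

# Demo: node.crt is reported while 0644, and not after it is restricted.
# ca.crt stays 0644 and is never reported because it holds no key.
sample=$(make_sample_dir)
find_exposed_keys "$sample"
# The real fix uses the apache group; the caller's own GID stands in here.
restrict_key_file "$sample/node.crt" "$(id -g)"
find_exposed_keys "$sample"
rm -rf "$sample"
```

On a Pulp host the directory to audit would be `/etc/pki/pulp/nodes/` from the listing above.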
Subject changed from reserved to CVE-2016-3107: Node certificate containing private key stored in world-readable file
Description updated (diff)
Status changed from NEW to POST
Assignee set to rbarlow
Private changed from Yes to No
Triaged changed from No to Yes
Description updated (diff)
Platform Release set to 2.8.3
Status changed from POST to MODIFIED
% Done changed from 0 to 100
Status changed from MODIFIED to 5
Status changed from 5 to CLOSED - CURRENTRELEASE
Tags Pulp 2 added