[Pulp-list] Pulp 2.8.3 Beta 1 released - Security & Bug fixes

Sean Myers sean.myers at redhat.com
Mon Apr 25 08:39:55 UTC 2016


Pulp, along with the Puppet (pulp_puppet) and RPM (pulp_rpm) plugins,
has been updated to 2.8.3. This release also includes betas for the OSTree
plugin (pulp_ostree) version 1.1.1 and the Docker plugin (pulp_docker)
version 2.0.1.

The following Security issues were addressed in this release:

CVE-2016-3111 (Low Impact):
pulp.spec generates its RSA keys for message signing insecurely
https://pulp.plan.io/issues/1837

CVE-2016-3112 (Moderate Impact):
Pulp consumer private keys are world-readable
https://pulp.plan.io/issues/1834

CVE-2016-3107 (Moderate Impact):
Node certificate containing private key stored in world-readable file
https://pulp.plan.io/issues/1833

CVE-2016-3108 (Moderate Impact):
Insecure temporary file used when generating certificate for Pulp Nodes
https://pulp.plan.io/issues/1830

CVE-2016-3106 (Low Impact):
Insecure creation of temporary directory when generating new CA key
https://pulp.plan.io/issues/1827
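Four of the five issues above are the same class of problem: a private key or
certificate ending up readable by other local users, either because it was written
with a loose mode or because it was staged in an insecurely created temporary
location. The script below is an added example (not Pulp's own code, and not the
patch from this release) showing the check an administrator can run against a
directory of keys and the two creation patterns that avoid the problem: opening the
key file with mode 0600 from the first write, and using `tempfile.mkdtemp`, which
creates the directory atomically with mode 0700. The directory and file names are
constructed for the demonstration; the announcement does not state the real Pulp key
paths.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def find_exposed_keys(directory, suffixes=(".key", ".pem", ".crt")):
    """Return (path, mode) for key/cert files under `directory` that are
    readable, writable or executable by group or others."""
    findings = []
    for path in Path(directory).rglob("*"):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((str(path), oct(mode)))
    return sorted(findings)


def write_private_key(path, pem_bytes):
    """Create the key file with mode 0600 before any data is written, so there
    is no window in which a default-mode (e.g. 0644) file holds the key.
    O_EXCL refuses to follow a pre-existing file or symlink at that path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem_bytes)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_work_dir(prefix="ca-work-"):
    """Create a scratch directory for key generation. mkdtemp picks an
    unpredictable name and creates it with mode 0700, unlike building a path
    by hand and calling mkdir after the fact."""
    d = tempfile.mkdtemp(prefix=prefix)
    return d, stat.S_IMODE(os.stat(d).st_mode)


def demo():
    """Constructed sample: one key left world-readable, one created correctly.
    Returns the basenames the audit flags."""
    base = tempfile.mkdtemp(prefix="demo-")
    try:
        bad = os.path.join(base, "consumer.key")  # hypothetical name
        with open(bad, "wb") as f:
            f.write(b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n")
        os.chmod(bad, 0o644)  # the defect: readable by everyone on the host

        good = os.path.join(base, "node.key")  # hypothetical name
        write_private_key(good, b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n")

        return [os.path.basename(p) for p, _ in find_exposed_keys(base)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Running `find_exposed_keys` over the directories that hold consumer and node keys
on an upgraded host is a quick way to confirm that files created by the earlier
versions were actually tightened up, since a code fix only governs keys generated
after the upgrade; anything it reports can be corrected with `chmod 0600`.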

Details on addressing these vulnerabilities will be released in a
followup email later today, and included in subsequent release
announcements for 2.8.3 (apologies for not being able to include
them in this post).

Bugs fixed in this release:

  OSTree Support
    1106  relative_path should be checked for url collision
  Pulp
    1837  CVE-2016-3111: pulp.spec generates its RSA keys for message signing insecurely
    1834  CVE-2016-3112: Pulp consumer private keys are world-readable
    1833  CVE-2016-3107: Node certificate containing private key stored in world-readable file
    1830  CVE-2016-3108: Insecure temporary file used when generating certificate for Pulp Nodes
    1827  CVE-2016-3106: Insecure creation of temporary directory when generating new CA key
    1824  iso repo publish fails for file in subdirectories
    1809  python 2.6 incompatibility during set_importer
    1802  Pulp 2.8 client no longer supports sha1 RPM checksum type
    1801  Pulp celery_beat and resource_manager are running, but logs say they are not running
    1794  A Pulp unit test is failing to find a certificate to be valid
    1791  After upgrading from 2.7.1 to pulp 2.8.0 getting 403 error's on all my Pulp repo's.
    1784  regression: "pulp-admin rpm repo search" with filters does not work as expected
    1771  requests or urllib3 can't read a file which causes Nectar to fail mysteriously
    1764  SELinux denial on Celery attempting to read resolv.conf
    1601  Migrate /var/lib/pulp/content to new 2.8 storage paths.
    1576  content type mongo id searches not working
  Puppet Support
    1780  PLP0000: Update failed (The dotted field 'thomasmckay-rsync-0.4.1-thomasmckay'
  Python Support
    1855  Upload broken
  RPM Support
    1856  publishing kickstart repo fails on EL6
    1843  Pulp publishes invalid PULP_DISTRIBUTION.xml metadata
    1835  export fails when units are not downloaded
    1828  pulp doesn't sync reference title correctly from errata
    1813  Handle duplicate key error in comps.xml upload
    1812  Comps.xml upload succeeds but units are not associated to the repo.
    1808  exporting a sufficiently large repo with 'on_demand' policy results in BSON error
    1792  recursive and depsolving unit copy results in PulpExecutionException
    1782  <reboot_suggested>None</reboot_suggested> in generated XML for unit with no 'reboot_suggested'
    1778  Switching a repository to immediate from on_demand doesn't download its packages
    1768  Unable to sync RHEL 5 repositories with a distribution

View the full issue list in redmine here:
http://bit.ly/1Tsld0E
