[Pulp-list] Pulp 2.8.3 Beta 1 released - Security & Bug fixes
Sean Myers
sean.myers at redhat.com
Mon Apr 25 08:39:55 UTC 2016

Pulp, along with the Puppet (pulp_puppet) and RPM (pulp_rpm) plugins,
has been updated to 2.8.3. This release also includes betas for the OSTree
plugin (pulp_ostree) version 1.1.1 and the Docker plugin (pulp_docker)
version 2.0.1.

The following Security issues were addressed in this release:

CVE-2016-3111 (Low Impact):
  pulp.spec generates its RSA keys for message signing insecurely
  https://pulp.plan.io/issues/1837

CVE-2016-3112 (Moderate Impact):
  Pulp consumer private keys are world-readable
  https://pulp.plan.io/issues/1834

CVE-2016-3107 (Moderate Impact):
  Node certificate containing private key stored in world-readable file
  https://pulp.plan.io/issues/1833

CVE-2016-3108 (Moderate Impact):
  Insecure temporary file used when generating certificate for Pulp Nodes
  https://pulp.plan.io/issues/1830

CVE-2016-3106 (Low Impact):
  Insecure creation of temporary directory when generating new CA key
  https://pulp.plan.io/issues/1827

Details on addressing these vulnerabilities will be released in a
followup email later today, and included in subsequent release
announcements for 2.8.3 (apologies for not being able to include
them in this post).

Bugs fixed in this release:

OSTree Support
  1106 relative_path should be checked for url collision

Pulp
  1837 CVE-2016-3111: pulp.spec generates its RSA keys for message signing insecurely
  1834 CVE-2016-3112: Pulp consumer private keys are world-readable
  1833 CVE-2016-3107: Node certificate containing private key stored in world-readable file
  1830 CVE-2016-3108: Insecure temporary file used when generating certificate for Pulp Nodes
  1827 CVE-2016-3106: Insecure creation of temporary directory when generating new CA key
  1824 iso repo publish fails for file in subdirectories
  1809 python 2.6 incompatibility during set_importer
  1802 Pulp 2.8 client no longer supports sha1 RPM checksum type
  1801 Pulp celery_beat and resource_manager are running, but logs say they are not running
  1794 A Pulp unit test is failing to find a certificate to be valid
  1791 After upgrading from 2.7.1 to pulp 2.8.0 getting 403 error's on all my Pulp repo's.
  1784 regression: "pulp-admin rpm repo search" with filters does not work as expected
  1771 requests or urllib3 can't read a file which causes Nectar to fail mysteriously
  1764 SELinux denial on Celery attempting to read resolv.conf
  1601 Migrate /var/lib/pulp/content to new 2.8 storage paths.
  1576 content type mongo id searches not working

Puppet Support
  1780 PLP0000: Update failed (The dotted field 'thomasmckay-rsync-0.4.1-thomasmckay'

Python Support
  1855 Upload broken

RPM Support
  1856 publishing kickstart repo fails on EL6
  1843 Pulp publishes invalid PULP_DISTRIBUTION.xml metadata
  1835 export fails when units are not downloaded
  1828 pulp doesn't sync reference title correctly from errata
  1813 Handle duplicate key error in comps.xml upload
  1812 Comps.xml upload succeeds but units are not associated to the repo.
  1808 exporting a sufficiently large repo with 'on_demand' policy results in BSON error
  1792 recursive and depsolving unit copy results in PulpExecutionException
  1782 <reboot_suggested>None</reboot_suggested> in generated XML for unit with no 'reboot_suggested'
  1778 Switching a repository to immediate from on_demand doesn't download its packages
  1768 Unable to sync RHEL 5 repositories with a distribution

View the full issue list in redmine here:
http://bit.ly/1Tsld0E