[Pulp-list] Pulp 2.8.5 Beta Released with Security and bug fixes

Sean Myers sean.myers at redhat.com
Fri Jun 17 17:02:20 UTC 2016


Pulp 2.8.5 Beta 1 is now available in the beta repositories:

https://repos.fedorapeople.org/repos/pulp/pulp/beta/2.8/

This release addresses two identified Pulp platform security flaws,
and also includes bugfixes for the Pulp platform and all supported plugins.


Upgrading
=========

User action is required to address the CVEs associated with this upgrade!

Included in the list of bugs fixed in 2.8.4 are two CVEs:

        CVE-2016-3696: Leakage of CA key in pulp-qpid-ssl-cfg
        CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
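The second CVE concerns the source of randomness used for the NSS DB password. The following is an added illustration, not the pulp-qpid-ssl-cfg script itself: it contrasts a bash $RANDOM-derived secret (a 15-bit value, so at most 32768 possibilities however long the string looks) with one read from the kernel CSPRNG, and includes a check that a generated secret meets a minimum length before it is written anywhere. The function names and the 16-byte default are this example's own; it assumes /dev/urandom and the POSIX od/tr tools.

```shell
# Added example (not the pulp-qpid-ssl-cfg script): why bash's $RANDOM is an
# unsafe source for an NSS DB password, and a CSPRNG-backed replacement.
# Assumes /dev/urandom and the POSIX od/tr tools are available.

# $RANDOM yields a 15-bit value (0..32767): any secret derived from it has at
# most 32768 possibilities, regardless of how long the resulting string looks.
weak_secret() {
    printf '%05d' "$RANDOM"
}

# Read raw bytes from the kernel CSPRNG and hex-encode them. 16 bytes gives a
# 128-bit secret; the byte count is a parameter (default 16, this example's choice).
strong_secret() {
    nbytes="${1:-16}"
    od -An -tx1 -N "$nbytes" /dev/urandom | tr -d ' \n'
}

# Sanity-check a generated secret before writing it into a password file:
# nothing but hex digits, and at least 32 of them (128 bits).
secret_is_acceptable() {
    case "$1" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -ge 32 ]
}
```

A password file populated from `strong_secret` should still be created with restrictive permissions (`umask 077` before writing it); the generator only fixes the entropy problem, not the storage one.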


Upgrade instructions
--------------------

The CVEs require user interaction to remedy if you have been using qpid, and if
you used pulp-qpid-ssl-cfg to generate the TLS keys. Rabbit users and users who
generated their own keys for qpidd are not affected by these CVEs.

Begin by upgrading to Pulp 2.8.4 and running migrations:

> $ sudo systemctl stop qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
> $ sudo yum upgrade
> $ sudo -u apache pulp-manage-db

Note: You don't need to restart goferd if goferd isn't installed.

Any qpidd CA, server and client certificate and key pairs that were generated with
pulp-qpid-ssl-cfg are unsafe and should be replaced. After upgrading to 2.8.4
(as we did above), you can use the script to replace the certificates and keys:

> $ sudo pulp-qpid-ssl-cfg

Now we are ready to start the services again:

> $ sudo systemctl start qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
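The steps above, collected into one script as an added example (this is not a Pulp project script). It keeps the order given in the announcement, appends goferd to the service list only when it is installed (the note above), and makes the certificate regeneration step optional for installations whose qpidd keys were not produced by pulp-qpid-ssl-cfg. The DRY_RUN, REGEN_QPID_CERTS and PULP_UPGRADE_RUN variables are this script's own conventions; a real run is expected to be executed as root.

```shell
#!/bin/sh
# Added example: the Pulp 2.8.4 upgrade and qpidd certificate rotation as one
# script. Not part of Pulp; DRY_RUN=1 prints the commands instead of running
# them, REGEN_QPID_CERTS=0 skips pulp-qpid-ssl-cfg, PULP_UPGRADE_RUN=1 runs it.
set -eu

# Core Pulp services; goferd is appended only if it is installed, since the
# announcement notes it need not be restarted when absent.
pulp_services() {
    services="qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat"
    if command -v goferd >/dev/null 2>&1; then
        services="$services goferd"
    fi
    printf '%s' "$services"
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# The ordered steps from the announcement: stop, upgrade, migrate, replace the
# qpidd CA/server/client material, start. $(pulp_services) is word-split on purpose.
upgrade_pulp() {
    run systemctl stop $(pulp_services)
    run yum upgrade
    run sudo -u apache pulp-manage-db
    # Only needed when the existing certificates came from pulp-qpid-ssl-cfg;
    # RabbitMQ users and self-generated qpidd keys are unaffected per the advisory.
    if [ "${REGEN_QPID_CERTS:-1}" = 1 ]; then
        run pulp-qpid-ssl-cfg
    fi
    run systemctl start $(pulp_services)
}

if [ "${PULP_UPGRADE_RUN:-0}" = 1 ]; then
    upgrade_pulp
fi
```

Run it once with `DRY_RUN=1 PULP_UPGRADE_RUN=1 sh upgrade.sh` to review the exact command sequence for the host before running it for real.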


Issues Addressed
================

  Crane
	1958	uninstall causes POSTUN script failure
  Docker Support
	1994	Docker v1 links missed by 0002 (storage path) migration.
	1831	sync of non-existing repo does not report an error
	1644	Users cannot download Blobs in parallel
	1646	It is theoretically possible for a v2 sync to enter an infinite recursion loop
	1909	Repository syncs fail
  Nectar
	1372	Nectar logging is vague when a certificate is untrusted.
	1820	Fix checking for config.proxy_username
  OSTree Support
	1934	OSTree syncs are broken
  Pulp
	1923	POST /pulp/api/v2/content/actions/delete_orphans/ is broken
	1854	CVE-2016-3696 Leakage of CA key in pulp-qpid-ssl-cfg
	1712	Our packages that depend on pulp-selinux do not Require: that package in our spec file
	1858	CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
	1890	pulp-qpid-ssl-cfg echoes the NSS DB password
	1937	Syncing a puppet module with the same content as a different repo results in no content
	1113	If an instance of pulp_celerybeat dies unexpectedly, Pulp incorrectly tries to "cancel all tasks in its queue"
  Puppet Support
	1950	module upload fails with IOError: [Errno 2] No such file or directory
	1879	Incorrect name when syncing puppet module from the filesystem
	1880	PLP0000: Update failed (The dotted field 'thomasmckay-rsync-0.4.1-thomasmckay'
  Python Support
	1973	Repo symlinks are not removed after repository delete
  RPM Support
	1944	YumMetadataFile copy does not save its new storage_path
	1954	The distribution storage path migration fails when variant is not in the document.
	2007	Errata install API should expect 'id' as part of unit key
	1895	Recursive RPM unit copies are not recursive
	1897	catalog entries not created for pre-existing units
	858	As a user, I would like to receive updated errata metadata
	1462	Errata Install to Content Host takes too long and doesn't scale well
	1955	Need a migration to ensure that Distribution units have a default value of '' for variant.
	1972	migration 28 misses distribution symlinks
	1775	Content removed from a repository never returns
	1979	metadata unit copy action creates incorrect unit count on repo
	1901	Fix error handling during the erratum update
	1910	Errata update fails when id of the repo is added to the existing collection
	1288	warning log level for "Overwriting existing metadata file" is misleading
	1783	figure out how we want to test collections and package lists in errata advisories
