[Pulp-list] Pulp 2.8.5 Released with Security and bug fixes!
Sean Myers
sean.myers at redhat.com
Mon Jun 27 15:57:09 UTC 2016
Pulp 2.8.5 is now available in the stable repositories:
https://repos.fedorapeople.org/repos/pulp/pulp/stable/2.8/
This release addresses two identified Pulp platform security flaws,
and also includes bugfixes for the Pulp platform and all supported plugins.
Upgrading
=========
User action is required to address the CVEs associated with this upgrade!
Included in the list of bugs fixed in 2.8.4 are two CVEs:
CVE-2016-3696: Leakage of CA key in pulp-qpid-ssl-cfg
CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
Upgrade instructions
--------------------
The CVEs require user interaction to remedy if you have been using qpid, and if
you used pulp-qpid-ssl-cfg to generate the TLS keys. Rabbit users and users who
generated their own keys for qpidd are not affected by these CVEs.
Begin by upgrading to Pulp 2.8.4 and running migrations:
    $ sudo systemctl stop qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
    $ sudo yum upgrade
    $ sudo -u apache pulp-manage-db
Note: You don't need to restart goferd if goferd isn't installed.
Any qpidd CA, server and client certificate and key pairs that were generated with
pulp-qpid-ssl-cfg are unsafe and should be replaced. After upgrading to 2.8.4
(as we did above), you can use the script to replace the certificates and keys:
    $ sudo pulp-qpid-ssl-cfg
Now we are ready to start the services again:
    $ sudo systemctl start qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
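As an added example (not code from this release or from the pulp-qpid-ssl-cfg script itself), the bash functions below show why the two CVEs matter when deciding whether to rotate: a password built from bash $RANDOM draws at most 15 bits per draw (CVE-2016-3704), a CSPRNG-backed replacement reads /dev/urandom instead, and a CA key file that is readable by anyone but its owner is the condition to look for when checking a leaked key (CVE-2016-3696). The use of /dev/urandom and GNU stat -c are assumptions about a Linux host; the functions are illustrative and do not touch the NSS database.

```bash
#!/usr/bin/env bash
# Added example, not Pulp project code. Assumes GNU coreutils (stat -c,
# head -c) and a kernel CSPRNG at /dev/urandom.
set -euo pipefail

# Weak: bash $RANDOM is a 15-bit value (0..32767). A password made from it
# can be brute-forced offline in seconds.
weak_password() {
    printf '%s' "$RANDOM"
}

# Upper bound on entropy (in bits) of a password built from N $RANDOM draws.
weak_password_max_bits() {
    local draws="$1"
    echo $(( draws * 15 ))
}

# Stronger: take bytes straight from the kernel CSPRNG and base64 them.
# 32 bytes gives 256 bits of entropy; the output is 44 characters long.
strong_password() {
    local nbytes="${1:-32}"
    head -c "$nbytes" /dev/urandom | base64 | tr -d '\n'
}

# Returns 0 if the file is readable only by its owner (group and other bits
# are all zero, e.g. 0600 or 0400), 1 otherwise. This is the check to run
# against a CA key: anything looser means the key was exposed to local users.
key_is_private() {
    local mode
    mode=$(stat -c '%a' "$1")
    # Compare the last two octal digits (group, other) against 00.
    [ "${mode: -2}" = "00" ]
}

# Stand-alone demonstration.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "weak:   $(weak_password) (at most $(weak_password_max_bits 1) bits)"
    echo "strong: $(strong_password 32)"
    tmp=$(mktemp); chmod 0644 "$tmp"
    if key_is_private "$tmp"; then echo "key is private"; else echo "key is exposed"; fi
    rm -f "$tmp"
fi
```

If key_is_private fails for the CA key produced by an old pulp-qpid-ssl-cfg run, the key must be treated as disclosed, which is why the rotation step above regenerates the CA, broker and client material rather than just tightening permissions.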
Issues Addressed
================
Crane
1958 uninstall causes POSTUN script failure
Docker Support
1994 Docker v1 links missed by 0002 (storage path) migration.
1909 Repository syncs fail
1831 sync of non-existing repo does not report an error
1646 It is theoretically possible for a v2 sync to enter an infinite recursion loop
1644 Users cannot download Blobs in parallel
Nectar
1820 Fix checking for config.proxy_username
1372 Nectar logging is vague when a certificate is untrusted.
OSTree Support
1934 OSTree syncs are broken
Pulp
1937 Syncing a puppet module with the same content as a different repo results in no content
1923 POST /pulp/api/v2/content/actions/delete_orphans/ is broken
1890 pulp-qpid-ssl-cfg echoes the NSS DB password
1858 CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
1854 CVE-2016-3696 Leakage of CA key in pulp-qpid-ssl-cfg
1712 Our packages that depend on pulp-selinux do not Require: that package in our spec file
1113 If an instance of pulp_celerybeat dies unexpectedly, Pulp incorrectly tries to "cancel all tasks in its queue"
Puppet Support
1950 module upload fails with IOError: [Errno 2] No such file or directory
1880 PLP0000: Update failed (The dotted field 'thomasmckay-rsync-0.4.1-thomasmckay'
1879 Incorrect name when syncing puppet module from the filesystem
Python Support
1973 Repo symlinks are not removed after repository delete
RPM Support
2007 Errata install API should expect 'id' as part of unit key
1979 metadata unit copy action creates incorrect unit count on repo
1972 migration 28 misses distribution symlinks
1955 Need a migration to ensure that Distribution units have a default value of '' for variant.
1954 The distribution storage path migration fails when variant is not in the document.
1944 YumMetadataFile copy does not save its new storage_path
1910 Errata update fails when id of the repo is added to the existing collection
1901 Fix error handling during the erratum update
1897 catalog entries not created for pre-existing units
1895 Recursive RPM unit copies are not recursive
1775 Content removed from a repository never returns
1462 Errata Install to Content Host takes too long and doesn't scale well
1288 warning log level for "Overwriting existing metadata file" is misleading
858 As a user, I would like to receive updated errata metadata
View this list in redmine: http://bit.ly/267OC6f