[Pulp-list] Pulp 2.8.4 Beta Released - Security and Bug fixes

Sean Myers sean.myers at redhat.com
Thu May 26 20:05:23 UTC 2016

2.8.4 is a security and bugfix release. Beta 1 has been pushed to the 2.8 repositories:


User action is required to address the CVEs associated with this upgrade!
Read the upgrade instructions below.

This release includes bug fixes to the Pulp platform, as well as its
RPM, Puppet, and Docker plugins.

Security Issues Addressed

Included in the list of :fixedbugs:`2.8.4` are two CVEs:

    * `CVE-2016-3696 <https://pulp.plan.io/issues/1854>`_: Leakage of CA key in pulp-qpid-ssl-cfg
    * `CVE-2016-3704 <https://pulp.plan.io/issues/1858>`_: Unsafe use of bash $RANDOM for NSS DB
      password and seed

Upgrade instructions

The CVEs require user interaction to remedy if you have been using qpid, and if you used
``pulp-qpid-ssl-cfg`` to generate the TLS keys. Rabbit users and users who generated their own keys
for qpidd are not affected by these CVEs. Begin by upgrading to Pulp 2.8.4 and running migrations::

    $ sudo systemctl stop qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
    $ sudo yum upgrade
    $ sudo -u apache pulp-manage-db

Any qpidd CA, server and client certificate and key pairs that were generated with
``pulp-qpid-ssl-cfg`` are unsafe and should be replaced. After upgrading to 2.8.4 (as we did above),
you can use the script to replace the certificates and keys::

    $ sudo pulp-qpid-ssl-cfg

Now we are ready to start the services again::

    $ sudo systemctl start qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd

Issues Addressed

  Docker Support
	1909	Repository syncs fail
	1831	sync of non-existing repo does not report an error
	1646	It is theoretically possible for a v2 sync to enter an infinite recursion loop
	1644	Users cannot download Blobs in parallel
	1820	Fix checking for config.proxy_username
	1929	The 0023_importer_tls_storage.py migration assumes that Importers always have configs when they do not
	1858	CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
	1854	CVE-2016-3696 Leakage of CA key in pulp-qpid-ssl-cfg
  Puppet Support
	1880	PLP0000: Update failed (The dotted field 'thomasmckay-rsync-0.4.1-thomasmckay'
	1879	Incorrect name when syncing puppet module from the filesystem
  RPM Support
	1910	Errata update fails when id of the repo is added to the existing collection
	1895	Recursive RPM unit copies are not recursive
	1775	Content removed from a repository never returns
	1462	Errata Install to Content Host takes too long and doesn't scale well
	858	As a user, I would like to receive updated errata metadata

You can view these results in Redmine here:


Notable Dependency Updates

The nectar dependency has been upgraded to include a fix listed above, #1820.

This fix was erroneously listed in the Pulp 2.8.3 Release Notes, and is actually
included with the 2.8.4 release.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20160526/4e8401ec/attachment.sig>

More information about the Pulp-list mailing list