[Pulp-list] Pulp 2.8.4 Beta Released - Security and Bug fixes
Sean Myers
sean.myers at redhat.com
Thu May 26 20:05:23 UTC 2016
2.8.4 is a security and bugfix release. Beta 1 has been pushed to the 2.8 repositories:
https://repos.fedorapeople.org/repos/pulp/pulp/beta/2.8/
User action is required to address the CVEs associated with this upgrade!
Read the upgrade instructions below.
This release includes bug fixes to the Pulp platform, as well as its
RPM, Puppet, and Docker plugins.
Security Issues Addressed
=========================
Included in the list of :fixedbugs:`2.8.4` are two CVEs:
* `CVE-2016-3696 <https://pulp.plan.io/issues/1854>`_: Leakage of CA key in pulp-qpid-ssl-cfg
* `CVE-2016-3704 <https://pulp.plan.io/issues/1858>`_: Unsafe use of bash $RANDOM for NSS DB
  password and seed
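To make the second CVE concrete, the script below is an added example (not part of this announcement or of Pulp's own code) that puts the weak pattern next to the fix: a password assembled from bash's ``$RANDOM`` carries at most 15 bits per expansion and is seeded from the PID and clock, while a password drawn from ``/dev/urandom`` is not predictable. The function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not Pulp's code. Contrasts the pattern behind CVE-2016-3704
# (an NSS DB password built from bash's $RANDOM) with a password taken from
# the kernel CSPRNG. Function names are this example's own.

# Weak: each $RANDOM expansion is an integer 0..32767 (15 bits), and bash
# seeds the generator from the PID and time, so the result is guessable.
weak_nss_password() {
    printf '%s' "${RANDOM}${RANDOM}"
}

# Upper bound on the entropy (in bits) of a password made from N expansions.
weak_password_entropy_bits() {
    local expansions="$1"
    echo $((expansions * 15))
}

# Strong: 32 bytes from /dev/urandom, hex-encoded to 64 characters (256 bits).
strong_nss_password() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Defender-side check for an existing password: reject anything shorter than
# 32 characters or made only of digits, which is what the $RANDOM pattern yields.
check_nss_password() {
    local pw="$1"
    [ "${#pw}" -ge 32 ] || return 1
    case "$pw" in
        *[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}
```

``check_nss_password`` is a coarse heuristic for spotting a password produced by the old pattern; the remedy is to regenerate the NSS database with a password from ``strong_nss_password`` (or, for Pulp, to re-run the fixed ``pulp-qpid-ssl-cfg`` as described in the upgrade instructions).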
Upgrade instructions
--------------------
The CVEs require user interaction to remedy if you have been using qpid, and if you used
``pulp-qpid-ssl-cfg`` to generate the TLS keys. Rabbit users and users who generated their own keys
for qpidd are not affected by these CVEs. Begin by upgrading to Pulp 2.8.4 and running migrations::

    $ sudo systemctl stop qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
    $ sudo yum upgrade
    $ sudo -u apache pulp-manage-db

Any qpidd CA, server and client certificate and key pairs that were generated with
``pulp-qpid-ssl-cfg`` are unsafe and should be replaced. After upgrading to 2.8.4 (as we did above),
you can use the script to replace the certificates and keys::

    $ sudo pulp-qpid-ssl-cfg

Now we are ready to start the services again::

    $ sudo systemctl start qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd

Issues Addressed
================
Docker Support
--------------

* 1909 Repository syncs fail
* 1831 sync of non-existing repo does not report an error
* 1646 It is theoretically possible for a v2 sync to enter an infinite recursion loop
* 1644 Users cannot download Blobs in parallel

Nectar
------

* 1820 Fix checking for config.proxy_username

Pulp
----

* 1929 The 0023_importer_tls_storage.py migration assumes that Importers always have configs when they do not
* 1858 CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
* 1854 CVE-2016-3696: Leakage of CA key in pulp-qpid-ssl-cfg

Puppet Support
--------------

* 1880 PLP0000: Update failed (The dotted field 'thomasmckay-rsync-0.4.1-thomasmckay'
* 1879 Incorrect name when syncing puppet module from the filesystem

RPM Support
-----------

* 1910 Errata update fails when id of the repo is added to the existing collection
* 1895 Recursive RPM unit copies are not recursive
* 1775 Content removed from a repository never returns
* 1462 Errata Install to Content Host takes too long and doesn't scale well
* 858 As a user, I would like to receive updated errata metadata
You can view these results in Redmine here:
http://bit.ly/1OPWob4
Notable Dependency Updates
==========================
The nectar dependency has been upgraded to include a fix listed above, #1820.
This fix was erroneously listed in the Pulp 2.8.3 Release Notes, and is actually
included with the 2.8.4 release.