[Pulp-list] Pulp 2.8.5 Beta Released with Security and bug fixes
Sean Myers
sean.myers at redhat.com
Fri Jun 17 17:02:20 UTC 2016
Pulp 2.8.5 Beta 1 is now available in the beta repositories:
https://repos.fedorapeople.org/repos/pulp/pulp/beta/2.8/
This release addresses two identified Pulp platform security flaws,
and also includes bugfixes for the Pulp platform and all supported plugins.
Upgrading
=========
User action is required to address the CVEs associated with this upgrade!
Included in the list of bugs fixed in 2.8.4 are two CVEs:
CVE-2016-3696: Leakage of CA key in pulp-qpid-ssl-cfg
CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
Upgrade instructions
--------------------
The CVEs require action on your part only if you have been using qpid and used
pulp-qpid-ssl-cfg to generate the TLS keys. RabbitMQ users, and users who
generated their own keys for qpidd, are not affected by these CVEs.
Begin by upgrading to Pulp 2.8.4 and running migrations:
> $ sudo systemctl stop qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
> $ sudo yum upgrade
> $ sudo -u apache pulp-manage-db
Note: Omit goferd from the stop and start commands if goferd isn't installed.
Any qpidd CA, server and client certificate and key pairs that were generated with
pulp-qpid-ssl-cfg are unsafe and should be replaced. After upgrading to 2.8.4
(as we did above), you can use the script to replace the certificates and keys:
> $ sudo pulp-qpid-ssl-cfg
Now we are ready to start the services again:
> $ sudo systemctl start qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
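The shell snippet below is an added illustration written for this page; it is not code from pulp-qpid-ssl-cfg or any other Pulp component. It shows the two flaw classes behind the CVEs above in working form: how small the search space of a password built from bash $RANDOM draws actually is (each draw is a 15-bit value, so the length of the resulting decimal string overstates its strength), a CSPRNG-backed replacement, and a post-regeneration check that none of the newly written qpidd key files are readable beyond their owner. The key directory is site-specific and is passed in by the caller rather than assumed; the PEM contents used when exercising the check are constructed.

```shell
#!/bin/sh
# Added illustration for the two CVE classes above; this is not code from
# pulp-qpid-ssl-cfg or any other Pulp component.

# --- CVE-2016-3704 class: bash $RANDOM as a password source ---------------

# Search space of a password built from N draws of bash's $RANDOM. Each draw
# is a 15-bit value (0..32767), so N draws give at most 32768^N candidates,
# no matter how many characters the concatenated decimal string contains.
weak_keyspace() {
    n=$1
    total=1
    while [ "$n" -gt 0 ]; do
        total=$((total * 32768))
        n=$((n - 1))
    done
    echo "$total"
}

# The weak pattern, shown only for contrast: concatenating $RANDOM draws.
# (Under a non-bash /bin/sh, $RANDOM is unset and this prints nothing.)
weak_password() {
    n=$1
    pw=""
    while [ "$n" -gt 0 ]; do
        pw="$pw$RANDOM"
        n=$((n - 1))
    done
    echo "$pw"
}

# The replacement: 24 bytes from the kernel CSPRNG (192 bits), base64-encoded
# to 32 printable characters with the trailing newline stripped.
strong_password() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# --- CVE-2016-3696 class: private key material readable by others ----------

# Print every *.key / *.pem file under DIR that contains a PEM private key and
# is readable by its group (mode bit 040) or by others (mode bit 004). Point it
# at the directory holding your regenerated qpidd CA, server and client keys
# (site-specific; not assumed here). An empty result is the expected outcome.
audit_key_perms() {
    dir=$1
    find "$dir" -type f \( -name '*.key' -o -name '*.pem' \) \
        \( -perm -040 -o -perm -004 \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}
```

Run `audit_key_perms` against the directory that holds your regenerated qpidd CA, server and client keys after the pulp-qpid-ssl-cfg step and before starting qpidd again; any path it prints is a private key whose mode still grants read access to the group or to everyone and should be tightened. `weak_keyspace 2` evaluates to 1073741824, i.e. about 2^30 candidates for a ten-digit-looking password, which is why `strong_password` draws from /dev/urandom instead.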
Issues Addressed
================
Crane
1958 uninstall causes POSTUN script failure
Docker Support
1994 Docker v1 links missed by 0002 (storage path) migration.
1831 sync of non-existing repo does not report an error
1644 Users cannot download Blobs in parallel
1646 It is theoretically possible for a v2 sync to enter an infinite recursion loop
1909 Repository syncs fail
Nectar
1372 Nectar logging is vague when a certificate is untrusted.
1820 Fix checking for config.proxy_username
OSTree Support
1934 OSTree syncs are broken
Pulp
1923 POST /pulp/api/v2/content/actions/delete_orphans/ is broken
1854 CVE-2016-3696 Leakage of CA key in pulp-qpid-ssl-cfg
1712 Our packages that depend on pulp-selinux do not Require: that package in our spec file
1858 CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
1890 pulp-qpid-ssl-cfg echoes the NSS DB password
1937 Syncing a puppet module with the same content as a different repo results in no content
1113 If an instance of pulp_celerybeat dies unexpectedly, Pulp incorrectly tries to "cancel all tasks in its queue"
Puppet Support
1950 module upload fails with IOError: [Errno 2] No such file or directory
1879 Incorrect name when syncing puppet module from the filesystem
1880 PLP0000: Update failed (The dotted field 'thomasmckay-rsync-0.4.1-thomasmckay'
Python Support
1973 Repo symlinks are not removed after repository delete
RPM Support
1944 YumMetadataFile copy does not save its new storage_path
1954 The distribution storage path migration fails when variant is not in the document.
2007 Errata install API should expect 'id' as part of unit key
1895 Recursive RPM unit copies are not recursive
1897 catalog entries not created for pre-existing units
858 As a user, I would like to receive updated errata metadata
1462 Errata Install to Content Host takes too long and doesn't scale well
1955 Need a migration to ensure that Distribution units have a default value of '' for variant.
1972 migration 28 misses distribution symlinks
1775 Content removed from a repository never returns
1979 metadata unit copy action creates incorrect unit count on repo
1901 Fix error handling during the erratum update
1910 Errata update fails when id of the repo is added to the existing collection
1288 warning log level for "Overwriting existing metadata file" is misleading
1783 figure out how we want to test collections and package lists in errata advisories