2.8.4 is a security and bugfix release. Beta 1 has been pushed to the 2.8 repositories:
https://repos.fedorapeople.org/repos/pulp/pulp/beta/2.8/

User action is required to address the CVEs associated with this upgrade! Read the upgrade instructions below.

This release includes bug fixes to the Pulp platform, as well as its RPM, Puppet, and Docker plugins.

Security Issues Addressed
=========================

Included in the list of :fixedbugs:`2.8.4` are two CVEs:

* `CVE-2016-3696 <https://pulp.plan.io/issues/1854>`_: Leakage of CA key in pulp-qpid-ssl-cfg
* `CVE-2016-3704 <https://pulp.plan.io/issues/1858>`_: Unsafe use of bash $RANDOM for NSS DB password and seed

Upgrade instructions
--------------------

The CVEs require user interaction to remedy if you have been using qpid, and if you used ``pulp-qpid-ssl-cfg`` to generate the TLS keys. Rabbit users and users who generated their own keys for qpidd are not affected by these CVEs.

Begin by upgrading to Pulp 2.8.4 and running migrations::

    $ sudo systemctl stop qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
    $ sudo yum upgrade
    $ sudo -u apache pulp-manage-db

Any qpidd CA, server and client certificate and key pairs that were generated with ``pulp-qpid-ssl-cfg`` are unsafe and should be replaced. After upgrading to 2.8.4 (as we did above), you can use the script to replace the certificates and keys::

    $ sudo pulp-qpid-ssl-cfg

Now we are ready to start the services again::

    $ sudo systemctl start qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd

Issues Addressed
================

Docker Support
--------------

* 1909 Repository syncs fail
* 1831 sync of non-existing repo does not report an error
* 1646 It is theoretically possible for a v2 sync to enter an infinite recursion loop
* 1644 Users cannot download Blobs in parallel

Nectar
------

* 1820 Fix checking for config.proxy_username

Pulp
----

* 1929 The 0023_importer_tls_storage.py migration assumes that Importers always have configs when they do not
* 1858 CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
* 1854 CVE-2016-3696 Leakage of CA key in pulp-qpid-ssl-cfg

Puppet Support
--------------

* 1880 PLP0000: Update failed (The dotted field 'thomasmckay-rsync-0.4.1-thomasmckay'
* 1879 Incorrect name when syncing puppet module from the filesystem

RPM Support
-----------

* 1910 Errata update fails when id of the repo is added to the existing collection
* 1895 Recursive RPM unit copies are not recursive
* 1775 Content removed from a repository never returns
* 1462 Errata Install to Content Host takes too long and doesn't scale well
* 858 As a user, I would like to receive updated errata metadata

You can view these results in Redmine here: http://bit.ly/1OPWob4

Notable Dependency Updates
==========================

The nectar dependency has been upgraded to include a fix listed above, #1820. This fix was erroneously listed in the Pulp 2.8.3 Release Notes, and is actually included with the 2.8.4 release.
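The following script is an added illustration of the weakness behind CVE-2016-3704 and is not code from Pulp or from ``pulp-qpid-ssl-cfg``. It contrasts a password assembled from bash's ``$RANDOM`` (15 bits per expansion, seeded from a small state) with one drawn from ``/dev/urandom``, and includes a minimal check a deployment script could run before writing a password into an NSS database. All function names are this example's own.

```shell
#!/bin/bash
# Added example, not Pulp's code: why a bash $RANDOM password is weak, and
# how to draw a key-store password from the kernel CSPRNG instead.

# Weak pattern: each $RANDOM expansion is a 15-bit value (0..32767), so N
# concatenated expansions carry at most 15*N bits, and the generator's seed
# is small enough that the whole sequence can be recovered from its output.
# ($RANDOM is bash-specific; under a POSIX sh it expands to nothing.)
weak_password() {
    n=${1:-4}
    out=""
    i=0
    while [ "$i" -lt "$n" ]; do
        out="$out$RANDOM"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Upper bound on entropy, in bits, for N concatenated $RANDOM values.
weak_entropy_bits() {
    echo $(( ${1:-4} * 15 ))
}

# Strong pattern: N bytes from /dev/urandom, hex-encoded. Each byte carries
# 8 bits, so 16 bytes give a 128-bit password.
strong_password() {
    n=${1:-16}
    head -c "$n" /dev/urandom | od -An -tx1 | tr -d ' \n'
    echo
}

# Entropy, in bits, for N bytes read from /dev/urandom.
strong_entropy_bits() {
    echo $(( ${1:-16} * 8 ))
}

# Sanity check before the password is written into a key store: lowercase
# hex only, and at least 32 hex characters (128 bits). Returns 0 if it passes.
password_looks_strong() {
    pw=$1
    [ "${#pw}" -ge 32 ] || return 1
    case $pw in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Show the two side by side when run directly.
printf 'weak   (4 x $RANDOM, <= %s bits): %s\n' "$(weak_entropy_bits 4)" "$(weak_password 4)"
printf 'strong (16 urandom bytes, %s bits): %s\n' "$(strong_entropy_bits 16)" "$(strong_password 16)"
```

The ``password_looks_strong`` check rejects the ``$RANDOM``-built value on length alone, which is the practical signal an operator has when auditing an existing key store whose password was produced by a script like the one this advisory replaces.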
