Pulp 2.8.5 Beta 1 is now available in the beta repositories: https://repos.fedorapeople.org/repos/pulp/pulp/beta/2.8/
This release addresses two identified Pulp platform security flaws, and also includes bugfixes for the Pulp platform and all supported plugins.

Upgrading
=========

User action is required to address the CVEs associated with this upgrade!

Included in the list of :fixedbugs:`2.8.4` are two CVEs:

* CVE-2016-3696: Leakage of CA key in pulp-qpid-ssl-cfg
* CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed

Upgrade instructions
--------------------

The CVEs require user interaction to remedy if you have been using qpid, and if you used pulp-qpid-ssl-cfg to generate the TLS keys. Rabbit users and users who generated their own keys for qpidd are not affected by these CVEs.

Begin by upgrading to Pulp 2.8.4 and running migrations:

    $ sudo systemctl stop qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
    $ sudo yum upgrade
    $ sudo -u apache pulp-manage-db

Note: You don't need to restart goferd if goferd isn't installed.

Any qpidd CA, server and client certificate and key pairs that were generated with pulp-qpid-ssl-cfg are unsafe and should be replaced. After upgrading to 2.8.4 (as we did above), you can use the script to replace the certificates and keys:

    $ sudo pulp-qpid-ssl-cfg

Now we are ready to start the services again:

    $ sudo systemctl start qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd

Issues Addressed
================

Crane
    1958 uninstall causes POSTUN script failure

Docker Support
    1994 Docker v1 links missed by 0002 (storage path) migration.
    1831 sync of non-existing repo does not report an error
    1644 Users cannot download Blobs in parallel
    1646 It is theoretically possible for a v2 sync to enter an infinite recursion loop
    1909 Repository syncs fail

Nectar
    1372 Nectar logging is vague when a certificate is untrusted.
    1820 Fix checking for config.proxy_username

OSTree Support
    1934 OSTree syncs are broken

Pulp
    1923 POST /pulp/api/v2/content/actions/delete_orphans/ is broken
    1854 CVE-2016-3696 Leakage of CA key in pulp-qpid-ssl-cfg
    1712 Our packages that depend on pulp-selinux do not Require: that package in our spec file
    1858 CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
    1890 pulp-qpid-ssl-cfg echoes the NSS DB password
    1937 Syncing a puppet module with the same content as a different repo results in no content
    1113 If an instance of pulp_celerybeat dies unexpectedly, Pulp incorrectly tries to "cancel all tasks in its queue"

Puppet Support
    1950 module upload fails with IOError: [Errno 2] No such file or directory
    1879 Incorrect name when syncing puppet module from the filesystem
    1880 PLP0000: Update failed (The dotted field 'thomasmckay-rsync-0.4.1-thomasmckay'

Python Support
    1973 Repo symlinks are not removed after repository delete

RPM Support
    1944 YumMetadataFile copy does not save its new storage_path
    1954 The distribution storage path migration fails when variant is not in the document.
    2007 Errata install API should expect 'id' as part of unit key
    1895 Recursive RPM unit copies are not recursive
    1897 catalog entries not created for pre-existing units
    858 As a user, I would like to receive updated errata metadata
    1462 Errata Install to Content Host takes too long and doesn't scale well
    1955 Need a migration to ensure that Distribution units have a default value of '' for variant.
    1972 migration 28 misses distribution symlinks
    1775 Content removed from a repository never returns
    1979 metadata unit copy action creates incorrect unit count on repo
    1901 Fix error handling during the erratum update
    1910 Errata update fails when id of the repo is added to the existing collection
    1288 warning log level for "Overwriting existing metadata file" is misleading
    1783 figure out how we want to test collections and package lists in errata advisories
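
For CVE-2016-3704 and issue 1890 listed above, an added example (not code from pulp-qpid-ssl-cfg or the Pulp project): a heuristic audit of a shell script for `$RANDOM` use, plus secret generation from `/dev/urandom` stored in a mode-0600 file without echoing it. The function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example; not taken from pulp-qpid-ssl-cfg. Names are hypothetical.

# Print "lineno:text" for each non-comment line that expands $RANDOM or
# ${RANDOM...}. Heuristic: it does not parse shell quoting. Bash's $RANDOM
# is an integer in 0..32767 from a non-cryptographic generator.
find_random_use() {
    grep -nE '\$(RANDOM([^A-Za-z0-9_]|$)|\{RANDOM[^A-Za-z0-9_])' "$1" |
        grep -vE '^[0-9]+:[[:space:]]*#'
}

# Print NBYTES (default 32) bytes from the kernel CSPRNG as lowercase hex.
gen_secret() {
    od -An -v -tx1 -N "${1:-32}" /dev/urandom | tr -d ' \n'
}

# Store a fresh 256-bit secret in FILE with mode 0600. Nothing is echoed to
# the terminal; consumers read the file instead of taking an argument.
write_secret_file() {
    ( umask 077 && rm -f "$1" && gen_secret 32 > "$1" )
}

# Constructed sample input: a script fragment with the unsafe pattern.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
# constructed sample; a $RANDOM mention in a comment is not reported
DB_PASSWORD=$RANDOM
SEED=${RANDOM}
RANDOMIZE=1; echo "$RANDOMIZE"
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/sample.sh"
    echo "lines expanding \$RANDOM:"
    find_random_use "$dir/sample.sh"
    write_secret_file "$dir/nss_password"
    ls -l "$dir/nss_password"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the two flagged lines of the sample and the permissions of the generated secret file.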