Pulp 2.8 Release Notes¶
Pulp 2.8.5¶
Warning
User action is required to address the CVEs associated with this upgrade! Read the upgrade instructions below.
2.8.5 is a security and bugfix release.
Included in the list of bugs fixed in 2.8.5 are two CVEs:
- CVE-2016-3696: Leakage of CA key in pulp-qpid-ssl-cfg
- CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed
Upgrade instructions¶
The CVEs require user interaction to remedy if you have been using qpid, and if you used pulp-qpid-ssl-cfg to generate the TLS keys. Rabbit users and users who generated their own keys for qpidd are not affected by these CVEs. Begin by upgrading to Pulp 2.8.5 and running migrations:
$ sudo systemctl stop qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
$ sudo yum upgrade
$ sudo -u apache pulp-manage-db
Note
You don’t need to restart goferd if goferd isn’t installed.
Any qpidd CA, server and client certificate and key pairs that were generated with pulp-qpid-ssl-cfg are unsafe and should be replaced. After upgrading to 2.8.5 (as we did above), you can use the script to replace the certificates and keys:
$ sudo pulp-qpid-ssl-cfg
Now we are ready to start the services again:
$ sudo systemctl start qpidd httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
Pulp 2.8.4¶
This is a hotfix release to address migration failures introduced in earlier versions of Pulp.
Upgrade instructions¶
If you haven’t already upgraded (or attempted to upgrade) to 2.8.3, you should follow the upgrade instructions below for 2.8.3. If you have already dealt with the security issues in the 2.8.3 upgrade instructions, then the normal upgrade process, with migrations, should be followed:
$ sudo systemctl stop httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
$ sudo yum upgrade
$ sudo -u apache pulp-manage-db
$ sudo systemctl start httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
Bug Fixes¶
See the list of bugs fixed in 2.8.4
Pulp 2.8.3¶
Warning
User action is required to address the CVEs associated with this upgrade! Read the upgrade instructions below.
2.8.3 is a security and bugfix release. This release includes new migrations that need to be run.
Included in the list of bugs fixed in 2.8.3 are a number of CVEs:
- CVE-2016-3106: Insecure creation of temporary directory when generating new CA key
- CVE-2016-3107: Node certificate containing private key stored in world-readable file
- CVE-2016-3108: Insecure temporary file used when generating certificate for Pulp Nodes
- CVE-2016-3111: pulp.spec generates its RSA keys for message signing insecurely
- CVE-2016-3112: Pulp consumer private keys are world-readable
Additionally, CVE-2013-7450 was announced during this release cycle, even though it was fixed in Pulp 2.3.0. Users who have upgraded from Pulp < 2.3.0 may still be vulnerable, action may be required.
Upgrade instructions¶
Some of the CVEs require user interaction to remedy. Begin by upgrading to Pulp 2.8.3, and running migrations:
$ sudo systemctl stop httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
$ sudo yum upgrade
$ sudo -u apache pulp-manage-db
$ sudo systemctl start httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
CVE-2016-3112 (Part I)¶
The client certificate for consumers (/etc/pki/pulp/consumer/consumer-cert.pem) was installed world-readable. This issue has been fixed for new certificates issued to consumers, but upgrading to 2.8.3 does not modify the permissions of old certificates. It is recommended that users regenerate the certificates by unregistering and re-registering all consumers. However, the consumers cannot be re-registered until CVE-2013-7450, CVE-2016-3095, CVE-2016-3106, and CVE-2016-3111 have been addressed below. Thus, start by unregistering each of your consumers (we will return to this CVE later to re-register them):
$ sudo pulp-consumer unregister
CVE-2013-7450, CVE-2016-3095, and CVE-2016-3106¶
There are two reasons that you may wish to regenerate Pulp’s internal certificate authority key and certificate. First, if your Pulp installation started off as a version lower than 2.3.0 and you are still using the default CA certificate and key that was distributed with those versions of Pulp, then you are still vulnerable to CVE-2013-7450 and it is crucial that you generate a new unique CA.
Additionally, CVE-2016-3095 and CVE-2016-3106 made it possible for local attackers to read the CA key during generation (which happens during the initial installation of Pulp or any time an admin ran pulp-gen-ca-certificate). If you are concerned that a local user may have read that CA key during the brief window that it was visible it is recommended that you regenerate the key and cert.
To regenerate the certificate, you should remove the old one and then you may use the provided utility:
# First remove the old files so that the new files get the correct SELinux context.
$ sudo rm /etc/pki/pulp/ca.*
$ sudo pulp-gen-ca-certificate
If you choose not to perform the CA regeneration, you may wish to apply the correct SELinux type to your existing CA files as versions of Pulp < 2.8.3 generated this file with an incorrect SELinux type. You don’t need to do this if you removed the old file and regenerated it with pulp-gen-ca-certificate. You can run restorecon recursively on the /etc/pki/pulp folder to fix the SELinux label on your existing CA certificate:
# You only need to do this if you didn't regenerate the CA above.
$ sudo restorecon -R /etc/pki/pulp
CVE-2016-3107 and CVE-2016-3108¶
For Nodes users, the /etc/pki/pulp/nodes/node.crt file was installed world-readable. Users are recommended to remove this file and regenerate it by running pulp-gen-nodes-certificate:
# It is important to remove the file so that the new file has the correct permissions.
$ sudo rm /etc/pki/pulp/nodes/node.crt
$ sudo pulp-gen-nodes-certificate
CVE-2016-3111¶
Both the RSA key pair for the Pulp server and RSA key pair for each Pulp consumer was generated during installation in an insecure directory. This vulnerability allowed a local attacker to read the private key portion of the key pair. These keys are used for message authentication between the Pulp server and the Pulp consumers. If you are concerned that a local attacker was able to read these keys, you can regenerate them. We do not ship a script to perform this, but the process is straight-forward. For the Pulp server, do the following as root:
$ cd /etc/pki/pulp/
$ rm rsa.key rsa_pub.key
$ umask 077
$ openssl genrsa -out rsa.key <bits> # <bits> should be at least 2048
$ openssl rsa -in rsa.key -pubout > rsa_pub.key
$ chgrp apache rsa.key rsa_pub.key
$ chmod 640 rsa.key # Apache must be able to read the private key
$ chmod 644 rsa_pub.key # The public key is world-readable as it is served via Apache
The Pulp consumer key is similar:
$ cd /etc/pki/pulp/consumer/
$ rm rsa.key rsa_pub.key
$ umask 077
$ openssl genrsa -out rsa.key <bits> # <bits> should be at least 2048
$ openssl rsa -in rsa.key -pubout > rsa_pub.key
CVE-2016-3112 (Part II)¶
Now that we have regenerated the server’s CA certificate, we can finish re-registering each consumer to Pulp:
$ sudo pulp-consumer -u <admin-username> register --consumer-id=<consumer-id>
Restart¶
Pulp services are now ready to be restarted again to pick up the new certificates. For systemd users:
$ sudo systemctl restart httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
Troubleshooting¶
Regenerating the CA certificate will invalidate all client certificates that were issued by the old CA. All users will need to login to Pulp again to obtain a new client certificate. If you forget a step, you may see one of the following error messages:
- “pulp.server.managers.auth.authentication:ERROR: Auth certificate with CN [admin:admin:57155b83e779896cb3d634a4] is signed by a foreign CA” (or similar) in the server log can indicate that httpd has not been restarted since the CA was replaced.
- “The specified user does not have permission to execute the given command” from pulp-admin can mean that the user has not logged in since the new CA was present, or that httpd has not been restarted since the certificate was replaced. More generally, this error message can also mean that the user is not authorized to perform the given action.
- “An error occurred attempting to contact the server. More information may be found using the -v flag.” may be output by pulp-admin if you have restarted httpd but have not logged in again to get a new CA certificate. If you provide that -v flag and see “ConnectionException: (None, ‘tlsv1 alert decrypt error’, None)”, this is likely the issue.
Pulp 2.8.2¶
Security Fixes¶
This release addresses a low impact security vulnerability related to the regeneration of pulp CA certificates:
Upgrade instructions¶
Users are advised to skip this release and move on to at least 2.8.3. See above.
Pulp 2.8.1¶
Bug Fixes¶
See the list of bugs fixed in 2.8.1
Pulp 2.8.0¶
New Features¶
- Multiple instances of pulp_celerybeat can now run simultaneously. If one of them goes down, another instance will dispatch scheduled tasks as usual.
- Pulp now supports configuring repositories to download content on-demand when it is requested by a client, or in the background after a sync and publish has occurred. This feature requires several additional packages and services, and is not supported on all content types. As part of this feature we now provide a new package, python-pulp-streamer. More information on these alternate download policies can be found in the alternate download policies documentation.
- Several changes have been made to the provided Apache httpd configuration files. In addition to these changes, a new Apache httpd configuration file is provided by Pulp. This configuration file, pulp_content.conf, is used to configure the new WSGI application used to serve content.
- When downloading content, Pulp now uses the system certificate authority trust store rather than the certificate authority trust store bundled with python-requests.
- Content applicability for an updated repository is calculated in parallel.
Deprecation¶
Dependency/Platform Changes¶
- If run on CentOS or Red Hat Enterprise Linux, the Pulp server now requires either version 7.1+ or 6.7+.
- pymongo >= 3.0.0 is now required.
- mod_xsendfile >= 0.12 is now required.
Client Changes¶
- Tasks with complete states (except canceled state) can now be deleted. This can be done using pulp-admin tasks purge command.
Other Changes¶
- Pulp used to store WSGI files under /srv, which was a violation of FHS. These files have been moved to /usr/share/pulp/wsgi.
- Pulp platform now automatically calculates the added_count, removed_count, and updated_count fields of repository sync task output.
Agent Changes¶
Bugs¶
Known Issues¶
RHEL 7 and CentOS 7 users may experience a problem when upgrading. Please refer to note in upgrade instructions for workaround.
Users that have the /var/lib/pulp directory or one of it’s subdirectories symlinked will experience a problem. Replacing the symlink with a bind mount will resolve the issue.
RHEL 6 and CentOS 6 users who use Qpid as their broker need to be aware that the Qpid repository has changed locations. The most recent Qpid repository definition file can be obtained from Qpid packaging docs. Using an older version of python-qpid package will produce the following error in the logs:
AttributeError: Session instance has no attribute 'set_message_received_notify_handler'
Before Upgrade¶
The Pulp team added stronger data validation in 2.8. To ensure that your data gets smoothly upgraded, please test your data with the provided testing tool before attempting an upgrade. You can read about how to perform the test here:
https://raw.githubusercontent.com/pulp/pulp/pulp-2.8.0-1/playpen/mongoengine/README
Upgrade Instructions for 2.7.x –> 2.8.x¶
Note
When upgrading on CentOS 7, it is possible that your system has ‘python-semantic-version’ package installed. As result you will experience a problem when updating Pulp packages. If this package is present on your system you should remove it:
sudo rpm -e --nodeps python-semantic-version
Upgrade the packages using:
sudo yum update
After yum completes you should migrate the database using:
sudo -u apache pulp-manage-db
Note
If using systemd, you need to reload the systemd process before restarting services. This can be done using:
sudo systemctl daemon-reload
After migrating the database, restart httpd, pulp_workers, pulp_celerybeat, and pulp_resource_manager.
Upgrade From Older Release¶
If you are upgrading from pulp older than 2.4.0, you must first upgrade to some release between 2.4.0 and 2.7.x, and then upgrade to 2.8.0 or greater.
Rest API Changes¶
- Tasks with complete states (except canceled state) can now be deleted.
- The API for regenerating content applicability for updated repositories no longer returns a Call Report. Instead a Group Call Report is returned.
- Task Groups with tasks having incomplete states can now be canceled.