import pki-core-10.10.5-3.module+el8.4.0+11039+635979e4
This commit is contained in:
parent
000d4583c5
commit
7b23e1ce93
@ -0,0 +1,31 @@
|
|||||||
|
From 82eaf721ea35d7e6ad5bcdb4c1a5f5862aeed59c Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Endi S. Dewata" <edewata@redhat.com>
|
||||||
|
Date: Mon, 17 May 2021 17:39:50 -0500
|
||||||
|
Subject: [PATCH] Fix permission for existing installation logs
|
||||||
|
|
||||||
|
The spec file has been updated to remove world access
|
||||||
|
from existing installation logs in /var/log/pki.
|
||||||
|
|
||||||
|
Resolves: CVE-2021-3551
|
||||||
|
---
|
||||||
|
pki.spec | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/pki.spec b/pki.spec
|
||||||
|
index a9ea345d8f..64bfd4fe7d 100644
|
||||||
|
--- a/pki.spec
|
||||||
|
+++ b/pki.spec
|
||||||
|
@@ -991,6 +991,10 @@ fi
|
||||||
|
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
|
||||||
|
## PKI deployment process
|
||||||
|
|
||||||
|
+# CVE-2021-3551
|
||||||
|
+# Remove world access from existing installation logs
|
||||||
|
+find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
|
||||||
|
+
|
||||||
|
# Reload systemd daemons on upgrade only
|
||||||
|
if [ "$1" == "2" ]
|
||||||
|
then
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
49
SOURCES/0001-Fix-permission-for-new-installation-logs.patch
Normal file
49
SOURCES/0001-Fix-permission-for-new-installation-logs.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
From 7da63502137eb8c111b8ae5b5426aec8f7ebdf6b Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Endi S. Dewata" <edewata@redhat.com>
|
||||||
|
Date: Mon, 17 May 2021 15:39:44 -0500
|
||||||
|
Subject: [PATCH] Fix permission for new installation logs
|
||||||
|
|
||||||
|
The enable_pki_logger() has been updated to disable
|
||||||
|
world access for new installation logs to be created
|
||||||
|
in /var/log/pki.
|
||||||
|
|
||||||
|
Resolves: CVE-2021-3551
|
||||||
|
---
|
||||||
|
.../python/pki/server/deployment/pkilogging.py | 12 ++++++++++--
|
||||||
|
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py
|
||||||
|
index 089a292559..0926173700 100644
|
||||||
|
--- a/base/server/python/pki/server/deployment/pkilogging.py
|
||||||
|
+++ b/base/server/python/pki/server/deployment/pkilogging.py
|
||||||
|
@@ -21,8 +21,12 @@
|
||||||
|
# System Imports
|
||||||
|
from __future__ import absolute_import
|
||||||
|
import logging
|
||||||
|
+import os
|
||||||
|
+import pathlib
|
||||||
|
import pprint
|
||||||
|
|
||||||
|
+import pki
|
||||||
|
+
|
||||||
|
sensitive_parameters = []
|
||||||
|
|
||||||
|
# Initialize 'pretty print' for objects
|
||||||
|
@@ -51,8 +55,12 @@ def enable_pki_logger(filename, name):
|
||||||
|
console_format = logging.Formatter('%(levelname)s: %(message)s')
|
||||||
|
console.setFormatter(console_format)
|
||||||
|
|
||||||
|
- # Configure file handler
|
||||||
|
- log_file = logging.FileHandler(filename, 'w')
|
||||||
|
+ # Create an empty file with the proper permission
|
||||||
|
+ pathlib.Path(filename).touch()
|
||||||
|
+ os.chmod(filename, pki.server.DEFAULT_FILE_MODE)
|
||||||
|
+
|
||||||
|
+ # Configure file handler with append mode to preserve the permission
|
||||||
|
+ log_file = logging.FileHandler(filename)
|
||||||
|
file_format = logging.Formatter('%(asctime)s %(levelname)s: %(message)s',
|
||||||
|
'%Y-%m-%d %H:%M:%S')
|
||||||
|
log_file.setFormatter(file_format)
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
236
SOURCES/0001-Use-password-file-when-creating-admin-user.patch
Normal file
236
SOURCES/0001-Use-password-file-when-creating-admin-user.patch
Normal file
@ -0,0 +1,236 @@
|
|||||||
|
From 5764a80e5edd7fa38323146261c6b4e498d282dd Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Endi S. Dewata" <edewata@redhat.com>
|
||||||
|
Date: Mon, 17 May 2021 18:17:26 -0500
|
||||||
|
Subject: [PATCH] Use password file when creating admin user
|
||||||
|
|
||||||
|
The pki-server <subsystem>-user-add has been updated to
|
||||||
|
provide a --password-file option. The deployment tool
|
||||||
|
has been modified to use this option when creating the
|
||||||
|
admin user to avoid the password from getting logged in
|
||||||
|
the debug mode.
|
||||||
|
|
||||||
|
Resolves: CVE-2021-3551
|
||||||
|
---
|
||||||
|
base/server/python/pki/server/cli/user.py | 9 ++-
|
||||||
|
.../python/pki/server/deployment/__init__.py | 5 +-
|
||||||
|
base/server/python/pki/server/subsystem.py | 74 +++++++++++--------
|
||||||
|
.../server/cli/SubsystemUserAddCLI.java | 11 +++
|
||||||
|
4 files changed, 66 insertions(+), 33 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/base/server/python/pki/server/cli/user.py b/base/server/python/pki/server/cli/user.py
|
||||||
|
index c00a1acb50..c5c8d52956 100644
|
||||||
|
--- a/base/server/python/pki/server/cli/user.py
|
||||||
|
+++ b/base/server/python/pki/server/cli/user.py
|
||||||
|
@@ -47,6 +47,7 @@ class UserAddCLI(pki.cli.CLI):
|
||||||
|
print(' --full-name <full name> Full name')
|
||||||
|
print(' --email <email> Email')
|
||||||
|
print(' --password <password> Password')
|
||||||
|
+ print(' --password-file <path> Password file')
|
||||||
|
print(' --phone <phone> Phone')
|
||||||
|
print(' --type <type> Type')
|
||||||
|
print(' --state <state> State')
|
||||||
|
@@ -59,7 +60,8 @@ class UserAddCLI(pki.cli.CLI):
|
||||||
|
def execute(self, argv):
|
||||||
|
try:
|
||||||
|
opts, args = getopt.gnu_getopt(argv, 'i:v', [
|
||||||
|
- 'instance=', 'full-name=', 'email=', 'password=',
|
||||||
|
+ 'instance=', 'full-name=', 'email=',
|
||||||
|
+ 'password=', 'password-file=',
|
||||||
|
'phone=', 'type=', 'state=', 'tps-profiles=',
|
||||||
|
'verbose', 'debug', 'help'])
|
||||||
|
|
||||||
|
@@ -73,6 +75,7 @@ class UserAddCLI(pki.cli.CLI):
|
||||||
|
full_name = None
|
||||||
|
email = None
|
||||||
|
password = None
|
||||||
|
+ password_file = None
|
||||||
|
phone = None
|
||||||
|
user_type = None
|
||||||
|
state = None
|
||||||
|
@@ -91,6 +94,9 @@ class UserAddCLI(pki.cli.CLI):
|
||||||
|
elif o == '--password':
|
||||||
|
password = a
|
||||||
|
|
||||||
|
+ elif o == '--password-file':
|
||||||
|
+ password_file = a
|
||||||
|
+
|
||||||
|
elif o == '--phone':
|
||||||
|
phone = a
|
||||||
|
|
||||||
|
@@ -149,6 +155,7 @@ class UserAddCLI(pki.cli.CLI):
|
||||||
|
full_name=full_name,
|
||||||
|
email=email,
|
||||||
|
password=password,
|
||||||
|
+ password_file=password_file,
|
||||||
|
phone=phone,
|
||||||
|
user_type=user_type,
|
||||||
|
tps_profiles=tps_profiles,
|
||||||
|
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
|
||||||
|
index 347ab1acdd..6d5f083b47 100644
|
||||||
|
--- a/base/server/python/pki/server/deployment/__init__.py
|
||||||
|
+++ b/base/server/python/pki/server/deployment/__init__.py
|
||||||
|
@@ -373,6 +373,8 @@ class PKIDeployer:
|
||||||
|
|
||||||
|
response = client.setupAdmin(request)
|
||||||
|
|
||||||
|
+ # Run the command as current user such that
|
||||||
|
+ # it can read the temporary password file.
|
||||||
|
subsystem.add_user(
|
||||||
|
uid,
|
||||||
|
full_name=full_name,
|
||||||
|
@@ -380,7 +382,8 @@ class PKIDeployer:
|
||||||
|
password=password,
|
||||||
|
user_type='adminType',
|
||||||
|
state='1',
|
||||||
|
- tps_profiles=tps_profiles)
|
||||||
|
+ tps_profiles=tps_profiles,
|
||||||
|
+ as_current_user=True)
|
||||||
|
|
||||||
|
admin_groups = subsystem.config['preop.admin.group']
|
||||||
|
groups = [x.strip() for x in admin_groups.split(',')]
|
||||||
|
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
|
||||||
|
index a3ed0c7f3a..41d8d67c2e 100644
|
||||||
|
--- a/base/server/python/pki/server/subsystem.py
|
||||||
|
+++ b/base/server/python/pki/server/subsystem.py
|
||||||
|
@@ -1335,54 +1335,66 @@ class PKISubsystem(object):
|
||||||
|
full_name=None,
|
||||||
|
email=None,
|
||||||
|
password=None,
|
||||||
|
+ password_file=None,
|
||||||
|
phone=None,
|
||||||
|
user_type=None,
|
||||||
|
state=None,
|
||||||
|
tps_profiles=None,
|
||||||
|
as_current_user=False):
|
||||||
|
|
||||||
|
- cmd = [self.name + '-user-add']
|
||||||
|
+ tmpdir = tempfile.mkdtemp()
|
||||||
|
|
||||||
|
- if full_name:
|
||||||
|
- cmd.append('--full-name')
|
||||||
|
- cmd.append(full_name)
|
||||||
|
+ try:
|
||||||
|
+ if password and not password_file:
|
||||||
|
+ password_file = os.path.join(tmpdir, 'password.txt')
|
||||||
|
+ with open(password_file, 'w') as f:
|
||||||
|
+ f.write(password)
|
||||||
|
|
||||||
|
- if email:
|
||||||
|
- cmd.append('--email')
|
||||||
|
- cmd.append(email)
|
||||||
|
+ cmd = [self.name + '-user-add']
|
||||||
|
|
||||||
|
- if password:
|
||||||
|
- cmd.append('--password')
|
||||||
|
- cmd.append(password)
|
||||||
|
+ if full_name:
|
||||||
|
+ cmd.append('--full-name')
|
||||||
|
+ cmd.append(full_name)
|
||||||
|
|
||||||
|
- if phone:
|
||||||
|
- cmd.append('--phone')
|
||||||
|
- cmd.append(phone)
|
||||||
|
+ if email:
|
||||||
|
+ cmd.append('--email')
|
||||||
|
+ cmd.append(email)
|
||||||
|
|
||||||
|
- if user_type:
|
||||||
|
- cmd.append('--type')
|
||||||
|
- cmd.append(user_type)
|
||||||
|
+ if password_file:
|
||||||
|
+ cmd.append('--password-file')
|
||||||
|
+ cmd.append(password_file)
|
||||||
|
|
||||||
|
- if state:
|
||||||
|
- cmd.append('--state')
|
||||||
|
- cmd.append(state)
|
||||||
|
+ if phone:
|
||||||
|
+ cmd.append('--phone')
|
||||||
|
+ cmd.append(phone)
|
||||||
|
|
||||||
|
- if tps_profiles:
|
||||||
|
- cmd.append('--tps-profiles')
|
||||||
|
- cmd.append(','.join(tps_profiles))
|
||||||
|
+ if user_type:
|
||||||
|
+ cmd.append('--type')
|
||||||
|
+ cmd.append(user_type)
|
||||||
|
|
||||||
|
- if logger.isEnabledFor(logging.DEBUG):
|
||||||
|
- cmd.append('--debug')
|
||||||
|
+ if state:
|
||||||
|
+ cmd.append('--state')
|
||||||
|
+ cmd.append(state)
|
||||||
|
|
||||||
|
- elif logger.isEnabledFor(logging.INFO):
|
||||||
|
- cmd.append('--verbose')
|
||||||
|
+ if tps_profiles:
|
||||||
|
+ cmd.append('--tps-profiles')
|
||||||
|
+ cmd.append(','.join(tps_profiles))
|
||||||
|
|
||||||
|
- cmd.append(user_id)
|
||||||
|
+ if logger.isEnabledFor(logging.DEBUG):
|
||||||
|
+ cmd.append('--debug')
|
||||||
|
|
||||||
|
- self.run(
|
||||||
|
- cmd,
|
||||||
|
- as_current_user=as_current_user,
|
||||||
|
- capture_output=True)
|
||||||
|
+ elif logger.isEnabledFor(logging.INFO):
|
||||||
|
+ cmd.append('--verbose')
|
||||||
|
+
|
||||||
|
+ cmd.append(user_id)
|
||||||
|
+
|
||||||
|
+ self.run(
|
||||||
|
+ cmd,
|
||||||
|
+ as_current_user=as_current_user,
|
||||||
|
+ capture_output=True)
|
||||||
|
+
|
||||||
|
+ finally:
|
||||||
|
+ shutil.rmtree(tmpdir)
|
||||||
|
|
||||||
|
def modify_user(self, user_id, add_see_also=None, del_see_also=None,
|
||||||
|
as_current_user=False):
|
||||||
|
diff --git a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
|
||||||
|
index 5a385c359f..04d68de758 100644
|
||||||
|
--- a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
|
||||||
|
+++ b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
|
||||||
|
@@ -6,6 +6,8 @@
|
||||||
|
package org.dogtagpki.server.cli;
|
||||||
|
|
||||||
|
import java.io.File;
|
||||||
|
+import java.nio.file.Files;
|
||||||
|
+import java.nio.file.Paths;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
@@ -60,6 +62,10 @@ public class SubsystemUserAddCLI extends CommandCLI {
|
||||||
|
option.setArgName("password");
|
||||||
|
options.addOption(option);
|
||||||
|
|
||||||
|
+ option = new Option(null, "password-file", true, "Password file");
|
||||||
|
+ option.setArgName("path");
|
||||||
|
+ options.addOption(option);
|
||||||
|
+
|
||||||
|
option = new Option(null, "phone", true, "Phone");
|
||||||
|
option.setArgName("phone");
|
||||||
|
options.addOption(option);
|
||||||
|
@@ -95,11 +101,16 @@ public class SubsystemUserAddCLI extends CommandCLI {
|
||||||
|
|
||||||
|
String email = cmd.getOptionValue("email");
|
||||||
|
String password = cmd.getOptionValue("password");
|
||||||
|
+ String passwordFile = cmd.getOptionValue("password-file");
|
||||||
|
String phone = cmd.getOptionValue("phone");
|
||||||
|
String type = cmd.getOptionValue("type");
|
||||||
|
String state = cmd.getOptionValue("state");
|
||||||
|
String tpsProfiles = cmd.getOptionValue("tps-profiles");
|
||||||
|
|
||||||
|
+ if (passwordFile != null) {
|
||||||
|
+ password = new String(Files.readAllBytes(Paths.get(passwordFile)), "UTF-8").trim();
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
String catalinaBase = System.getProperty("catalina.base");
|
||||||
|
|
||||||
|
TomcatJSS tomcatjss = TomcatJSS.getInstance();
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
@ -13,7 +13,7 @@ License: GPLv2 and LGPLv2
|
|||||||
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
|
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
|
||||||
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
|
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
|
||||||
Version: 10.10.5
|
Version: 10.10.5
|
||||||
Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
|
Release: 3%{?_timestamp}%{?_commit_id}%{?dist}
|
||||||
#global _phase -beta1
|
#global _phase -beta1
|
||||||
|
|
||||||
# To create a tarball from a version tag:
|
# To create a tarball from a version tag:
|
||||||
@ -37,6 +37,9 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
|
|||||||
# [Errno 111] Connection refused -- Some packages may not be found!
|
# [Errno 111] Connection refused -- Some packages may not be found!
|
||||||
Patch1: 0001-Removed-dependency-on-pytest-runner.patch
|
Patch1: 0001-Removed-dependency-on-pytest-runner.patch
|
||||||
Patch2: 0001-Fix-renewal-profile-approval-process.patch
|
Patch2: 0001-Fix-renewal-profile-approval-process.patch
|
||||||
|
Patch3: 0001-Use-password-file-when-creating-admin-user.patch
|
||||||
|
Patch4: 0001-Fix-permission-for-new-installation-logs.patch
|
||||||
|
Patch5: 0001-Fix-permission-for-existing-installation-logs.patch
|
||||||
|
|
||||||
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
|
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
|
||||||
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
|
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
|
||||||
@ -1021,6 +1024,10 @@ fi
|
|||||||
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
|
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
|
||||||
## PKI deployment process
|
## PKI deployment process
|
||||||
|
|
||||||
|
# CVE-2021-3551
|
||||||
|
# Remove world access from existing installation logs
|
||||||
|
find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
|
||||||
|
|
||||||
# Reload systemd daemons on upgrade only
|
# Reload systemd daemons on upgrade only
|
||||||
if [ "$1" == "2" ]
|
if [ "$1" == "2" ]
|
||||||
then
|
then
|
||||||
@ -1395,8 +1402,11 @@ fi
|
|||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed May 19 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-3
|
||||||
|
- Bug 1960146 - CVE-2021-3551 Dogtag installer "pkispawn" logs admin credentials into a world-readable log file
|
||||||
|
|
||||||
* Tue Mar 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-2
|
* Tue Mar 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-2
|
||||||
- Bug 1914396 - CVE-2021-20179 pki-core:10.6/pki-core: Unprivileged users can renew any certificate
|
- Bug 1914396 - CVE-2021-20179 Unprivileged users can renew any certificate
|
||||||
|
|
||||||
* Tue Feb 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-1
|
* Tue Feb 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-1
|
||||||
- Rebase to PKI 10.10.5
|
- Rebase to PKI 10.10.5
|
||||||
|
Loading…
Reference in New Issue
Block a user