850745 - secret_token is not generated properly (CVE-2012-3503) #499
We have found a flaw in the generation of the
Application.config.secret_token value. This value is used in the file
/usr/share/katello/config/initializers/secret_token.rb to provide a secret
token when session cookies are generated for user sessions within Katello.
Specifically a static key with a value of:
f466b184ef680822293d7130f57593a7087a34b5de0607c64d1ceb66fcac4dce6810a6f176feba3fbbf2489de93c0918397c0c275996eb476b2fa6079ab849c1
is included by default. The spec file for Katello includes commands to
generate a new key:
NEWKEY=$(</dev/urandom tr -dc A-Za-z0-9 | head -c128)
sed -i "s/^Src::Application.config.secret_token = '.*'/Src::Application.config.secret_token = '$NEWKEY'/" /usr/share/katello/config/initializers/secret_token.rb
however this was erroneously placed in the "postuninstall" section, which is
run when removing Katello from the system. Thus a new secret token is not
created and all affected Katello installations have the same secret token
value.
https://access.redhat.com/security/cve/CVE-2012-3503
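As an added example (not the Katello project's code or spec file): a POSIX shell script that does what the install-time scriptlet should have done, using the same /dev/urandom generator as the spec, and adds the check a packager would want, namely that the initializer no longer carries the static default. It operates on a constructed copy of secret_token.rb in a temporary file; the real path is /usr/share/katello/config/initializers/secret_token.rb. The function names and the use of a temp file plus mv (instead of sed -i, which differs between GNU and BSD sed) are this example's own choices.

```shell
#!/bin/sh
# Added example, not Katello's own packaging code.
# Regenerates the Rails secret_token in a Katello-style initializer and
# checks that the static default from the advisory is gone.
set -eu

# The static token shipped in all affected Katello installations (from the
# advisory text above).
STATIC_TOKEN='f466b184ef680822293d7130f57593a7087a34b5de0607c64d1ceb66fcac4dce6810a6f176feba3fbbf2489de93c0918397c0c275996eb476b2fa6079ab849c1'

write_default_initializer() {
  # Constructed copy of the vulnerable initializer. $1: path to write.
  printf "Src::Application.config.secret_token = '%s'\n" "$STATIC_TOKEN" > "$1"
}

current_token() {
  # Print the token currently set in the initializer at $1.
  sed -n "s/^Src::Application.config.secret_token = '\(.*\)'$/\1/p" "$1"
}

token_is_default() {
  # Exit 0 if the initializer at $1 still carries the static default.
  [ "$(current_token "$1")" = "$STATIC_TOKEN" ]
}

regenerate_secret_token() {
  # Replace whatever token is in the initializer at $1 with 128 alphanumeric
  # characters from /dev/urandom (the generator the spec file uses).
  # LC_ALL=C keeps tr from choking on non-UTF-8 bytes on some platforms.
  file="$1"
  newkey=$(LC_ALL=C tr -dc A-Za-z0-9 < /dev/urandom | head -c128)
  # $newkey is alphanumeric only, so it is safe inside the sed expression.
  sed "s/^Src::Application.config.secret_token = '.*'/Src::Application.config.secret_token = '$newkey'/" "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Demonstration on a temporary file (this is what a %post scriptlet would do
# against the real initializer path).
demo_file=$(mktemp)
write_default_initializer "$demo_file"
echo "before: $(current_token "$demo_file")"
regenerate_secret_token "$demo_file"
echo "after:  $(current_token "$demo_file")"
if token_is_default "$demo_file"; then
  echo "ERROR: secret_token still has the static default" >&2
  rm -f "$demo_file"
  exit 1
fi
rm -f "$demo_file"
```

Running the script prints the static token, then a fresh 128-character token, and exits non-zero if the replacement did not take effect. The same token_is_default check, pointed at the real initializer, is a quick way to audit an existing Katello host for this CVE.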