CVE verification: Ensure last_override_config does not leak sensitive info #1066

Closed
bmbouter opened this issue Jun 12, 2018 · 0 comments
@bmbouter (Member):

This Pulp CVE describes issue 3521 whereby the previous run's override config can be read as the attribute last_override_config on both importers and distributors. The decision (on the issue) was made to remove this attribute altogether due to its security implications.

Without the fix, when you set an override_config, you'll be able to read that data when viewing the importer or distributor again. With this fix that data will always show up as 'last_override_config': {}.

This should be verified for both Importers and Distributors.

Details on how I tested this during development (with commands) are here: https://pulp.plan.io/issues/3521#note-15

This is a backwards compatible change for 2.16.2 and a release note was added for it.
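A small verification helper for the check described above, added here as an example; it is not Pulp's own code and is not taken from the linked test notes. It takes the JSON body returned when viewing an importer or distributor (the sample documents, the `override_config` values, the repo and importer ids are all constructed for the example) and reports whether `last_override_config` is still populated, and, as a second line of defence, whether any value from the override config is echoed anywhere in the document outside the persisted `config` block.

```python
"""Added example (not Pulp's code): check that a serialized importer or
distributor does not leak the previous run's override_config."""
import json

# Constructed sample override_config, as a user might pass it to a sync or
# publish run. The password value is made up for this example.
SAMPLE_OVERRIDE = {"basic_auth_password": "hunter2-constructed", "max_speed": 1024}

# Constructed sample documents (not real Pulp output). The first echoes the
# previous run's override_config back, which is the behaviour without the fix;
# the other two are what the fix should produce: 'last_override_config': {}.
LEAKY_IMPORTER = json.dumps({
    "id": "yum_importer",
    "importer_type_id": "yum_importer",
    "repo_id": "demo-repo",
    "config": {"feed": "https://example.invalid/repo/"},
    "last_override_config": dict(SAMPLE_OVERRIDE),
})
FIXED_IMPORTER = json.dumps({
    "id": "yum_importer",
    "importer_type_id": "yum_importer",
    "repo_id": "demo-repo",
    "config": {"feed": "https://example.invalid/repo/"},
    "last_override_config": {},
})
FIXED_DISTRIBUTOR = json.dumps({
    "id": "yum_distributor",
    "distributor_type_id": "yum_distributor",
    "repo_id": "demo-repo",
    "config": {"relative_url": "demo", "http": True, "https": True},
    "last_override_config": {},
})


def _walk(node, path=""):
    """Yield (dotted_path, scalar) for every leaf in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, f"{path}[{idx}]")
    else:
        yield path, node


def find_leaks(serialized, override_config):
    """Return a list of human-readable findings; an empty list means no leak.

    Check 1: last_override_config must be absent or {} (what the fix guarantees).
    Check 2 (defence in depth): no value from override_config may appear anywhere
    in the document outside the persisted `config` block, whatever key it sits
    under, so a renamed or relocated copy of the override data is caught too.
    """
    doc = json.loads(serialized)
    findings = []

    last = doc.get("last_override_config")
    if last:
        findings.append(f"last_override_config is populated: keys {sorted(last)}")

    # Only compare scalar, non-empty override values; empty strings would match
    # too many innocent fields.
    override_values = {
        v for v in override_config.values()
        if isinstance(v, (str, int, float)) and v != ""
    }
    for path, value in _walk(doc):
        if path.split(".")[0] == "config":
            continue  # persisted config is expected to hold its own values
        if value in override_values:
            findings.append(f"override value {value!r} echoed at {path}")
    return findings


if __name__ == "__main__":
    for name, doc in (("leaky importer", LEAKY_IMPORTER),
                      ("fixed importer", FIXED_IMPORTER),
                      ("fixed distributor", FIXED_DISTRIBUTOR)):
        result = find_leaks(doc, SAMPLE_OVERRIDE)
        print(f"{name}: {'OK' if not result else 'LEAK'}")
        for line in result:
            print("  -", line)
```

To use it against a live system, set an `override_config` on a sync or publish, fetch the importer or distributor document afterwards, and feed its JSON body plus the override you sent to `find_leaks`; run it for both an importer and a distributor, since the issue asks for both to be verified.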
