[Pkg-nagios-devel] Bug#683879: CVE ASSIGN: pnp4nagios: process_perfdata.cfg world readable

Christoph Anton Mitterer calestyo at scientia.net
Mon Aug 6 21:42:22 UTC 2012


Hi Kurt.

Assigning a CVE might be a bit overkill... ?! ;-)

Anyway... let me forward this to the Debian bug report for the records:

On Mon, 2012-08-06 at 13:28 -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683879
> 
> Package: pnp4nagios-bin
> Version: 0.6.16-1
> Severity: important
> Tags: security
> 
> 
> Hi.
> 
> Marking as severity important as it might have security implications.
> 
> process_perfdata.cfg shouldn't be world-readable.
> Even though not used per default in Debian, it contains the "KEY"
> option which may be used (in alternative to "KEY_FILE") to hold
> the Gearman shared secret.
> 
> Cheers,
> Chris.
> 
> ==============================
> This affects 0.6 only, 0.4 doesn't support KEYS.
> 
> # A shared password which will be used for
> # encryption of data pakets. Should be at least 8
> # bytes long. Maximum length is 32 characters.
> #
> KEY = should_be_changed
> 
> =============================
> 
> Please use CVE-2012-3457 for this issue.
> 
> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> -----END PGP SIGNATURE-----
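
A permission audit for the exposure reported in the message above, as an added example that is not part of the original thread or of the pnp4nagios package. The function names are hypothetical and the config path is supplied by the caller; only the `KEY` and `KEY_FILE` options and the `should_be_changed` placeholder come from the report.

```shell
#!/bin/sh
# Added example, not from the pnp4nagios package. The config path is passed
# in by the caller; no install location is assumed.

# Succeeds when FILE has the "other" read bit set (-L: judge a symlink's target).
is_world_readable() {
    [ -n "$(find -L "$1" -prune -perm -o=r 2>/dev/null)" ]
}

# Prints the value of an active "OPTION = value" line (the last such line).
# Commented-out lines and longer names (KEY vs KEY_FILE) do not match.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Returns 0 when clean, 1 when a secret is exposed, 2 when CFG is unreadable.
audit_perfdata_cfg() {
    cfg=$1
    findings=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    key=$(cfg_value "$cfg" KEY)
    key_file=$(cfg_value "$cfg" KEY_FILE)

    # Inline secret in a file any local user can read: the reported issue.
    if [ -n "$key" ] && is_world_readable "$cfg"; then
        echo "FINDING: $cfg is world-readable and sets KEY inline"
        findings=$((findings + 1))
    fi
    if [ "$key" = "should_be_changed" ]; then
        echo "NOTE: KEY still holds the shipped placeholder value"
    fi
    # The KEY_FILE alternative only helps if that file is itself restricted.
    if [ -n "$key_file" ] && is_world_readable "$key_file"; then
        echo "FINDING: KEY_FILE $key_file is world-readable"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

Source the file and call `audit_perfdata_cfg` with the path to the installed `process_perfdata.cfg`; a non-zero return means the file or the key file needs its mode tightened.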
