Bug 770619 - VUL-1 : quagga: /etc/quagga and its contents are world-readable despite containing passwords
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All openSUSE 13.1
Priority: P4 - Low, Severity: Normal
Target Milestone: ---
Deadline: 2016-04-25
Assignee: Pawel Wieczorkiewicz
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:NVD:CVE-2016-4036:2.1:(AV:L/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-10 08:53 UTC by Zsolt Sági
Modified: 2017-05-11 00:45 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Zsolt Sági 2012-07-10 08:53:13 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0

See above. Isn't it a vulnerability?

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Comment 1 Zsolt Sági 2012-07-12 13:34:20 UTC
BTW, that's the case in every openSUSE version known by me, and even in SLES 11 (SP 1)!!!
Comment 4 Bernhard Wiedemann 2014-04-29 12:57:55 UTC
/etc/quagga/zebra.conf is still 644
and contains passwords
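
A check for the condition reported in this bug, added here as an example (it is not part of the bug thread or of the SUSE fix): it lists files under a Quagga config directory that are readable by "other" and contain a `password` or `enable password` directive, and flags the directory itself if "other" can list or enter it. The function name `audit_quagga_conf` is hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a Quagga config directory for the condition in this bug.
# Output lines (one finding each):
#   DIR  <mode> <path>   directory is listable or traversable by "other"
#   FILE <mode> <path>   file is readable by "other" AND has a password directive
audit_quagga_conf() {
    dir=${1:-/etc/quagga}

    # -prune keeps find on the directory itself; -perm -NNN means "all of
    # these bits are set" (004 = other-read, 001 = other-search).
    if [ -n "$(find "$dir" -prune -type d \( -perm -004 -o -perm -001 \) 2>/dev/null)" ]; then
        printf 'DIR %s %s\n' "$(stat -c '%a' "$dir")" "$dir"
    fi

    # Only flag files that actually hold a credential: lines starting with
    # Quagga's "password" or "enable password" directive. Other secrets
    # (for example per-neighbor keys) are outside this check.
    find "$dir" -type f -perm -004 2>/dev/null | while IFS= read -r f; do
        if grep -Eq '^[[:space:]]*(enable[[:space:]]+)?password[[:space:]]' "$f"; then
            printf 'FILE %s %s\n' "$(stat -c '%a' "$f")" "$f"
        fi
    done
}
```

Call it as `audit_quagga_conf /etc/quagga`; no output means no finding.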
Comment 5 Marcus Meissner 2014-08-21 07:00:52 UTC
Let's tag, so we might have it better on the radar.
Comment 6 Swamp Workflow Management 2014-08-21 22:00:12 UTC
bugbot adjusting priority
Comment 7 Marcus Meissner 2016-03-22 15:11:28 UTC
reassign to current maintainer
Comment 8 Pawel Wieczorkiewicz 2016-03-30 12:18:55 UTC
Fix implemented. Now building some test setup to see whether it (and the update to the recent upstream release) works as expected.
Comment 10 Bernhard Wiedemann 2016-04-01 09:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (770619) was mentioned in
https://build.opensuse.org/request/show/382809 13.2 / quagga
https://build.opensuse.org/request/show/382812 42.1 / quagga
Comment 11 Pawel Wieczorkiewicz 2016-04-01 09:42:58 UTC
Fix tested and sent to all repos.
Comment 12 Swamp Workflow Management 2016-04-05 14:08:44 UTC
SUSE-SU-2016:0953-1: An update that contains security fixes can now be installed.

Category: security (low)
Bug References: 770619
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    quagga-0.99.22.1-9.1
SUSE Linux Enterprise Software Development Kit 12 (src):    quagga-0.99.22.1-9.1
SUSE Linux Enterprise Server 12-SP1 (src):    quagga-0.99.22.1-9.1
SUSE Linux Enterprise Server 12 (src):    quagga-0.99.22.1-9.1
Comment 13 Swamp Workflow Management 2016-04-05 14:09:05 UTC
SUSE-SU-2016:0954-1: An update that contains security fixes can now be installed.

Category: security (low)
Bug References: 770619
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    quagga-0.99.15-0.21.1
SUSE Linux Enterprise Server 11-SP4 (src):    quagga-0.99.15-0.21.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    quagga-0.99.15-0.21.1
Comment 14 Swamp Workflow Management 2016-04-11 12:42:29 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-04-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62624
Comment 15 Swamp Workflow Management 2016-04-14 10:08:01 UTC
openSUSE-SU-2016:1030-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 770619
CVE References: 
Sources used:
openSUSE Leap 42.1 (src):    quagga-0.99.24.1-8.1
openSUSE 13.2 (src):    quagga-0.99.23-2.6.1