[Openswan dev] [Announce] CVE-2011-2147 is a dud, was Re:World writable pid and lock files.
Paul Wouters
paul at xelerance.com
Mon May 30 17:26:29 EDT 2011
>
> * To: debian-security at lists.debian.org
> * Subject: World writable pid and lock files.
> * From: helpermn <helpermn at gmail.com>
> * Date: Tue, 10 May 2011 15:40:22 +0200
> * Message-id: <05578BFF-44FC-41B3-9E8E-C11B5B9A6C11 at gmail.com>
>
> Hello!
>
> I imagine why files listed below have 666 file mode bits set:
> /var/run/checkers.pid
> /var/run/vrrp.pid
> /var/run/keepalived.pid
> /var/run/starter.pid
> /var/lock/subsys/ipsec
>
>
> Files are created during startup of ipsec (pluto) and keepalived deamons.
>
> I think thar leaving them world writable is security hole. For example delete or change of its content could confuses monit watching them running and restarting when they die.
>
> Regards.
>
> --
> helpermn
It seems this report got turned into a CVE for Openswan, CVE-2011-2147
http://www.securityfocus.com/bid/47958/info
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2147
If debian is still shipping openswan-2.2 unpatched anywhere (released
January 2005) this could be a problem, albeit an extremely minor
one compared to the actual two CVE issues that have come up in openswan
since then. We hope that any openswan-2.2 version that is in active use
has at least gotten some serious looking at based on the security releases
that have since been made.
openswan 2.6.x on debian/ubuntu and fedora/rhel/centos create a read-only
file in /var/locl/subsys.
If someone finds an issue that is actually a security issue, and they
deem it worthy of a CVE release, we strongly encourage those people to
contact us beforehand so we can do a proper responsible vulnerability
disclosure. We also strongly recommend that the CVE people at least attempt
to make an attempt to contact a vendor before releasing vulnerabilities
to the public. We don't bite, honest!
It looks as if someone or some company was in need of reaching their
CVE quota of the month. It would be a shame if future CVE announcements
would get ignored because of too many CVE releases on 6 year old software
releases.
Paul Wouters
_______________________________________________
Announce mailing list
Announce at openswan.org
http://lists.openswan.org/mailman/listinfo/announce
More information about the Dev
mailing list