* To: [email protected]
* Subject: World writable pid and lock files.
* From: helpermn <[email protected]>
* Date: Tue, 10 May 2011 15:40:22 +0200
* Message-id: <[email protected]>

Hello!

I imagine why files listed below have 666 file mode bits set:

/var/run/checkers.pid
/var/run/vrrp.pid
/var/run/keepalived.pid
/var/run/starter.pid
/var/lock/subsys/ipsec

Files are created during startup of the ipsec (pluto) and keepalived daemons. I think that leaving them world writable is a security hole. For example, deleting or changing their content could confuse monit, which watches that they are running and restarts them when they die.

Regards.
-- 
helpermn
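The report above describes the condition, not how to find or clear it. The following POSIX shell script is an added example, not code from this thread or from the openswan/keepalived projects: it lists regular files under pid/lock directories whose other-write bit (octal 002) is set, counts them, and strips that bit as an interim remediation. Directory paths are arguments supplied by the caller, and the demo builds a constructed tree under mktemp rather than touching the real /var/run or /var/lock; the file names in that tree are taken from the report only for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, openswan or keepalived): audit and clean
# world-writable pid/lock files. The demo tree is constructed under mktemp.

# Print every regular file under the given directories that has the
# other-write bit (o+w, octal 002) set, one path per line.
world_writable_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -perm -002 2>/dev/null
    done
}

# Number of world-writable regular files under the given directories.
count_world_writable() {
    world_writable_files "$@" | wc -l | tr -d ' '
}

# Interim remediation: clear the other-write bit on every offending file.
# The durable fix belongs in the daemon (create the pid file with 0644
# or run with a sane umask) so the file is never created world writable.
remove_world_write() {
    world_writable_files "$@" | while IFS= read -r f; do
        chmod o-w "$f"
    done
}

# Build a constructed tree mirroring the report: two 0666 files and one
# correctly created 0644 file. Prints the root so the caller can scan
# and later remove it.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/run" "$root/lock/subsys"
    : > "$root/run/checkers.pid";  chmod 0666 "$root/run/checkers.pid"
    : > "$root/lock/subsys/ipsec"; chmod 0666 "$root/lock/subsys/ipsec"
    : > "$root/run/ok.pid";        chmod 0644 "$root/run/ok.pid"
    printf '%s\n' "$root"
}

# Stand-alone demonstration: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    echo "world-writable before fix:"
    world_writable_files "$root/run" "$root/lock/subsys"
    remove_world_write "$root/run" "$root/lock/subsys"
    echo "world-writable after fix: $(count_world_writable "$root/run" "$root/lock/subsys")"
    rm -rf "$root"
fi
```

Running the script with `--demo` on a real host would be replaced by pointing `world_writable_files` at /var/run and /var/lock/subsys; the octal `-perm -002` form is used instead of a symbolic mode because it behaves the same on GNU and BSD find. The chmod is only a stopgap: a daemon that recreates the file with mode 0666 on its next start will reintroduce the problem, which is why the report points at the daemons' startup code.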
It seems this report got turned into a CVE for Openswan, CVE-2011-2147

http://www.securityfocus.com/bid/47958/info
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2147

If debian is still shipping openswan-2.2 unpatched anywhere (released January 2005) this could be a problem, albeit an extremely minor one compared to the actual two CVE issues that have come up in openswan since then. We hope that any openswan-2.2 version that is in active use has at least gotten some serious looking at based on the security releases that have since been made.

openswan 2.6.x on debian/ubuntu and fedora/rhel/centos create a read-only file in /var/lock/subsys.

If someone finds an issue that is actually a security issue, and they deem it worthy of a CVE release, we strongly encourage those people to contact us beforehand so we can do a proper responsible vulnerability disclosure. We also strongly recommend that the CVE people at least attempt to make an attempt to contact a vendor before releasing vulnerabilities to the public. We don't bite, honest!

It looks as if someone or some company was in need of reaching their CVE quota of the month. It would be a shame if future CVE announcements would get ignored because of too many CVE releases on 6 year old software releases.

Paul Wouters

-- 
To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]

