Bug#: 166801
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jakub Moc (RETIRED) <jakub@gentoo.org>
Bug 166801 blocks: 158271



Description:   Opened: 2007-02-14 09:51 0000
Opfer noticed that vpnc.conf is installed with 0644 permissions; it definitely
should not be, as it contains sensitive data.

# cat vpnc.conf 
IPSec gateway 131.246.118.240
IPSec ID unikl
IPSec secret unikl
Xauth username abcdef
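
Added example, not part of the original bug report: a shell check for the condition reported above, a vpnc config that holds credential directives while granting access to group or other, plus the 0600 fix. It assumes GNU coreutils `stat -c`; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes GNU coreutils `stat -c`.
# Function names and the sample file in the demo are constructed.

# vpnc directives whose values are credentials (matched case-insensitively).
VPNC_SECRET_RE='^[[:space:]]*(IPSec secret|Xauth password)[[:space:]]'

# Succeeds when FILE grants any permission bit to group or other.
vpnc_conf_exposed() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Returns 1 and prints a finding when FILE holds credentials and is
# accessible beyond its owner; returns 0 otherwise.
vpnc_conf_audit() {
    [ -f "$1" ] || { echo "SKIP $1: not a regular file"; return 0; }
    n=$(grep -Eic "$VPNC_SECRET_RE" "$1") || n=0
    [ "${n:-0}" -gt 0 ] || { echo "OK   $1: no credential directives"; return 0; }
    if vpnc_conf_exposed "$1"; then
        echo "FAIL $1: mode $(stat -c '%a' "$1"), $n credential line(s), group/other access"
        return 1
    fi
    echo "OK   $1: mode $(stat -c '%a' "$1")"
}

# Restrict FILE to its owner. New files should be created under `umask 077`
# so there is no window in which they are world-readable.
vpnc_conf_harden() {
    chmod 0600 "$1"
}

# Demo on a constructed file installed with the 0644 mode from the report.
vpnc_conf_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'IPSec gateway 192.0.2.10' 'IPSec ID examplegroup' \
        'IPSec secret examplesecret' 'Xauth username exampleuser' > "$d/vpnc.conf"
    chmod 0644 "$d/vpnc.conf"
    before=0; vpnc_conf_audit "$d/vpnc.conf" || before=$?
    vpnc_conf_harden "$d/vpnc.conf"
    after=0; vpnc_conf_audit "$d/vpnc.conf" || after=$?
    rm -rf "$d"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

vpnc_conf_demo
```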

------- Comment #1 From Raphael Marichez 2007-02-14 09:58:29 0000 -------
Indeed

------- Comment #2 From Christian Faulhammer 2007-02-16 06:58:17 0000 -------
hanno has sent a patch upstream, we wait for integration.

------- Comment #3 From Hanno Boeck 2007-02-19 21:36:09 0000 -------
Now 0.4.0 is in and I'd like to soon remove all older versions.

Security, do you think this is worth an advisory? It's imho no real security
flaw, just bad defaults.

------- Comment #4 From Hanno Boeck 2007-02-21 15:52:10 0000 -------
Archs, please mark stable vpnc-0.4.0 so we can get rid of the svn-snapshot
ebuilds.

------- Comment #5 From Christian Faulhammer 2007-02-21 16:20:38 0000 -------
x86 stable

------- Comment #6 From Markus Rothe 2007-02-21 20:53:33 0000 -------
ppc64 stable

------- Comment #7 From Raphael Marichez 2007-02-23 17:44:30 0000 -------
(In reply to comment #3)

> Security, do you think this is worth an advisory? It's imho no real security
> flaw, just bad defaults.
> 

probably no

------- Comment #8 From Tobias Scherbaum 2007-02-27 19:01:01 0000 -------
ppc stable

------- Comment #9 From Steve Dibb 2007-03-03 14:09:42 0000 -------
amd64 stable

------- Comment #10 From Matthias Geerdsen 2007-03-06 14:31:00 0000 -------
undecided... tend to vote no though

the account used for my uni's vpn is the same as for mail etc, so it might
contain pretty sensitive information

------- Comment #11 From Stefan Cornelius (RETIRED) 2007-03-06 14:35:33 0000 -------
yet another no

------- Comment #12 From Raphael Marichez 2007-03-13 23:03:21 0000 -------
(In reply to comment #11)
> yet another no
> 

I agree
