severity 560771 important
thanks

* Raphael Geissert <geiss...@debian.org> [2009-12-12 13:23]:
> Package: acpid
> Version: 1.0.4-5
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for acpid.
>
> CVE-2009-4235[0]:
> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
> | information by reading this file or cause a denial of service by
> | overwriting this file, a different vulnerability than CVE-2009-4033.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> The vulnerability only seems to affect oldstable, but I noticed that none of
> the versions remove the log file, so the permissions of the file need to be
> fixed by all the other versions.
Lowering the severity as in a typical use case this file does not carry
sensitive information and is probably also not used in many scenarios
where the DoS vector is of great relevance.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
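As an added example (not acpid's code and not part of this bug report), the C program below shows how a daemon's umask and open() creation mode together decide a log file's permissions, and the open pattern that makes the result independent of the inherited umask and also tightens a log file left behind by an earlier, permissive version (the point raised above about the file never being removed). The /tmp path is constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the log the way a daemon with an unrestrictive umask does:
 * open() with a permissive creation mode under the given umask (0 to
 * mimic the bug). Any stale file is removed first so the creation
 * mode is what we measure. Returns the resulting permission bits. */
static int create_log_with_umask(const char *path, mode_t mask, mode_t req_mode)
{
    struct stat st;
    mode_t saved = umask(mask);
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, req_mode);
    umask(saved);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    close(fd);
    return (int)(st.st_mode & 07777);
}

/* Hardened open: creation mode 0600 (a umask can only clear bits, never
 * add them) plus an explicit fchmod(), so a file left behind by an
 * earlier permissive version is tightened instead of reused as-is.
 * O_NOFOLLOW refuses a symlink planted at the log path. */
static int open_log_hardened(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) < 0 || fstat(fd, &st) < 0) { close(fd); return -1; }
    close(fd);
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    /* constructed path for the demo, not the real /var/log/acpid */
    const char *path = "/tmp/acpid_umask_demo.log";
    printf("umask 0000, mode 0666 -> %04o (readable and writable by everyone)\n",
           (unsigned)create_log_with_umask(path, 0000, 0666));
    printf("umask 0022, mode 0666 -> %04o (still world readable)\n",
           (unsigned)create_log_with_umask(path, 0022, 0666));
    printf("hardened reopen of that file -> %04o\n", (unsigned)open_log_hardened(path));
    unlink(path);
    return 0;
}
```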