On Fri, Dec 11, 2009 at 09:23:58PM -0600, Raphael Geissert wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for acpid.
>
> CVE-2009-4235[0]:
> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
> | information by reading this file or cause a denial of service by
> | overwriting this file, a different vulnerability than CVE-2009-4033.

This functionality was removed when going to version 1.0.6 which happened on
September 18th, 2007.

> The vulnerability only seems to affect oldstable, but I noticed that none of
> the versions remove the log file, so the permissions of the file need to be
> fixed by all the other versions.

The file hasn't been used for more than 2 years and probably does not contain
sensible information at all. Anyway all information therein is probably
outdated. Shall we still release a new version deleting that file for all
versions?

Besides, I do not have an etch system anymore, so help is needed.

Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo/Skype: michaelmeskes, Jabber: mes...@jabber.org
VfL Borussia! Forca Barca! Go SF 49ers! Use: Debian GNU/Linux, PostgreSQL
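The check and the clean-up the thread is weighing (tighten or delete a stale, world-accessible log file left behind by an unrestrictive umask), as an added example written here and not taken from the acpid package or its maintainer scripts; the file path and the choice between chmod and removal are parameters, and `stat -c '%a'` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the bug thread or the acpid package).

# Octal permission bits of a file, e.g. "644" (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Succeed if the file grants any access to group or other, i.e. the kind of
# weak permissions an unrestrictive umask leaves behind. The leading 0 makes
# the shell read the mode as octal; 077 masks the group/other bits.
is_world_accessible() {
    m=$(mode_of "$1") || return 1
    [ $(( 0$m & 077 )) -ne 0 ]
}

# How the log should have been created in the first place: a restrictive
# umask in a subshell, so it does not leak into the caller's environment.
create_log_restricted() {
    ( umask 077 && : > "$1" )
}

# Remediation of the kind a package maintainer script would apply to a log
# file that is no longer written: restrict it to its owner, or remove it.
# A real postinst would also chown it to root; omitted here so the function
# runs unprivileged. Missing file or already-safe file: nothing to do.
fix_acpid_log() {
    f=${1:-/var/log/acpid}    # assumed default path from the CVE text
    action=${2:-chmod}        # "chmod" or "remove"
    [ -f "$f" ] || return 0
    is_world_accessible "$f" || return 0
    case $action in
        remove) rm -f "$f" ;;
        *)      chmod 0600 "$f" ;;
    esac
}
```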