[Secure-testing-commits] r35196 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sun Jun 28 13:25:17 UTC 2015


Author: carnil
Date: 2015-06-28 13:25:17 +0000 (Sun, 28 Jun 2015)
New Revision: 35196

Modified:
   data/CVE/list
Log:
Update CVE-2015-3243/rsyslog, mark as unimportant

NOTE for reviewers: Please double check if you agree on the assessment.
rsyslog in Debian sets $FileCreateMode to 0640 in the package-provided
rsyslog.conf. The post by Kurt Seifried on oss-security
https://marc.info/?l=oss-security&m=143465023811345&w=2 mentions more
details on the issue on Red Hat's side.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-06-28 12:09:06 UTC (rev 35195)
+++ data/CVE/list	2015-06-28 13:25:17 UTC (rev 35196)
@@ -4574,8 +4574,9 @@
 	RESERVED
 CVE-2015-3243 [some log files are created world-readable]
 	RESERVED
-	- rsyslog <undetermined>
-	TODO: check
+	- rsyslog <unfixed> (unimportant)
+	NOTE: The default for syslog is $FileCreateMode 0644 but the rsyslog.conf
+	NOTE: provided by the Debian package sets $FileCreateMode 0640
 CVE-2015-3242
 	RESERVED
 	NOTE: To be rejected
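
Review bot: The two added NOTE lines under CVE-2015-3243 carry the whole rationale for the (unimportant) tag, but they omit the oss-security reference that the log message cites. Consider adding a third NOTE with https://marc.info/?l=oss-security&m=143465023811345&w=2 so the reasoning can be traced from data/CVE/list itself. The first NOTE also says "The default for syslog" while the entry is for rsyslog; naming rsyslog there would remove the ambiguity about which default is meant. Since the assessment rests on the packaged rsyslog.conf setting $FileCreateMode 0640, it may be worth stating in the NOTE that this covers the shipped configuration only.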
