[Git][security-tracker-team/security-tracker][master] CVE-2019-9929/cfengine2: Add assessment about STATEDIR file permissions in...
Mike Gabriel
sunweaver at debian.org
Fri Jun 28 12:25:00 BST 2019
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d6056b0c by Mike Gabriel at 2019-06-28T11:24:05Z
CVE-2019-9929/cfengine2: Add assessment about STATEDIR file permissions in cfengine2 (observed in a runtime system).
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -7733,6 +7733,7 @@ CVE-2019-9930
CVE-2019-9929 (Northern.tech CFEngine Enterprise 3.12.1 has Insecure Permissions. ...)
- cfengine3 <undetermined>
NOTE: older cfengine variants (cfengine2) affected? Only Enterprise version affected (same version as src:cfengine3)?
+ NOTE: cfengine2 has various publicly readable files in $STATEDIR that reveal info on the modifications done by cfengine2. No credentials found in such files, so far.
NOTE: https://github.com/cfengine/core/commit/f7556bf1a0061644e35114a07a91e9b0c3267c48#diff-291cd8f3f0f8a5c1875630ef64a667a2
NOTE: related: https://github.com/cfengine/core/commit/461dc7019ab5acebabc341143838a2307d9b92db#diff-a877a71a0122c0ea1c66c03883130b86
CVE-2019-9928 (GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP c ...)
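Review bot: The added NOTE for cfengine2 does not say which cfengine2 package version was inspected, which files under $STATEDIR are publicly readable, or what their modes are, so the observation cannot be re-checked. The "so far" also leaves the credentials question open. The NOTE sits directly under the still-unanswered question "older cfengine variants (cfengine2) affected?" while the only package line remains "- cfengine3 <undetermined>". Consider naming the version and files observed. Consider also either adding a package line for cfengine2 or stating explicitly that its status is still undetermined.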
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d6056b0c76226b1d182dc9601c8fdf25d35f485e