Date: Tue, 8 Mar 2011 08:59:03 +0100
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
	Stefan Fritsch <sf@...itsch.de>, Florian Zumbiehl <florz@...rz.de>,
	Petr Uzel <petr.uzel@...e.cz>, Thomas Biege <thomas@...e.de>,
	Jan Kaluža <jkaluza@...hat.com>
Subject: Re: CVE Request -- logrotate -- nine issues

Josh Bressers wrote:
> [...]
> It seems there is now a consensus on this (at least that's how I'm reading
> it). Here is what I plan to do with CVE ids unless someone speaks up.
> 
> As best as I can tell, logrotate only needs a CVE id for this:
> 
>     8) Issue #8: logrotate: TOCTOU race condition by creation of new files
>        (between opening the file and moment, final permissions have been
>        applied) [information disclosure]
> 

Ack.
 
> We then will need to assign IDs for various broken uses of /var/log (If
> someone has a list of the currently known ones, please pass it along)

AFAICS on openSUSE Factory we have
cobbler
inn
safte-monitor
uucp

service owned log dirs without logrotate:
cups
horde

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
