Bug 1393912

Summary: CVE-2016-8637 dracut: Local information disclosure of initramfs when early cpio is used
Product: Red Hat Enterprise Linux 7
Reporter: Lukáš Nykrýn <lnykryn>
Component: dracut
Assignee: Lukáš Nykrýn <lnykryn>
Status: CLOSED CURRENTRELEASE
QA Contact: Release Test Team <release-test-team-automation>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.4
CC: amaris, anemec, dkholia, dracut-maint-list, harald, lnykryn, security-response-team, slawomir
Target Milestone: rc
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: CVE-2016-8637
Environment:
Last Closed: 2016-12-01 18:04:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1392056

Comment 1 Dhiru Kholia 2016-11-11 08:34:54 UTC
Hi,

Please note that RHEL 7.3 and RHEL 7.4 are not affected by this bug (0396-dracut-only-use-one-tmpdir.patch fixes this flaw, perhaps accidentally). RHEL 7.0, RHEL 7.1 and RHEL 7.2 are affected. 

The Product Security team has rated this flaw as having a moderate security impact. So there won't be any 7.0.z / 7.1.z / 7.2.z security errata (RHSA) for this bug.