Bug 1830805 (CVE-2020-12831)
Summary: | CVE-2020-12831 frr: default permission issue eases information leaks | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Robert Scheck <redhat-bugzilla> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | mbenatto, mrehak, mruprich |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-11-04 02:25:15 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1848993, 1852476 | | |
Bug Blocks: | 1848994 | | |
Description
Robert Scheck
2020-05-03 23:18:05 UTC

As per https://github.com/FRRouting/frr/blob/master/tools/frr.in#L100 this seems to be a possible frr vulnerability on the upstream side rather than a downstream mistake; please assign a CVE number. Given the Red Hat Product Security team did not really care about this report, even after contacting secalert explicitly, I got in touch with upstream's security contact, which led to https://github.com/FRRouting/frr/pull/6383, which will also be backported to upstream stable branches.

Submitted CVE Request 892850 for CVE ID directly at MITRE.

Created frr tracking bugs for this issue:

Affects: fedora-all [bug 1848993]

Upstream commit for this issue: https://github.com/FRRouting/frr/commit/5c9063771195bb51a8cc1c64f9924e53a0602817

Hello Robert,

We are now handling this as a security issue. Thank you very much for reporting this earlier. May we acknowledge you as the reporter on our CVE pages? If yes, how would you like to be called?

Best regards,
Marian

Hello Marian,

yes, you may acknowledge me as the reporter; using just "Robert Scheck" is fine.

Acknowledgments:
Name: Robert Scheck

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12831

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4619 https://access.redhat.com/errata/RHSA-2020:4619