|Summary:||/usr/bin/jwhois is group-writable|
|Product:||[Fedora] Fedora||Reporter:||Miloslav Trmač <mitr>|
|Component:||jwhois||Assignee:||Vitezslav Crhonek <vcrhonek>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Fixed In Version:||jwhois-4.0-27.fc15||Doc Type:||Bug Fix|
|Last Closed:||2011-04-05 21:45:11 UTC||Type:||---|
Description Miloslav Trmač 2011-03-24 18:43:32 UTC
/usr/bin/jwhois in current Fedora 15 (+updates-testing) is group-writable. This is not really a vulnerability, but it might be easier for an attacker to obtain gid=0 than to obtain uid=0 (at the very least, uid=0 trivially implies the ability to get gid=0). Therefore I think it is a good idea to change /usr/bin/jwhois to not be writable by group: it would somewhat increase security of the system, for very little effort.
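An added example (not part of the original report or of the Fedora package): a POSIX shell audit for the condition described above, listing regular files under a directory whose group-write or other-write bit is set. The function names and the scratch directory standing in for /usr/bin are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory for regular files writable by group or by
# others, the condition reported here for /usr/bin/jwhois.

# Print "<class> <path>" for every regular file under $1 whose mode has the
# group-write (020) or other-write (002) bit set. Symlinks are not followed.
# Paths containing newlines are not handled.
audit_writable() {
    dir=$1
    find "$dir" -xdev -type f \( -perm -020 -o -perm -002 \) -print |
    while IFS= read -r f; do
        # "-perm -002" matches when the other-write bit is set.
        if [ -n "$(find "$f" -perm -002 -print)" ]; then
            printf 'world-writable %s\n' "$f"
        else
            printf 'group-writable %s\n' "$f"
        fi
    done
}

# Return 0 when nothing is flagged, 1 otherwise (usable as a packaging gate).
audit_clean() {
    [ -z "$(audit_writable "$1")" ]
}

# Constructed demo: a scratch directory standing in for /usr/bin.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/jwhois"; chmod 0775 "$d/jwhois"  # mode as reported
    printf '#!/bin/sh\n' > "$d/ok";     chmod 0755 "$d/ok"      # expected mode
    audit_writable "$d"
    chmod g-w "$d/jwhois"                                       # remediation
    audit_clean "$d" && echo "clean after chmod g-w"
    rm -rf "$d"
}

# With an argument, audit that directory; with "demo", run the constructed case.
if [ "$#" -gt 0 ]; then
    if [ "$1" = "demo" ]; then demo; else audit_writable "$1"; fi
fi
```

Run it as `sh audit.sh /usr/bin` to list flagged files; the file name `audit.sh` is a placeholder.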
Comment 1 Fedora Update System 2011-03-30 12:16:13 UTC
jwhois-4.0-27.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/jwhois-4.0-27.fc15
Comment 2 Fedora Update System 2011-03-31 03:52:05 UTC
Package jwhois-4.0-27.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing jwhois-4.0-27.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/jwhois-4.0-27.fc15
then log in and leave karma (feedback).
Comment 3 Fedora Update System 2011-04-05 21:45:06 UTC
jwhois-4.0-27.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.