Bug 1021784 (CVE-2013-4455) - CVE-2013-4455 Katello: node-installer creates world readable private key file
Summary: CVE-2013-4455 Katello: node-installer creates world readable private key file
Status: CLOSED CANTFIX
Alias: CVE-2013-4455
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20131021,repor...
Keywords: Security
Depends On: 1021119
Blocks: 1021787
Reported: 2013-10-22 06:09 UTC by Garth Mollett
Modified: 2019-06-08 19:45 UTC
Last Closed: 2014-06-25 05:46:22 UTC


Description Garth Mollett 2013-10-22 06:09:45 UTC
Dominic Cleal reports:

/etc/pki/tls/private/katello-node.key is created in the apache::certs class in node-installer when a child Pulp node is deployed.

It contains the private key for the node, which is normally kept in files with 0600 permissions.
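
A check for the condition described in this report, as an added example that is not part of the original bug or of node-installer: it lists key files that grant any access to group or other, tightens them to 0600, and writes a new key under `umask 077` so it is never created with wider permissions. The function names are hypothetical; the directory in the usage comment is the one named in the report.

```shell
#!/bin/sh
# Added example (not node-installer code). Function names are hypothetical.
# Typical use on an affected host: sh thisfile.sh /etc/pki/tls/private

# Print every regular file under $1 that grants any access to group or other.
# Only POSIX find primaries are used: "-perm -MODE" means "all MODE bits set".
find_exposed_keys() {
    find "$1" -type f \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Restrict each exposed file to owner read/write and report what changed.
# Returns 0 only if a second scan finds nothing exposed.
# File names containing newlines are not handled.
tighten_keys() {
    find_exposed_keys "$1" | while IFS= read -r f; do
        chmod 0600 "$f" && printf 'fixed: %s\n' "$f"
    done
    [ -z "$(find_exposed_keys "$1")" ]
}

# Write key material from stdin to $1 so the file is created as 0600.
# A pre-existing file keeps its old mode on truncation, so remove it first.
# The umask change is confined to the subshell.
write_key_safely() {
    rm -f "$1"
    ( umask 077 && cat > "$1" )
}

# When invoked with a directory argument, report exposed files in it.
if [ "$#" -gt 0 ]; then
    find_exposed_keys "$1"
fi
```

A key that was world readable for any length of time may already have been copied, so tightening the mode does not by itself restore confidence in that key.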

Comment 4 Kurt Seifried 2013-10-25 19:58:28 UTC
Added a patch accidentally to this BZ entry, removed.

Comment 6 Kurt Seifried 2014-06-25 05:46:22 UTC
This was verified and delivered with Satellite 6 MDP2. Upstream has also been addressed.
