Bug 1021784 (CVE-2013-4455) - CVE-2013-4455 katello-installer: node-installer creates world readable private key file
Summary: CVE-2013-4455 katello-installer: node-installer creates world readable privat...
Keywords:
Status: CLOSED CANTFIX
Alias: CVE-2013-4455
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1021119
Blocks: 1021787
Reported: 2013-10-22 06:09 UTC by Garth Mollett
Modified: 2021-12-14 18:47 UTC (History)
CC: 15 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-25 05:46:22 UTC
Embargoed:


Description Garth Mollett 2013-10-22 06:09:45 UTC
Dominic Cleal reports:

/etc/pki/tls/private/katello-node.key is created in the apache::certs class in node-installer when a child Pulp node is deployed.

It contains the private key for the node, that's normally kept in files with 0600 permissions.
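As an added example (not part of this report or of katello-installer), a POSIX shell audit that lists private key files under a directory whose group or other permission bits are set and, when asked, tightens them to the 0600 mode the report expects; it assumes GNU stat, as found on the Linux hosts affected here, and the directory and file names passed to it are the caller's:

```shell
#!/bin/sh
# Added example: audit TLS private keys for group/other-readable modes.
# Assumes GNU coreutils stat (stat -c '%a'), as on the affected Linux hosts.

# key_mode_is_private FILE
# Returns 0 when FILE carries no group/other permission bits (e.g. 0600,
# 0400), 1 when any are set (e.g. 0644, the world-readable case reported).
key_mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    # stat prints octal without a leading zero; the last two digits are the
    # group and other classes, and both must be 0 for a private key.
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_private_keys DIR [fix]
# Prints every *.key under DIR that is too open. With "fix" as the second
# argument the file is chmod'ed to 0600. Returns 1 if any such file was
# found (before fixing), 0 if all keys were already private.
audit_private_keys() {
    dir=$1
    action=${2:-report}
    found=0
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        if ! key_mode_is_private "$f"; then
            found=1
            printf '%s: mode %s exposes the private key\n' \
                "$f" "$(stat -c '%a' "$f")"
            if [ "$action" = fix ]; then
                chmod 0600 "$f"
            fi
        fi
    done
    return "$found"
}

# Usage: sh audit_keys.sh /etc/pki/tls/private [fix]
if [ $# -gt 0 ]; then
    audit_private_keys "$1" "${2:-report}"
fi
```

The exit status makes the function usable from a cron job or a configuration-management check that should fail when a key has been deployed world-readable.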

Comment 4 Kurt Seifried 2013-10-25 19:58:28 UTC
Added a patch accidentally to this BZ entry, removed.

Comment 6 Kurt Seifried 2014-06-25 05:46:22 UTC
This was verified and delivered with Satellite 6 MDP2. Upstream has also been addressed.

Comment 7 Yadnyawalk Tale 2020-07-13 15:00:07 UTC
This flaw has already been fixed:

* Actual tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1021119
* Downstream patch: https://gitlab.satellite.lab.eng.rdu2.redhat.com/satellite6/katello-installer/-/commit/15e01086bcb3f5d42525730e8b162bca11bec85e
* Fixed erratas: https://errata.devel.redhat.com/package/show/katello-installer
* Fixed versions (from released erratas): 
    - katello-installer-0.0.67-1.el7sat
    - katello-installer-0.0.64-1.el7sat

