Ina Panova of Red Hat reports: Entitlement certificates keys have open permission in all client configuration rpms. Custom client conf package: [root@cli1 ~]# ls -la /etc/pki/entitlement/*key* -rw-r--r--. 1 root root 1679 Nov 5 08:35 /etc/pki/entitlement/key.pem [root@cli1 ~]# Rh-amazon-rhui-client package: [root@rhua ~]# ls -la /etc/pki/entitlement/*key* -rw-r--r--. 1 root root 1675 Jan 22 2013 /etc/pki/entitlement/content-rhel6.key -rw-r--r--. 1 root root 1679 Jan 22 2013 /etc/pki/entitlement/rhui-client-config-server-6.key [root@rhua ~]#
OpenShift Online does not appear to be affected: [appname-username.rhcloud.com 012345678901234567890123]\> cat /etc/pki/entitlement/content-rhel6.key cat: /etc/pki/entitlement/content-rhel6.key: Permission denied [appname-username.rhcloud.com 012345678901234567890123]\> cat /etc/pki/entitlement/rhui-client-config-server-6.key cat: /etc/pki/entitlement/rhui-client-config-server-6.key: Permission denied
Statement: Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.