Jonas Smedegaard reports: The ldns-keygen tool creates a keypair, one of which should be kept private. The tool apparently uses default access rights for all files, leading to the private key being created world readable.

====

This has been confirmed:

# ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.net
Kexample.net.+007+63434
# ls -la
total 20
drwxr-xr-x.  2 root root 4096 May  3 11:34 .
dr-xr-x---. 11 root root 4096 May  3 11:34 ..
-rw-r--r--.  1 root root   70 May  3 11:34 Kexample.net.+007+63434.ds
-rw-r--r--.  1 root root  242 May  3 11:34 Kexample.net.+007+63434.key
-rw-r--r--.  1 root root  943 May  3 11:34 Kexample.net.+007+63434.private

External references:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746758
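The permission problem confirmed above, as an added C illustration that is not ldns code: the create-with-default-mode pattern (subject to the process umask) beside a hardened variant that requests 0600 at creation, plus an audit check for existing private-key files. The file names, the placeholder key body and the umask value 022 are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed placeholder body; not real key material. */
static const char kSample[] = "Private-key-format: v1.3\n; placeholder, not a real key\n";

/* The defect described above: fopen(3) creates with mode 0666 & ~umask,
 * so under the usual umask 022 the key ends up 0644, world readable. */
int write_key_default_perms(const char *path) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(kSample, f);
    return fclose(f);
}

/* Hardened form: request 0600 at creation so the mode never depends on the
 * caller's umask; O_EXCL refuses a pre-existing file or symlink there. */
int write_key_private(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    ssize_t n = write(fd, kSample, strlen(kSample));
    if (n != (ssize_t)strlen(kSample)) { close(fd); return -1; }
    return close(fd);
}

/* Audit check for existing K*.private files: 1 if group or others can
 * read it, 0 if only the owner can, -1 if stat(2) fails. */
int key_is_world_readable(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

/* Writes one key each way in dir under umask 022 (assumed common default).
 * Returns bit 1 set if the default-perms file leaks, bit 0 if the hardened
 * one leaks (expected result: 2), or -1 on any I/O failure. */
int demo_permissions(const char *dir) {
    char bad[512], good[512];
    snprintf(bad, sizeof bad, "%s/key-default.private", dir);
    snprintf(good, sizeof good, "%s/key-hardened.private", dir);
    unlink(bad); unlink(good);            /* fresh run; ignore ENOENT */
    umask(022);
    if (write_key_default_perms(bad) != 0 || write_key_private(good) != 0) return -1;
    int b = key_is_world_readable(bad), g = key_is_world_readable(good);
    if (b < 0 || g < 0) return -1;
    return (b << 1) | g;
}
```

Running `demo_permissions(".")` leaves both files behind so the modes can be compared with `ls -la` exactly as in the confirmation above.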
Created ldns tracking bugs for this issue:

Affects: fedora-all [bug 1093945]
Affects: epel-all [bug 1093946]
MITRE assigned CVE-2014-3209 to this issue: http://seclists.org/oss-sec/2014/q2/241
For reference, I reported this upstream a month ago: <https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573>
Statement: This issue affects the versions of ldns as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.