CAN-2003-0461 /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.

http://www.redhat.com/support/errata/RHSA-2003-238.html
http://rsbac.dyndns.org/pipermail/rsbac/2002-May/000162.html
http://developer.osdl.org/~chrisw/audit/2.4/proc_tty_serial.diff

This is a minor issue but should be addressed with some future update.
(note not fixed in 2.4.21-7.EL)
A fix for this problem has just been committed to the RHEL3 U2 patch pool tonight. It will first be available in kernel version 2.4.21-9.7.EL. The /proc/tty/driver directory will now have permissions of 500 (i.e., root-only access).
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-188.html
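
Added example, not part of the original bug report or of Red Hat's errata: a shell check for the remediation described above, confirming that /proc/tty/driver is mode 500 (no group or other access) and owned by root. The function names and the optional uid parameter are assumptions made for this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Audit that a directory is owner-only, as the fixed kernel makes
# /proc/tty/driver (mode 500, root-only access).

# check_root_only DIR [EXPECTED_UID]
#   0 = no group/other permission bits and owned by EXPECTED_UID (default 0)
#   1 = exposed: group/other bits set, or unexpected owner
#   2 = DIR missing or not a directory
check_root_only() {
    cro_dir=$1
    cro_want=${2:-0}
    [ -d "$cro_dir" ] || return 2
    # GNU stat: %a is the octal mode, %u the numeric owner uid
    cro_mode=$(stat -c '%a' "$cro_dir") || return 2
    cro_uid=$(stat -c '%u' "$cro_dir") || return 2
    # A leading 0 makes the shell read the mode as octal; 077 masks the
    # group and other bits, all of which must be clear.
    if [ $(( 0$cro_mode & 077 )) -ne 0 ]; then
        return 1
    fi
    [ "$cro_uid" -eq "$cro_want" ] || return 1
    return 0
}

# audit_report DIR [EXPECTED_UID]: print a one-line verdict, return the code.
audit_report() {
    ar_rc=0
    check_root_only "$1" "${2:-0}" || ar_rc=$?
    case $ar_rc in
        0) echo "OK: $1 is restricted to uid ${2:-0}" ;;
        1) echo "EXPOSED: $1 is reachable by other users; serial counters may leak" ;;
        2) echo "SKIP: $1 is not present on this system" ;;
    esac
    return "$ar_rc"
}

# Run only when a path is given, e.g.: sh audit.sh /proc/tty/driver
if [ "$#" -gt 0 ]; then
    audit_report "$1"
fi
```

A result of EXPOSED on a 2.4.x host means the kernel predates the change and the errata above has not been applied.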