From Ludwig Nussel:

nm-applet.conf contains the following rules:

    <policy context="default">
      <allow send_destination="org.freedesktop.NetworkManagerUserSettings"/>
      <allow send_interface="org.freedesktop.NetworkManagerSettings"/>
      <!-- Only root can get secrets -->
      <deny send_interface="org.freedesktop.NetworkManagerSettings.Secrets"/>

I.e. anyone can call methods on destination org.freedesktop.NetworkManagerUserSettings. There is a line that is supposed to block users from calling the GetSecrets method on the separate interface for secrets. Unfortunately that interface is not called "org.freedesktop.NetworkManagerSettings.Secrets" but "org.freedesktop.NetworkManagerSettings.Connection.Secrets". So the deny statement is useless and any user on the system can fetch the connection secrets.

The same problem can be found in nm-system-settings.

Acknowledgements: Red Hat would like to thank Ludwig Nussel for reporting this flaw responsibly.
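A policy audit for the mismatch described above, as an added example (not code from the report or from NetworkManager). It flags deny rules whose send_interface names an interface the service never exports, and sensitive interfaces left without a deny. The function name audit_policy, the <busconfig> wrapper with closing </policy>, and the hard-coded interface sets are assumptions made so the excerpt parses and runs offline.

```python
import xml.etree.ElementTree as ET

# Policy excerpt as quoted in the report, closed with </policy> and wrapped in
# <busconfig> (both added here) so that it parses as a complete document.
NM_APPLET_POLICY = """<busconfig>
  <policy context="default">
    <allow send_destination="org.freedesktop.NetworkManagerUserSettings"/>
    <allow send_interface="org.freedesktop.NetworkManagerSettings"/>
    <!-- Only root can get secrets -->
    <deny send_interface="org.freedesktop.NetworkManagerSettings.Secrets"/>
  </policy>
</busconfig>"""

# Interface names taken from the report. In a real audit this set would come
# from the service's own interface definitions (assumption).
EXPORTED_INTERFACES = {
    "org.freedesktop.NetworkManagerSettings",
    "org.freedesktop.NetworkManagerSettings.Connection.Secrets",
}
SENSITIVE_INTERFACES = {
    "org.freedesktop.NetworkManagerSettings.Connection.Secrets",
}


def audit_policy(policy_xml, exported, sensitive):
    """Return (dead_denies, unprotected) for the default-context policy.

    dead_denies: send_interface values in <deny> rules that match no exported
                 interface, so the rule can never apply to a real call.
    unprotected: sensitive interfaces that no <deny> rule names exactly.
    Rule ordering and other match attributes are not modelled here.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy.findall("deny"):
            iface = rule.get("send_interface")
            if iface:
                denied.add(iface)
    dead_denies = sorted(denied - set(exported))
    unprotected = sorted(set(sensitive) - denied)
    return dead_denies, unprotected


if __name__ == "__main__":
    dead, open_ifaces = audit_policy(
        NM_APPLET_POLICY, EXPORTED_INTERFACES, SENSITIVE_INTERFACES)
    print("deny rules matching nothing:", dead)
    print("sensitive interfaces without a deny:", open_ifaces)
```

Interface matching in the bus policy is an exact string comparison, which is why a deny on a similar-looking name gives no protection.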
Public now via: http://www.ubuntu.com/usn/USN-727-1
Fedora packages are already in-queue for updates, and Rawhide packages were out on Wednesday night.
NetworkManager-0.7.0.99-1.fc9, NetworkManager-vpnc-0.7.0.99-1.fc9, NetworkManager-openvpn-0.7.0.99-1.fc9, NetworkManager-pptp-0.7.0.99-1.fc9, NetworkManager-openconnect-0.7.0.99-1.fc9 have been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
NetworkManager-0.7.0.99-1.fc10, knetworkmanager-0.7-0.8.20080926svn.fc10, NetworkManager-vpnc-0.7.0.99-1.fc10, NetworkManager-openvpn-0.7.0.99-1.fc10, NetworkManager-pptp-0.7.0.99-1.fc10, NetworkManager-openconnect-0.7.0.99-1.fc10 have been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
Via RHSA-2009:0361 https://rhn.redhat.com/errata/RHSA-2009-0361.html
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 4
Via RHSA-2009:0362 https://rhn.redhat.com/errata/RHSA-2009-0362.html
This issue was addressed in:
Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2009-0361.html
  http://rhn.redhat.com/errata/RHSA-2009-0362.html
Fedora:
  https://admin.fedoraproject.org/updates/F10/FEDORA-2009-2419
  https://admin.fedoraproject.org/updates/F9/FEDORA-2009-2420