A sensitive information disclosure flaw was found in the way wicd, wireless and wired network connection manager, performed management of sensitive information, to be stored in log files. Fields like 'password', 'identity', 'private_key', 'private_key_passwd' etc., were not excluded from being logged into /var/log/wicd log file, which could allow local attacker, with the privileges of the 'adm' group to view content of these entities in plain text, leading to information disclosure. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652417 [2] https://bugs.gentoo.org/show_bug.cgi?id=401005 [3] http://www.openwall.com/lists/oss-security/2012/01/26/13 (CVE request) [4] http://www.openwall.com/lists/oss-security/2012/01/26/14 (CVE assignment) Upstream (experimental branch) patch: [5] http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
This issue affects the version of the wicd package, as shipped with Fedora EPEL 6. Please schedule an update. -- This issue affects the versions of the wicd package, as shipped with Fedora release of 15 and 16. Please schedule an update.
Created wicd tracking bugs for this issue Affects: fedora-all [bug 785149] Affects: epel-6 [bug 785150]
I have patched wicd for F-15, F-16, rawhide, and EPEL-6 and built updates: wicd-1.7.0-11.fc15 wicd-1.7.0-10-fc16 wicd-1.7.1-0.3.b2.fc17 wicd-1.7.0-2.el6 I am confused with the two tracker bugs and how to properly file a security update in the updates system.
(In reply to comment #3) Hello David, > I have patched wicd for F-15, F-16, rawhide, and EPEL-6 and built updates: > > wicd-1.7.0-11.fc15 > wicd-1.7.0-10-fc16 > wicd-1.7.1-0.3.b2.fc17 > wicd-1.7.0-2.el6 Thank you for scheduling these. > > I am confused with the two tracker bugs and how to properly file a security > update in the updates system. When making Bodhi update request, each of the Fedora updates: 1) wicd-1.7.0-11.fc15, wicd-1.7.0-10-fc16, and wicd-1.7.1-0.3.b2.fc17 should reference the following two bugs: #785147 (i.e. this one), and #785149 (i.e. the fedora-all tracker), 2) while the Fedora EPEL 6 update: wicd-1.7.0-2.el6 should reference the following two bugs: #785147 (this one) and #785150 (epel-6 tracker) in the Bugs Fixed section. Bodhi will then take care for the rest.
Thank you for the information. I have filed bodhi updates for wicd-1.7.0-11.fc15, wicd-1.7.0-10-fc16 , and wicd-1.7.0-2.el6. The F-17 build will just make it in to F-17 final.
(In reply to comment #5) > Thank you for the information. I have filed bodhi updates for > wicd-1.7.0-11.fc15, wicd-1.7.0-10-fc16 > , and wicd-1.7.0-2.el6. The F-17 build will just make it in to F-17 final. Brilliant, thank you for those.
wicd-1.7.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
wicd-1.7.0-10.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
wicd-1.7.0-11.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 768575 has been marked as a duplicate of this bug. ***