/var/log/puppet is world readable and may contain sensitive information

Also the files contained within are world readable.

Version-Release number of selected component (if applicable):
puppet-2.6.14-1.el6.noarch
puppet-2.6.17-2.el6.noarch

How reproducible:
drwxr-xr-x. 2 puppet puppet 4096 Mar 8 16:35 /var/log/puppet
Created puppet tracking bugs for this issue

Affects: epel-all [bug 908915]
(In reply to comment #0)
> Lukas Zapletal reports:
>
> /var/log/puppet is world readable and may contain sensitive information

FYI that was EPEL bug https://bugzilla.redhat.com/show_bug.cgi?id=857930
And this was a bug in the build system, not in the packaging. A recent update and build without change to the spec file shows that /var/log/puppet now retains the proper permissions. I don't seem to have any access to the blocker bugs, so I don't know what the security team wants to do about closing this out. Please advise or close as appropriate.
The blocker bugs and depends-on bugs are for Red Hat internal purposes. A tracking bug for EPEL was created (908915), you were assigned to it, and it was closed properly, so that's all you need to worry about on your side. Basically, SRT handles closing of all CVE bugs (like this one).
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0710 https://rhn.redhat.com/errata/RHSA-2013-0710.html
The Red Hat Security Response Team has rated this issue as having low security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.
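
A check for the condition in the description at the top of this thread, as an added example that is not part of the bug report or of the puppet package: it lists every file and directory under a log directory that grants any permission to "other", then removes that access. The function names, the sample file name and the choice to strip all "other" bits are assumptions; the thread does not state the intended packaged modes.

```shell
#!/bin/sh
# Added example (not from the bug thread or the puppet package).

# Print every file or directory at or below $1 that has any of the
# "other" read, write or execute bits set.
audit_world_access() {
    find "$1" \( -type d -o -type f \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove all "other" access below $1, leaving owner and group bits alone.
# Assumption: no unprivileged account needs to read these logs.
restrict_world_access() {
    chmod -R o-rwx "$1"
}

# Constructed tree mirroring the reported listing (drwxr-xr-x directory
# holding a world-readable log file). Prints "<findings before> <after>".
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/puppet"
    : > "$tmp/puppet/sample.log"          # constructed file name
    chmod 755 "$tmp/puppet"
    chmod 644 "$tmp/puppet/sample.log"

    before=$(audit_world_access "$tmp/puppet" | wc -l | tr -d ' ')
    restrict_world_access "$tmp/puppet"
    after=$(audit_world_access "$tmp/puppet" | wc -l | tr -d ' ')

    rm -rf "$tmp"
    echo "$before $after"
}

demo
```

Running `audit_world_access /var/log/puppet` after each package update shows whether a rebuild has changed the directory or file modes again.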