Red Hat Bugzilla – Bug 988998
CVE-2013-4481 luci: short exposure of authentication secrets while generating configuration file
Last modified: 2014-12-10 09:09:12 EST
It was discovered that the luci configuration file was generated in an insecure manner. Because the configuration is generated on-demand via the luci initscript from a template, and because it is created and then has its permissions changed, the /var/lib/luci/etc/luci.ini file contents are briefly exposed to local users due to world-readable permissions.
This issue was discovered by Jan Pokorný of Red Hat.
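The create-then-chmod window described in this report, next to one way to close it, as an added example (not luci's initscript and not the fix shipped in the erratum). The function names, the `@SECRET@` placeholder, the file names and the 0640 final mode are assumptions; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example; function names, @SECRET@ and file names are hypothetical.
# The constructed secret contains no sed metacharacters.

# Weak pattern: the file is created under the ambient umask (022 here, so
# mode 0644) and only restricted afterwards. Any local user can read the
# secret between the redirect and the chmod.
# Prints the mode the file had during that window.
generate_insecure() (
    umask 022
    sed "s/@SECRET@/$3/" "$1" > "$2"
    stat -c %a "$2"        # mode while the secret is already on disk
    chmod 0640 "$2"        # assumed final mode
)

# Hardened pattern: the file is never visible with loose permissions.
# mktemp creates it 0600 in the target directory, and the finished file is
# renamed into place atomically. Any chgrp/chmod needed to give the service
# account access would be applied to the temp file before the mv.
# Prints the mode the file had when the secret was written.
generate_secure() (
    umask 077
    tmp=$(mktemp "$2.XXXXXX") || exit 1
    sed "s/@SECRET@/$3/" "$1" > "$tmp"
    stat -c %a "$tmp"
    mv -f "$tmp" "$2"
)

# Demo on a constructed template in a scratch directory.
demo_dir=$(mktemp -d)
printf 'secret = @SECRET@\n' > "$demo_dir/luci.ini.in"
echo "insecure, mode before chmod: $(generate_insecure \
    "$demo_dir/luci.ini.in" "$demo_dir/old.ini" constructed-secret)"
echo "hardened, mode at creation:  $(generate_secure \
    "$demo_dir/luci.ini.in" "$demo_dir/new.ini" constructed-secret)"
rm -rf "$demo_dir"
```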
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:1603 https://rhn.redhat.com/errata/RHSA-2013-1603.html