Bug 848103 (CVE-2013-4476) - VUL-0: CVE-2013-4476: samba: key.pem world readable
Status: RESOLVED FIXED
Alias: CVE-2013-4476
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Lars Müller
QA Contact: Security Team bot
Reported: 2013-10-29 15:30 UTC by Marcus Meissner
Modified: 2015-02-18 23:49 UTC

Description Marcus Meissner 2013-10-29 15:30:27 UTC
via samba bugzilla, embargoed

On 21.10.2013 21:53, Stefan (metze) Metzmacher wrote:
> Hi,
>
> I just noticed that /var/lib/samba/private/tls is world readable
> and it contains the private key in key.pem also world readable...
>
> I noticed it as we use 750 for /var/lib/samba/private
> in the sernet packages and someone complained that it doesn't
> work together with a bind9 setup that wants to grant access to
> /var/lib/samba/private/dns to bind9.
>
> I'd really like to keep /var/lib/samba/private as 750 in our packages,
> wouldn't it be better to use something like /var/lib/samba/dns to give
> access to bind9?


CVE-2013-4476

Same release date as the other issue.
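
An added example, not part of the report or of Samba's fix: a shell audit that separates the two conditions in the quoted mail, the mode on key.pem itself and whether a 750 parent such as /var/lib/samba/private keeps other users from reaching it. The function names, the OK/MASKED/EXPOSED labels and the optional top-directory argument are assumptions of this example; it needs GNU stat and should run as root.

```shell
#!/bin/sh
# Added example: classify PEM private keys by whether "other" users can read them.
# Needs GNU stat; run as root so every file and directory can be inspected.

# Last octal digit of PATH's mode: the permission bits for "other".
other_bits() {
    m=$(stat -c '%a' "$1") || return 1
    printf '%s\n' "${m#"${m%?}"}"
}

# True when every directory from FILE's parent up to TOP (default /) grants
# "other" the search (x) bit. A 750 directory on the way fails this check.
other_can_reach() {
    d=$(cd "$(dirname "$1")" && pwd -P) || return 1
    top=$(cd "${2:-/}" && pwd -P) || return 1
    while :; do
        o=$(other_bits "$d") || return 1
        [ $((o & 1)) -ne 0 ] || return 1
        if [ "$d" = "$top" ] || [ "$d" = "/" ]; then return 0; fi
        d=$(dirname "$d")
    done
}

# Print one verdict for FILE:
#   OK      - "other" has no read bit on the file
#   MASKED  - the file is o+r, only a closed parent directory protects it
#   EXPOSED - the file is o+r and every parent is traversable by "other"
classify_key() {
    o=$(other_bits "$1") || return 1
    if [ $((o & 4)) -eq 0 ]; then echo OK
    elif other_can_reach "$1" "${2:-/}"; then echo EXPOSED
    else echo MASKED
    fi
}

# Classify each *.pem in DIR that holds a private key block (certificates are skipped).
scan_dir() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" || continue
        printf '%s %s\n' "$(classify_key "$f" "${2:-/}")" "$f"
    done
    return 0
}

# Default directory is the path quoted in the report; pass another as $1.
scan_dir "${1:-/var/lib/samba/private/tls}"
```

A MASKED result still warrants tightening the file mode, because the key becomes readable as soon as the parent directory's mode is relaxed.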
Comment 1 Marcus Meissner 2013-10-29 15:41:29 UTC
(do we have that in this form? I do not see it on my machine)
Comment 2 Swamp Workflow Management 2013-10-30 23:00:12 UTC
bugbot adjusting priority
Comment 5 Bernhard Wiedemann 2013-11-11 16:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (848103) was mentioned in
https://build.opensuse.org/request/show/206497 13.1 / samba
Comment 6 Bernhard Wiedemann 2013-11-14 09:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (848103) was mentioned in
https://build.opensuse.org/request/show/206855 Factory / samba
Comment 7 Bernhard Wiedemann 2013-11-15 19:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (848103) was mentioned in
https://build.opensuse.org/request/show/207063 13.1 / samba
https://build.opensuse.org/request/show/207064 13.1 / samba
Comment 8 Marcus Meissner 2013-11-20 17:44:10 UTC
only affected Samba 4, so SLES 11 and older are not affected.
Comment 9 Swamp Workflow Management 2013-11-22 04:04:34 UTC
openSUSE-SU-2013:1742-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 848101,848103,850656
CVE References: CVE-2013-4475,CVE-2013-4476
Sources used:
openSUSE 13.1 (src):    samba-4.1.0-3.8.1
Comment 10 Marcus Meissner 2013-12-09 10:21:26 UTC
released
Comment 11 Bernhard Wiedemann 2013-12-10 18:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (848103) was mentioned in
https://build.opensuse.org/request/show/210422 13.1 / samba
Comment 12 Swamp Workflow Management 2013-12-19 17:05:37 UTC
openSUSE-SU-2013:1921-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 844720,848101,848103,853021,853347
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4475,CVE-2013-4476
Sources used:
openSUSE 13.1 (src):    samba-4.1.3-3.12.1