Bug 954407 (CVE-2015-7328) - VUL-1: CVE-2015-7328: puppet: CA key leak
Summary: VUL-1: CVE-2015-7328: puppet: CA key leak
Status: RESOLVED INVALID
Alias: CVE-2015-7328
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Kristyna Streitova
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/158685/
Whiteboard: CVSSv2:NVD:CVE-2015-7328:4.9:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-10 09:06 UTC by Sebastian Krahmer
Modified: 2015-11-10 10:47 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2015-11-10 09:06:37 UTC 
Quoting from puppetlabs:

During the initial installation and configuration of Puppet Enterprise, there is a short window of time where the generated CA key is left world-readable. This is corrected later during the configuration/bootstrapping steps.

In Puppet Enterprise 3.8.3 and 2015.2.3, the CA key (and all other SSL private keys) are created with the correct permissions.
CVE-2015-7328



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7328
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7328.html
https://puppetlabs.com/security/cve/cve-2015-7328