oss-sec
mailing list archives
CVE ASSIGN: pnp4nagios: process_perfdata.cfg world readable
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 06 Aug 2012 13:28:55 -0600
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683879
Package: pnp4nagios-bin
Version: 0.6.16-1
Severity: important
Tags: security
Hi.
Marking as severity important as it might have security implications.
process_perfdata.cfg shouldn't be world-readable.
Even though not used per default in Debian, it contains the "KEY"
option which may be used (in alternative to "KEY_FILE") to hold
the Gearman shared secret.
Cheers,
Chris.
==============================
This affects 0.6 only, 0.4 doesn't support KEYS.
# A shared password which will be used for
# encryption of data pakets. Should be at least 8
# bytes long. Maximum length is 32 characters.
#
KEY = should_be_changed
=============================
Please use CVE-2012-3457 for this issue.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
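An added example, not part of the original message or of pnp4nagios: a Python check for the condition reported above, a world-readable process_perfdata.cfg that carries an inline KEY. The function names, the 0640 mode used for comparison, and the extra permission check on a KEY_FILE target are assumptions that go beyond the report.

```python
import os
import re
import stat
import tempfile

SAMPLE_KEY = "should_be_changed"  # placeholder value quoted in the advisory
SETTING = re.compile(r"^\s*(KEY_FILE|KEY)\s*=\s*(.*?)\s*$")  # skips '#' comment lines

def world_readable(path):
    """True if the 'other' read bit is set on path."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH)

def audit_perfdata_cfg(path):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    exposed = world_readable(path)
    if exposed:
        findings.append("config is world-readable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = SETTING.match(line)
            if not m or not m.group(2):
                continue
            name, value = m.groups()
            if name == "KEY":
                if exposed:
                    findings.append("inline KEY readable by any local user")
                if value == SAMPLE_KEY:
                    findings.append("KEY still set to the sample value")
            elif os.path.exists(value) and world_readable(value):
                # Assumption: the key file deserves the same check as the config.
                findings.append("KEY_FILE target is world-readable")
    return findings

def demo():
    """Audit a constructed sample config at mode 0644, then at 0640 (assumed fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "process_perfdata.cfg")
        with open(cfg, "w") as fh:
            fh.write("# constructed sample\nKEY = should_be_changed\n")
        os.chmod(cfg, 0o644)
        before = audit_perfdata_cfg(cfg)
        os.chmod(cfg, 0o640)
        after = audit_perfdata_cfg(cfg)
    return before, after

if __name__ == "__main__":
    print(demo())
```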