FW: CVE-2011-2147 is a dud, was Re:World writable pid and lock files.
Looping in MITRE, as they are responsible for the assignment of CVEs.
If it is determined this CVE has been assigned in error, updates to the NVD data feeds will be occur within 24 hours of MITRE updates.
National Vulnerability Database
From: helpermn [mailto:firstname.lastname@example.org]
Sent: Tuesday, May 31, 2011 4:56 AM
To: Paul Wouters
Cc: nvd; email@example.com; firstname.lastname@example.org; email@example.com
Subject: Re: CVE-2011-2147 is a dud, was Re:World writable pid and lock files.
On 2011-05-30 at 23:26 Paul Wouters <firstname.lastname@example.org> wrote:
>> * To: email@example.com
>> * Subject: World writable pid and lock files.
>> * From: helpermn <firstname.lastname@example.org>
>> * Date: Tue, 10 May 2011 15:40:22 +0200
>> * Message-id: <[🔎] 05578BFF-44FC-41B3-9E8E-C11B5B9A6C11@gmail.com>
>> I imagine why files listed below have 666 file mode bits set:
>> Files are created during startup of ipsec (pluto) and keepalived
>> I think thar leaving them world writable is security hole. For
>> example delete or change of its content could confuses monit
>> watching them running and restarting when they die.
> It seems this report got turned into a CVE for Openswan, CVE-2011-2147
> If debian is still shipping openswan-2.2 unpatched anywhere (released
> January 2005) this could be a problem, albeit an extremely minor
> one compared to the actual two CVE issues that have come up in
> since then. We hope that any openswan-2.2 version that is in active
> has at least gotten some serious looking at based on the security
> that have since been made.
> openswan 2.6.x on debian/ubuntu and fedora/rhel/centos create a read-
> file in /var/locl/subsys.
> If someone finds an issue that is actually a security issue, and they
> deem it worthy of a CVE release, we strongly encourage those people to
> contact us beforehand so we can do a proper responsible vulnerability
> disclosure. We also strongly recommend that the CVE people at least
> to make an attempt to contact a vendor before releasing
> to the public. We don't bite, honest!
> It looks as if someone or some company was in need of reaching their
> CVE quota of the month. It would be a shame if future CVE
> would get ignored because of too many CVE releases on 6 year old
> Paul Wouters
I see some mistakes. In stable Debian realease and what I use:
strongswan 4.4.1-5.1 (newest release is 4.5.2 - project homepage)
keepalived 1.1.20-1 (newest release 1.2.2 - project homepage)
So problem is similar but it is not old openswan-2.2 about which we
can read in CVE. I don't know who/how/why did the mistake but the
problem which I have reported here (Debian security group) still exists.