{
  "schema_version": "1.7.0",
  "id": "MGASA-2015-0116",
  "published": "2015-03-27T21:12:10Z",
  "modified": "2022-01-22T02:45:17Z",
  "summary": "Updated setup package fixes security vulnerability",
  "details": "An issue has been identified in Mageia 4's setup package where the\n/etc/shadow and /etc/gshadow files containing password hashes were created\nwith incorrect permissions, making them world-readable (mga#14516).\n\nThis update fixes this issue by enforcing that those files are owned by\nthe root user and shadow group, and are only readable by those two entities.\n\nNote that this issue only affected new Mageia 4 installations.  Systems\nthat were updated from previous Mageia versions were not affected.\n\nUPDATE: This update has since been removed as it still created rpmnew files\n        and allowed users to unintentionally remove existing users by applying\n        it. A better fix has since been found and will be pushed separately\n        (mga#15644)\n",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2015-0116.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=14516"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=15644"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:4",
        "name": "setup",
        "purl": "pkg:rpm/mageia/setup?arch=source&distro=mageia-4"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.20-9.4.mga4"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}