{ "schema_version": "1.7.0", "id": "MGASA-2015-0162", "published": "2015-04-23T21:14:25Z", "modified": "2015-04-23T21:02:29Z", "summary": "Updated setup packages fix security vulnerabilities", "details": "Updated setup package fixes security issue\n\nAn issue has been identified in Mageia 4's setup package where the\n/etc/shadow and /etc/gshadow files containing password hashes were created\nwith incorrect permissions, making them world-readable (mga#14516).\n\nThis update fixes this issue by enforcing that those files are owned by\nthe root user and shadow group, and are only readable by those two entities.\n\nNote that this issue only affected new Mageia 4 installations. Systems that\nwere updated from previous Mageia versions were not affected.\n\nThis update was already issued as MGASA-2015-0116, but the latter was withdrawn\nas it generated .rpmnew files for critical configuration files, and rpmdrake\nmight propose the user to use those basically empty files, thus leading to\nloss of passwords or partition table. This new update ensures that such .rpmnew\nfiles are not kept after the update.\n", "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2015-0162.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=15644" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=14516" }, { "type": "ADVISORY", "url": "http://advisories.mageia.org/MGASA-2015-0116.html" }, { "type": "WEB", "url": "https://ml.mageia.org/l/arc/qa-discuss/2015-03/msg00399.html" } ], "affected": [ { "package": { "ecosystem": "Mageia:4", "name": "setup", "purl": "pkg:rpm/mageia/setup?arch=source&distro=mageia-4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.20-9.4.mga4" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }