From: Vasant H. <heg...@li...> - 2014-12-15 05:44:15
On 10/28/2014 03:55 PM, Jan Löser wrote:
> Hi,
>
> I attached a patch/workaround for CVE-2014-4040.
>
> CVE is about:
>
> snap in powerpc-utils 1.2.20 produces an archive with fstab and
> yaboot.conf files potentially containing cleartext passwords, and lacks
> a warning about reviewing this archive to detect included passwords,
> which might allow remote attackers to obtain sensitive information by
> leveraging access to a technical-support data stream.
>

We are working towards enabling distro provided data collection tool to collect Power specific data as well... (supportconfig from SLES12+, sosreport from RHEL7+, apport-collect for Ubuntu). Ultimate goal is to deprecate this tool.

So I think we are fine with removing those two files.

-Vasant