Giuseppe Iuculano
2010-Jan-02 11:37 UTC
[Secure-testing-team] Bug#563371: CVE-2009-4145: information disclosure
Package: network-manager-applet
Severity: important
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for network-manager-applet.
CVE-2009-4145[0]:
| nm-connection-editor in NetworkManager (NM) 0.7.x exports connection
| objects over D-Bus upon actions in the connection editor GUI, which
| allows local users to obtain sensitive information by reading D-Bus
| signals, as demonstrated by using dbus-monitor to discover the
| password for the WiFi network.
Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable and oldstable. It
does not warrant a DSA.
However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4145
http://security-tracker.debian.org/tracker/CVE-2009-4145
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAks/L/YACgkQNxpp46476arPBACeNs+9eC93EMDJUxvxMdxjvnvI
wP8AoJNMHewgvBXSxUA4iIHHuWZEEoK6
=vfPq
-----END PGP SIGNATURE-----