[Bug 638813] New: supportutils-1.20-18.2.noarch.rpm retrieves secret keys
https://bugzilla.novell.com/show_bug.cgi?id=638813
https://bugzilla.novell.com/show_bug.cgi?id=638813#c0

           Summary: supportutils-1.20-18.2.noarch.rpm retrieves secret keys
    Classification: openSUSE
           Product: openSUSE 11.3
           Version: Final
          Platform: All
        OS/Version: SLES 10
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: Ulrich.Windl@rz.uni-regensburg.de
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100714 SUSE/2.0.6-0.1.1 SeaMonkey/2.0.6

Inspecting the output that supportinfo sends to Novell, I noticed that confidential information is retrieved from SLES10 and sent to Novell. For example:

- The NTP key file ("Files included in /etc/ntp.conf") that contains the private symmetric keys used to authenticate peers.
- I could not check, but possibly WIRELESS_WPA_PASSWORD is also included in the output (via /etc/sysconfig files).
- Proxy and proxy passwords are read from /etc/zmd/zmd.conf.
- Encrypted user passwords (weak passwords could be revealed) are transferred via /root/autoinst.xml.

Reproducible: Didn't try

Steps to Reproduce:
1. Get and install supportinfo (wget http://download.opensuse.org/repositories/Novell:/NTS/SLE_10/noarch/supportu...)
2. Install it (http://www.novell.com/communities/node/2332/supportconfig-linux)
3. Run it
4. Inspect contents of archive

Actual Results:
Confidential security information is archived and transmitted.

Expected Results:
Sensitive security information should not be transferred without the user being notified before; better not to transfer that information at all.

The link to report bugs (http://en.opensuse.org/Supportutils#Reporting_Bugs) did not work due to lack of permission in Bugzilla (https://bugzilla.novell.com/enter_bug.cgi?classification=7261&product=SUSE%20Linux%20Enterprise%20Server%2011&component=Basesystem&version=GM&assigned_to=jrecord@novell.com&short_desc=%5Bsupportutils%5D%20). Therefore I'm reporting the issue against the current stable openSUSE. Please redirect as appropriate.
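The report's last reproduction step is "inspect contents of archive". The following script is an added example, written for this page and not part of supportutils or the reporter's submission, that automates that inspection: it opens a supportconfig-style tar archive and greps its text members for the four kinds of secrets the report names (NTP symmetric keys, WIRELESS_WPA_PASSWORD, proxy passwords from zmd.conf, and user password hashes from autoinst.xml), printing each finding with the secret redacted so the scan output itself does not leak it. The member names, the "# /etc/..." section headers and the config syntax in the constructed sample archive are assumptions about what such an archive may contain, not a description of the real supportconfig layout.

```python
"""Added example: scan a supportconfig-style archive for secrets before
sending it. Not code from supportutils or from the bug report; the
archive layout and config syntax below are assumptions for illustration."""
import io
import re
import tarfile

# (label, path filter or None, regex). The path filter keeps the noisy
# NTP-key pattern ("<id> <type> <key>") to members that look NTP-related.
# Group 1 of every regex is the secret value itself.
CHECKS = [
    ("NTP symmetric key", re.compile(r"ntp", re.I),
     re.compile(r"^\s*\d+\s+(?:M|MD5|SHA1|S|A|N)\s+(\S+)", re.M)),
    ("WPA passphrase", None,
     re.compile(r"^\s*WIRELESS_WPA_PASSWORD\s*=\s*['\"]?([^'\"\n]+)", re.M)),
    ("proxy password", None,
     re.compile(r"^\s*proxy-password\s*=\s*(\S+)", re.M | re.I)),
    ("user password hash", None,
     re.compile(r"<user_password>\s*([^<\s]+)\s*</user_password>")),
]


def redact(secret):
    """Keep two characters so a finding can be matched to its source line."""
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def scan_text(path, text):
    """Return (path, label, redacted secret) for every match in one member."""
    findings = []
    for label, path_filter, pattern in CHECKS:
        if path_filter is not None and not path_filter.search(path):
            continue
        for m in pattern.finditer(text):
            findings.append((path, label, redact(m.group(1))))
    return findings


def scan_archive(fileobj):
    """Walk every regular file in a (possibly compressed) tar archive."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member, nothing to grep
            findings.extend(scan_text(member.name, text))
    return findings


# Constructed sample members (assumed layout, invented values).
SAMPLE_FILES = {
    "nts_host/ntp.txt":
        "# /etc/ntp.keys\n1 M s3cretntpkey\n2 MD5 anotherkey\n",
    "nts_host/network.txt":
        "# /etc/sysconfig/network/ifcfg-wlan0\n"
        "WIRELESS_WPA_PASSWORD='hunter2pass'\n",
    "nts_host/updates.txt":
        "# /etc/zmd/zmd.conf\nproxy-url = http://proxy:3128\n"
        "proxy-password = pr0xyS3cret\n",
    "nts_host/autoinst.xml":
        "<user><username>root</username>"
        "<user_password>$1$abcdefgh$ijklmnopqrstuvwxyz012</user_password>"
        "</user>\n",
    "nts_host/basic-environment.txt":
        "Hostname: example\nKernel: 2.6.16\n",
}


def build_sample_archive():
    """Build the constructed archive in memory so the scan runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in SAMPLE_FILES.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for path, label, value in scan_archive(build_sample_archive()):
        print(f"{path}: {label}: {value}")
```

To check a real archive, replace `build_sample_archive()` with `open("/path/to/archive.tbz", "rb")`; the patterns are a starting point and will need extending for whatever other secret-bearing files the tool collects on a given system.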