
SANS ISC: Oracle announced GNOME Display Manager password disclosure weakness - SANS Internet Storm Center SANS ISC InfoSec Forums



According to this announcement:
http://secunia.com/advisories/40780/
"The problem is that passwords may in certain cases be logged to "/var/log/messages" while running GNOME Display Manager in debug mode (disabled by default)"

This was originally reported on 02-15-2009 here:
https://bugzilla.gnome.org/show_bug.cgi?id=571846
A patch was issued the same day. A "supported" patch was issued 05-14-2010.

The Secunia advisory did not have many details.
The Sun blog link provided did not have very much information.
http://blogs.sun.com/security/entry/cve_2010_2387_password_disclosure

The CVE is reserved and not available yet.
The rest of the information is apparently "in the Customer Area".

Does this mean we can count on a "no public disclosure policy" for SUN products now that Oracle owns them?






 

donald

206 Posts
ISC Handler

- http://blogs.sun.com/security/entry/cpu_july_2010
03 Aug 2010 - "In the July 2010 Critical Patch Update, per policy, Oracle no longer provided the mapping between CVE numbers and individual patches. As a result of customer input, Oracle will provide the CVE to individual patch mapping in the July 2010 Critical Patch Update. Oracle plans to reevaluate this policy in time for the October 2010 Critical Patch Update..."
(Ahem... cough)
Anonymous
