PublicDateAtUSN: 2016-04-18
Candidate: CVE-2016-4036
PublicDate: 2016-04-18 14:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4036
 http://lists.opensuse.org/opensuse-updates/2016-04/msg00040.html
 https://ubuntu.com/security/notices/USN-3102-1
Description:
 The quagga package before 0.99.23-2.6.1 in openSUSE and SUSE Linux
 Enterprise Server 11 SP 1 uses weak permissions for /etc/quagga, which
 allows local users to obtain sensitive information by reading files in the
 directory.
Ubuntu-Description:
Notes:
 mdeslaur> description mentions SUSE, but debian/ubuntu package has similar
 mdeslaur> issue.
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835223
 https://bugzilla.suse.com/show_bug.cgi?id=770619
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [5.5 MEDIUM]

Patches_quagga:
upstream_quagga: not-affected
precise_quagga: released (0.99.20.1-0ubuntu0.12.04.5)
trusty_quagga: released (0.99.22.4-3ubuntu1.2)
trusty/esm_quagga: DNE (trusty was released [0.99.22.4-3ubuntu1.2])
vivid/stable-phone-overlay_quagga: DNE
vivid/ubuntu-core_quagga: DNE
wily_quagga: ignored (reached end-of-life)
xenial_quagga: released (0.99.24.1-2ubuntu1.1)
esm-infra/xenial_quagga: released (0.99.24.1-2ubuntu1.1)
devel_quagga: not-affected (1.0.20160315-2)