CVE-2014-3929: Unsafe SSH keypairs path in default config #5
Labels
Comments
lucab
changed the title
Cougar
added a commit
that referenced
this issue
Jun 22, 2014
Closes #5: CVE-2014-3929: Unsafe SSH keypairs path in default config
Cougar
added a commit
that referenced
this issue
Jun 22, 2014
Closes #5: CVE-2014-3929: Unsafe SSH keypairs path in default config (cherry picked from commit 856cba2)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I've already tried to report security issues privately via mail (message-id 20140520102828.30d346b6@xantho) on 20/05/2014 but didn't get any reply, thus I'm filing a public report.
In the default template config, at
lg.conf:18the default path for SSH keypairs is/var/www/.ssh, and the software README doesn't suggest any additional protections./var/www/is the default web docroot in many distributions (eg. all Debian stable and Ubuntu LTS), and as such files may be directly served from there by the web server.A possible solutions would be as suggested in #4.
cc @emdel for credits
The text was updated successfully, but these errors were encountered: