
Bug#464930: marked as done (ssl-cert: please use 'hostname -f' in /usr/sbin/make-ssl-cert)



Your message dated Sun, 10 Feb 2008 22:02:05 +0000
with message-id <E1JOKFR-000120-6Q@ries.debian.org>
and subject line Bug#464930: fixed in ssl-cert 1.0.15
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ssl-cert
Version: 1.0.14
Severity: important
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: ubuntu-patch origin-ubuntu hardy

make-ssl-cert currently uses 'hostname' to set the cn of the default snake
oil certificate.  This results in a cn set to a relative hostname, not an
FQDN (which would be given by 'hostname -f').  This yields a suboptimal
certificate: OpenLDAP, for instance, will map 'localhost' to the fqdn when
verifying certificates, which will properly fail to match the relative
hostname in most cases, and there's also the issue that having a certificate
that only works with the relative hostname ensures that users will only
/connect/ using the relative hostname, opening a subtle attack vector in the
form of hostname collisions in the domain search list.

The attached patch implements this change in the most trivial fashion.
However, it's probably also reasonable to have the unqualified hostname as
an alternative name in the certificate for convenience; in that case, it
makes sense to add a subjectAlternativeName to the snakeoil cert as well,
including the value of $(hostname).  If you prefer, I can look at
implementing this.

Incidentally, is this package actually maintained today?  I notice that the
maintainer is listed as "Debian Apache Maintainers", and that none of the
uploaders listed have been active in Apache maintenance for some time...

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
diff -Nru ssl-cert-1.0.14/debian/changelog ssl-cert-1.0.14/debian/changelog
--- ssl-cert-1.0.14/debian/changelog	2007-02-02 22:47:27.000000000 -0800
+++ ssl-cert-1.0.14/debian/changelog	2008-02-09 14:15:27.000000000 -0800
@@ -1,3 +1,13 @@
+ssl-cert (1.0.14-0.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Use 'hostname -f' for the snakeoil CN instead of 'hostname', since
+    relative hostnames are subject to namespace collisions that could be
+    exploited (and also because OpenLDAP doesn't care for them when
+    connecting to localhost).
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 09 Feb 2008 22:13:25 +0000
+
 ssl-cert (1.0.14) unstable; urgency=low
 
   * Non-maintainer upload to fix pending l10n issues.
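Review bot: The new 1.0.14-0.1 entry has no Closes: field on the 'hostname -f' item, so uploading it would not close the report it fixes; add the bug number once it is assigned. The item also describes only the CN, while Email="root@$HostName" in make-ssl-cert is derived from the same variable, so the certificate's e-mail address changes as well and deserves a mention.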
diff -Nru /tmp/jDzpFqLCPH/ssl-cert-1.0.14/make-ssl-cert /tmp/rrqcQpBL77/ssl-cert-1.0.14/make-ssl-cert
--- ssl-cert-1.0.14/make-ssl-cert	2006-05-18 05:02:20.000000000 -0700
+++ ssl-cert-1.0.14/make-ssl-cert	2008-02-09 14:15:45.000000000 -0800
@@ -56,7 +56,7 @@
      LocalityName="Everywhere"
      OrganisationName="OCOSA"
      OUName="Office for Complication of Otherwise Simple Affairs"
-     HostName="$(hostname)"
+     HostName="$(hostname -f)"
      Email="root@$HostName"
 }
 

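Review bot: HostName="$(hostname -f)" is used unchecked. When the FQDN cannot be resolved, hostname -f prints nothing and exits non-zero, which leaves HostName empty and Email as "root@"; test the result and fall back to $(hostname) when it is empty. A fully qualified name is also more likely than the short one to exceed the 64-character limit on an X.509 commonName, so a length check belongs next to this assignment.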
--- End Message ---
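The report above proposes keeping the FQDN as the CN and carrying the unqualified hostname as a subjectAlternativeName. The following is an added example of that naming logic, not code from ssl-cert or from the patch. The function names (cert_cn, cert_san, make_cert) are hypothetical, and it goes beyond the patch by handling an empty 'hostname -f' result and a FQDN longer than the 64-character CN limit.

```shell
#!/bin/sh
# Added example (not from ssl-cert): choose CN and subjectAltName for a
# self-signed certificate from the short and fully qualified host names.

# cert_cn SHORT FQDN -> prints the name to use as CN.
# Prefers the FQDN; falls back to the short name when 'hostname -f' gave
# nothing or when the FQDN exceeds the 64-character X.509 CN limit.
cert_cn() {
    short=$1 fqdn=$2
    if [ -n "$fqdn" ] && [ "${#fqdn}" -le 64 ]; then
        printf '%s\n' "$fqdn"
    else
        printf '%s\n' "$short"
    fi
}

# cert_san SHORT FQDN -> prints a subjectAltName value listing both names,
# FQDN first, skipping empty entries and duplicates.
cert_san() {
    short=$1 fqdn=$2 san=
    for name in "$fqdn" "$short"; do
        [ -n "$name" ] || continue
        case ",$san," in
            *",DNS:$name,"*) continue ;;
        esac
        san="${san:+$san,}DNS:$name"
    done
    printf '%s\n' "$san"
}

# make_cert OUT.pem OUT.key: generate the certificate with openssl
# (needs OpenSSL 1.1.1 or later for -addext).
make_cert() {
    short=$(hostname)
    fqdn=$(hostname -f 2>/dev/null) || fqdn=
    cn=$(cert_cn "$short" "$fqdn")
    san=$(cert_san "$short" "$fqdn")
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=$cn" -addext "subjectAltName=$san" \
        -out "$1" -keyout "$2"
}

# Run only when asked to, e.g.: sh example.sh --generate cert.pem cert.key
if [ "${1:-}" = "--generate" ]; then
    make_cert "$2" "$3"
fi
```

Clients that connect by FQDN then match the CN or the first SAN entry, while the short name remains usable for local convenience.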
--- Begin Message ---
Source: ssl-cert
Source-Version: 1.0.15

We believe that the bug you reported is fixed in the latest version of
ssl-cert, which is due to be installed in the Debian FTP archive:

ssl-cert_1.0.15.dsc
  to pool/main/s/ssl-cert/ssl-cert_1.0.15.dsc
ssl-cert_1.0.15.tar.gz
  to pool/main/s/ssl-cert/ssl-cert_1.0.15.tar.gz
ssl-cert_1.0.15_all.deb
  to pool/main/s/ssl-cert/ssl-cert_1.0.15_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464930@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tollef Fog Heen <tfheen@debian.org> (supplier of updated ssl-cert package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 10 Feb 2008 20:22:54 +0100
Source: ssl-cert
Binary: ssl-cert
Architecture: source all
Version: 1.0.15
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Tollef Fog Heen <tfheen@debian.org>
Description: 
 ssl-cert   - simple debconf wrapper for OpenSSL
Closes: 230391 287692 292157 293821 384591 384595 444902 445589 446210 446311 446488 446640 446640 446670 446679 446878 446900 447138 447441 447900 447909 447921 448226 464930
Changes: 
 ssl-cert (1.0.15) unstable; urgency=low
 .
   * Use 'hostname -f' for the snakeoil CN instead of 'hostname', since
     relative hostnames are subject to namespace collisions that could be
     exploited (and also because OpenLDAP doesn't care for them when
     connecting to localhost).  Thanks to Steve Langasek for the patch.
     Closes: 464930
   * Debconf templates and debian/control reviewed by the debian-l10n-
     english team as part of the Smith review project. Closes: #445589
   * [Debconf translation updates]
   * Bulgarian. Closes: #446210
   * Galician. Closes: #446488
   * Spanish; Castilian. Closes: #446311
   * Finnish. Closes: #446640
   * Czech. Closes: #446670
   * Portuguese. Closes: #446679
   * Finnish. Closes: #446640
   * Turkish. Closes: #446878
   * Vietnamese. Closes: #446900
   * Basque. Closes: #447138
   * Italian. Closes: #447441
   * Russian. Closes: #447900
   * Slovak. Closes: #447909
   * German. Closes: #447921
   * French. Closes: #448226
   * Do getent group rather than getent passwd in postinst.  Closes: 444902
   * Make the default SSL cert have a lifetime of 10 years rather than 30
     days.  Closes: 293821
   * Add set -e to postinst and postrm.  Closes: 384591
   * Make default openssl config pull RANDFILE from the environment.
     Closes: 384595.
   * Only ask for hostname, drop questions about country, organisation and
     such.  Closes: 230391, 287692.
   * Handle relative output file paths correctly by using basename when
     symlinking to the hash file.  Closes: 292157.
   * Fix lintian warnings (clean-should-be-satisfied-by-build-depends
     debhelper and newer-debconf-templates).
   * Add build-dependency on po-debconf.
Files: 
 2a62363c956540ab4f58d6c57da6a005 683 utils optional ssl-cert_1.0.15.dsc
 5dded65992ee4c562baedcd556d1f20f 18311 utils optional ssl-cert_1.0.15.tar.gz
 280b6896d694ce1fb88fe6ca7cbe64df 7938 utils optional ssl-cert_1.0.15_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHr3EPQSseMYF6mWoRAjeFAJ9HrV6Tmzzrsaq1ssA1OPO3Qffg3QCgurKt
Pa/pMnaT07HCZGsPM10ZyJw=
=YgL1
-----END PGP SIGNATURE-----



--- End Message ---
