
Bug#780828: marked as done (ssl-cert: make-ssl-cert leaves window where new secret key may be world-readable)



Your message dated Sun, 29 Mar 2015 21:23:37 +0000
with message-id <E1YcKgD-0004IK-Eb@franck.debian.org>
and subject line Bug#780828: fixed in ssl-cert 1.0.36
has caused the Debian Bug report #780828,
regarding ssl-cert: make-ssl-cert leaves window where new secret key may be world-readable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780828: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780828
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ssl-cert
Version: 1.0.35
Severity: normal

make-ssl-cert appears to create the secret key material and then chmod
it to restrict permissions.  This leaves a race condition where a
non-privileged user on the system can read the file before the
permissions change takes effect, thereby stealing the credentials
created by the superuser.

make-ssl-cert should use umask instead, so that the new secret key
files are protected by default.

          --dkg

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssl-cert depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.55
ii  openssl                1.0.1k-1

ssl-cert recommends no packages.

Versions of packages ssl-cert suggests:
pn  openssl-blacklist  <none>

-- debconf-show failed

--- End Message ---
--- Begin Message ---
Source: ssl-cert
Source-Version: 1.0.36

We believe that the bug you reported is fixed in the latest version of
ssl-cert, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780828@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated ssl-cert package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 29 Mar 2015 22:33:57 +0200
Source: ssl-cert
Binary: ssl-cert
Architecture: source all
Version: 1.0.36
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
 ssl-cert   - simple debconf wrapper for OpenSSL
Closes: 780828
Changes:
 ssl-cert (1.0.36) unstable; urgency=medium
 .
   * Set umask to make sure that the generated key is not world-readable
     for a short timespan while make-ssl-cert runs. Closes: #780828


--- End Message ---
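The following sh script is an added illustration, not code from ssl-cert, its maintainer or the reporter: it contrasts the create-then-chmod pattern the report describes with the umask-first approach named in the 1.0.36 changelog entry. Key generation is simulated with a plain write so it runs without openssl, and GNU stat (with a BSD fallback) is assumed.

```shell
#!/bin/sh
# Added example, not make-ssl-cert's own code. Key generation is simulated
# with a plain write so the script runs without openssl.

# Octal permission bits of a file (e.g. 644); assumes GNU stat, with a
# fallback for BSD stat.
perm_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Returns 0 if the "other" read bit is set in an octal mode string, 1 otherwise.
world_readable() {
    case "$1" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Pattern described in the report: write the key under the inherited
# umask (022 here), then chmod. Prints the mode observed in the window
# between the two steps; the file becomes 0600 only after chmod returns.
create_then_chmod() {
    (
        umask 022
        printf 'PRIVATE KEY (constructed placeholder)\n' > "$1"
        perm_of "$1"
        chmod 0600 "$1"
    )
}

# Fixed pattern (as in the 1.0.36 changelog): restrict the umask before
# anything is written, so the key never exists with group/other bits set.
# Prints the mode the file has from its first instant.
umask_then_create() {
    (
        umask 077
        printf 'PRIVATE KEY (constructed placeholder)\n' > "$1"
        perm_of "$1"
    )
}

# Usage (run in a scratch directory):
#   create_then_chmod key1.pem   # prints 644: readable by everyone until chmod
#   umask_then_create key2.pem   # prints 600
```

A quick audit of any key-generating script is therefore to check whether `umask` is set before the first write rather than whether `chmod` appears afterwards.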
