
Bug#863270: cups: https uses SHA-1 signature algorithm



Package: cups-daemon
Version: 2.2.1-8
Severity: normal

Dear Maintainer,

the cups webserver on port 631 supports the https protocol.

When browsing cups using the https protocol a certificate/key pair is
created in /etc/cups/ssl.

$ openssl x509 -in /etc/cups/ssl/hostname.crt -text         
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1495639838 (0x5925a71E)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, CN = hostname, O = hostname, OU = Unknown, ST = Unknown, L = Unknown
        Validity
            Not Before: May 24 15:30:42 2017 GMT
            Not After : May 22 15:30:42 2027 GMT
        Subject: C = US, CN = hostname, O = hostname, OU = Unknown, ST = Unknown, L = Unknown
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Using SHA-1 as the signature algorithm is unsafe.
This algorithm will not be accepted in future browser versions.

I have no clue why the country is set to US. That is not where my system is.
Please remove this bogus value when fixing the SHA-1 issue.

Best regards

Heinrich Schuchardt

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cups depends on:
ii  cups-client            2.2.1-8
ii  cups-common            2.2.1-8
ii  cups-core-drivers      2.2.1-8
ii  cups-daemon            2.2.1-8
ii  cups-filters           1.11.6-3
ii  cups-ppdc              2.2.1-8
ii  cups-server-common     2.2.1-8
ii  debconf [debconf-2.0]  1.5.60
ii  ghostscript            9.20~dfsg-3.2
ii  libavahi-client3       0.6.32-2
ii  libavahi-common3       0.6.32-2
ii  libc-bin               2.24-10
ii  libc6                  2.24-10
ii  libcups2               2.2.1-8
ii  libcupscgi1            2.2.1-8
ii  libcupsimage2          2.2.1-8
ii  libcupsmime1           2.2.1-8
ii  libcupsppdc1           2.2.1-8
ii  libgcc1                1:6.3.0-18
ii  libstdc++6             6.3.0-18
ii  libusb-1.0-0           2:1.0.21-1
ii  poppler-utils          0.48.0-2
ii  procps                 2:3.3.12-3

Versions of packages cups recommends:
ii  avahi-daemon                     0.6.32-2
ii  colord                           1.3.3-2
ii  cups-filters [ghostscript-cups]  1.11.6-3
ii  printer-driver-gutenprint        5.2.11-1+b2

Versions of packages cups suggests:
ii  cups-bsd                                   2.2.1-8
pn  cups-pdf                                   <none>
ii  foomatic-db-compressed-ppds [foomatic-db]  20161201-1
ii  hplip                                      3.16.11+repack0-3
ii  printer-driver-hpcups                      3.16.11+repack0-3
pn  smbclient                                  <none>
ii  udev                                       232-23

-- debconf information:
  cupsys/raw-print: true
  cupsys/backend: lpd, socket, usb, snmp, dnssd
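
Added example (not part of the original report, and not CUPS or Debian code): a shell check that classifies the signature algorithm printed by `openssl x509 -text`, as in the output quoted in the report, and audits every `.crt` file in `/etc/cups/ssl`. The function names, the weak/ok lists and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag certificates signed with MD5 or SHA-1.

# Constructed sample: the relevant lines of an `openssl x509 -text` dump.
sample_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, CN = hostname, O = hostname
EOF
}

# Print the first "Signature Algorithm:" value found on stdin.
sig_alg() {
    sed -n '/Signature Algorithm:/{s/^.*Signature Algorithm:[[:space:]]*//;s/[[:space:]]*$//;p;q;}'
}

# Map an OpenSSL algorithm name to: weak, ok, or unknown (needs manual review).
sig_verdict() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md2*|md4*|md5*|sha1*|*sha1) echo weak ;;
        sha224*|sha256*|sha384*|sha512*) echo ok ;;
        ecdsa-with-sha2*|ecdsa-with-sha3*|ecdsa-with-sha5*) echo ok ;;
        ed25519|ed448) echo ok ;;
        *) echo unknown ;;   # e.g. rsassaPss: the hash is in the parameters
    esac
}

# Audit all *.crt files in a directory (default: the path from the report).
# Prints "verdict<TAB>algorithm<TAB>file"; returns 1 if any file is not ok.
audit_cert_dir() {
    dir=${1:-/etc/cups/ssl}
    rc=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue
        alg=$(openssl x509 -in "$crt" -noout -text 2>/dev/null | sig_alg)
        verdict=$(sig_verdict "$alg")
        printf '%s\t%s\t%s\n' "$verdict" "${alg:-unreadable}" "$crt"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# Demonstration on the constructed sample; prints "sample: weak".
printf 'sample: %s\n' "$(sig_verdict "$(sample_text | sig_alg)")"
```

Running `audit_cert_dir` as root on an affected host lists each certificate with its verdict; the non-zero return status makes it usable in a cron job or configuration check.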

