Upload of dtc-xen 0.5.13-1+squeeze1 in squeeze-proposed-updates
Hi,
Since the beginning, dtc-xen is generating SSL keys with openssl for
it's SOAP server. To have the keys using the correct Unix right, I used
umask before calling openssl. Unfortunately, later on (years later), I
added a chmod 644 /etc/dtc-xen/*, which unfortunately, destroyed
previous use of umask, and then now the keys are world readable.
Since dtc-xen is installed in a Xen dom0, and that it's very bad
practice to provide a user shell account in a Xen dom0, one member of
the security team replied to me and agreed that it's not serious enough
for a DSA.
So, I would like to upload DTC-Xen version 0.5.13-1+squeeze1 in
squeeze-proposed-updates. Here's the package:
http://ftparchive.gplhost.com/pub/dtc-xen/security/dtc-xen_0.5.13-1+squeeze1.dsc
There's an interdiff in the same folder. It shows that po files are
affected, but in fact, it's just because debconf-updatepo is run in the
clean rules (as advised by Christian Perrier). In fact, it's not really
an issue, and I think it can be ignored. The only relevant part of the
interdiff is:
--- dtc-xen-0.5.13/debian/dtc-xen.postinst
+++ dtc-xen-0.5.13/debian/dtc-xen.postinst
@@ -161,8 +161,8 @@
manage_htpasswd
touch /etc/dtc-xen/authorized_keys2
# Make it safer...
-chmod 644 ${DTCXEN_ETCPATH}/*
chmod 600 ${DTCXEN_ETCPATH}/dtc-xen.conf
+chmod 600 /etc/dtc-xen/dtc-xen.cert.cert /etc/dtc-xen/dtc-xen.cert.csr
/etc/dtc-xen/dtc-xen.cert.key
The already existing umask prevents race conditions, and the above chmod
is fixing older installations.
Note that Lenny isn't affected by this issue, that it has been fixed in
SID, and that it has been tested in production.
Please let me know if it's OK to upload to squeeze-proposed-updates.
Cheers,
Thomas
Reply to: