
Bug#795892: wheezy-pu: package ssl-cert/1.0.32+deb7u1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Please review ssl-cert_1.0.32+deb7u1 for inclusion in oldstable. The
main change is switching from sha1 to sha256 for new certificates
because browsers start marking sha1 as insecure.

ssl-cert (1.0.32+deb7u1) wheezy; urgency=medium

  * Switch to SHA2 for newly generated certificates. Closes: #733255, #773815
  * Set umask to make sure that the generated key is not world-readable
    for a short timespan while make-ssl-cert runs. Closes: #780828

 -- Stefan Fritsch <sf@debian.org>  Sun, 16 Aug 2015 13:27:23 +0200

Debdiff is attached
diff -Nru ssl-cert-1.0.32/debian/changelog ssl-cert-1.0.32+deb7u1/debian/changelog
--- ssl-cert-1.0.32/debian/changelog    2012-08-26 19:45:06.000000000 +0200
+++ ssl-cert-1.0.32+deb7u1/debian/changelog     2015-08-16 13:38:05.000000000 +0200
@@ -1,3 +1,11 @@
+ssl-cert (1.0.32+deb7u1) wheezy; urgency=medium
+
+  * Switch to SHA2 for newly generated certificates. Closes: #733255, #773815
+  * Set umask to make sure that the generated key is not world-readable
+    for a short timespan while make-ssl-cert runs. Closes: #780828
+
+ -- Stefan Fritsch <sf@debian.org>  Sun, 16 Aug 2015 13:27:23 +0200
+
 ssl-cert (1.0.32) unstable; urgency=low
 
   * Update Brazilian Portuguese, thanks to J. S. Júnior. Closes: #685887
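Review bot: The first bullet of the new entry says "SHA2", while the make-ssl-cert hunks add -sha256 specifically; naming SHA-256 in the changelog would make the entry match the change. The wording "newly generated certificates" also implies that certificates already on disk keep their old signature after the upgrade, which is worth stating outright for administrators who read only the changelog.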
diff -Nru ssl-cert-1.0.32/make-ssl-cert ssl-cert-1.0.32+deb7u1/make-ssl-cert
--- ssl-cert-1.0.32/make-ssl-cert       2012-06-09 20:25:20.000000000 +0200
+++ ssl-cert-1.0.32+deb7u1/make-ssl-cert        2015-08-16 13:38:05.000000000 +0200
@@ -99,8 +99,10 @@
 
 # create the certificate.
 
+umask 077
+
 if [ "$1" != "generate-default-snakeoil" ]; then
-    if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes \
+    if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
        -out $output -keyout $output > $TMPOUT 2>&1
     then
        echo Could not create certificate. Openssl output was: >&2
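Review bot: The added umask 077 sits above the if with no comment, and it stays in force for everything the script creates from that point on, not only the key. Add a one-line comment giving the reason (the key must not be readable by others even briefly) and consider restoring the previous umask once the openssl req call has returned, so later files are not affected. In this branch -out and -keyout both point at $output, so an owner-only mode is right for that file.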
@@ -112,7 +114,7 @@
     cd $(dirname $output)
     ln -sf $(basename $output) $(openssl x509 -hash -noout -in $(basename $output))
 else
-    if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes \
+    if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
        -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
         -keyout /etc/ssl/private/ssl-cert-snakeoil.key > $TMPOUT 2>&1
     then
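Review bot: With umask 077 now in effect, the else branch also creates the public certificate /etc/ssl/certs/ssl-cert-snakeoil.pem with owner-only permissions, and nothing in the visible lines widens it again. Check that the mode of that file is set explicitly after the openssl req call, since the certificate, unlike the key in /etc/ssl/private, is meant to be readable. The -sha256 option is also repeated in two otherwise similar openssl req commands; a shared variable for the common options would keep the two from drifting apart.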
