
Bug#795892: marked as done (wheezy-pu: package ssl-cert/1.0.32+deb7u1)



Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <1441460034.2151.33.camel@adam-barratt.org.uk>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #795892,
regarding wheezy-pu: package ssl-cert/1.0.32+deb7u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
795892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795892
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Please review ssl-cert_1.0.32+deb7u1 for inclusion in oldstable. The
main change is switching from sha1 to sha256 for new certificates
because browsers start marking sha1 as insecure.

ssl-cert (1.0.32+deb7u1) wheezy; urgency=medium

  * Switch to SHA2 for newly generated certificates. Closes: #733255, #773815
  * Set umask to make sure that the generated key is not world-readable
    for a short timespan while make-ssl-cert runs. Closes: #780828

 -- Stefan Fritsch <sf@debian.org>  Sun, 16 Aug 2015 13:27:23 +0200

Debdiff is attached
diff -Nru ssl-cert-1.0.32/debian/changelog ssl-cert-1.0.32+deb7u1/debian/changelog
--- ssl-cert-1.0.32/debian/changelog    2012-08-26 19:45:06.000000000 +0200
+++ ssl-cert-1.0.32+deb7u1/debian/changelog     2015-08-16 13:38:05.000000000 +0200
@@ -1,3 +1,11 @@
+ssl-cert (1.0.32+deb7u1) wheezy; urgency=medium
+
+  * Switch to SHA2 for newly generated certificates. Closes: #733255, #773815
+  * Set umask to make sure that the generated key is not world-readable
+    for a short timespan while make-ssl-cert runs. Closes: #780828
+
+ -- Stefan Fritsch <sf@debian.org>  Sun, 16 Aug 2015 13:27:23 +0200
+
 ssl-cert (1.0.32) unstable; urgency=low
 
   * Update Brazilian Portuguese, thanks to J. S. Júnior. Closes: #685887
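Review bot: The new changelog entry says "newly generated certificates" but never tells an administrator that certificates already on disk keep their old signature. This debdiff touches only debian/changelog and make-ssl-cert, with no maintainer-script change, so nothing regenerates them. Consider adding a line to the entry saying that existing certificates are not regenerated and have to be recreated by hand if a SHA-256 signature is wanted. Writing "SHA-256" rather than "SHA2" would also match the `-sha256` option that is actually passed.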
diff -Nru ssl-cert-1.0.32/make-ssl-cert ssl-cert-1.0.32+deb7u1/make-ssl-cert
--- ssl-cert-1.0.32/make-ssl-cert       2012-06-09 20:25:20.000000000 +0200
+++ ssl-cert-1.0.32+deb7u1/make-ssl-cert        2015-08-16 13:38:05.000000000 +0200
@@ -99,8 +99,10 @@
 
 # create the certificate.
 
+umask 077
+
 if [ "$1" != "generate-default-snakeoil" ]; then
-    if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes \
+    if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
        -out $output -keyout $output > $TMPOUT 2>&1
     then
        echo Could not create certificate. Openssl output was: >&2
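Review bot: The `umask 077` added ahead of the `if` has no comment and is never restored, so it governs every file the script creates from this point on, not only the key. In this branch that is the right result, because `-out $output -keyout $output` puts key and certificate into one file. A one-line comment above it, saying that key material is written below and must never be readable by others, would keep a later edit from moving or dropping it. If the tighter mask is only meant for the `openssl req` calls, running them in a subshell would keep it scoped to them.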
@@ -112,7 +114,7 @@
     cd $(dirname $output)
     ln -sf $(basename $output) $(openssl x509 -hash -noout -in $(basename $output))
 else
-    if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes \
+    if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
        -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
         -keyout /etc/ssl/private/ssl-cert-snakeoil.key > $TMPOUT 2>&1
     then
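Review bot: In the `else` branch the certificate is written to `/etc/ssl/certs/ssl-cert-snakeoil.pem` via `-out`, and under the `umask 077` set earlier that file is now created without group or other read access, the same as the key. The hunk ends before anything that would set its mode, so please confirm that the code following this `then` sets the certificate's permissions explicitly; otherwise services that do not run as root can no longer read the default certificate. The `-sha256` edit is also repeated verbatim in both branches; keeping the shared `openssl req` options in one variable would stop the two calls from drifting apart.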

--- End Message ---
--- Begin Message ---
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point
release.

Regards,

Adam

--- End Message ---
