Your message dated Sun, 29 Mar 2015 21:23:37 +0000 with message-id <[email protected]> and subject line Bug#780828: fixed in ssl-cert 1.0.36 has caused the Debian Bug report #780828, regarding ssl-cert: make-ssl-cert leaves window where new secret key may be world-readable to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
780828: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780828
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ssl-cert
Version: 1.0.35
Severity: normal

make-ssl-cert appears to create the secret key material and then chmod it to restrict permissions. This leaves a race condition where a non-privileged user on the system can read the file before the permissions change takes effect, thereby stealing the credentials created by the superuser.

make-ssl-cert should use umask instead, so that the new secret key files are protected by default.

--dkg

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssl-cert depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.55
ii  openssl                1.0.1k-1

ssl-cert recommends no packages.

Versions of packages ssl-cert suggests:
pn  openssl-blacklist  <none>

-- debconf-show failed
--- End Message ---
--- Begin Message ---
Source: ssl-cert
Source-Version: 1.0.36

We believe that the bug you reported is fixed in the latest version of ssl-cert, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <[email protected]> (supplier of updated ssl-cert package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 29 Mar 2015 22:33:57 +0200
Source: ssl-cert
Binary: ssl-cert
Architecture: source all
Version: 1.0.36
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <[email protected]>
Changed-By: Stefan Fritsch <[email protected]>
Description:
 ssl-cert - simple debconf wrapper for OpenSSL
Closes: 780828
Changes:
 ssl-cert (1.0.36) unstable; urgency=medium
 .
   * Set umask to make sure that the generated key is not world-readable
     for a short timespan while make-ssl-cert runs.
     Closes: #780828
--- End Message ---
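
The window described in the report and the umask fix named in the 1.0.36 changelog, as an added example that is not part of the original messages or of the ssl-cert source. The function names and the placeholder file content are assumptions made for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: compares the mode a new "key" file has at the moment it
# is created under the two approaches discussed in Bug#780828.
# The file content is a constructed placeholder, not real key material.

# Pattern from the bug report: create the file, then chmod it.
# Prints "<mode at creation> <final mode>".
create_then_chmod() {
    dir=$1
    (
        umask 022                                    # common default for root
        printf 'PLACEHOLDER KEY\n' > "$dir/key.pem"  # created as 0644
        at_creation=$(stat -c '%a' "$dir/key.pem")   # mode other users see now
        chmod 600 "$dir/key.pem"                     # the window closes only here
        printf '%s %s\n' "$at_creation" "$(stat -c '%a' "$dir/key.pem")"
    )
}

# Approach named in the 1.0.36 changelog: set umask before creating the file.
# The subshell keeps the restrictive umask from leaking into the caller.
umask_then_create() {
    dir=$1
    (
        umask 077
        printf 'PLACEHOLDER KEY\n' > "$dir/key.pem"  # created as 0600
        at_creation=$(stat -c '%a' "$dir/key.pem")
        printf '%s %s\n' "$at_creation" "$(stat -c '%a' "$dir/key.pem")"
    )
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/a" "$tmp/b"
    echo "chmod after create:  $(create_then_chmod "$tmp/a")"
    echo "umask before create: $(umask_then_create "$tmp/b")"
    rm -rf "$tmp"
}
demo
```

The first column is the mode during the interval between creation and `chmod`; only the umask variant never exposes a group- or world-readable file.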

