Your message dated Thu, 29 May 2008 23:02:31 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#482427: fixed in openssl-blacklist 0.3.2
has caused the Debian Bug report #482427,
regarding openssl-blacklist: openssl blacklist should be able to accept data from stdin
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
482427: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482427
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: openssl-blacklist
Version: 0.3
Severity: wishlist
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It would be nice if you could run openssl-blacklist against a
certificate supplied on stdin, rather than needing to create a local
file. This would allow simple loops like:

  for foo in hosta hostb hostc; do
    echo | openssl s_client -connect $foo | openssl-vulnkey -
  done

and similar conveniences for beleaguered system administrators.

I've attached a patch which allows for this (by creating a tempfile,
since so much of the code is predicated on the tested cert's existence
in the filesystem), and I've patched the documentation as well.

This patch includes a fix for a minor bug in the man page, as well as
what appears to be a variable substitution in the handling of the
"Problem finding modulus". If you'd like, I can file those minor bugs
separately.

Thanks for providing this tool -- it's useful in a time like this.

Regards,

--dkg

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl-blacklist depends on:
ii  openssl  0.9.8g-10  Secure Socket Layer (SSL) binary a
ii  python   2.5.2-1    An interactive high-level object-o

openssl-blacklist recommends no packages.
-- no debconf information

Common subdirectories: openssl-blacklist-0.3/debian and openssl-blacklist-0.3.dkg/debian Common subdirectories: openssl-blacklist-0.3/examples and openssl-blacklist-0.3.dkg/examples diff -u openssl-blacklist-0.3/openssl-vulnkey openssl-blacklist-0.3.dkg/openssl-vulnkey --- openssl-blacklist-0.3/openssl-vulnkey 2008-05-20 12:16:47.000000000 -0400 +++ openssl-blacklist-0.3.dkg/openssl-vulnkey 2008-05-22 13:31:39.000000000 -0400 @@ -24,6 +24,8 @@ import sha import subprocess import sys +import tempfile +import shutil version = "0.1.1" db_prefix = "/usr/share/openssl-blacklist/blacklist.RSA-" 
@@ -109,23 +111,37 @@ # Check each file found = False +tempname = False for f in args: + realname = f + + if f == "-": + os.umask(077) + if (tempname): + os.unlink(tempname) + # dump stdin to tmpfile, operate on tmpfile instead + (temph,tempname) = tempfile.mkstemp() + temph = os.fdopen(temph, 'w') + shutil.copyfileobj(sys.stdin,temph) + temph.close() + f = tempname + if not os.path.exists(f): if not options.quiet: - print >> sys.stderr, "'%s' could not be opened (skipping)" % (f) + print >> sys.stderr, "'%s' could not be opened (skipping)" % (realname) continue type = get_type(f) if type == "": if not options.quiet: - print >> sys.stderr, "'%s' is not x509 or rsa (skipping)" % (f) + print >> sys.stderr, "'%s' is not x509 or rsa (skipping)" % (realname) continue last_bits = "" bits = get_bits(f, type) if bits == "": if not options.quiet: - print >> sys.stderr, "Key has unknown validity: %s" % (f) + print >> sys.stderr, "Key has unknown validity: %s" % (realname) continue if last_bits != bits: @@ -136,7 +152,7 @@ except: try: print >> sys.stderr, "WARN: could not open database for %s " \ - "bits (skipping %s)" % (bits, f) + "bits (skipping %s)" % (bits, realname) except IOError: pass continue 
@@ -148,18 +164,21 @@ modulus = get_modulus(f, type) if modulus == "": if not options.quiet: - print >> sys.stderr, "Problem finding modulus: %s" % (file) + print >> sys.stderr, "Problem finding modulus: %s" % (realname) continue key = sha.sha(modulus).hexdigest() #print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits, modulus, key, key[20:]) if key[20:] in db_lines: if not options.quiet: - print "COMPROMISED: %s %s" % (key, f) + print "COMPROMISED: %s %s" % (key, realname) found = True else: if not options.quiet: - print "Not blacklisted: %s %s" % (key, f) + print "Not blacklisted: %s %s" % (key, realname) + +if tempname: + os.unlink(tempname) if found: sys.exit(1) diff -u openssl-blacklist-0.3/openssl-vulnkey.1 openssl-blacklist-0.3.dkg/openssl-vulnkey.1 --- openssl-blacklist-0.3/openssl-vulnkey.1 2008-05-20 12:16:47.000000000 -0400 +++ openssl-blacklist-0.3.dkg/openssl-vulnkey.1 2008-05-22 13:51:54.000000000 -0400 @@ -45,10 +45,25 @@ must be generated using .Xr openssl 8 . .Pp +If +.Dq - +is given as an argument, +.Nm +will read from standard input. +This can be used to process certificate output from +.Xr s_client 1ssl , +for example: +.Pp +.Dl $ echo | openssl s_client -connect remote.example.org:https | openssl-vulnkey - +.Pp +will test the certificate used by remote.example.org for HTTPS. +.Pp +The options are as follows: +.Bl -tag -width Ds .It Fl q Quiet mode. Normally, -.Xr openssl-vulnkey 1 +.Nm outputs the fingerprint of each file scanned, with a description of its status. This option suppresses that output.
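Review bot: in the @@ -24,6 +24,8 @@ hunk the two new imports are appended out of order; the existing block is alphabetical (sha, subprocess, sys), so `import shutil` belongs before `import sys` and `import tempfile` after it.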
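Review bot: in the @@ -109,23 +111,37 @@ hunk, `os.umask(077)` inside the `if f == "-":` branch is unnecessary and leaks out of it: `tempfile.mkstemp()` already creates the spool file with mode 0600 regardless of umask, and the changed umask is never restored, so it stays in effect for the rest of the process. Drop that line. Two further points in the same branch: `os.fdopen(temph, 'w')` opens the spool file in text mode, so use `'wb'` to keep DER-encoded input byte-exact; and nothing removes `tempname` if get_type, get_bits or the database open raises before the loop finishes, so a copy of the key material is left in /tmp. Wrapping the loop body in try/finally with the `os.unlink(tempname)` in the finally clause covers both the normal and the error exit.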
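Review bot: in the @@ -148,18 +164,21 @@ hunk, the replaced `% (file)` in the "Problem finding modulus" message was a genuine bug, not only a naming change: `file` is the Python 2 builtin type, not the loop variable `f`, so the old message printed the type object instead of the path. That fix deserves its own mention in the changelog rather than being folded into the stdin feature. The trailing `if tempname: os.unlink(tempname)` correctly runs before `sys.exit(1)`, but see the earlier note about exits through an exception.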
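Review bot: in the openssl-vulnkey.1 hunk, the added `.Bl -tag -width Ds` opens a new mdoc list in front of `.It Fl q`; confirm that the option list is closed by a matching `.El` further down and that no `.Bl` already preceded the `.It` lines (neither is visible in this hunk), otherwise the list is unbalanced or nested and groff will warn. The `.Xr s_client 1ssl` cross-reference matches the section Debian installs the OpenSSL sub-command pages in, and replacing the self-reference `.Xr openssl-vulnkey 1` with `.Nm` is the right mdoc idiom.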
--- End Message ---
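The stdin handling the patch introduces, rewritten for Python 3 as an added example that is not the openssl-blacklist project's code: the spool file is written in binary mode, removed in a finally block, and the process umask is left alone. `pem_type` and `check_argument` are assumed names standing in for the script's get_type and its argument loop, and the s_client output is constructed.

```python
import io
import os
import shutil
import tempfile

def pem_type(path):
    """Return 'x509', 'rsa' or '' for the first PEM block in a file; lines
    before the first BEGIN (e.g. s_client connection chatter) are skipped."""
    with open(path, "rb") as fh:
        for line in fh:
            if line.startswith(b"-----BEGIN CERTIFICATE-----"):
                return "x509"
            if line.startswith(b"-----BEGIN RSA PRIVATE KEY-----"):
                return "rsa"
    return ""

def check_argument(name, stdin, check=pem_type):
    """Apply check() to one argument; '-' means standard input.
    stdin is spooled to a temp file because check() wants a path. The file
    is written in binary mode, created 0600 by mkstemp (no umask change),
    and removed in a finally block so an exception cannot leave a copy of
    the key on disk. Returns (shown_name, type, temp_file_left_behind)."""
    if name != "-":
        try:
            return (name, check(name), False)
        except OSError:          # unreadable path: report it by its own name
            return (name, "", False)
    fd, tmp = tempfile.mkstemp(prefix="vulnkey-")
    try:
        with os.fdopen(fd, "wb") as out:
            shutil.copyfileobj(stdin, out)
        result = check(tmp)
    finally:
        os.unlink(tmp)
    return (name, result, os.path.exists(tmp))

# Constructed stand-in for 'echo | openssl s_client -connect host:443' output.
SAMPLE_S_CLIENT_OUTPUT = (
    b"CONNECTED(00000003)\ndepth=0 CN = remote.example.org\n---\n"
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBnotARealCertificateJustConstructedSampleText==\n"
    b"-----END CERTIFICATE-----\n"
)

def demo():
    # stdin case, then a missing file (constructed path) that must be skipped
    return [
        check_argument("-", io.BytesIO(SAMPLE_S_CLIENT_OUTPUT)),
        check_argument("/nonexistent/constructed.pem", io.BytesIO(b"")),
    ]
```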
--- Begin Message ---
Source: openssl-blacklist
Source-Version: 0.3.2

We believe that the bug you reported is fixed in the latest version of
openssl-blacklist, which is due to be installed in the Debian FTP archive:

openssl-blacklist_0.3.2.dsc
  to pool/main/o/openssl-blacklist/openssl-blacklist_0.3.2.dsc
openssl-blacklist_0.3.2.tar.gz
  to pool/main/o/openssl-blacklist/openssl-blacklist_0.3.2.tar.gz
openssl-blacklist_0.3.2_all.deb
  to pool/main/o/openssl-blacklist/openssl-blacklist_0.3.2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kees Cook <[EMAIL PROTECTED]> (supplier of updated openssl-blacklist package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 May 2008 15:19:16 -0700
Source: openssl-blacklist
Binary: openssl-blacklist
Architecture: source all
Version: 0.3.2
Distribution: unstable
Urgency: low
Maintainer: Kees Cook <[EMAIL PROTECTED]>
Changed-By: Kees Cook <[EMAIL PROTECTED]>
Description:
 openssl-blacklist - list of blacklisted OpenSSL RSA keys
Closes: 482427 482435 483310 483542
Changes:
 openssl-blacklist (0.3.2) unstable; urgency=low
 .
   * debian/{rules,dirs,openssl-blacklist.install}: move openssl-vulnkey to
     /usr/bin (Closes: #482435).
   * examples/gen_certs.sh:
     - test for fixed libssl versions (Closes: #483310).
     - correctly skip pre-existing PEM files, thanks to Michel Meyers
       (Closes: #483542).
     - skip invalid pid 32768.
   * openssl-vulnkey: allow reading from stdin, based on patch from Daniel
     Kahn Gillmor (Closes: #482427).
   * debian/control: swap maintainer so Ubuntu syncs do not get confused.
--- End Message ---

