Bug#863270: marked as done (cups: https uses SHA-1 signature algorithm)

[Debian Bug Tracking System]

Your message dated Sat, 9 Nov 2019 15:30:36 +0000
with message-id <09112019152049.8c2348a31...@desktop.copernicus.org.uk>
and subject line Re: Bug#863270: cups: https uses SHA-1 signature algorithm
has caused the Debian Bug report #863270,
regarding cups: https uses SHA-1 signature algorithm
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: cups-daemon
Version: 2.2.1-8
Severity: normal

Dear Maintainer,

the cups webserver on port 631 supports the https protocol.

When browsing cups using the https protocol a certificate/key pair is
created in /etc/cups/ssl.

$ openssl x509 -in /etc/cups/ssl/hostname.crt -text         
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1495639838 (0x5925a71E)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, CN = hostname, O = hostname, OU = Unknown, ST = 
Unknown, L = Unknown
        Validity
            Not Before: May 24 15:30:42 2017 GMT
            Not After : May 22 15:30:42 2027 GMT
        Subject: C = US, CN = hostname, O = hostname, OU = Unknown, ST = 
Unknown, L = Unknown
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Using SHA-1 as signature algorithm is unsafe.
This algorithm will not be accepted in future browser versions.

I have no clue why the country is set to US. That is not where my system is.
Please, remove this bogus when fixing the SHA-1 issue.

Best regards

Heinrich Schuchardt

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cups depends on:
ii  cups-client            2.2.1-8
ii  cups-common            2.2.1-8
ii  cups-core-drivers      2.2.1-8
ii  cups-daemon            2.2.1-8
ii  cups-filters           1.11.6-3
ii  cups-ppdc              2.2.1-8
ii  cups-server-common     2.2.1-8
ii  debconf [debconf-2.0]  1.5.60
ii  ghostscript            9.20~dfsg-3.2
ii  libavahi-client3       0.6.32-2
ii  libavahi-common3       0.6.32-2
ii  libc-bin               2.24-10
ii  libc6                  2.24-10
ii  libcups2               2.2.1-8
ii  libcupscgi1            2.2.1-8
ii  libcupsimage2          2.2.1-8
ii  libcupsmime1           2.2.1-8
ii  libcupsppdc1           2.2.1-8
ii  libgcc1                1:6.3.0-18
ii  libstdc++6             6.3.0-18
ii  libusb-1.0-0           2:1.0.21-1
ii  poppler-utils          0.48.0-2
ii  procps                 2:3.3.12-3

Versions of packages cups recommends:
ii  avahi-daemon                     0.6.32-2
ii  colord                           1.3.3-2
ii  cups-filters [ghostscript-cups]  1.11.6-3
ii  printer-driver-gutenprint        5.2.11-1+b2

Versions of packages cups suggests:
ii  cups-bsd                                   2.2.1-8
pn  cups-pdf                                   <none>
ii  foomatic-db-compressed-ppds [foomatic-db]  20161201-1
ii  hplip                                      3.16.11+repack0-3
ii  printer-driver-hpcups                      3.16.11+repack0-3
pn  smbclient                                  <none>
ii  udev                                       232-23

-- debconf information:
  cupsys/raw-print: true
  cupsys/backend: lpd, socket, usb, snmp, dnssd

--- End Message ---

--- Begin Message ---

On Wed 24 May 2017 at 18:26:11 +0200, Heinrich Schuchardt wrote:

> Package: cups-daemon
> Version: 2.2.1-8
> Severity: normal
> 
> Dear Maintainer,
> 
> the cups webserver on port 631 supports the https protocol.
> 
> When browsing cups using the https protocol a certificate/key pair is
> created in /etc/cups/ssl.
> 
> $ openssl x509 -in /etc/cups/ssl/hostname.crt -text         
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1495639838 (0x5925a71E)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C = US, CN = hostname, O = hostname, OU = Unknown, ST = 
> Unknown, L = Unknown
>         Validity
>             Not Before: May 24 15:30:42 2017 GMT
>             Not After : May 22 15:30:42 2027 GMT
>         Subject: C = US, CN = hostname, O = hostname, OU = Unknown, ST = 
> Unknown, L = Unknown
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
> 
> Using SHA-1 as signature algorithm is unsafe.
> This algorithm will not be accepted in future browser versions.
> 
> I have no clue why the country is set to US. That is not where my system is.
> Please, remove this bogus when fixing the SHA-1 issue.

On cups 2.3.0-7 (the present unstable) we see

  Signature Algorithm: sha256WithRSAEncryption

The change appears to have came about in Issue #5862

  https://github.com/apple/cups/issues/4862

I guess we can close this report.

Regards,

Brian.

--- End Message ---