Hi,

Since the beginning, dtc-xen is generating SSL keys with openssl for its SOAP server. To have the keys using the correct Unix rights, I used umask before calling openssl. Unfortunately, later on (years later), I added a chmod 644 /etc/dtc-xen/*, which, unfortunately, destroyed the previous use of umask, and so now the keys are world readable.
Since dtc-xen is installed in a Xen dom0, and since it's very bad practice to provide a user shell account in a Xen dom0, one member of the security team replied to me and agreed that it's not serious enough for a DSA. So, I would like to upload DTC-Xen version 0.5.13-1+squeeze1 in squeeze-proposed-updates. Here's the package:

http://ftparchive.gplhost.com/pub/dtc-xen/security/dtc-xen_0.5.13-1+squeeze1.dsc

There's an interdiff in the same folder. It shows that po files are affected, but in fact, it's just because debconf-updatepo is run in the clean rules (as advised by Christian Perrier). In fact, it's not really an issue, and I think it can be ignored. The only relevant part of the interdiff is:

--- dtc-xen-0.5.13/debian/dtc-xen.postinst +++ dtc-xen-0.5.13/debian/dtc-xen.postinst @@ -161,8 +161,8 @@ manage_htpasswd touch /etc/dtc-xen/authorized_keys2 # Make it safer... -chmod 644 ${DTCXEN_ETCPATH}/* chmod 600 ${DTCXEN_ETCPATH}/dtc-xen.conf +chmod 600 /etc/dtc-xen/dtc-xen.cert.cert /etc/dtc-xen/dtc-xen.cert.csr /etc/dtc-xen/dtc-xen.cert.key

The already existing umask prevents race conditions, and the above chmod is fixing older installations. Note that Lenny isn't affected by this issue, that it has been fixed in SID, and that it has been tested in production. Please let me know if it's OK to upload to squeeze-proposed-updates.

Cheers,

Thomas
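Review bot: the added `chmod 600 /etc/dtc-xen/dtc-xen.cert.cert ...` line hardcodes the directory while the untouched `chmod 600 ${DTCXEN_ETCPATH}/dtc-xen.conf` right above it uses the variable; writing the three new paths as `${DTCXEN_ETCPATH}/dtc-xen.cert.key` and so on keeps the two lines from diverging if the path is ever changed. A second point for the upgrade path this line is meant to fix: if any of the three files is missing on an older installation, chmod reports an error, and if the postinst runs under `set -e` the upgrade aborts at this line, so guarding each path with `if [ -e "$f" ]; then chmod 600 "$f"; fi` (or ending the line with `|| true`) would make the fix robust on every existing installation rather than only on those that have all three files.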

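As an added example (not code from the dtc-xen package or from the message's author), the script below reproduces the ordering problem the message describes, applies the postinst change from the interdiff in a parameterised form, and shows the check an administrator can run over an existing /etc/dtc-xen; the temporary directory and the file contents are constructed stand-ins for the real key material.

```shell
#!/bin/sh
# Added example, not part of dtc-xen: reproduces the postinst ordering problem and
# provides a check for world-readable files. Directory and contents are constructed.
set -e

# Stand-in for the key generation step. The umask applies at creation time, so the
# key is never world-readable, not even briefly; a chmod run afterwards would leave
# a window between creation and chmod, which is the race the message refers to.
generate_keys() {
    ( umask 077
      printf 'constructed private key\n' > "$1/dtc-xen.cert.key"
      printf 'constructed csr\n'         > "$1/dtc-xen.cert.csr"
      printf 'constructed cert\n'        > "$1/dtc-xen.cert.cert" )
    printf 'constructed config\n' > "$1/dtc-xen.conf"
}

# Old postinst: the blanket chmod 644 runs after key generation and undoes the umask.
old_postinst() {
    chmod 644 "$1"/*
    chmod 600 "$1/dtc-xen.conf"
}

# Fixed postinst as in the interdiff, with the directory passed in rather than
# hardcoded: no blanket chmod, explicit 600 on the config and the key material.
new_postinst() {
    chmod 600 "$1/dtc-xen.conf"
    chmod 600 "$1/dtc-xen.cert.cert" "$1/dtc-xen.cert.csr" "$1/dtc-xen.cert.key"
}

# Returns 0 when no regular file under the directory has the other-read bit set,
# otherwise lists the offenders and returns 1. -perm -004 tests mode bits, not
# whether the caller can read the file, so the result is the same when run as root.
no_world_readable() {
    bad=$(find "$1" -type f -perm -004)
    if [ -n "$bad" ]; then
        printf 'world-readable: %s\n' "$bad"
        return 1
    fi
}

ETC=$(mktemp -d)
generate_keys "$ETC"
old_postinst "$ETC"
no_world_readable "$ETC" || echo "old postinst: key material exposed"
new_postinst "$ETC"
no_world_readable "$ETC" && echo "new postinst: key material protected"
rm -rf "$ETC"
```

Run `no_world_readable /etc/dtc-xen` on a dom0 that was installed before the fix to see which files the old chmod 644 left exposed.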
