Summary: | <net-mail/uw-imap-2007e-r1: possible exposure of SSL keys (missing ssl-cert.eclass usage) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Christian Hoffmann (RETIRED) <hoffie> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | net-mail+disabled, r.wolf.gentoo |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | All | | |
Whiteboard: | B4 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Christian Hoffmann (RETIRED)
2008-08-19 20:24:44 UTC
Seems they don't care if you do it.

uw-imap package generates new key and cert and while installation it overwrites these files in /etc/ssl/certs. It should check, if these files exist and do not overwrite. Either ask to overwrite, or (probably better) is to handle update of these files as config files (make update using etc-update).

(In reply to comment #2)
> uw-imap package generates new key and cert and while installation it overwrites
> these files in /etc/ssl/certs. It should check, if these files exist and do not
> overwrite. Either ask to overwrite, or (probably better) is to handle update of
> these files as config files (make update using etc-update).

*** ehm, which is done in install_cert from ssl-cert.eclass ... does anyone update this ebuild? It should not be able to write to /etc directly.

Robert, if you want to fasten up this bug, please provide a patch. Look for ssl-cert.eclass for details on those functions.

net-mail, the uw-imap-2007e version still generates this key and exposes it in binary packages. Please make sure it is deleted and a proper way of generating a default key (ssl-cert.eclass) is being used.

*ping*

+*uw-imap-2007e-r1 (01 Jun 2011) + + 01 Jun 2011; Eray Aslan <eras@gentoo.org> +uw-imap-2007e-r1.ebuild: + Fix patching - bug #368785. Proper SSL key generation - bug #235227. Tidy up + and EAPI bump. +

Arches, please test and mark stable:
=net-mail/uw-imap-2007e-r1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

amd64 ok

x86 stable

amd64 done. Thanks Agostino

Stable for HPPA.

ppc/ppc64 stable

alpha/ia64/sparc stable

Thanks, folks. GLSA Vote: no.

voting no too, and closing.
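The two checks this thread asks for, as an added example that is not part of the bug report and is not the code of ssl-cert.eclass: finding a private key in the staged install image before it is packaged, and generating a default key on the target system without overwriting existing files. The function names, the `.key`/`.pem` file layout and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example; find_packaged_keys and ensure_cert are hypothetical helpers,
# not functions from ssl-cert.eclass or the uw-imap ebuild.

# Print every file under a staged install image that holds a PEM private key.
# Exit status 0 means at least one key would end up inside the binary package;
# exit status 1 means the image is clean.
find_packaged_keys() {
    image=$1
    grep -rlE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$image"
}

# Generate a self-signed key and certificate on the target system, at install
# time rather than build time, and only when neither file already exists.
# Returns 0 if generated, 1 if existing files were kept, 2 on failure.
ensure_cert() {
    base=$1
    cn=${2:-localhost}
    if [ -e "$base.key" ] || [ -e "$base.pem" ]; then
        echo "ensure_cert: $base.key or $base.pem exists, not overwriting" >&2
        return 1
    fi
    (
        umask 077   # the key is never group- or world-readable, even briefly
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$cn" \
            -keyout "$base.key.tmp" -out "$base.pem.tmp" 2>/dev/null
    ) || { rm -f "$base.key.tmp" "$base.pem.tmp"; return 2; }
    # Move into place only after both files were written completely.
    mv "$base.key.tmp" "$base.key" && mv "$base.pem.tmp" "$base.pem" || return 2
    chmod 644 "$base.pem"
}
```

A packaging check would call `find_packaged_keys` on the image directory and fail the build on exit status 0; `ensure_cert` belongs in the post-install step, so each installation gets its own key.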