Summary: | dev-perl/Mozilla-CA: Ships distrusted certificates for WoSign and StartCom | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Auditing | Assignee: | Gentoo Security Audit Team <security-audit> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bertrand, kentnl, perl, security-audit, titanofold |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://rt.cpan.org/Ticket/Display.html?id=118592 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=598072 | ||
Whiteboard: | [noglsa] | ||
Package list: | =dev-perl/Mozilla-CA-20999999 | ||
Runtime testing required: | No | ||
Description
Kristian Fiskerstrand (RETIRED)
2016-11-01 13:03:39 UTC
As a defensive strategy, we should be starting off at the very least by patching everything that uses Mozilla::CA's cert bundle to not use it by default. That is, eliminate Mozilla::CA in usage from ::gentoo, but leave the dist in place for people who need to use it in their own code. Because if we're going to be replacing Mozilla::CA's PEM file with a modified version of our own, the point of having Mozilla::CA in tree is pretty much nil. Additionally, if we go down this road we'll be engaging in lots of pointless fluffing patching upstream's pem file, or bundling our own, where it would be better to simply patch the relevant code to use /etc/ssl/certs correctly.

Ideally, however, this means IO::Socket::SSL *should* default to /etc/ssl/certs, as opposed to Mozilla::CA. Reading the logic here: https://metacpan.org/source/SULLR/IO-Socket-SSL-2.038/lib/IO/Socket/SSL.pm#L438-483 indicates maybe that is already the case, and Mozilla::CA might only be invoked if /etc/ssl/certs is missing/empty. (But the code is a bit difficult to read today with the energy I have.)

Seems like related: https://github.com/gisle/mozilla-ca/pull/9

Newly created =dev-perl/Mozilla-CA-20999999 is a stub package for Gentoo which does not include any certs anymore but points to the files installed by app-misc/ca-certificates. It's a bit fresh right now, but once this "version" is stabilized this problem is gone.

Please test and stabilize =dev-perl/Mozilla-CA-20999999
Target: alpha amd64 ppc x86

amd64 stable

x86 stable

Stable on alpha.

The auditing component doesn't show Atoms to Stabilize box :/

ppc stable.

Maintainer(s), please cleanup.

Hardening, not a vuln, no glsa, and consequently no cleanup needed for closing.
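As an added example (not code from this bug, nor from the Mozilla-CA or IO::Socket::SSL projects), the Perl script below applies the trust-store preference discussed in the bug: use the system directory populated by app-misc/ca-certificates, and fall back to Mozilla::CA's bundle only when that directory is missing or empty, then pin the choice for every IO::Socket::SSL client in the process. It assumes /etc/ssl/certs is a c_rehash-style directory and that the installed IO::Socket::SSL provides default_ca and set_defaults.

```perl
use strict;
use warnings;
use IO::Socket::SSL;

# Assumed location of the system trust store (what app-misc/ca-certificates fills).
my $SYSTEM_CA_DIR = '/etc/ssl/certs';

# Pick the trust store for Perl TLS clients: prefer the system directory and
# fall back to Mozilla::CA's bundle only if that directory is absent or empty.
# Returns IO::Socket::SSL options (SSL_ca_path or SSL_ca_file).
sub choose_ca {
    my ($dir) = @_;
    if (-d $dir) {
        opendir(my $dh, $dir) or die "opendir $dir: $!";
        # c_rehash links (<hash>.0) or plain PEM files both count as content
        my @certs = grep { /^[0-9a-f]{8}\.\d+$/ || /\.(?:pem|crt)$/ } readdir $dh;
        closedir $dh;
        return (SSL_ca_path => $dir) if @certs;
    }
    # Load Mozilla::CA lazily: it is only needed on this fallback path.
    if (eval { require Mozilla::CA; 1 }) {
        return (SSL_ca_file => Mozilla::CA::SSL_ca_file());
    }
    die "no usable CA store: $dir is empty and Mozilla::CA is not installed\n";
}

# What IO::Socket::SSL would pick on its own (system store if it found one,
# otherwise Mozilla::CA's bundle), shown for comparison.
my %builtin = IO::Socket::SSL::default_ca();
print "built-in default: ",
    join(', ', map { "$_=$builtin{$_}" } sort keys %builtin), "\n";

# Pin the choice process-wide so clients built on IO::Socket::SSL
# (LWP::UserAgent, HTTP::Tiny, ...) never reach for Mozilla::CA implicitly.
my %ca = choose_ca($SYSTEM_CA_DIR);
IO::Socket::SSL::set_defaults(%ca);
print "pinned: ", join(', ', map { "$_=$ca{$_}" } sort keys %ca), "\n";

# Confirm the pin took effect: a verified TLS handshake to a host given on
# the command line must succeed using only the chosen store.
my $host = shift @ARGV or die "usage: $0 <hostname>\n";
my $sock = IO::Socket::SSL->new(
    PeerHost        => $host,
    PeerPort        => 443,
    SSL_verify_mode => SSL_VERIFY_PEER,
) or die "verified TLS to $host failed: $SSL_ERROR\n";
printf "verified %s, issuer: %s\n", $host, $sock->peer_certificate('issuer');
```

Running it with the stub =dev-perl/Mozilla-CA-20999999 installed, both the built-in default and the pinned value should resolve to the system store rather than a bundled PEM file.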