You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
169 lines
6.0 KiB
169 lines
6.0 KiB
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
|
|
|
|
<glsa id="200803-30">
|
|
<title>ssl-cert eclass: Certificate disclosure</title>
|
|
<synopsis>
|
|
An error in the usage of the ssl-cert eclass within multiple ebuilds might
|
|
allow for disclosure of generated SSL private keys.
|
|
</synopsis>
|
|
<product type="ebuild">ssl-cert.eclass</product>
|
|
<announced>March 20, 2008</announced>
|
|
<revised>March 20, 2008: 01</revised>
|
|
<bug>174759</bug>
|
|
<access>remote</access>
|
|
<affected>
|
|
<package name="app-admin/conserver" auto="yes" arch="*">
|
|
<unaffected range="ge">8.1.16</unaffected>
|
|
<vulnerable range="lt">8.1.16</vulnerable>
|
|
</package>
|
|
<package name="mail-mta/postfix" auto="yes" arch="*">
|
|
<unaffected range="ge">2.4.6-r2</unaffected>
|
|
<unaffected range="rge">2.3.8-r1</unaffected>
|
|
<unaffected range="rge">2.2.11-r1</unaffected>
|
|
<vulnerable range="lt">2.4.6-r2</vulnerable>
|
|
</package>
|
|
<package name="net-ftp/netkit-ftpd" auto="yes" arch="*">
|
|
<unaffected range="ge">0.17-r7</unaffected>
|
|
<vulnerable range="lt">0.17-r7</vulnerable>
|
|
</package>
|
|
<package name="net-im/ejabberd" auto="yes" arch="*">
|
|
<unaffected range="ge">1.1.3</unaffected>
|
|
<vulnerable range="lt">1.1.3</vulnerable>
|
|
</package>
|
|
<package name="net-irc/unrealircd" auto="yes" arch="*">
|
|
<unaffected range="ge">3.2.7-r2</unaffected>
|
|
<vulnerable range="lt">3.2.7-r2</vulnerable>
|
|
</package>
|
|
<package name="net-mail/cyrus-imapd" auto="yes" arch="*">
|
|
<unaffected range="ge">2.3.9-r1</unaffected>
|
|
<vulnerable range="lt">2.3.9-r1</vulnerable>
|
|
</package>
|
|
<package name="net-mail/dovecot" auto="yes" arch="*">
|
|
<unaffected range="ge">1.0.10</unaffected>
|
|
<vulnerable range="lt">1.0.10</vulnerable>
|
|
</package>
|
|
<package name="net-misc/stunnel" auto="yes" arch="*">
|
|
<unaffected range="ge">4.21-r1</unaffected>
|
|
<unaffected range="lt">4.0</unaffected>
|
|
<vulnerable range="lt">4.21-r1</vulnerable>
|
|
</package>
|
|
<package name="net-nntp/inn" auto="yes" arch="*">
|
|
<unaffected range="ge">2.4.3-r1</unaffected>
|
|
<vulnerable range="lt">2.4.3-r1</vulnerable>
|
|
</package>
|
|
</affected>
|
|
<background>
|
|
<p>
|
|
The ssl-cert eclass is a code module used by Gentoo ebuilds to generate
|
|
SSL certificates.
|
|
</p>
|
|
</background>
|
|
<description>
|
|
<p>
|
|
Robin Johnson reported that the docert() function provided by
|
|
ssl-cert.eclass can be called by source building stages of an ebuild,
|
|
such as src_compile() or src_install(), which will result in the
|
|
generated SSL keys being included inside binary packages (binpkgs).
|
|
</p>
|
|
</description>
|
|
<impact type="normal">
|
|
<p>
|
|
A local attacker could recover the SSL keys from publicly readable
|
|
binary packages when "<i>emerge</i>" is called with the "<i>--buildpkg
|
|
(-b)</i>" or "<i>--buildpkgonly (-B)</i>" option. Remote attackers can
|
|
recover these keys if the packages are served to a network. Binary
|
|
packages built using "<i>quickpkg</i>" are not affected.
|
|
</p>
|
|
</impact>
|
|
<workaround>
|
|
<p>
|
|
Do not use pre-generated SSL keys, but use keys that were generated
|
|
using a different Certificate Authority.
|
|
</p>
|
|
</workaround>
|
|
<resolution>
|
|
<p>
|
|
Upgrading to newer versions of the above packages will neither remove
|
|
possibly compromised SSL certificates, nor old binary packages. Please
|
|
remove the certificates installed by Portage, and then emerge an
|
|
upgrade to the package.
|
|
</p>
|
|
<p>
|
|
All Conserver users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=app-admin/conserver-8.1.16"</code>
|
|
<p>
|
|
All Postfix 2.4 users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.4.6-r2"</code>
|
|
<p>
|
|
All Postfix 2.3 users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.3.8-r1"</code>
|
|
<p>
|
|
All Postfix 2.2 users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.2.11-r1"</code>
|
|
<p>
|
|
All Netkit FTP Server users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r7"</code>
|
|
<p>
|
|
All ejabberd users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=net-im/ejabberd-1.1.3"</code>
|
|
<p>
|
|
All UnrealIRCd users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=net-irc/unrealircd-3.2.7-r2"</code>
|
|
<p>
|
|
All Cyrus IMAP Server users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.3.9-r1"</code>
|
|
<p>
|
|
All Dovecot users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.0.10"</code>
|
|
<p>
|
|
All stunnel 4 users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=net-misc/stunnel-4.21"</code>
|
|
<p>
|
|
All InterNetNews users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=net-nntp/inn-2.4.3-r1"</code>
|
|
</resolution>
|
|
<references>
|
|
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1383">CVE-2008-1383</uri>
|
|
</references>
|
|
<metadata tag="submitter" timestamp="Fri, 14 Mar 2008 23:17:10 +0000">
|
|
rbu
|
|
</metadata>
|
|
<metadata tag="bugReady" timestamp="Sat, 15 Mar 2008 00:11:06 +0000">
|
|
rbu
|
|
</metadata>
|
|
</glsa>
|