Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

[ GLSA 200803-30 ] ssl-cert eclass: Certificate disclosure
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1303
PostPosted: Thu Mar 20, 2008 2:26 am    Post subject: [ GLSA 200803-30 ] ssl-cert eclass: Certificate disclosure Reply with quote
Gentoo Linux Security Advisory

Title: ssl-cert eclass: Certificate disclosure (GLSA 200803-30)
Severity: normal
Exploitable: remote
Date: March 20, 2008
Bug(s): #174759
ID: 200803-30

Synopsis

An error in the usage of the ssl-cert eclass within multiple ebuilds might allow for disclosure of generated SSL private keys.

Background

The ssl-cert eclass is a code module used by Gentoo ebuilds to generate SSL certificates.

Affected Packages

Package: app-admin/conserver
Vulnerable: < 8.1.16
Unaffected: >= 8.1.16
Architectures: All supported architectures

Package: mail-mta/postfix
Vulnerable: < 2.4.6-r2
Unaffected: >= 2.4.6-r2
Unaffected: >= 2.3.8-r1 < 2.3.9
Unaffected: >= 2.2.11-r1 < 2.2.12
Architectures: All supported architectures

Package: net-ftp/netkit-ftpd
Vulnerable: < 0.17-r7
Unaffected: >= 0.17-r7
Architectures: All supported architectures

Package: net-im/ejabberd
Vulnerable: < 1.1.3
Unaffected: >= 1.1.3
Architectures: All supported architectures

Package: net-irc/unrealircd
Vulnerable: < 3.2.7-r2
Unaffected: >= 3.2.7-r2
Architectures: All supported architectures

Package: net-mail/cyrus-imapd
Vulnerable: < 2.3.9-r1
Unaffected: >= 2.3.9-r1
Architectures: All supported architectures

Package: net-mail/dovecot
Vulnerable: < 1.0.10
Unaffected: >= 1.0.10
Architectures: All supported architectures

Package: net-misc/stunnel
Vulnerable: < 4.21-r1
Unaffected: >= 4.21-r1
Unaffected: < 4.0
Architectures: All supported architectures

Package: net-nntp/inn
Vulnerable: < 2.4.3-r1
Unaffected: >= 2.4.3-r1
Architectures: All supported architectures


Description

Robin Johnson reported that the docert() function provided by ssl-cert.eclass can be called by source building stages of an ebuild, such as src_compile() or src_install(), which will result in the generated SSL keys being included inside binary packages (binpkgs).

Impact

A local attacker could recover the SSL keys from publicly readable binary packages when " emerge " is called with the " --buildpkg (-b) " or " --buildpkgonly (-B) " option. Remote attackers can recover these keys if the packages are served to a network. Binary packages built using " quickpkg " are not affected.

Workaround

Do not use pre-generated SSL keys, but use keys that were generated using a different Certificate Authority.

Resolution

Upgrading to newer versions of the above packages will neither remove possibly compromised SSL certificates, nor old binary packages. Please remove the certificates installed by Portage, and then emerge an upgrade to the package. All Conserver users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/conserver-8.1.16"
All Postfix 2.4 users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.4.6-r2"
All Postfix 2.3 users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.3.8-r1"
All Postfix 2.2 users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.2.11-r1"
All Netkit FTP Server users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r7"
All ejabberd users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/ejabberd-1.1.3"
All UnrealIRCd users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-irc/unrealircd-3.2.7-r2"
All Cyrus IMAP Server users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.3.9-r1"
All Dovecot users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.0.10"
All stunnel 4 users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/stunnel-4.21"
All InterNetNews users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-nntp/inn-2.4.3-r1"


References

CVE-2008-1383
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2013 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p9 © 2001, 2002 phpBB Group