Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200803-30 ] ssl-cert eclass: Certificate disclosure
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1569

PostPosted: Thu Mar 20, 2008 2:26 am    Post subject: [ GLSA 200803-30 ] ssl-cert eclass: Certificate disclosure Reply with quote

Gentoo Linux Security Advisory

Title: ssl-cert eclass: Certificate disclosure (GLSA 200803-30)
Severity: normal
Exploitable: remote
Date: March 20, 2008
Bug(s): #174759
ID: 200803-30

Synopsis


An error in the usage of the ssl-cert eclass within multiple ebuilds might
allow for disclosure of generated SSL private keys.


Background


The ssl-cert eclass is a code module used by Gentoo ebuilds to generate
SSL certificates.


Affected Packages

Package: app-admin/conserver
Vulnerable: < 8.1.16
Unaffected: >= 8.1.16
Architectures: All supported architectures

Package: mail-mta/postfix
Vulnerable: < 2.4.6-r2
Unaffected: >= 2.4.6-r2
Unaffected: >= 2.3.8-r1 < 2.3.9
Unaffected: >= 2.2.11-r1 < 2.2.12
Architectures: All supported architectures

Package: net-ftp/netkit-ftpd
Vulnerable: < 0.17-r7
Unaffected: >= 0.17-r7
Architectures: All supported architectures

Package: net-im/ejabberd
Vulnerable: < 1.1.3
Unaffected: >= 1.1.3
Architectures: All supported architectures

Package: net-irc/unrealircd
Vulnerable: < 3.2.7-r2
Unaffected: >= 3.2.7-r2
Architectures: All supported architectures

Package: net-mail/cyrus-imapd
Vulnerable: < 2.3.9-r1
Unaffected: >= 2.3.9-r1
Architectures: All supported architectures

Package: net-mail/dovecot
Vulnerable: < 1.0.10
Unaffected: >= 1.0.10
Architectures: All supported architectures

Package: net-misc/stunnel
Vulnerable: < 4.21-r1
Unaffected: >= 4.21-r1
Unaffected: < 4.0
Architectures: All supported architectures

Package: net-nntp/inn
Vulnerable: < 2.4.3-r1
Unaffected: >= 2.4.3-r1
Architectures: All supported architectures


Description


Robin Johnson reported that the docert() function provided by
ssl-cert.eclass can be called by source building stages of an ebuild,
such as src_compile() or src_install(), which will result in the
generated SSL keys being included inside binary packages (binpkgs).


Impact


A local attacker could recover the SSL keys from publicly readable
binary packages when " emerge " is called with the " --buildpkg
(-b)
" or " --buildpkgonly (-B) " option. Remote attackers can
recover these keys if the packages are served to a network. Binary
packages built using " quickpkg " are not affected.


Workaround


Do not use pre-generated SSL keys, but use keys that were generated
using a different Certificate Authority.


Resolution


Upgrading to newer versions of the above packages will neither remove
possibly compromised SSL certificates, nor old binary packages. Please
remove the certificates installed by Portage, and then emerge an
upgrade to the package.

All Conserver users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/conserver-8.1.16"

All Postfix 2.4 users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.4.6-r2"

All Postfix 2.3 users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.3.8-r1"

All Postfix 2.2 users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.2.11-r1"

All Netkit FTP Server users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r7"

All ejabberd users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/ejabberd-1.1.3"

All UnrealIRCd users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=net-irc/unrealircd-3.2.7-r2"

All Cyrus IMAP Server users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.3.9-r1"

All Dovecot users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.0.10"

All stunnel 4 users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/stunnel-4.21"

All InterNetNews users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=net-nntp/inn-2.4.3-r1"


References

CVE-2008-1383


Last edited by GLSA on Wed May 21, 2014 4:27 am; edited 2 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum