Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200803-30 ] ssl-cert eclass: Certificate disclosure
Date: Thu, 20 Mar 2008 01:20:41
Message-Id: 200803200218.38483.rbu@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200803-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ssl-cert eclass: Certificate disclosure
      Date: March 20, 2008
      Bugs: #174759
        ID: 200803-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An error in the usage of the ssl-cert eclass within multiple ebuilds
might allow for disclosure of generated SSL private keys.

Background
==========

The ssl-cert eclass is a code module used by Gentoo ebuilds to generate
SSL certificates.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  app-admin/conserver           < 8.1.16               >= 8.1.16
  2  mail-mta/postfix              < 2.4.6-r2             >= 2.4.6-r2
                                                         *>= 2.3.8-r1
                                                         *>= 2.2.11-r1
  3  net-ftp/netkit-ftpd           < 0.17-r7              >= 0.17-r7
  4  net-im/ejabberd               < 1.1.3                >= 1.1.3
  5  net-irc/unrealircd            < 3.2.7-r2             >= 3.2.7-r2
  6  net-mail/cyrus-imapd          < 2.3.9-r1             >= 2.3.9-r1
  7  net-mail/dovecot              < 1.0.10               >= 1.0.10
  8  net-misc/stunnel              < 4.21-r1              >= 4.21-r1
                                                              < 4.0
  9  net-nntp/inn                  < 2.4.3-r1             >= 2.4.3-r1
    -------------------------------------------------------------------
     9 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Robin Johnson reported that the docert() function provided by
ssl-cert.eclass can be called by source building stages of an ebuild,
such as src_compile() or src_install(), which will result in the
generated SSL keys being included inside binary packages (binpkgs).

Impact
======

A local attacker could recover the SSL keys from publicly readable
binary packages when "emerge" is called with the "--buildpkg (-b)" or
"--buildpkgonly (-B)" option. Remote attackers can recover these keys
if the packages are served to a network. Binary packages built using
"quickpkg" are not affected.

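The condition described above (private key material captured into a binary
package) can be checked for on a build host. The following scanner is an added
example written for this archive page; it is not part of the GLSA, of the
ssl-cert eclass or of Portage. It assumes that binpkgs are tar archives that
tar(1) can extract directly (a real binpkg carries a trailing xpak metadata
block that makes tar warn, but the file payload still extracts) and that the
package directory uses the category/name-version.tbz2 layout. The
make_sample_binpkg helper builds constructed archives so the scanner can be
exercised offline; they are gzip-compressed stand-ins, not real packages.

```shell
#!/bin/sh
# Added example (not from the GLSA or Portage): scan a Portage binary package
# directory (PKGDIR) for PEM private keys that were captured into binpkgs.

# scan_binpkg ARCHIVE
# Prints the paths inside ARCHIVE whose contents contain a PEM private key
# block. Exit status 0 if any were found, 1 if none, 2 if no scratch
# directory could be created.
scan_binpkg() {
    archive=$1
    tmp=$(mktemp -d) || return 2
    # Extract quietly; a real binpkg's xpak trailer makes tar complain, but
    # the payload still lands in $tmp.
    tar -xf "$archive" -C "$tmp" 2>/dev/null || true
    found=$(grep -rl -e '-----BEGIN .*PRIVATE KEY-----' "$tmp" 2>/dev/null \
            | sed "s|^$tmp/||")
    rm -rf "$tmp"
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# scan_pkgdir DIR
# Scans every *.tbz2 directly under DIR or one category level below it,
# prints "archive: path" for each hit, and returns the number of archives
# that contained key material (0 means the package directory is clean;
# counts above 255 wrap, so treat the status as "non-zero means findings").
scan_pkgdir() {
    dir=$1
    hits=0
    for pkg in "$dir"/*.tbz2 "$dir"/*/*.tbz2; do
        [ -e "$pkg" ] || continue      # unmatched glob pattern
        if paths=$(scan_binpkg "$pkg"); then
            hits=$((hits + 1))
            printf '%s\n' "$paths" | sed "s|^|$pkg: |"
        fi
    done
    return "$hits"
}

# make_sample_binpkg DIR NAME WITH_KEY
# Builds a constructed sample archive for exercising the scanner. It is not
# a real Portage package: no xpak trailer, and gzip-compressed so it builds
# on minimal systems (tar -xf detects the compression automatically).
make_sample_binpkg() {
    dir=$1; name=$2; with_key=$3
    stage=$(mktemp -d) || return 2
    mkdir -p "$stage/usr/sbin" "$stage/etc/ssl/$name" "$dir/net-test"
    printf 'placeholder program\n' > "$stage/usr/sbin/$name"
    if [ "$with_key" = 1 ]; then
        # Constructed placeholder, not real key material.
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
            '-----END RSA PRIVATE KEY-----' > "$stage/etc/ssl/$name/server.key"
    fi
    tar -czf "$dir/net-test/$name-1.0.tbz2" -C "$stage" .
    rm -rf "$stage"
}

# Stand-alone usage: "scan.sh /usr/portage/packages" scans a real PKGDIR;
# "scan.sh --demo" runs the scanner over two constructed archives.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_binpkg "$demo" leaky 1
    make_sample_binpkg "$demo" clean 0
    scan_pkgdir "$demo"; echo "archives with key material: $?"
    rm -rf "$demo"
elif [ -n "${1:-}" ]; then
    scan_pkgdir "$1"; echo "archives with key material: $?"
fi
```

A hit means the archive should be deleted from PKGDIR (and from any mirror it
was served to) and the key it contains treated as disclosed, which is the
situation the Resolution section below addresses by having the installed
certificates removed before re-emerging.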
Workaround
==========

Do not use pre-generated SSL keys, but use keys that were generated
using a different Certificate Authority.

Resolution
==========

Upgrading to newer versions of the above packages will remove neither
possibly compromised SSL certificates nor old binary packages. Please
remove the certificates installed by Portage, and then emerge an
upgrade to the package.

All Conserver users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/conserver-8.1.16"

All Postfix 2.4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.4.6-r2"

All Postfix 2.3 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.3.8-r1"

All Postfix 2.2 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.2.11-r1"

All Netkit FTP Server users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r7"

All ejabberd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/ejabberd-1.1.3"

All UnrealIRCd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-irc/unrealircd-3.2.7-r2"

All Cyrus IMAP Server users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.3.9-r1"

All Dovecot users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.0.10"

All stunnel 4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/stunnel-4.21"

All InterNetNews users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-nntp/inn-2.4.3-r1"

References
==========

  [ 1 ] CVE-2008-1383
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1383

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-30.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
