Hi,
I use the gentoo framework to build binary packages. I noticed that most
packages create the ssl certificate during src_install(). This makes
all binary packages contain the ssl certs, which is a security threat.
The net-nds/openldap package has understood this and calls docert from
pkg_postinst() and even includes this comment:
# You cannot build SSL certificates during src_install that will make
# binary packages containing your SSL key, which is both a security risk
# and a misconfiguration if multiple machines use the same key and cert.
# Additionally, it overwrites
The net-im/ejabberd package seems to create its ssl cert from another script.
The vulnerable packages are:
app-admin/conserver
mail-mta/postfix
net-analyzer/sguil-server
net-firewall/nufw
net-ftp/netkit-ftpd
net-irc/ptlink-ircd
net-irc/unrealircd
net-mail/cyrus-imapd
net-mail/cyrus-imspd
net-mail/dovecot
net-misc/stunnel
net-nntp/inn
www-servers/nginx
Should I create a bug for every vulnerable package?
From a binary packager's perspective I would really prefer to create the
certs from the init.d script.
Thanks!
Natanael Copa
--
gentoo-dev@gentoo.org mailing list
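As an added illustration (not code from the mail, from any Gentoo ebuild or from the openldap docert helper), a POSIX shell sketch of the two defender-side pieces the post argues for: a QA scan of a package image tree for private key material before it is archived into a binary package, and an idempotent certificate creation routine of the kind pkg_postinst() or an init.d script would run on the installed machine. The openssl command line, file names and the ${D}-style image layout are my assumptions.

```shell
#!/bin/sh
# Added example (not from the mail or any ebuild): two defender-side helpers.
#
# scan_image_for_keys DIR
#   Walk a package image tree (the ${D} that gets archived into a binary
#   package) and report every file that carries PEM private-key material.
#   Returns 1 if any is found, 0 if the image is clean. Run it before the
#   image is packaged; a hit means the key would ship to every machine that
#   installs the package, exactly the problem the mail describes.
scan_image_for_keys() {
    hits=$(find "$1" -type f -exec grep -lE \
        -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null) || true
    [ -z "$hits" ] && return 0
    printf 'QA: private key material found in image:\n%s\n' "$hits" >&2
    return 1
}

# ensure_cert DIR NAME
#   The pattern pkg_postinst() or an init.d script should use instead:
#   create DIR/NAME.key and DIR/NAME.crt on the installed machine, and only
#   if they do not already exist, so a re-install never replaces a key the
#   admin already deployed. The openssl command line is an assumption, not
#   taken from any Gentoo docert helper.
ensure_cert() {
    dir=$1 name=$2
    if [ -s "$dir/$name.key" ] && [ -s "$dir/$name.crt" ]; then
        echo "ensure_cert: keeping existing $dir/$name.key" >&2
        return 0
    fi
    command -v openssl >/dev/null 2>&1 || {
        echo "ensure_cert: openssl not available" >&2; return 2; }
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$(hostname 2>/dev/null || echo localhost)" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null )
}
```

Calling `scan_image_for_keys "${D}"` at the end of src_install() (or over the unpacked binary package) is enough to catch the packages listed above; `ensure_cert` is what the cert creation step moves to once it leaves src_install().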