Bug#464930: marked as done (ssl-cert: please use 'hostname -f' in /usr/sbin/make-ssl-cert)

Your message dated Sun, 10 Feb 2008 22:02:05 +0000 with message-id <E1JOKFR-000120-6Q@ries.debian.org> and subject line Bug#464930: fixed in ssl-cert 1.0.15 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)

attached mail follows:

Package: ssl-cert
Version: 1.0.14
Severity: important
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: ubuntu-patch origin-ubuntu hardy

make-ssl-cert currently uses 'hostname' to set the cn of the default snake oil certificate. This results in a cn set to a relative hostname, not an FQDN (which would be given by 'hostname -f'). This yields a suboptimal certificate: OpenLDAP, for instance, will map 'localhost' to the fqdn when verifying certificates, which will properly fail to match the relative hostname in most cases, and there's also the issue that having a certificate that only works with the relative hostname ensures that users will only /connect/ using the relative hostname, opening a subtle attack vector in the form of hostname collisions in the domain search list.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

The attached patch implements this change in the most trivial fashion. However, it's probably also reasonable to have the unqualified hostname as an alternative name in the certificate for convenience; in that case, it makes sense to add a subjectAlternativeName to the snakeoil cert as well, including the value of $(hostname). If you prefer, I can look at implementing this.

Incidentally, is this package actually maintained today? I notice that the maintainer is listed as "Debian Apache Maintainers", and that none of the uploaders listed have been active in Apache maintenance for some time...

Cheers,

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    
http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

attached mail follows:

Source: ssl-cert Source-Version: 1.0.15 We believe that the bug you reported is fixed in the latest version of ssl-cert, which is due to be installed in the Debian FTP archive: ssl-cert_1.0.15.dsc to pool/main/s/ssl-cert/ssl-cert_1.0.15.dsc ssl-cert_1.0.15.tar.gz to pool/main/s/ssl-cert/ssl-cert_1.0.15.tar.gz ssl-cert_1.0.15_all.deb to pool/main/s/ssl-cert/ssl-cert_1.0.15_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 464930@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Tollef Fog Heen <tfheen@debian.org> (supplier of updated ssl-cert package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Sun, 10 Feb 2008 20:22:54 +0100 Source: ssl-cert Binary: ssl-cert Architecture: source all Version: 1.0.15 Distribution: unstable Urgency: low Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Changed-By: Tollef Fog Heen <tfheen@debian.org> Description: ssl-cert - simple debconf wrapper for OpenSSL Closes: 230391 287692 292157 293821 384591 384595 444902 445589 446210 446311 446488 446640 446640 446670 446679 446878 446900 447138 447441 447900 447909 447921 448226 464930 Changes: ssl-cert (1.0.15) unstable; urgency=low .
* Use 'hostname -f' for the snakeoil CN instead of 'hostname', since
relative hostnames are subject to namespace collisions that could be exploited (and also because OpenLDAP doesn't care for them when connecting to localhost). Thanks to Steve Langasek for the patch. Closes: 464930
* Debconf templates and debian/control reviewed by the debian-l10n-
english team as part of the Smith review project. Closes: #445589
* [Debconf translation updates]
* Bulgarian. Closes: #446210
* Galician. Closes: #446488
* Spanish; Castilian. Closes: #446311
* Finnish. Closes: #446640
* Czech. Closes: #446670
* Portuguese. Closes: #446679
* Finnish. Closes: #446640
* Turkish. Closes: #446878
* Vietnamese. Closes: #446900
* Basque. Closes: #447138
* Italian. Closes: #447441
* Russian. Closes: #447900
* Slovak. Closes: #447909
* German. Closes: #447921
* French. Closes: #448226
* Do getent group rather than getent passwd in postinst. Closes: 444902
* Make the default SSL cert have a lifetime of 10 years rather than 30
days. Closes: 293821
* Add set -e to postinst and postrm. Closes: 384591
* Make default openssl config pull RANDFILE from the environment.
Closes: 384595.
* Only ask for hostname, drop questions about country, organisation and
such. Closes: 230391, 287692.
* Handle relative output file paths correctly by using basename when
symlinking to the hash file. Closes: 292157.
* Fix lintian warnings (clean-should-be-satisfied-by-build-depends
debhelper and newer-debconf-templates).
* Add buid-dependency on po-debconf.
Files: 2a62363c956540ab4f58d6c57da6a005 683 utils optional ssl-cert_1.0.15.dsc 5dded65992ee4c562baedcd556d1f20f 18311 utils optional ssl-cert_1.0.15.tar.gz 280b6896d694ce1fb88fe6ca7cbe64df 7938 utils optional ssl-cert_1.0.15_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHr3EPQSseMYF6mWoRAjeFAJ9HrV6Tmzzrsaq1ssA1OPO3Qffg3QCgurKt Pa/pMnaT07HCZGsPM10ZyJw= =YgL1 -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org