Package: libapache2-mod-shib2
Version: 2.0.dfsg1-4+lenny2
Severity: critical
Tags: security
Justification: root security hole

When setting up a new SP, I observe the following:

irregular-apocalypse:/etc/shibboleth# ls -l sp*
ls: cannot access sp*: No such file or directory
irregular-apocalypse:/etc/shibboleth# shib-keygen
Generating a 2048 bit RSA private key
.....+++
...........................................................+++
writing new private key to 'sp-key.pem'
-----
irregular-apocalypse:/etc/shibboleth# ls -l sp*
-rw-r--r-- 1 root root 1164 Feb 26 15:39 sp-cert.pem
-rw-r--r-- 1 root root 1675 Feb 26 15:39 sp-key.pem

I believe that sp-key.pem should not be made world-readable, and therefore suggest that the script changes its umask accordingly, and then chmods the non-private certificate to be world-readable afterwards.
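
The umask-then-chmod approach suggested in the report, as an added sketch that is not part of the original report and is not the shib-keygen script from the package. The function names, the openssl command line and the host name sp.example.org are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not the shib-keygen script shipped in the package.

# Run a command under a umask that denies group/other access. The function
# body is a subshell, so the caller's umask is left unchanged.
with_private_umask() (
    umask 077 && "$@"
)

# Succeed only if the file has no group or other permission bits set.
key_is_private() {
    perms=$(ls -ld -- "$1") || return 2
    [ "$(printf '%s' "$perms" | cut -c5-10)" = "------" ]
}

# Create sp-key.pem and sp-cert.pem in directory $1 for host name $2.
# The openssl command line is an assumption, not what shib-keygen runs.
generate_sp_keypair() {
    dir=$1
    host=$2
    # umask only affects newly created files, so refuse to reuse an old key
    # file that may already carry loose permissions.
    if [ -e "$dir/sp-key.pem" ]; then
        echo "refusing to overwrite $dir/sp-key.pem" >&2
        return 1
    fi
    with_private_umask openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$host" \
        -keyout "$dir/sp-key.pem" -out "$dir/sp-cert.pem" || return 1
    # The certificate is public; only the key stays restricted.
    chmod 644 "$dir/sp-cert.pem" || return 1
    key_is_private "$dir/sp-key.pem"
}

# Usage (constructed host name):
#   generate_sp_keypair /etc/shibboleth sp.example.org
```

key_is_private can also be run on its own against key files written by an affected version, since fixing the script does not change the mode of files that already exist.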