Your message dated Sat, 15 May 2010 22:47:43 +0000
with message-id <[email protected]>
and subject line Bug#571631: fixed in shibboleth-sp2 2.3.1+dfsg-2
has caused the Debian Bug report #571631,
regarding libapache2-mod-shib2: shib-keygen generates world-readable key file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
571631: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571631
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libapache2-mod-shib2
Version: 2.0.dfsg1-4+lenny2
Severity: critical
Tags: security
Justification: root security hole
When setting up a new SP, I observe the following:
irregular-apocalypse:/etc/shibboleth# ls -l sp*
ls: cannot access sp*: No such file or directory
irregular-apocalypse:/etc/shibboleth# shib-keygen
Generating a 2048 bit RSA private key
.....+++
...........................................................+++
writing new private key to 'sp-key.pem'
-----
irregular-apocalypse:/etc/shibboleth# ls -l sp*
-rw-r--r-- 1 root root 1164 Feb 26 15:39 sp-cert.pem
-rw-r--r-- 1 root root 1675 Feb 26 15:39 sp-key.pem
I believe that sp-key.pem should not be made world-readable, and
therefore suggest that the script changes its umask accordingly, and
then chmods the non-private certificate to be world-readable afterwards.
--- End Message ---
--- Begin Message ---
Source: shibboleth-sp2
Source-Version: 2.3.1+dfsg-2
We believe that the bug you reported is fixed in the latest version of
shibboleth-sp2, which is due to be installed in the Debian FTP archive:
libapache2-mod-shib2_2.3.1+dfsg-2_i386.deb
to main/s/shibboleth-sp2/libapache2-mod-shib2_2.3.1+dfsg-2_i386.deb
libshibsp-dev_2.3.1+dfsg-2_i386.deb
to main/s/shibboleth-sp2/libshibsp-dev_2.3.1+dfsg-2_i386.deb
libshibsp-doc_2.3.1+dfsg-2_all.deb
to main/s/shibboleth-sp2/libshibsp-doc_2.3.1+dfsg-2_all.deb
libshibsp4_2.3.1+dfsg-2_i386.deb
to main/s/shibboleth-sp2/libshibsp4_2.3.1+dfsg-2_i386.deb
shibboleth-sp2-schemas_2.3.1+dfsg-2_all.deb
to main/s/shibboleth-sp2/shibboleth-sp2-schemas_2.3.1+dfsg-2_all.deb
shibboleth-sp2_2.3.1+dfsg-2.diff.gz
to main/s/shibboleth-sp2/shibboleth-sp2_2.3.1+dfsg-2.diff.gz
shibboleth-sp2_2.3.1+dfsg-2.dsc
to main/s/shibboleth-sp2/shibboleth-sp2_2.3.1+dfsg-2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <[email protected]> (supplier of updated shibboleth-sp2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 15 May 2010 15:25:12 -0700
Source: shibboleth-sp2
Binary: libapache2-mod-shib2 libshibsp4 libshibsp-dev libshibsp-doc
shibboleth-sp2-schemas
Architecture: source i386 all
Version: 2.3.1+dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian Shib Team <[email protected]>
Changed-By: Russ Allbery <[email protected]>
Description:
libapache2-mod-shib2 - Federated web single sign-on system (Apache module)
libshibsp-dev - Federated web single sign-on system (development)
libshibsp-doc - Federated web single sign-on system (API docs)
libshibsp4 - Federated web single sign-on system (runtime)
shibboleth-sp2-schemas - Federated web single sign-on system (schemas)
Closes: 571631
Changes:
shibboleth-sp2 (2.3.1+dfsg-2) unstable; urgency=low
.
* Modify shib-keygen to create the new certificate key group-readable by
_shibd and not world-readable. (Closes: #571631)
* Force source format 1.0 for now since it makes backporting easier.
* Update debhelper compatibility level to V7.
- Use dh_prep instead of dh_clean -k.
* Update standards version to 3.8.4 (no changes required).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkvvI+AACgkQ+YXjQAr8dHZDOQCeMnXycfVEH+MKa8vkrKEttNzE
AdsAoMLW/A/1wm4O3NcjjxUdZbtKcwHu
=/vtN
-----END PGP SIGNATURE-----
--- End Message ---
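The fix suggested in the report (set a restrictive umask first, then chmod the certificate), combined with the group-readable key described in the changelog, as an added shell example. This is not the shib-keygen script or the Debian patch; the openssl invocation, the subject name sp.example.org and the function names are assumptions.

```shell
#!/bin/sh
# Added illustration; not the shib-keygen script shipped by Debian.

# gen_keypair DIR [GROUP]
# Writes sp-key.pem and sp-cert.pem into DIR. The key never exists with
# permission bits for "other", regardless of the caller's umask.
gen_keypair() {
    (
        dir=$1
        group=${2:-}
        umask 077                      # files created below start at 0600
        cd "$dir" || exit 1
        # Assumed invocation: self-signed cert, unencrypted 2048-bit RSA key.
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=sp.example.org" \
            -keyout sp-key.pem -out sp-cert.pem 2>/dev/null || exit 1
        chmod 600 sp-key.pem           # explicit, in case the tool set a mode
        chmod 644 sp-cert.pem          # the certificate is public
        if [ -n "$group" ]; then
            # Change the group before widening the mode, so the key is
            # never readable by the wrong group.
            chgrp "$group" sp-key.pem && chmod 640 sp-key.pem
        fi
    )
}

# key_is_private FILE
# Succeeds only if "other" has no permission bits on FILE.
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# Usage (as root): gen_keypair /etc/shibboleth _shibd
#                  key_is_private /etc/shibboleth/sp-key.pem || echo "fix mode"
```

Running key_is_private over an existing /etc/shibboleth/sp-key.pem flags keys that were generated before the fixed package was installed; upgrading the package does not by itself change the mode of a key that already exists.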