Package: live-config Version: 3.0.23-1 Severity: normal [When asked privately in IRC, dba didn't consider this a security issue, so I'm reporting it normally.]
It looks like /lib/live/config/1100-sslcert is trying to regenerate the snakeoil key & cert at boot time, similar to how SSH host keys are handled in 1170-openssh-server. AFAICT this code will never run, because it looks for "sslcert" when it should look for "ssl-cert". If someone builds a live SOE with a daemon, and that daemon is stupid enough to use the snakeoil certs instead of generating its own, that daemon will be using the same key across all boots/instances. If an attacker got hold of the SOE, they could extract the build-time snakeoil key and use it for MITM type things. (Of course, any daemon that generates its own certs would need an equivalent to this script, or be similarly affected. Same thing if someone builds a live SOE with dropbear or lsh instead of openssh.) -- To UNSUBSCRIBE, email to debian-live-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130506102857.5394.15679.report...@twb.cyber.com.au
