Package: ssl-cert
Version: 1.0.35
Severity: normal
make-ssl-cert appears to create the secret key material and then chmod
it to restrict permissions. This leaves a race condition where a
non-privileged user on the system can read the file before the
permissions change takes effect, thereby steali
On 12/26/2013 06:18 PM, Nick Kew wrote:
> You're ahead of us. Individual Apache folks like Jim have taken
> responsibility and moved to 4096-bit keys, but we haven't as a
> community had the discussion that might lead to pruning KEYS.
> My inclination is to say NO to requiring anyone to remove old
Hi apache folks--
In http://bugs.debian.org/732450, debian is preparing to
cryptographically verify OpenPGP signatures on apache upstream tarballs.
As part of the discussion, it's become clear that some of the keys in
https://www.apache.org/dist/httpd/KEYS are weak by any modern
consideration of
On 12/23/2013 06:48 AM, Arno Töll wrote:
> thanks for that suggestion. I added your patch for the upcoming package
> upload.
great, thank you!
> I did, however, add the full keyring of Apache developers that
> /could/ sign a release as listed in http://www.apache.org/dist/httpd/KEYS
While we're
Package: src:apache2
Version: 2.4.6-3
Severity: normal
Tags: patch
uscan from devscripts 2.13.3 has the ability to check OpenPGP
signatures on new upstream releases.
It looks like Jim Jagielski is signing apache2 releases (at least
those from 2.2 onward, which are all that we care about) with his
Package: libaprutil1-dev
Version: 1.4.1-3
Severity: normal
debian/patches/ship_find_apu.m4.patch seems to think that it is going
to cause find_apu.m4 to be shipped with one of the binary packages,
but it doesn't seem to have that effect.
find_apu.m4 ends up in the top level of debian/tmp, but nev
On 10/01/2010 11:58 AM, Stefan Fritsch wrote:
> 1024 bits are more than enough to satisfy the security expectations of
> an auto-generated "snake-oil" key for the life time of squeeze.
The key is not snake-oil. The X.509 *certificate* is snake-oil, what
with being self-signed and all. A perfect
Package: ssl-cert
Version: 1.0.26
Severity: normal
this is the shipped version of /usr/share/ssl-cert/ssleay.cnf, which
is used for make-ssl-cert to generate the default key and "snakeoil"
certificate.
-
#
# SSLeay example configuration file.
#
RANDFILE= /dev/uran
On 03/25/2009 05:51 PM, Daniel Kahn Gillmor wrote:
> Well, in this case, nothing went wrong (since the whole file was
> transferred across the socket). When i get a chance, i'll try to modify
> my code to do this over a network socket instead of a UNIX socket, and
> listen to
On 03/25/2009 05:17 PM, Stefan Fritsch wrote:
> I don't deny this and it is certainly not optimal, but it works as
> documented. I have poked upstream about it but I don't expect that it
> changes in the near future.
OK, fair enough. Is there anything in an upstream bugtracker? Should
we link th
I can verify that apache2-mpm-worker is indeed having this problem when
serving static files from a CIFS mount on a modern lenny system.
Each HTTP fetch is capable of pulling some smallish amount of bytes
(~10K for some connections i've tried) before the TCP connection
abruptly terminates.
On suc
11 matches