Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Please review ssl-cert_1.0.32+deb7u1 for inclusion in oldstable. The main change is switching from sha1 to sha256 for new certificates because browsers start marking sha1 as insecure.

ssl-cert (1.0.32+deb7u1) wheezy; urgency=medium

  * Switch to SHA2 for newly generated certificates. Closes: #733255, #773815
  * Set umask to make sure that the generated key is not world-readable
    for a short timespan while make-ssl-cert runs. Closes: #780828

 -- Stefan Fritsch <s...@debian.org>  Sun, 16 Aug 2015 13:27:23 +0200

Debdiff is attached.

diff -Nru ssl-cert-1.0.32/debian/changelog ssl-cert-1.0.32+deb7u1/debian/changelog --- ssl-cert-1.0.32/debian/changelog 2012-08-26 19:45:06.000000000 +0200 +++ ssl-cert-1.0.32+deb7u1/debian/changelog 2015-08-16 13:38:05.000000000 +0200 @@ -1,3 +1,11 @@ +ssl-cert (1.0.32+deb7u1) wheezy; urgency=medium + + * Switch to SHA2 for newly generated certificates. Closes: #733255, #773815 + * Set umask to make sure that the generated key is not world-readable + for a short timespan while make-ssl-cert runs. Closes: #780828 + + -- Stefan Fritsch <s...@debian.org> Sun, 16 Aug 2015 13:27:23 +0200 + ssl-cert (1.0.32) unstable; urgency=low * Update Brazilian Portuguese, thanks to J. S. JĂșnior. Closes: #685887 diff -Nru ssl-cert-1.0.32/make-ssl-cert ssl-cert-1.0.32+deb7u1/make-ssl-cert --- ssl-cert-1.0.32/make-ssl-cert 2012-06-09 20:25:20.000000000 +0200 +++ ssl-cert-1.0.32+deb7u1/make-ssl-cert 2015-08-16 13:38:05.000000000 +0200 @@ -99,8 +99,10 @@ # create the certificate. +umask 077 + if [ "$1" != "generate-default-snakeoil" ]; then - if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes \ + if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \ -out $output -keyout $output > $TMPOUT 2>&1 then echo Could not create certificate. Openssl output was: >&2 @@ -112,7 +114,7 @@ cd $(dirname $output) ln -sf $(basename $output) $(openssl x509 -hash -noout -in $(basename $output)) else - if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes \ + if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \ -out /etc/ssl/certs/ssl-cert-snakeoil.pem \ -keyout /etc/ssl/private/ssl-cert-snakeoil.key > $TMPOUT 2>&1 then
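
Review bot: In the debian/changelog hunk, the first bullet says "SHA2" while the code passes -sha256 to openssl req; naming SHA-256 would make the entry match the option actually used. The entry is also limited to "newly generated" certificates and nothing in this debdiff regenerates existing ones, so it would help to say explicitly that certificates already on disk keep their SHA-1 signature until the administrator regenerates them.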
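
Review bot: In the make-ssl-cert hunk at @@ -99,8 +99,10 @@, the bare "umask 077" stays in effect for the rest of the script, not only for the openssl req call that writes the key. That is the right mode for the first branch, where -out and -keyout both point at $output, but every file created afterwards inherits it too. Either scope it to the key-writing commands, for example by running them in a subshell that sets the umask, or add a comment above the line saying the script-wide scope is intended. Since the line is being touched anyway, $TMPFILE and $output on the openssl req line could also be quoted.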
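
Review bot: In the make-ssl-cert hunk at @@ -112,7 +114,7 @@, the -out target /etc/ssl/certs/ssl-cert-snakeoil.pem is now created under the "umask 077" set earlier in the script, so the public certificate comes out mode 0600 unless a chmod outside this hunk resets it. Services that read the snakeoil certificate as a non-root user would then fail to load it. Please confirm that an explicit chmod on the certificate, and on /etc/ssl/private/ssl-cert-snakeoil.key for its intended mode, follows this openssl req call, or add one in this branch.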