Package: dovecot-common
Version: 1:1.2.15-3
Severity: normal

It looks like dovecot-common's postinst script creates a new X.509
certificate and places it in /etc/ssl/certs/dovecot.pem.  This
certificate is for use as the IMAP or POP server's end entity
certificate.

However, /etc/ssl/certs/ is used elsewhere in debian (e.g. the default
for wget's --ca-directory option) as a directory of legitimate root
certificate authorities -- *not* end entity certificates.

Since the generated end-entity certificate is self-signed, it defaults
to having CA:TRUE set as an X.509v3 extension, which means that if the
associated public key is somehow compromised, it can be subsequently
used by the attacker to sign arbitrary certificates.  This in turn
means that all parts of debian on that system that rely on
/etc/ssl/certs/ as a clean directory of trustworthy root CAs can have
their otherwise-secure communications intercepted and tampered with.

A more reasonable place to put the certificate might be
/etc/ssl/dovecot.pem or /etc/dovecot/server-certificate.pem

Thanks for maintaining dovecot in debian!

Regards,

      --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-rc5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dovecot-common depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  libbz2-1.0              1.0.5-6          high-quality block-sorting file co
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.12-2        common error description library
ii  libdb4.8                4.8.30-2         Berkeley v4.8 Database Libraries [
ii  libgssapi-krb5-2        1.8.3+dfsg-4     MIT Kerberos runtime libraries - k
ii  libk5crypto3            1.8.3+dfsg-4     MIT Kerberos runtime libraries - C
ii  libkrb5-3               1.8.3+dfsg-4     MIT Kerberos runtime libraries
ii  libldap-2.4-2           2.4.23-7         OpenLDAP libraries
ii  libmysqlclient16        5.1.49-3         MySQL database client library
ii  libpam-runtime          1.1.1-6.1        Runtime support for the PAM librar
ii  libpam0g                1.1.1-6.1        Pluggable Authentication Modules l
ii  libpq5                  8.4.5-0squeeze2  PostgreSQL C client library
ii  libsqlite3-0            3.7.4-2          SQLite 3 shared library
ii  libssl0.9.8             0.9.8o-4         SSL shared libraries
ii  openssl                 0.9.8o-4         Secure Socket Layer (SSL) binary a
ii  ucf                     3.0025+nmu1      Update Configuration File: preserv
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

dovecot-common recommends no packages.

Versions of packages dovecot-common suggests:
ii  ntp                 1:4.2.6.p2+dfsg-1+b1 Network Time Protocol daemon and u

-- Configuration Files:
/etc/default/dovecot changed [not included]

-- no debconf information
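The report above turns on two facts: `openssl req -x509` emits a self-signed certificate with basicConstraints CA:TRUE unless told otherwise, and a self-signed CA:TRUE certificate dropped into /etc/ssl/certs/ becomes a trust anchor for everything that reads that directory. The following script is an added example, not code from the bug report or from the dovecot package's postinst. It assumes the `openssl` command-line tool is installed; the hostname, file names and directory paths are constructed for the example, and the "regular file, not a symlink" rule used by the audit is a heuristic assumed here (Debian's ca-certificates installs symlinks into /etc/ssl/certs/).

```shell
#!/bin/sh
# Added example (not from the bug report or the dovecot package): shows how
# "openssl req -x509" yields CA:TRUE by default, how to request a true
# end-entity certificate instead, and how to audit a CA directory for stray
# self-signed CA certificates. Assumes the openssl CLI is installed; all
# hostnames, file names and paths below are constructed for this example.

# Mimic a postinst-style generation step: a self-signed certificate with no
# explicit extensions. OpenSSL's "req -x509" adds basicConstraints CA:TRUE.
gen_default_selfsigned() {
    dir=$1
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=imap.example.test" \
        -keyout "$dir/default.key" -out "$dir/default.pem" 2>/dev/null
}

# Generate a self-signed server certificate that is explicitly NOT a CA:
# basicConstraints CA:FALSE plus server-only key usage, so a compromised key
# cannot be used to sign further certificates that anything would accept.
gen_end_entity_selfsigned() {
    dir=$1
    cat > "$dir/ee.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = imap.example.test

[ v3_ee ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:imap.example.test
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$dir/ee.cnf" -extensions v3_ee \
        -keyout "$dir/ee.key" -out "$dir/ee.pem" 2>/dev/null
}

# Exit 0 if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Exit 0 if subject and issuer hash to the same value, i.e. self-signed.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Print every regular (non-symlink) *.pem file in a CA directory that is a
# self-signed CA certificate. Certificates managed by ca-certificates are
# symlinks, so a regular file matching this rule is the kind of stray
# trust anchor the report describes (heuristic assumed for this example).
audit_ca_dir() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if is_self_signed "$f" && is_ca_cert "$f"; then
            printf '%s\n' "$f"
        fi
    done
}
```

Typical use is `audit_ca_dir /etc/ssl/certs`: any path it prints is a self-signed CA certificate that was not placed there by ca-certificates and deserves a look. Comparing `openssl x509 -noout -text` output for `default.pem` and `ee.pem` shows the difference the report is about: the first carries `CA:TRUE`, the second `CA:FALSE` with server-only key usage.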
