Ferenc Wagner <wf...@niif.hu> writes:
> Upstream fixed this by using umask 177.
Russ, How should we proceed with this bug? I'm not sure it warrants a security update, so I didn't want to push this patch. Thanks, Feri. >From 8012fbf3cfb48df91ff26dc30cda23fb739386e7 Mon Sep 17 00:00:00 2001 From: Ferenc Wagner <wf...@niif.hu> Date: Fri, 5 Mar 2010 17:52:33 +0100 Subject: [PATCH] Protect the generated key material by setting umask in keygen.sh This is the upstream fix for https://bugs.internet2.edu/jira/browse/SSPCPP-106: http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3231 --- configs/keygen.sh | 1 + debian/changelog | 6 ++++++ 2 files changed, 7 insertions(+), 0 deletions(-) diff --git a/configs/keygen.sh b/configs/keygen.sh index 534516c..54f01b9 100755 --- a/configs/keygen.sh +++ b/configs/keygen.sh @@ -66,6 +66,7 @@ subjectAltName=$ALTNAME subjectKeyIdentifier=hash EOF +umask 177 if [ -z "$BATCH" ] ; then openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem else diff --git a/debian/changelog b/debian/changelog index c6a8516..2ca03e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +shibboleth-sp2 (2.0.dfsg1-4+lenny3) stable-security; urgency=high + + * SECURITY: Fix permissions of generated keys. (Closes: #571631) + + -- Ferenc Wagner <wf...@niif.hu> Fri, 05 Mar 2010 17:53:43 +0100 + shibboleth-sp2 (2.0.dfsg1-4+lenny2) stable-security; urgency=high * SECURITY: Partial fix for improper handling of URLs that could be
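Review bot: in the configs/keygen.sh hunk, the umask 177 placed just before the if [ -z "$BATCH" ] test applies to every file written from that point on, so in the visible branch it restricts not only -keyout sp-key.pem but also -out sp-cert.pem to mode 0600; the certificate is public, and on hosts where a different user than the one running keygen.sh has to read sp-cert.pem this will surface as a permissions failure. Consider an explicit chmod 644 sp-cert.pem after the openssl call (or restoring the previous umask afterwards) so that only the private key stays at 0600. Separately, since the patch touches only keygen.sh, private keys generated before this upload keep whatever permissions they were created with; a one-time chmod of the existing sp-key.pem in the maintainer scripts, or at least a note to administrators, would cover already-installed systems.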
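Review bot: in the debian/changelog hunk, the new entry is marked stable-security with urgency=high, while the cover note above says it is not clear this bug warrants a security update; if the fix is routed through a regular stable update instead, the distribution and urgency fields need to be adjusted before upload rather than left at the security values. The entry also carries no pointer to the upstream fix, although the commit message cites SSPCPP-106 and svn revision 3231; adding that reference to the changelog line would let anyone reading the package history trace the change without the mailing-list thread.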