Your message dated Sat, 01 Jul 2006 06:32:13 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#368420: fixed in linux-ftpd-ssl 0.17.18+0.3-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ftpd-ssl
Version: 0.17.18+0.3-5
Severity: critical
Justification: breaks unrelated software

RC abuse of /etc/ssl/certs, rendering certificate validation
inoperable.

There are two problems with this package's use of /etc/ssl/certs:

    * Files in /etc/ssl/certs must be a+r
      - GNUTLS reads files in /etc/ssl/certs, and will not verify a
        remote certificate once it encounters an unreadable file in
        /etc/ssl/certs.

      - OPENSSL also must read files in /etc/ssl/certs, but seems to
        be more forgiving of errors incurred in the process.

    * This package combines the key and cert into one file - which
      of course means it can't be world readable... and therefore should
      not be in /etc/ssl/certs.  At least the key file should be in some
      package private /etc/ directory - with the appropriate
      permissions.

      You can still use a combined file, but it just needs to be
      elsewhere.

I noticed this when I couldn't connect to my corporate LDAP servers
using ldaps://, but the breakage is going to be further spread (likely any
GNUTLS client app needing to look up certificate chains).

-- System Information:
Debian Release: testing/unstable
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ftpd-ssl depends on:
ii  libc6                         2.3.6-9    GNU C Library: Shared libraries
ii  libpam-modules                0.79-3.1   Pluggable Authentication Modules f
ii  libpam0g                      0.79-3.1   Pluggable Authentication Modules l
ii  libssl0.9.8                   0.9.8b-2   SSL shared libraries
ii  netbase                       4.25       Basic TCP/IP networking system
ii  openssl                       0.9.8b-2   Secure Socket Layer (SSL) binary a

ftpd-ssl recommends no packages.


--- End Message ---
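
The two conditions described in the report above (a file in the certificate directory that is not world-readable, and private key material stored there) can be checked with a short script. This is an added example, not part of the original report or of the ftpd-ssl package; the names `audit_cert_dir` and `demo` are hypothetical and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the ftpd-ssl package. audit_cert_dir and demo
# are hypothetical names.
#
# audit_cert_dir DIR: print one finding per line and return 1 if any:
#   NOT_WORLD_READABLE <path>   file lacks the o+r bit
#   PRIVATE_KEY <path>          file contains a PEM private key header
audit_cert_dir() {
    dir=$1
    findings=$(
        # -L follows symlinks, so the mode checked is that of the target.
        find -L "$dir" -type f ! -perm -004 2>/dev/null |
            sed 's/^/NOT_WORLD_READABLE /'
        find -L "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            # Files this user cannot read are skipped by this check.
            if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f" 2>/dev/null
            then
                printf 'PRIVATE_KEY %s\n' "$f"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed directory (placeholder text, no real keys).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed)' \
        '-----END CERTIFICATE-----' > "$d/ca.pem"
    chmod 644 "$d/ca.pem"
    # Combined key+cert file with tight permissions, as in the report.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed)' \
        '-----END RSA PRIVATE KEY-----' > "$d/ftpd.pem"
    cat "$d/ca.pem" >> "$d/ftpd.pem"
    chmod 600 "$d/ftpd.pem"
    audit_cert_dir "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

On a real system the function would be pointed at /etc/ssl/certs; a non-zero return means at least one entry needs to be moved or have its mode corrected.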
--- Begin Message ---
Source: linux-ftpd-ssl
Source-Version: 0.17.18+0.3-6

We believe that the bug you reported is fixed in the latest version of
linux-ftpd-ssl, which is due to be installed in the Debian FTP archive:

ftpd-ssl_0.17.18+0.3-6_i386.deb
  to pool/main/l/linux-ftpd-ssl/ftpd-ssl_0.17.18+0.3-6_i386.deb
linux-ftpd-ssl_0.17.18+0.3-6.diff.gz
  to pool/main/l/linux-ftpd-ssl/linux-ftpd-ssl_0.17.18+0.3-6.diff.gz
linux-ftpd-ssl_0.17.18+0.3-6.dsc
  to pool/main/l/linux-ftpd-ssl/linux-ftpd-ssl_0.17.18+0.3-6.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cai Qian <[EMAIL PROTECTED]> (supplier of updated linux-ftpd-ssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 01 July 2006 12:27:01 +0100
Source: linux-ftpd-ssl
Binary: ftpd-ssl
Architecture: source i386
Version: 0.17.18+0.3-6
Distribution: unstable
Urgency: low
Maintainer: Cai Qian <[EMAIL PROTECTED]>
Changed-By: Cai Qian <[EMAIL PROTECTED]>
Description: 
 ftpd-ssl   - FTP server with SSL encryption support
Closes: 368420
Changes: 
 linux-ftpd-ssl (0.17.18+0.3-6) unstable; urgency=low
 .
   * Move the certificate file to /etc/ftpd-ssl. Patch from James Westby
     <[EMAIL PROTECTED]>. (Closes: #368420)
   * Remove debian/conffile
Files: 
 a18ebe37c6a13fcdecc849d84ddfe2c3 921 net extra linux-ftpd-ssl_0.17.18+0.3-6.dsc
 accc2306b8a4341133966e9b8a79892d 5995 net extra linux-ftpd-ssl_0.17.18+0.3-6.diff.gz
 606c8094b438a156e4c20332faabebb0 49424 net extra ftpd-ssl_0.17.18+0.3-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

-----END PGP SIGNATURE-----


--- End Message ---
