Your message dated Tue, 31 Jul 2018 22:08:35 +0000
with message-id <[email protected]>
and subject line Bug#902831: fixed in wireguard 0.0.20180731-2
has caused the Debian Bug report #902831,
regarding wireguard-tools: /etc/wireguard permissions are open to the world,
leaking private keys
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
902831: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902831
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wireguard-tools
Version: 0.0.20180625-1
Severity: normal
When installing wireguard-tools, the /etc/wireguard directory is created
that can contain configuration files for the wg-quick service to use.
These configuration files will contain the private key of the local
machine for the VPN configuration, and as such, the default mode (755)
for the directory is unsuitable for production use, since it creates an
opportunity for any user to be able to print out the contents of the
configuration files (if they were not changed to mode 600 themselves),
and potentially break the security model of the Wireguard VPN altogether.
I propose changing the default mode of the /etc/wireguard directory to 600.
I do this on my own machines and there is no functionality impact for the
software, only that the private keys become completely inaccessible for
anyone but root.
--- End Message ---
--- Begin Message ---
Source: wireguard
Source-Version: 0.0.20180731-2
We believe that the bug you reported is fixed in the latest version of
wireguard, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated wireguard
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 31 Jul 2018 18:00:49 -0400
Source: wireguard
Binary: wireguard wireguard-dkms wireguard-tools
Architecture: source
Version: 0.0.20180731-2
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kahn Gillmor <[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Description:
wireguard - fast, modern, secure kernel VPN tunnel (metapackage)
wireguard-dkms - fast, modern, secure kernel VPN tunnel (DKMS version)
wireguard-tools - fast, modern, secure kernel VPN tunnel (userland utilities)
Closes: 902831
Changes:
wireguard (0.0.20180731-2) unstable; urgency=medium
.
* ship /etc/wireguard mode 0700 by default (closes: #902831)
Checksums-Sha1:
5ed947b5763909b33438e5c624f724a34406e1f2 1508 wireguard_0.0.20180731-2.dsc
9c1ec7afcabedfb146df593ce84bfe863b71f7fc 23620
wireguard_0.0.20180731-2.debian.tar.xz
2820e6f5919da7ec936d3d61808cbb78c56e110f 7198
wireguard_0.0.20180731-2_amd64.buildinfo
Checksums-Sha256:
da9b842ea9a14eb720f5a00300095b39b53bffabf506f91d6d68c3ae3ee2e2f0 1508
wireguard_0.0.20180731-2.dsc
115d2b61061260d2c3e7cdf282577639522e77dd0d02255bcf3bd0a141a0f137 23620
wireguard_0.0.20180731-2.debian.tar.xz
c479f2d742fda9754c5d5549cc5515477bd2d41d0aa07c4e42f7709b2552e1f7 7198
wireguard_0.0.20180731-2_amd64.buildinfo
Files:
28d269704bade56df64a4913f55a295d 1508 net optional wireguard_0.0.20180731-2.dsc
f00834498a9c4cfeba2b8eb163d78230 23620 net optional
wireguard_0.0.20180731-2.debian.tar.xz
f3b29500357cac83990154967c02d482 7198 net optional
wireguard_0.0.20180731-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQTTaP514aqS9uSbmdJsHx7ezFD6UwUCW2DcXwAKCRBsHx7ezFD6
U5AjAP9omKT4Z1W/4+hs8a5i6YeEO05i1bHqymSFOQipwASljwEAyxej6PugSUaB
B4iR8IlV3FDl4X5RJaXwXTzRpFIdkwE=
=lg7Y
-----END PGP SIGNATURE-----
--- End Message ---