Hi,

From: Richard A Nelson <[EMAIL PROTECTED]>
Subject: Bug#368420: ftpd-ssl: RC abuse of /etc/ssl/certs
Date: Sun, 21 May 2006 19:09:45 -0700

> Package: ftpd-ssl
> Version: 0.17.18+0.3-5
> Severity: critical
> Justification: breaks unrelated software
>
> RC abuse of /etc/ssl/certs, rendering certificate validation
> inoperable.
>
> There are two problems with this package's use of /etc/ssl/certs:
>
> * Files in /etc/ssl/certs must be a+r
>   - GNUTLS reads files in /etc/ssl/certs, and will not verify a
>     remote certificate once it encounters an unreadable file in
>     /etc/ssl/certs.
>
>   - OPENSSL also must read files in /etc/ssl/certs, but seems to
>     be more forgiving of errors incurred in the process.
>
> * This package combines the key and cert into one file - which
>   of course means it can't be world readable... and therefore should
>   not be in /etc/ssl/certs. At least the key file should be in some
>   package private /etc/ directory - with the appropriate
>   permissions.
>
> You can still use a combined file, but it just needs to be
> elsewhere.
>
> I noticed this when I couldn't connect to my corporate LDAP servers
> using ldaps://, but the breakage is going to be further spread (likely any
> GNUTLS client app needing to look up certificate chains)

As there is no upstream support anymore, can you provide a simple patch for it?

Thanks,
Qian
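An added example, not part of the bug report or of the ftpd-ssl package: a shell audit for the two conditions the report describes (a file in the CA directory that is not world-readable, and a file that carries a private key). It runs against a constructed sample directory built by `make_sample_dir`, not the live /etc/ssl/certs; the function and file names are the example's own.

```shell
#!/bin/sh
# Audit a certificate directory the way a GnuTLS/OpenSSL client sees it.
# Prints one line per finding, returns 0 when clean and 1 otherwise.
audit_cert_dir() {
    dir="$1"
    problems=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Other-read bit (octal 004) missing: GnuTLS stops verifying
        # once it hits such a file while walking the directory.
        if [ -z "$(find "$f" -perm -004 -print)" ]; then
            echo "NOT WORLD-READABLE: $f"
            problems=$((problems + 1))
        fi
        # A PEM private key block does not belong in a public CA directory,
        # whatever its mode (the combined key+cert file from the report).
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            echo "CONTAINS PRIVATE KEY: $f"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Build a constructed sample directory (fake PEM bodies, not real keys):
#   ca.crt     644  plain certificate      -> clean
#   other.crt  640  certificate, no o+r    -> one finding
#   ftpd.pem   600  key and cert combined  -> two findings
make_sample_dir() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n' > "$d/ca.crt"
    chmod 644 "$d/ca.crt"
    cp "$d/ca.crt" "$d/other.crt"
    chmod 640 "$d/other.crt"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n' > "$d/ftpd.pem"
    cat "$d/ca.crt" >> "$d/ftpd.pem"
    chmod 600 "$d/ftpd.pem"
    echo "$d"
}

# Usage on a real system (read-only check): audit_cert_dir /etc/ssl/certs
```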