Bug#414482: dtc-xen: insecure file creation in postinst

2007-03-12 Thread Julien Cristau
On Mon, Mar 12, 2007 at 14:38:02 +0800, Thomas Goirand wrote: Julien Cristau wrote: Package: dtc-xen Version: 0.2.6-5 Severity: serious Tags: security Hi, dtc-xen creates files in /etc/dtc-xen in its postinst, in particular ssl private keys, and only after that chmods them.

Bug#414482: dtc-xen: insecure file creation in postinst

2007-03-12 Thread Thomas Goirand
Julien Cristau wrote: right, shipping ssl private keys in the package, that sounds like a good idea... not. No, my idea was to put a blank file in the package so it had the correct rights from the beginning, but I knew there would have been some problems as it would have been marked conffile.

Bug#414482: dtc-xen: insecure file creation in postinst

2007-03-11 Thread Julien Cristau
Package: dtc-xen Version: 0.2.6-5 Severity: serious Tags: security Hi, dtc-xen creates files in /etc/dtc-xen in its postinst, in particular ssl private keys, and only after that chmods them. This means that there is a race condition which makes these files readable by anyone. Cheers, Julien
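The race the report describes, as an added example that is not code from the dtc-xen package: the create-then-chmod pattern next to the umask-first fix, with a hook (record_mode, constructed here) that looks at the file at the moment it first exists, the way any other local process could.

```shell
#!/bin/sh
# Added example illustrating Bug#414482; not code from the dtc-xen package.
# The key contents, the record_mode hook and the temp paths are constructed.

FAKE_KEY='-----BEGIN PRIVATE KEY----- (constructed placeholder) -----END PRIVATE KEY-----'

# Vulnerable pattern from the report: the file is created under the postinst's
# umask (0644 with the usual 022) and only then restricted. Between the two
# commands any local user can read the key; $ON_CREATE stands in for that
# other process by inspecting the file at exactly that point.
write_key_racy() {
    printf '%s\n' "$FAKE_KEY" > "$1"
    "$ON_CREATE" "$1"
    chmod 600 "$1"
}

# Fixed pattern: tighten the umask in a subshell before the redirection opens
# the file, so it is 0600 from the instant it exists and no later chmod is needed.
write_key_safe() {
    ( umask 077; printf '%s\n' "$FAKE_KEY" > "$1" )
    "$ON_CREATE" "$1"
}

# Hook run when the file first exists: records whether the world-read bit
# (o+r, octal 004) is set. "find -perm -004" is POSIX and prints the path if so.
record_mode() {
    if [ -n "$(find "$1" -perm -004)" ]; then WINDOW=exposed; else WINDOW=protected; fi
}

# Runs one creation strategy under umask 022 and returns "exposed" if the key
# was world-readable at any point, "protected" otherwise.
window_for() {
    tmp=$(mktemp -d) || return 1
    old_umask=$(umask)
    umask 022                      # the default most maintainer scripts run under
    WINDOW=unknown
    ON_CREATE=record_mode
    "$1" "$tmp/key.pem"
    umask "$old_umask"
    rm -rf "$tmp"
    echo "$WINDOW"
}

echo "create-then-chmod: $(window_for write_key_racy)"   # exposed
echo "umask 077 first:   $(window_for write_key_safe)"   # protected
```

The same result is obtained with `install -m 600` or by writing the key into a directory that is already mode 0700; what matters is that no instant exists in which the file is readable by others.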

Bug#414482: dtc-xen: insecure file creation in postinst

2007-03-11 Thread Thomas Goirand
Julien Cristau wrote: Package: dtc-xen Version: 0.2.6-5 Severity: serious Tags: security Hi, dtc-xen creates files in /etc/dtc-xen in its postinst, in particular ssl private keys, and only after that chmods them. This means that there is a