Detections
Analytics

GLSA-200803-30 : ssl-cert eclass: Certificate disclosure

low Nessus Plugin ID 31636

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200803-30 (ssl-cert eclass: Certificate disclosure)

 Robin Johnson reported that the docert() function provided by ssl-cert.eclass can be called by source building stages of an ebuild, such as src_compile() or src_install(), which will result in the generated SSL keys being included inside binary packages (binpkgs).
 Impact :

 A local attacker could recover the SSL keys from publicly readable binary packages when 'emerge' is called with the '--buildpkg (-b)' or '--buildpkgonly (-B)' option. Remote attackers can recover these keys if the packages are served to a network. Binary packages built using 'quickpkg' are not affected.
 Workaround :

 Do not use pre-generated SSL keys, but use keys that were generated using a different Certificate Authority.

Solution

Upgrading to newer versions of the above packages will neither remove possibly compromised SSL certificates, nor old binary packages. Please remove the certificates installed by Portage, and then emerge an upgrade to the package.
 All Conserver users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=app-admin/conserver-8.1.16' All Postfix 2.4 users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.4.6-r2' All Postfix 2.3 users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.3.8-r1' All Postfix 2.2 users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.2.11-r1' All Netkit FTP Server users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=net-ftp/netkit-ftpd-0.17-r7' All ejabberd users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=net-im/ejabberd-1.1.3' All UnrealIRCd users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=net-irc/unrealircd-3.2.7-r2' All Cyrus IMAP Server users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=net-mail/cyrus-imapd-2.3.9-r1' All Dovecot users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=net-mail/dovecot-1.0.10' All stunnel 4 users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=net-misc/stunnel-4.21' All InterNetNews users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=net-nntp/inn-2.4.3-r1'

See Also

https://security.gentoo.org/glsa/200803-30

Plugin Details

Severity: Low

ID: 31636

File Name: gentoo_GLSA-200803-30.nasl

Version: 1.16

Type: local

Published: 3/21/2008

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 1.9

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:conserver, p-cpe:/a:gentoo:linux:cyrus-imapd, p-cpe:/a:gentoo:linux:dovecot, p-cpe:/a:gentoo:linux:ejabberd, p-cpe:/a:gentoo:linux:inn, p-cpe:/a:gentoo:linux:netkit-ftpd, p-cpe:/a:gentoo:linux:postfix, p-cpe:/a:gentoo:linux:stunnel, p-cpe:/a:gentoo:linux:unrealircd, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 3/20/2008

Reference Information

CVE: CVE-2008-1383

CWE: 310

GLSA: 200803-30