[Pkg-apache-commits] r1092 - in /trunk/ssl-cert/debian: changelog control dirs postinst postrm rules ssl-cert.lintian-overrides
sf at alioth.debian.org
sf at alioth.debian.org
Sun Nov 8 11:05:17 UTC 2009
Author: sf
Date: Sun Nov 8 11:05:16 2009
New Revision: 1092
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1092
Log:
* Fix purging in case the snakeoil ssl key has been removed manually.
Closes: #555042
* Use dpkg-statoverride for changing the group of /etc/ssl/private.
* Downgrade dependency on openssl-blacklist to a suggests. All vulnerable
keys should be upgraded by now.
Modified:
trunk/ssl-cert/debian/changelog
trunk/ssl-cert/debian/control
trunk/ssl-cert/debian/dirs
trunk/ssl-cert/debian/postinst
trunk/ssl-cert/debian/postrm
trunk/ssl-cert/debian/rules
trunk/ssl-cert/debian/ssl-cert.lintian-overrides
Modified: trunk/ssl-cert/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/ssl-cert/debian/changelog?rev=1092&op=diff
==============================================================================
--- trunk/ssl-cert/debian/changelog (original)
+++ trunk/ssl-cert/debian/changelog Sun Nov 8 11:05:16 2009
@@ -1,3 +1,13 @@
+ssl-cert (1.0.25) UNRELEASED; urgency=low
+
+ * Fix purging in case the snakeoil ssl key has been removed manually.
+ Closes: #555042
+ * Use dpkg-statoverride for changing the group of /etc/ssl/private.
+ * Downgrade dependency on openssl-blacklist to a suggests. All vulnerable
+ keys should be upgraded by now.
+
+ -- Stefan Fritsch <sf at debian.org> Sun, 08 Nov 2009 11:47:27 +0100
+
ssl-cert (1.0.24) unstable; urgency=low
* Print error message if debconf fails. Closes: #288045
Modified: trunk/ssl-cert/debian/control
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/ssl-cert/debian/control?rev=1092&op=diff
==============================================================================
--- trunk/ssl-cert/debian/control (original)
+++ trunk/ssl-cert/debian/control Sun Nov 8 11:05:16 2009
@@ -10,7 +10,8 @@
Package: ssl-cert
Architecture: all
-Depends: ${misc:Depends}, openssl (>= 0.9.8g-9), adduser, openssl-blacklist
+Depends: ${misc:Depends}, openssl (>= 0.9.8g-9), adduser
+Suggests: openssl-blacklist
Description: simple debconf wrapper for OpenSSL
This package enables unattended installs of packages that
need to create SSL certificates.
Modified: trunk/ssl-cert/debian/dirs
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/ssl-cert/debian/dirs?rev=1092&op=diff
==============================================================================
--- trunk/ssl-cert/debian/dirs (original)
+++ trunk/ssl-cert/debian/dirs Sun Nov 8 11:05:16 2009
@@ -1,3 +1,4 @@
usr/sbin
usr/share/lintian/overrides
usr/share/ssl-cert
+etc/ssl/private
Modified: trunk/ssl-cert/debian/postinst
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/ssl-cert/debian/postinst?rev=1092&op=diff
==============================================================================
--- trunk/ssl-cert/debian/postinst (original)
+++ trunk/ssl-cert/debian/postinst Sun Nov 8 11:05:16 2009
@@ -15,7 +15,7 @@
# Check if the generated snakeoil key/cert has been generated
# from a vulnerable openssl version and replace it if necessary.
-if [ -n "$2" ] ; then
+if [ -x /usr/bin/openssl-vulnkey -a -n "$2" ] ; then
check_key=""
check_vuln_version 0 "$2" 1.0.13-0ubuntu0.7.04.1
check_vuln_version 1.0.13-1 "$2" 1.0.14-0ubuntu0.7.10.1
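Review bot: The new guard on the `if` line skips the whole weak-key check without any message when /usr/bin/openssl-vulnkey is not installed, which becomes possible now that openssl-blacklist is only a Suggests. A system upgrading from one of the version ranges listed below could then keep a weak snakeoil key unnoticed. Consider a warning on stderr for that case, e.g. `[ -n "$2" ] && [ ! -x /usr/bin/openssl-vulnkey ] && echo "ssl-cert: openssl-vulnkey not found, snakeoil key not checked" >&2`. Separately, `[ A -a B ]` is marked obsolescent by POSIX, and `[ -x /usr/bin/openssl-vulnkey ] && [ -n "$2" ]` is the unambiguous form. The body of this `if` continues outside the hunk.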
@@ -47,9 +47,11 @@
# it will exit 0.
make-ssl-cert generate-default-snakeoil
-# Make sure the permissions on /etc/ssl/private are okay:
-chgrp ssl-cert /etc/ssl/private
-chmod g+x /etc/ssl/private
+# allow group ssl-cert to access /etc/ssl/private
+if ! dpkg-statoverride --list /etc/ssl/private >/dev/null 2>&1
+then
+ dpkg-statoverride --update --add root ssl-cert 710 /etc/ssl/private
+fi
# If we're upgrading from an older version, fix the unreadable key:
if dpkg --compare-versions "$2" lt 1.0.12; then
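Review bot: The comment above the new `dpkg-statoverride` block does not say that an existing override for /etc/ssl/private is deliberately left untouched, so a mode the admin set locally survives upgrades even when it denies the ssl-cert group access. I would replace it with `# Register root:ssl-cert 0710 (group may traverse, not list) unless an override already exists; a local override is kept as is.` The `--add` call presumably relies on the ssl-cert group having been created earlier in postinst, outside this hunk. That is worth confirming, since dpkg-statoverride refuses an unknown group and the script would abort there.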
Modified: trunk/ssl-cert/debian/postrm
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/ssl-cert/debian/postrm?rev=1092&op=diff
==============================================================================
--- trunk/ssl-cert/debian/postrm (original)
+++ trunk/ssl-cert/debian/postrm Sun Nov 8 11:05:16 2009
@@ -1,16 +1,19 @@
#!/bin/sh -e
-
-# We're being removed; change this back
-chgrp root /etc/ssl/private
-chmod g-x /etc/ssl/private
if [ "$1" = purge ] ; then
rm -f /etc/ssl/certs/ssl-cert-snakeoil.pem \
/etc/ssl/certs/ssl-cert-snakeoil.pem.broken \
/etc/ssl/private/ssl-cert-snakeoil.key \
/etc/ssl/private/ssl-cert-snakeoil.key.broken
- rmdir /etc/ssl/private 2>/dev/null || true
- rmdir /etc/ssl 2>/dev/null || true
+ if dpkg-statoverride --list /etc/ssl/private 2>&1 | grep -q "root ssl-cert 710"
+ then
+ dpkg-statoverride --remove /etc/ssl/private
+ # /etc/ssl/private is also in package openssl, change permissions back
+ if [ -e /etc/ssl/private ] ; then
+ chgrp root /etc/ssl/private
+ chmod 700 /etc/ssl/private
+ fi
+ fi
fi
#DEBHELPER#
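Review bot: On a plain `remove` the directory now keeps group ssl-cert, mode 710 and its registered override, because the reset moved inside the `purge` branch, whereas the removed lines reset it on every postrm call. If that is intended because the snakeoil key stays on disk until purge, a comment such as `# keep the override on remove: the key is still present until purge` would record the decision. The purge branch removes the override only when the listing contains `root ssl-cert 710`, so an override the admin has changed is left in place. That choice also deserves a one-line comment next to the `grep -q`.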
Modified: trunk/ssl-cert/debian/rules
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/ssl-cert/debian/rules?rev=1092&op=diff
==============================================================================
--- trunk/ssl-cert/debian/rules (original)
+++ trunk/ssl-cert/debian/rules Sun Nov 8 11:05:16 2009
@@ -20,6 +20,7 @@
dh_testroot
dh_compress
dh_fixperms
+ chmod 700 debian/ssl-cert/etc/ssl/private
dh_installdebconf
dh_installdeb
dh_gencontrol
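Review bot: The added `chmod 700` has to run after `dh_fixperms`, which normalises directory modes, but nothing in the rule says so; a later reordering would ship /etc/ssl/private with the default mode without any error. A comment above the line, `# must stay after dh_fixperms, which would reset the directory mode`, would protect the ordering. The mode shipped here (700) is widened to 710 by the statoverride in postinst, so the two files need to be kept in step. The target continues outside the hunk.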
Modified: trunk/ssl-cert/debian/ssl-cert.lintian-overrides
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/ssl-cert/debian/ssl-cert.lintian-overrides?rev=1092&op=diff
==============================================================================
--- trunk/ssl-cert/debian/ssl-cert.lintian-overrides (original)
+++ trunk/ssl-cert/debian/ssl-cert.lintian-overrides Sun Nov 8 11:05:16 2009
@@ -1,3 +1,4 @@
ssl-cert: no-debconf-config
ssl-cert: debconf-is-not-a-registry
ssl-cert: postinst-uses-db-input
+ssl-cert: non-standard-dir-perm etc/ssl/private/ 0700 != 0755