Bug#671063: proftpd-basic: should renew dhparams.pem file (last updated on 2008-09-07)

Jonas Smedegaard dr at jones.dk
Tue May 1 15:53:31 UTC 2012


Package: proftpd-basic
Severity: grave
Tags: security
Justification: user security hole

proftpd-basic ships with a file /etc/proftpd/dhparams.pem with the
following header text:

# Note that these DH parameters should be refreshed every so often (e.g.
# every few years).  These parameters were last updated on 2008-09-07.

Seems to me that "few years" have gone by now, and will be long gone by
the end of the supported lifecycle of a stable Debian release.

I understand that the parameters are CPU-hungry to generate (I am trying
right now on a virtual server and am only halfway through after an hour),
so it makes sense not to generate them at install time, and probably not at
every build either.  I therefore suggest not installing the upstream
provided file but one shipped with the Debian packaging, providing a
custom build target to regenerate that file, and having the normal build
routines check the embedded timestamp and fail if it is more than one year
old.


Regards,

 - Jonas
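The build-time guard and regeneration target the report proposes, as an added example that is not part of the bug report, the proftpd sources, or the Debian packaging. It assumes the "last updated on YYYY-MM-DD" comment format shown above, a one-year limit (`MAX_AGE_DAYS`, an assumed value), and 2048-bit parameters from `openssl dhparam`; the function names and the `dhparams.pem` path argument are illustrative choices. The date arithmetic is done in POSIX shell so the check does not depend on GNU `date -d`.

```sh
#!/bin/sh
# Added example (not from the bug report or the proftpd package): fail a build
# when the stamp embedded in dhparams.pem is older than MAX_AGE_DAYS, and
# regenerate the file only when explicitly asked to.

# Assumed policy: parameters older than one year fail the check.
MAX_AGE_DAYS=365

# Print the YYYY-MM-DD from the "last updated on ..." comment in file $1,
# or nothing if the file carries no such stamp.
dhparams_stamp() {
  sed -n 's/.*last updated on \([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p' "$1" | head -n 1
}

# Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's
# days_from_civil), using only POSIX integer arithmetic.
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# Split an ISO date and strip leading zeros so "09" is not read as octal.
iso_to_days() {
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
  days_from_civil "$y" "${m#0}" "${d#0}"
}

# Age in days of the stamp in file $1 relative to $2 (YYYY-MM-DD) or, when
# $2 is omitted, the current UTC date.  Exit 2 when no stamp is present.
dhparams_age_days() {
  stamp=$(dhparams_stamp "$1")
  [ -n "$stamp" ] || return 2
  today=${2:-$(date -u +%Y-%m-%d)}
  echo $(( $(iso_to_days "$today") - $(iso_to_days "$stamp") ))
}

# Build guard: exit 0 when the stamp is at most MAX_AGE_DAYS old, 1 when it
# is older, 2 when the file has no stamp at all.
check_dhparams_age() {
  age=$(dhparams_age_days "$1" "$2") || return 2
  [ "$age" -le "$MAX_AGE_DAYS" ]
}

# Regeneration target: write fresh 2048-bit parameters to $1 with a new stamp.
# This is the slow step the report describes, so it is never run implicitly.
regenerate_dhparams() {
  {
    printf '# Note that these DH parameters should be refreshed every so often (e.g.\n'
    printf '# every few years).  These parameters were last updated on %s.\n' \
      "$(date -u +%Y-%m-%d)"
    openssl dhparam 2048
  } > "$1"
}

# Usage in a build rule:
#   check_dhparams_age debian/dhparams.pem || { echo "dhparams.pem too old" >&2; exit 1; }
# Usage in the explicit refresh target:
#   regenerate_dhparams debian/dhparams.pem
```

The check intentionally distinguishes "too old" (exit 1) from "no stamp found" (exit 2), so a build rule can treat a file that lost its header as a failure rather than silently passing it.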
