Bug#671063: proftpd-basic: should renew dhparams.pem file (last updated on 2008-09-07)
Jonas Smedegaard
dr at jones.dk
Tue May 1 15:53:31 UTC 2012
Package: proftpd-basic
Severity: grave
Tags: security
Justification: user security hole
proftpd-basic ships with a file /etc/proftpd/dhparams.pem with the
following header text:
# Note that these DH parameters should be refreshed every so often (e.g.
# every few years). These parameters were last updated on 2008-09-07.
Seems to me that "few years" have gone by now, and will be long gone by
the end of the supported lifecycle of a stable Debian release.
I understand that the parameters are CPU-hungry to generate (I am trying
right now on a virtual server and only half way through after an hour),
so makes sense to not generate at install time, and probably not at
every build either. I therefore suggest to not install the upstream
provided file but one shipped with the Debian packaging, provide a
custom build target to regenerate that file, and have the normal build
routines check the embedded timestamp and fail if more than one year
old.
Regards,
- Jonas
More information about the Pkg-proftpd-maintainers
mailing list