[Pkg-samba-maint] [samba] 06/13: Move world-readable private key file on upgrade
Ivo De Decker
idd-guest at moszumanska.debian.org
Sat Nov 23 07:09:49 UTC 2013
This is an automated email from the git hooks/post-receive script.
idd-guest pushed a commit to branch master
in repository samba.
commit ea3461ad995d34a0139676175c8fa88bc55c6187
Author: Ivo De Decker <ivo.dedecker at ugent.be>
Date: Mon Nov 11 15:24:04 2013 +0100
Move world-readable private key file on upgrade
---
debian/changelog | 2 ++
debian/samba.postinst | 16 ++++++++++++++++
2 files changed, 18 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ee97fc4..bb40199 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ samba (2:4.0.11+dfsg-1) UNRELEASED; urgency=high
- CVE-2013-4475: ACLs are not checked on opening an alternate data stream
on a file or directory
- CVE-2013-4476: Private key in key.pem world readable
+ * Move world-readable private key file on upgrade to allow
+ auto-regeneration.
* Update samba-libs.lintian-overrides for moved libtorture0.
-- Ivo De Decker <ivo.dedecker at ugent.be> Sat, 02 Nov 2013 11:51:28 +0100
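Review bot: the added changelog entry ("Move world-readable private key file on upgrade to allow auto-regeneration") does not tie the move to CVE-2013-4476 or say where the files go. The postinst in this commit moves every *pem file in /var/lib/samba/private/tls, not only key.pem, into a new subdirectory, so an administrator with locally installed certificates would not learn from the changelog that they were relocated. Suggest naming the CVE and the destination directory in the entry, and noting that all *pem files in that directory are moved.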
diff --git a/debian/samba.postinst b/debian/samba.postinst
index 8556508..60ae5a8 100644
--- a/debian/samba.postinst
+++ b/debian/samba.postinst
@@ -10,6 +10,22 @@ set -e
# them to be readable only by root.
umask 022
+if dpkg --compare-versions "$2" gt 2:4.0 &&
+ dpkg --compare-versions "$2" lt-nl 2:4.0.11+dfsg ; then
+ # CVE-2013-4475
+ KEYFILE=/var/lib/samba/private/tls/key.pem
+ if [ -e $KEYFILE ]
+ then
+ KEYPERMS=`stat -c %a $KEYFILE`
+ if [ "$KEYPERMS" != "600" ]
+ then
+ echo "moving world readable public key to /var/lib/samba/private/tls/CVE-2013-4475"
+ mkdir -m 700 /var/lib/samba/private/tls/CVE-2013-4475
+ mv -n /var/lib/samba/private/tls/*pem /var/lib/samba/private/tls/CVE-2013-4475
+ fi
+ fi
+fi
+
if dpkg --compare-versions "$2" lt-nl 2:3.6.15-2; then
if [ -e /etc/default/samba ]; then
# this config file's one setting is now obsolete; remove it
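Review bot: the comment "# CVE-2013-4475" and the destination directory /var/lib/samba/private/tls/CVE-2013-4475 name the wrong CVE. According to the changelog in this same commit, the world-readable key.pem is CVE-2013-4476, while CVE-2013-4475 is the alternate data stream ACL issue. Suggest using CVE-2013-4476 in the comment, the echo text and the mkdir/mv paths, and reusing one variable for the directory so the three cannot drift apart. The echo line also says "public key" although the file being handled is the private key. Two smaller points: the test "$KEYPERMS" != "600" also fires for modes that are stricter than 600 (for example 400), which is broader than the "world readable" wording, so checking the group/other bits would match the intent more closely; and because the script runs under set -e, "mkdir -m 700" without -p aborts the postinst if the directory already exists on a retried configure.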
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git