[PATCH] Protect the generated key material by setting umask in keygen.sh
Ferenc Wagner
wferi at niif.hu
Fri Mar 5 16:52:33 UTC 2010
This is the upstream fix for https://bugs.internet2.edu/jira/browse/SSPCPP-106:
http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3231
---
configs/keygen.sh | 1 +
debian/changelog | 6 ++++++
2 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/configs/keygen.sh b/configs/keygen.sh
index 534516c..54f01b9 100755
--- a/configs/keygen.sh
+++ b/configs/keygen.sh
@@ -66,6 +66,7 @@ subjectAltName=$ALTNAME
subjectKeyIdentifier=hash
EOF
+umask 177
if [ -z "$BATCH" ] ; then
openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem
else
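Review bot: `umask 177` placed ahead of the `if [ -z "$BATCH" ]` branch applies to every file created from that point on, so the `sp-cert.pem` written by `-out` is created 0600 along with `sp-key.pem`, and the mask stays in effect for the rest of the script. A umask also only takes effect when a file is created: an `sp-key.pem` that already exists with a looser mode keeps that mode when it is truncated and rewritten. Consider following the openssl call with an explicit `chmod 600 sp-key.pem` (and `chmod 644 sp-cert.pem` if the certificate is meant to be readable by other users), or scoping the umask to the key generation in a subshell.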
diff --git a/debian/changelog b/debian/changelog
index c6a8516..2ca03e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+shibboleth-sp2 (2.0.dfsg1-4+lenny3) stable-security; urgency=high
+
+ * SECURITY: Fix permissions of generated keys. (Closes: #571631)
+
+ -- Ferenc Wagner <wferi at niif.hu> Fri, 05 Mar 2010 17:53:43 +0100
+
shibboleth-sp2 (2.0.dfsg1-4+lenny2) stable-security; urgency=high
* SECURITY: Partial fix for improper handling of URLs that could be
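Review bot: the new entry's "Fix permissions of generated keys" does not say that the fix only covers keys generated after the upgrade. This patch touches only `configs/keygen.sh` and the changelog, so key files created by earlier versions keep whatever mode they were written with. State that in the entry and tell administrators to check and tighten the mode of existing `sp-key.pem` files, or handle it in a maintainer script.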