Bug#619439: Please do _not_ distribute gnutls-params in the package

Klaus Ethgen Klaus at Ethgen.de
Wed Mar 23 21:56:47 UTC 2011


Package: exim4-base
Version: 4.74-2
Severity: grave

The file /var/spool/exim4/gnutls-params can be found in exim4-base. This
file is of security relevance for the TLS sessions of exim. So this file
must not be shared between different installations and must not be readable
by anyone other than exim itself.

If the file does not exist it will be created by exim4 (it can be
pre-created by postinst, but this is not needed; see [0]).

I am sending this report from a sid system, but it is also, and more importantly,
relevant for the stable version 4.72-6! I do not know when this file
went into the package, but as the file date is 2008-07-19 that must have been
long ago and it is even an issue for the old-stable!

To say it again, this is a heavy security issue in exim4!

Regards
   Klaus Ethgen
-- 
Klaus Ethgen                            http://www.ethgen.ch/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus at Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
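A defender-side check for the two conditions the report describes, added here as an example (it is not part of the bug report or of the exim4 packaging): it verifies that a Diffie-Hellman parameter file is private to its owner and is not the unmodified copy shipped by the package. It assumes GNU coreutils (`stat -c`, `md5sum`) and Debian's dpkg md5sums location; the path, expected owner, package name and md5sums file are parameters so the function can also be run against a test file.

```shell
#!/bin/sh
# Added example, not the bug report's or the exim4 package's own code.
# Assumes GNU coreutils and a dpkg md5sums list of the form "<md5>  <path>".
#
# Returns 0 when the file is private to the expected owner and differs from
# the copy shipped by the package; prints a reason and returns 1 otherwise.
check_dh_params() {
    path=$1                    # e.g. /var/spool/exim4/gnutls-params
    owner=$2                   # e.g. Debian-exim
    pkg=${3:-exim4-base}
    md5list=${4:-/var/lib/dpkg/info/$pkg.md5sums}

    if [ ! -f "$path" ]; then
        echo "$path: missing (exim generates it on first TLS use)"
        return 1
    fi

    mode=$(stat -c '%a' "$path")
    file_owner=$(stat -c '%U' "$path")
    # The last two octal digits are the group and other bits; anything but
    # "00" means someone other than the owner can read or modify the file.
    case "$mode" in
        *00) ;;
        *) echo "$path: mode $mode is accessible by group/other"; return 1 ;;
    esac
    if [ "$file_owner" != "$owner" ]; then
        echo "$path: owned by $file_owner, expected $owner"
        return 1
    fi

    # If the package's md5sums list still matches the file, every host that
    # installed this package shares the same parameters.
    if [ -r "$md5list" ]; then
        rel=${path#/}
        shipped=$(grep " $rel\$" "$md5list" | cut -d' ' -f1)
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ -n "$shipped" ] && [ "$shipped" = "$actual" ]; then
            echo "$path: identical to the copy shipped in $pkg"
            return 1
        fi
    fi
    return 0
}
```

On a live system, `check_dh_params /var/spool/exim4/gnutls-params Debian-exim` reports the first failing condition; a non-zero return means the file should be regenerated with restrictive permissions rather than reused.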