Debian Bug report logs -
#746758
ldnsutils: CVE-2014-3209: ldns-keygen creates private key world readable
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, unknown-package@qa.debian.org:
Bug#746758; Package src:ldnsutils.
(Sat, 03 May 2014 10:45:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonas Smedegaard <dr@jones.dk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, unknown-package@qa.debian.org.
(Sat, 03 May 2014 10:45:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: ldnsutils
Severity: important
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
The ldns-keygen tool creates a keypair, one of which should be kept
private. The tool apparently use default access rights for all files,
leading to the private key being created world readable.
- Jonas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQF8BAEBCgBmBQJTZMh7XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ3NjQ4ODQwMTIyRTJDNTBFQzUxRDQwRTI0
RUMxQjcyMjM3NEY5QkQ2AAoJEE7BtyI3T5vW+QgIAJdT1+2r/0fOHcL1DXn/JkF+
EccUvBXSNjhnxmWJdmYGwosKzZt6aL4S1vxZPaBvhnINTAy0uDmjt3Ct75nft9GC
1hwYJl3IZRbmmHFadK5a1xKizD/NTz/ndB+fIbR+QjvYdmsUItWKL9226alzrheA
bCDI3RnFFeDFjjGVrxkCXEG59G5ZlWZrD95KhXVcxhM5B6qMZbgM/qU2Pis2eH18
3cz40jPTDAsw238Bvom86d9jX9n/NUJ2xS1GBAxdSt083VuwTivr0cVkE/lbvuA7
FLJiq/gfJXGOE42xXvtmTvsHAsZY8olF4vUSzmfkDODW78bpvzbRIgavxLRGUO8=
=PU+Q
-----END PGP SIGNATURE-----
Marked as found in versions ldnsutils/1.6.6-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 03 May 2014 15:09:14 GMT) (full text, mbox, link).
Bug reassigned from package 'src:ldnsutils' to 'src:ldns'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 03 May 2014 15:24:04 GMT) (full text, mbox, link).
No longer marked as found in versions ldnsutils/1.6.6-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 03 May 2014 15:24:05 GMT) (full text, mbox, link).
Marked as found in versions ldns/1.6.6-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 03 May 2014 15:24:06 GMT) (full text, mbox, link).
Changed Bug title to 'ldnsutils: ldns-keygen creates private key world readable' from 'ldnsutils: ldsn-keygen creates private key world readable'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 03 May 2014 15:27:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#746758; Package src:ldns.
(Sun, 04 May 2014 13:21:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Leon Weber <leon@leonweber.de>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>.
(Sun, 04 May 2014 13:21:08 GMT) (full text, mbox, link).
Message #20 received at 746758@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Upstream bug: <https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573>
-- Leon.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#746758; Package src:ldns.
(Mon, 05 May 2014 04:57:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>.
(Mon, 05 May 2014 04:57:04 GMT) (full text, mbox, link).
Message #27 received at 746758@bugs.debian.org (full text, mbox, reply):
Control: retitle 746758 ldnsutils: CVE-2014-3209: ldns-keygen creates private key world readable
Hi,
On Sun, May 04, 2014 at 03:12:42PM +0200, Leon Weber wrote:
> Upstream bug: <https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573>
A CVE was assigned now for this issue: CVE-2014-3209 (please include
this for reference in your changelog when fixing the issue).
Regards,
Salvatore
Changed Bug title to 'ldnsutils: CVE-2014-3209: ldns-keygen creates private key world readable' from 'ldnsutils: ldns-keygen creates private key world readable'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 746758-submit@bugs.debian.org.
(Mon, 05 May 2014 04:57:04 GMT) (full text, mbox, link).
Message sent on
to Jonas Smedegaard <dr@jones.dk>:
Bug#746758.
(Mon, 05 May 2014 04:57:11 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#746758; Package src:ldns.
(Fri, 16 May 2014 01:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Leon Weber <leon@leonweber.de>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>.
(Fri, 16 May 2014 01:03:04 GMT) (full text, mbox, link).
Message #37 received at 746758@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 05.05.2014 06:52:30, Salvatore Bonaccorso wrote:
> A CVE was assigned now for this issue: CVE-2014-3209 (please include
> this for reference in your changelog when fixing the issue).
Upstream commited a patch for this issue: <http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=169f38c1e25750f935838b670871056428977e6b>
-- Leon.
[signature.asc (application/pgp-signature, inline)]
Information stored
:
Bug#746758; Package src:ldns.
(Fri, 16 May 2014 01:09:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Leon Weber <leon@leonweber.de>:
Extra info received and filed, but not forwarded.
(Fri, 16 May 2014 01:09:05 GMT) (full text, mbox, link).
Message sent on
to Jonas Smedegaard <dr@jones.dk>:
Bug#746758.
(Fri, 16 May 2014 01:09:08 GMT) (full text, mbox, link).
Reply sent
to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility.
(Mon, 16 Jun 2014 11:24:05 GMT) (full text, mbox, link).
Notification sent
to Jonas Smedegaard <dr@jones.dk>:
Bug acknowledged by developer.
(Mon, 16 Jun 2014 11:24:05 GMT) (full text, mbox, link).
Message #50 received at 746758-close@bugs.debian.org (full text, mbox, reply):
Source: ldns
Source-Version: 1.6.17-4
We believe that the bug you reported is fixed in the latest version of
ldns, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 746758@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated ldns package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 16 Jun 2014 11:40:18 +0200
Source: ldns
Binary: libldns1 libldns1-dbg libldns-dev ldnsutils python-ldns
Architecture: source amd64
Version: 1.6.17-4
Distribution: unstable
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
ldnsutils - ldns library for DNS programming
libldns-dev - ldns library for DNS programming
libldns1 - ldns library for DNS programming
libldns1-dbg - ldns library for DNS programming (debug symbols)
python-ldns - Python bindings for the ldns library for DNS programming
Closes: 746758
Changes:
ldns (1.6.17-4) unstable; urgency=high
.
* [CVE-2014-3209]: fix ldns-keygen writing private DNSKEYs with default
umask (Closes: #746758)
Checksums-Sha1:
ec5dc314e871ac74c5a4cd2730dc4e9fcea4a2b9 2144 ldns_1.6.17-4.dsc
788fca5eba45b660d4c002288f132759cc613574 13088 ldns_1.6.17-4.debian.tar.xz
f6ee5dee692e081fedf9fa65fceb7d6365830314 153596 libldns1_1.6.17-4_amd64.deb
e92eb468c61a158c91bdb6b57a90f8e86d8802f7 270814 libldns1-dbg_1.6.17-4_amd64.deb
c9b1bf699c5e9b8c609fc40838e533edafeb9dd5 308538 libldns-dev_1.6.17-4_amd64.deb
6023b8025a433d791f0899e50f14538fa002f181 140728 ldnsutils_1.6.17-4_amd64.deb
1043d941909573bc9eea0adfad5449d1118f467f 179812 python-ldns_1.6.17-4_amd64.deb
Checksums-Sha256:
32caf94f6a93d26d71acf2f94a5fb77787136f6087d6297a07738e2213e903f0 2144 ldns_1.6.17-4.dsc
4d03f17721b5fc424e89c0948c4d8947b9c9a3f93f9a52e2f2b808435275e2f8 13088 ldns_1.6.17-4.debian.tar.xz
669b51860ac04544ffdc7eb0d252945882981ccbb4b4bff42322d35ef1a9b892 153596 libldns1_1.6.17-4_amd64.deb
8b7db6b78d70905bd17392bd462ed5d3feb85df8045d1d9bcc3e259af6047b5f 270814 libldns1-dbg_1.6.17-4_amd64.deb
469c972e17caaffc69e76f633ee4910f0c1d8b324d0025a0a64918427acd6fa2 308538 libldns-dev_1.6.17-4_amd64.deb
425c614b0446edc147b2afc4da0c5e455569fc96ffb0378cc45ba111e3ac3329 140728 ldnsutils_1.6.17-4_amd64.deb
5e59b4b0b161b42af3b03aa1390a0a1518e4ae3e6212b82930b1a3cd81c439f2 179812 python-ldns_1.6.17-4_amd64.deb
Files:
fe37214fbd3bee26b36795f6994507a1 153596 libs extra libldns1_1.6.17-4_amd64.deb
d1a9ea81f13971b1b8d3a1180e8540ab 270814 debug extra libldns1-dbg_1.6.17-4_amd64.deb
917f077fa6cb92f720fb5343a5e9f0a3 308538 libdevel extra libldns-dev_1.6.17-4_amd64.deb
b78d269d2c7c22aaa7ce381e8bae00e8 140728 net extra ldnsutils_1.6.17-4_amd64.deb
0755dbcdeb752b67d6c58b067f93f390 179812 python extra python-ldns_1.6.17-4_amd64.deb
de126754f9cb8bf77dc6b9cab62fdd32 2144 net extra ldns_1.6.17-4.dsc
53eb32ba3a8e11fe4b4475a039acbf0d 13088 net extra ldns_1.6.17-4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJTns2xAAoJEAyZtw70/LsH+ssP/i0+Bo9PHsbNQRIO3CBO9IU/
+fwDme56orDhL3IwGt19R65FfjHw2RzUsiiuhpRIVlRDhTLV9w9M6TwI3vgn5t5j
R1ArDADfRCCjxPZGjylrJYtucIUiaUu6W7NAOte/jeYJrwmqrN5jKw0Os/Ziu9gj
a96SYr1IK+bX339RVy63eWSEwr9zmjTf9ZmVNSWFdMaB70p39koa5B4/GCHd8jbx
2JKeaun+OA9/bVt3GSM2nfB4UjZ3i5koOaV9YLWLaC1T5BqrF8LRTNGeNannK5Zj
n7DneKXmQaIqtv3B4+eNu1VJp+L1OV9zX3zmVWgpqd5A/yzdYuk0KkNm86X1UD7O
5LBcCIJnnD/1rHNgm2WDSnDhjRtC2SgsxI9V976IbgptmP1zWQYGGuAJIwuzVcH/
MOkObWaHTCYF1I7kiJCzP4X7jh9dJ8yQlrzowkm5q2PSIsOCyJSBPFVO51nYMMKs
0eqsCBO/MGef0wGu9tFY0NQFES5rNjRp3X3sZmgmda53qWtqlNFDN/vyeVl9XwL8
CgnNIIBHE9IcskeLUjSw9j5dngHEWkQCyjakwp4k9c8iScf09yqCZklnJsRrIZJ8
ys+1LsifH2avIoVoxZADbZZxm1JlZwjjXzgNxoiopUGstxljwm18VaRIWVC9SySP
SsSz3mgv2fNwNtRUc4Il
=Mq+3
-----END PGP SIGNATURE-----
Reply sent
to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility.
(Sat, 21 Jun 2014 18:33:14 GMT) (full text, mbox, link).
Notification sent
to Jonas Smedegaard <dr@jones.dk>:
Bug acknowledged by developer.
(Sat, 21 Jun 2014 18:33:14 GMT) (full text, mbox, link).
Message #55 received at 746758-close@bugs.debian.org (full text, mbox, reply):
Source: ldns
Source-Version: 1.6.13-1+deb7u1
We believe that the bug you reported is fixed in the latest version of
ldns, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 746758@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated ldns package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 13 Jun 2014 11:06:52 +0200
Source: ldns
Binary: libldns1 libldns1-dbg libldns-dev ldnsutils python-ldns
Architecture: source amd64
Version: 1.6.13-1+deb7u1
Distribution: wheezy
Urgency: medium
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
ldnsutils - ldns library for DNS programming
libldns-dev - ldns library for DNS programming
libldns1 - ldns library for DNS programming
libldns1-dbg - ldns library for DNS programming (debug symbols)
python-ldns - Python bindings for the ldns library for DNS programming
Closes: 746758
Changes:
ldns (1.6.13-1+deb7u1) wheezy; urgency=medium
.
* [CVE-2014-3209]: fix ldns-keygen writing private DNSKEYs with default
umask (Closes: #746758)
Checksums-Sha1:
cba655bcb503a51419b78a7d7ac4f3006a85a38e 2156 ldns_1.6.13-1+deb7u1.dsc
900e87ec46d0c2031074a80c884a217329ffa8e2 13660 ldns_1.6.13-1+deb7u1.debian.tar.gz
d80ce04c37e2cb67a1b65772a94a5ca19a84ee8b 167112 libldns1_1.6.13-1+deb7u1_amd64.deb
a7d53ebc25433d7b3093722b26379a0211bab299 349548 libldns1-dbg_1.6.13-1+deb7u1_amd64.deb
d069b6c28b8e116fb65a20c7bdfe568370851966 599868 libldns-dev_1.6.13-1+deb7u1_amd64.deb
e4d7b4f9ebcae3e3b87235ff2dee1f6432f2b7d0 173264 ldnsutils_1.6.13-1+deb7u1_amd64.deb
2adc30dab7212ca70724d83d9abe30de2fabd569 425526 python-ldns_1.6.13-1+deb7u1_amd64.deb
Checksums-Sha256:
c338ba37cdb1087d88b6e49882e17d501d9a714790a4ad98d6cea0523665a9a9 2156 ldns_1.6.13-1+deb7u1.dsc
8f9c93455a806e5ee1f2f87dfe0bad4d27188f0b141a6c90f91a8acac2cca489 13660 ldns_1.6.13-1+deb7u1.debian.tar.gz
f23c1f858b8693338068ee436156db95c0e31f7424dd64b20e6acb6cdffdb139 167112 libldns1_1.6.13-1+deb7u1_amd64.deb
a55dff9594a0c3396996265be5c98894d118baf46bd739ed6f3cf351396532c3 349548 libldns1-dbg_1.6.13-1+deb7u1_amd64.deb
726e07ab8230a3a14026a3381e968da3de748f05085594ce67c48ba1b3f09aec 599868 libldns-dev_1.6.13-1+deb7u1_amd64.deb
a388a272acc252c9c66ab86fa94995d569a332068768c5a6648a8fb9a80475e8 173264 ldnsutils_1.6.13-1+deb7u1_amd64.deb
47b7f915cf2bb23f47f4e747115fb7d50c96611f285acbf2720e61a4f0c25692 425526 python-ldns_1.6.13-1+deb7u1_amd64.deb
Files:
1bcdfbdcdc4de0bc6f52f54688819c78 2156 net extra ldns_1.6.13-1+deb7u1.dsc
46f73a07d589e717c31ee4ef48f00e81 13660 net extra ldns_1.6.13-1+deb7u1.debian.tar.gz
451ef1cd8f58b2dc8b3ad51af7951418 167112 libs extra libldns1_1.6.13-1+deb7u1_amd64.deb
ce59db4474d05d1e87d06763ec7d0d93 349548 debug extra libldns1-dbg_1.6.13-1+deb7u1_amd64.deb
ee6351949ec7dc5718c867522480df31 599868 libdevel extra libldns-dev_1.6.13-1+deb7u1_amd64.deb
3cbe8b4ce565699494f567e1370da898 173264 net extra ldnsutils_1.6.13-1+deb7u1_amd64.deb
45f748a79a4ccfc160b73ccb9009b738 425526 python extra python-ldns_1.6.13-1+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJTotc9AAoJEAyZtw70/LsHJj8P/1sJdojuGB/7OYHdACv9l63/
kNJuq6vucDqbO05ogXUzE6w9HzaQHmZCBAuOf/DUa+x9Dlx26VhUuRCUoHXAJLHg
M51nKh+uh4MJ81EYYju8OuEg+g8YbsbILJoZYU56vz7y+r9cpRmS6FeBGmlWtgAK
DmduQLiYF+AklDCywFI6q9MZOm2pKcpqMFmzJKbYm+N3aRRsI08SaGJRFHF9gQhW
nK9WqWzqdqsCQ1cCdtdvwmRQ0XWgKzojbzdU5jjS05+DGQ26zQ8XYm9Kbth94uzn
aqmuz1JW8xWqAqlbsttYadorcjLkzsDqsN6j1273Nu+3dgUhEcsk4ab8Jrh+ClaO
HVUHeltRGtYDWa0b+GoqDR+6U8B1oFjt3tTAwA0/s+m5brFzHQRac5vqAPik+E/0
/le4LmJ9glnUuxR2WESzZIaQd8iYc9P526E9W1ipKCe7RlaaAXHqTDufTZ8qtAMo
8zPekgOJ5xayfOP9Hn1wRiu3y1A5z8i6he5/rv+8A6SM7clVrURw7xk/8/MWM64+
JpT0or2L/pH9eQanZj1cBgVINdGMFbjZpg2cYiymiTrXS4wLE4rHlVOpRDRUIhvS
2lyEYcnVVlDadOx73cmw/SNyMhSTsA2dH1nHszGxis8JtWalTnJkT/Gc4ltOyIwN
XSFDmLG2ABeWR5EqhbbV
=PTMm
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 14 Aug 2014 07:32:13 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:02:13 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon