Gentoo Security Advisory GLSA 200803-30 (ssl-cert.eclass)

  1. Network Vulnerabilities
  2. Gentoo Local Security Checks
  3. Gentoo Security Advisory GLSA 200803-30 (ssl-cert.eclass)
Summary
The remote host is missing updates announced in advisory GLSA 200803-30.
Solution
Upgrading to newer versions of the above packages will neither remove possibly compromised SSL certificates, nor old binary packages. Please remove the certificates installed by Portage, and then emerge an upgrade to the package. All Conserver users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=app-admin/conserver-8.1.16' All Postfix 2.4 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.4.6-r2' All Postfix 2.3 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.3.8-r1' All Postfix 2.2 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.2.11-r1' All Netkit FTP Server users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-ftp/netkit-ftpd-0.17-r7' All ejabberd users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-im/ejabberd-1.1.3' All UnrealIRCd users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-irc/unrealircd-3.2.7-r2' All Cyrus IMAP Server users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-mail/cyrus-imapd-2.3.9-r1' All Dovecot users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-mail/dovecot-1.0.10' All stunnel 4 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-misc/stunnel-4.21' All InterNetNews users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-nntp/inn-2.4.3-r1' http://www.securityspace.com/smysecure/catid.html?in=GLSA%20200803-30 http://bugs.gentoo.org/show_bug.cgi?id=174759
Insight
An error in the usage of the ssl-cert eclass within multiple ebuilds might allow for disclosure of generated SSL private keys.
Severity
Low Severity
Classification
Related Vulnerabilities