Jonas Smedegaard
2012-May-01 15:53 UTC
[Secure-testing-team] Bug#671063: proftpd-basic: should renew dhparams.pem file (last updated on 2008-09-07)
Package: proftpd-basic
Severity: grave
Tags: security
Justification: user security hole

proftpd-basic ships with a file /etc/proftpd/dhparams.pem with the following header text:

# Note that these DH parameters should be refreshed every so often (e.g.
# every few years). These parameters were last updated on 2008-09-07.

Seems to me that "few years" have gone by now, and will be long gone by the end of the supported lifecycle of a stable Debian release.

I understand that the parameters are CPU-hungry to generate (I am trying right now on a virtual server and only half way through after an hour), so it makes sense to not generate at install time, and probably not at every build either.

I therefore suggest to not install the upstream provided file but one shipped with the Debian packaging, provide a custom build target to regenerate that file, and have the normal build routines check the embedded timestamp and fail if more than one year old.

Regards,

- Jonas
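The timestamp check and regeneration target proposed in the report, as an added shell example that is not part of the bug report or of the proftpd packaging. It assumes GNU `date -d` and `openssl` in PATH; the sample header is constructed from the text quoted above, and the one-year limit is the report's own threshold.

```shell
#!/bin/sh
# Added example: fail when the "last updated on YYYY-MM-DD" note in a
# dhparams.pem header is older than MAX_AGE_DAYS, and regenerate on demand.
MAX_AGE_DAYS=365

# Constructed sample file mirroring the header quoted in the bug report.
SAMPLE_PEM=$(mktemp)
cat > "$SAMPLE_PEM" <<'EOF'
# Note that these DH parameters should be refreshed every so often (e.g.
# every few years). These parameters were last updated on 2008-09-07.
EOF

# Print the YYYY-MM-DD date embedded in the header comment; fail if absent.
dhparams_date() {
  sed -n 's/.*last updated on \([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p' "$1" \
    | head -n 1 | grep .
}

# Age in whole days of the embedded date relative to now (GNU date assumed).
dhparams_age_days() {
  d=$(dhparams_date "$1") || return 1
  now=$(date +%s)
  stamp=$(date -d "$d" +%s) || return 1
  echo $(( (now - stamp) / 86400 ))
}

# Exit 0 when the parameters are within MAX_AGE_DAYS, 1 otherwise.
dhparams_fresh() {
  age=$(dhparams_age_days "$1") || return 1
  [ "$age" -le "$MAX_AGE_DAYS" ]
}

# Regeneration target: new parameters (2048-bit by default) with a dated
# header the check above can read. Slow, as the report observes.
regenerate_dhparams() {
  out="$1"; bits="${2:-2048}"
  {
    printf '# These DH parameters were last updated on %s.\n' "$(date +%F)"
    openssl dhparam "$bits" 2>/dev/null
  } > "$out"
}

if dhparams_fresh "$SAMPLE_PEM"; then
  echo "dhparams.pem is fresh"
else
  echo "dhparams.pem is stale: $(dhparams_age_days "$SAMPLE_PEM") days old" >&2
fi
```

Wiring `dhparams_fresh` into the build and `regenerate_dhparams` into a separate target gives the "fail if more than one year old" behaviour the report asks for.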