webapp secret keys should be regenerated during installation

Bug #337612 reported by Alon Swartz
Affects | Status | Importance | Assigned to | Milestone
TurnKey Linux | Fix Released | High | Alon Swartz |
2009.02-hardy-x86 | New | Undecided | Unassigned |

Bug Description

Some TurnKey appliances (joomla, mediawiki, django, rails) are vulnerable to a cryptographic weakness due to the usage of a non-secret key.

The secret keys are mainly used in generating/verifying cookie session data.

Alon Swartz (alonswartz) wrote :

All appliances in the 2009.02 release include this fix.

It is recommended to regenerate the secret key on existing installations of appliances released prior to 2009.02.

Joomla
    variable: $secret
    path: /etc/joomla15/configuration.php

Mediawiki
    variable: $wgSecretKey
    path: /etc/mediawiki/LocalSettings.php

Django
    variable: SECRET_KEY
    path: /var/www/django-sites/apps/settings.py

Rails
    variable: :secret
    path: /var/www/railsapp/config/environment.rb

Changed in turnkeylinux:
assignee: nobody → alonswartz
importance: Undecided → High
status: New → Fix Released
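
Added example, not part of the original report or of TurnKey's fix: one way to regenerate the four keys listed in the comment above. The paths and variable names come from that comment; the assignment syntax each pattern matches, the `rotate` and `demo` helpers, and the sample lines are assumptions made for illustration.

```python
import os
import re
import secrets
import tempfile

QUOTED = r"(['\"]).*?\2"  # a single- or double-quoted value on one line
# Paths and variable names are from the comment above; the assignment
# syntax each pattern expects is an assumption about how the files look.
TARGETS = {
    "/etc/joomla15/configuration.php": r"(\$secret\s*=\s*)" + QUOTED,
    "/etc/mediawiki/LocalSettings.php": r"(\$wgSecretKey\s*=\s*)" + QUOTED,
    "/var/www/django-sites/apps/settings.py": r"(^SECRET_KEY\s*=\s*)" + QUOTED,
    "/var/www/railsapp/config/environment.rb": r"(:secret\s*=>\s*)" + QUOTED,
}
# Constructed sample lines, not copied from a real appliance.
SAMPLES = {
    "configuration.php": "var $secret = 'shipped-key';\n",
    "LocalSettings.php": '$wgSecretKey = "shipped-key";\n',
    "settings.py": "SECRET_KEY = 'shipped-key'\n",
    "environment.rb": "  :session_key => '_app', :secret => 'shipped-key'\n",
}

def rotate(path, pattern):
    """Swap the quoted secret in `path` for 256 fresh random bits."""
    with open(path) as f:
        text = f.read()
    key = secrets.token_hex(32)  # hex only: safe inside PHP/Python/Ruby quotes
    new_text, hits = re.subn(
        pattern, lambda m: m.group(1) + m.group(2) + key + m.group(2),
        text, flags=re.M)
    if hits != 1:  # refuse to guess if the setting is missing or duplicated
        raise ValueError(f"{path}: expected 1 secret assignment, found {hits}")
    with open(path, "w") as f:  # in-place write keeps the file's owner and mode
        f.write(new_text)
    return key

def demo():
    """Rotate the secret in temporary copies built from SAMPLES."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for real_path, pattern in TARGETS.items():
            name = os.path.basename(real_path)
            copy = os.path.join(tmp, name)
            with open(copy, "w") as f:
                f.write(SAMPLES[name])
            key = rotate(copy, pattern)
            with open(copy) as f:
                results[name] = (key, f.read())
    return results

if __name__ == "__main__":
    for name, (key, text) in demo().items():
        print(name, "->", text.strip())
```

On an appliance, call `rotate(path, pattern)` for each entry in `TARGETS` instead of `demo()`. Cookies signed with the old key stop validating afterwards, and the Django and Rails processes need a restart to load the new value.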