The SSL certificate is the same in any Live box

Bug #337723 reported by Juanje Ojeda
Affects | Status | Importance | Assigned to | Milestone
casper (Guadalinex) | Fix Released | High | Juanje Ojeda |
casper (Ubuntu) | Fix Released | High | Unassigned |

Bug Description

Binary package hint: casper

The SSL certificate '/etc/ssl/private/ssl-cert-snakeoil.key' is the same on any running Ubuntu live system, since the key is generated by the package when the filesystem.squashfs is created. And this filesystem.squashfs is the same on all the CDs people download and burn.

This certificate is used by different servers (mail, web, ftp and so on), but it is also used for browsing over https, which could be a security issue if every user uses the same SSL certificate that you can easily get from the live CD.

Ubiquity (live-installer) already does it, but the live system doesn't.

This issue happens in Jaunty but is also present in the earlier versions.

Tags: live ssl ssl-cert
Juanje Ojeda (juanje)
Changed in casper:
assignee: nobody → juanje
importance: Undecided → High
status: New → Fix Committed
Colin Watson (cjwatson)
Changed in casper:
status: New → Fix Committed
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package casper - 1.161

---------------
casper (1.161) jaunty; urgency=low

  [ Juanje Ojeda ]
  * Regenerate SSL certificate at boot so that it isn't the same for all
    live CD users (LP: #337723).

 -- Colin Watson <email address hidden> Tue, 10 Mar 2009 10:39:21 +0000

Changed in casper:
status: Fix Committed → Fix Released
Juanje Ojeda (juanje)
Changed in casper:
status: Fix Committed → Fix Released
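
A fleet-side check for the condition this bug describes, as an added example (not code from casper or from the bug thread): it groups hosts by the SHA-256 fingerprint of the certificate each one presents and reports any certificate seen on more than one host. The host names and certificate bytes are constructed placeholders, and collecting the PEM text from each host is assumed to happen elsewhere.

```python
import hashlib
import ssl
from collections import defaultdict


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, so PEM line wrapping does not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def shared_certificates(certs_by_host: dict) -> dict:
    """Return {fingerprint: [hosts]} for every certificate seen on 2+ hosts."""
    groups = defaultdict(list)
    for host, pem in certs_by_host.items():
        groups[cert_fingerprint(pem)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


# Constructed sample data: placeholder bytes stand in for real DER certificates.
IMAGE_CERT = ssl.DER_cert_to_PEM_cert(b"constructed: certificate baked into the image")
REGENERATED = ssl.DER_cert_to_PEM_cert(b"constructed: certificate made at boot")

SAMPLE = {
    "live-a.example": IMAGE_CERT,
    # Same certificate with CRLF line endings, as if copied through another tool.
    "live-b.example": IMAGE_CERT.replace("\n", "\r\n"),
    # A host whose certificate was regenerated at boot stands alone.
    "live-c.example": REGENERATED,
}

if __name__ == "__main__":
    for fp, hosts in shared_certificates(SAMPLE).items():
        print(f"{fp[:16]}... shared by {', '.join(hosts)}")
```

Any fingerprint this reports on hosts that should have independent keys means those hosts are serving the image-baked certificate rather than one generated locally.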
This report contains Public Security information  
Everyone can see this security related information.
