quassel-core generates an insecure certificate upon installation
Bug #1455990 reported by Michael Marley
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
quassel (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
After installation, quassel-core generates a 1024-bit certificate using the SHA1 hash. Both of these are considered deprecated and somewhat insecure. The attached patch updates the postinst script to generate a 4096-bit certificate using the SHA256 hash instead.
The SHA256 certificate will not cause any compatibility problems because OpenSSL 1.0.0 and later support SHA256 certificates. All supported versions of Ubuntu and Debian have at least 1.0.1 and the supported Windows and Mac builds of Quassel are additionally compiled with a recent enough version to support the SHA256 certificate.
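A way to check an existing certificate for the two weaknesses the report names (RSA key size and SHA1 signature) and to generate a replacement with the 4096-bit/SHA256 parameters it proposes. This is an added example, not the attached debdiff or the package's postinst script; the function names, the 2048-bit floor, the subject name, the 365-day lifetime and the separate `.key` output file are assumptions.

```shell
#!/bin/sh
# Added example: audit a PEM certificate for a short RSA key or an MD5/SHA1
# signature, and generate a 4096-bit/SHA256 self-signed replacement.
# Assumption: 2048 bits is the lowest RSA size accepted; override via env.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

# classify_cert BITS SIGALG -> prints "ok" or "weak" (RSA keys only; an EC
# key's bit count is not comparable to this threshold).
classify_cert() {
    verdict=ok
    [ "$1" -ge "$MIN_RSA_BITS" ] 2>/dev/null || verdict=weak
    case "$2" in
        md5*|sha1*|*SHA1) verdict=weak ;;
    esac
    printf '%s\n' "$verdict"
}

# audit_cert FILE -> prints "<bits> <signature algorithm> <verdict>"
audit_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    printf '%s %s %s\n' "$bits" "$sig" "$(classify_cert "$bits" "$sig")"
}

# make_cert CERT_OUT [BITS] -> writes CERT_OUT and CERT_OUT.key
# (subject name and lifetime are constructed sample values)
make_cert() {
    ( umask 077   # private key must not be group/world readable
      openssl req -x509 -nodes -newkey "rsa:${2:-4096}" -sha256 -days 365 \
          -subj "/CN=core.example.invalid" -keyout "$1.key" -out "$1" )
}

# Stand-alone use: ./audit.sh /path/to/cert.pem
if [ "$#" -gt 0 ]; then
    audit_cert "$1"
fi
```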
information type: Public → Public Security
The attachment "certificate.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]