
cacert-sysadm - Re: URGENT OpenSSL flaw Fwd: [Discuss] [Full-disclosure] incorrect integer conversions in OpenSSL can result in memory corruption.

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

List archive

Re: URGENT OpenSSL flaw Fwd: [Discuss] [Full-disclosure] incorrect integer conversions in OpenSSL can result in memory corruption.


Chronological Thread 
  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: Guillaume ROMAGNY <guillaume AT cacert.org>
  • Cc: cacert-sysadm AT lists.cacert.org, Philipp Gühring <pg AT futureware.at>, critical-admin AT cacert.org, iang AT cacert.org, iang AT iang.org
  • Subject: Re: URGENT OpenSSL flaw Fwd: [Discuss] [Full-disclosure] incorrect integer conversions in OpenSSL can result in memory corruption.
  • Date: Fri, 20 Apr 2012 11:20:51 +0200
  • Organization: CAcert

Hi Guillaume,

On 20.04.2012 01:31, Guillaume ROMAGNY wrote:
> Sure we need to upgrade, but is it a rush? So we can wait for Debian packages?
> Because at worst, the system may crash when parsing a wrong X509 or RSA
> public key (and the security advisory is quite limited in fact). There is
> nothing saying remote execution is possible, or anything about the front end or
> signing machine leaking the Root private keys.
> 
> Am I right or not ?

The worst case would not just be a crash, but a successful exploit of some
buffer overflow resulting in e.g. running a remote shell on the webdb server.
That would not affect the signer, but would still be a threat to the
integrity and privacy of the CAcert user/certificate database. Whether this
is really possible, we don't know, but we deemed it unlikely that it would
be possible within 24 hours after release of the security advisory. Hence
we've not turned off the service but have used the official Debian update,
which came out quite fast actually. Only we needed some more time to sleep,
and evaluate it on Debian Lenny. Inspection of the log files has not revealed
any suspect activities.

Regards,
-- wytze

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature




Archive powered by MHonArc 2.6.16.
