Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#40769 - [goagent] CA cert with known private key, TLS MITM
Attached to Project: Community Packages
Opened by L.J (april4) - Monday, 09 June 2014, 11:43 GMT
Last edited by Felix Yan (felixonmars) - Sunday, 22 June 2014, 15:40 GMT
Details

Description:
GoAgent vulnerabilities: CA cert with known private key, TLS MITM

Additional info:
* package version(s): All GoAgent versions

Steps to reproduce:
http://seclists.org/fulldisclosure/2014/Jun/9
1. We didn't ship the bundled CA certs, so no known keys were included.
2. We run goagent with "nobody" user by default, so the built-in key import-tool won't work (the user nobody won't have a valid nssdb).