FS#40769 : [goagent] CA cert with known private key, TLS MITM

FS#40769 - [goagent] CA cert with known private key, TLS MITM

Attached to Project: Community Packages
Opened by L.J (april4) - Monday, 09 June 2014, 11:43 GMT
Last edited by Felix Yan (felixonmars) - Sunday, 22 June 2014, 15:40 GMT

Task Type	Bug Report
Category	Packages
Status	Closed
Assigned To	Felix Yan (felixonmars)
Architecture	All
Severity	Critical
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Description:
GoAgent vulnerabilities: CA cert with known private key, TLS MITM

Additional info:
* package version(s):
All GoAgent version

Steps to reproduce:
http://seclists.org/fulldisclosure/2014/Jun/9

This task depends upon

Closed by Felix Yan (felixonmars)
Sunday, 22 June 2014, 15:40 GMT
Reason for closing: Not a bug

Comment by Felix Yan (felixonmars) - Monday, 09 June 2014, 14:57 GMT

Well, I don't think we have the problem in our packages.

1. We didn't ship the bundled CA certs, so no known keys were included.
2. We run goagent with "nobody" user by default, so the built-in key import-tool won't work (the user nobody won't have a valid nssdb).

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#40769 - [goagent] CA cert with known private key, TLS MITM

Details

Loading...