Bugzilla – Bug 1216293
VUL-0: fdo-client: package ships private keys
Last modified: 2024-07-12 16:31:32 UTC
While working on reproducible builds for openSUSE, I found that our fdo-client package ships 3 random private key files. If these private keys are used, they are not secure and some other way should be implemented. And if they are not used, they should be dropped.
Reassign to maintainer. It seems generated during build, but not sure this makes sense.
SUSE:ALP:Source:Standard:1.0 https://build.opensuse.org/request/show/1125692
SUSE:Factory:Head https://build.opensuse.org/request/show/1125689
SUSE:SLE-15-SP3:Update:Products:MicroOS51 https://build.opensuse.org/request/show/1125697
SUSE:SLE-15-SP3:Update:Products:MicroOS52 https://build.opensuse.org/request/show/1125696
SUSE:SLE-15-SP4:Update:Products:Micro53 https://build.opensuse.org/request/show/1125695
SUSE:SLE-15-SP4:Update:Products:Micro54 https://build.opensuse.org/request/show/1125694
SUSE:SLE-15-SP5:Update:Products:Micro55 https://build.opensuse.org/request/show/1125693
OK, next run for ibs :-)
https://build.suse.de/request/show/312952
SUSE:SLE-15-SP3:Update:Products:MicroOS51:Update 312953
SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update 312954
SUSE:SLE-15-SP4:Update:Products:Micro53:Update 312955
SUSE:SLE-15-SP4:Update:Products:Micro54:Update 312957
SUSE:SLE-15-SP5:Update:Products:Micro55:Update 312958
assigned to security-team@suse.de
SUSE-SU-2023:4550-1: An update that has one security fix can now be installed. Category: security (moderate) Bug References: 1216293 Sources used: SUSE Linux Enterprise Micro 5.5 (src): fdo-client-1.0.0+git20210816.baa09b5-150500.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4549-1: An update that has one security fix can now be installed. Category: security (moderate) Bug References: 1216293 Sources used: openSUSE Leap Micro 5.4 (src): fdo-client-1.0.0+git20210816.baa09b5-150400.3.3.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): fdo-client-1.0.0+git20210816.baa09b5-150400.3.3.1 SUSE Linux Enterprise Micro 5.4 (src): fdo-client-1.0.0+git20210816.baa09b5-150400.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4548-1: An update that has one security fix can now be installed. Category: security (moderate) Bug References: 1216293 Sources used: openSUSE Leap Micro 5.3 (src): fdo-client-1.0.0+git20210816.baa09b5-150400.3.3.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): fdo-client-1.0.0+git20210816.baa09b5-150400.3.3.1 SUSE Linux Enterprise Micro 5.3 (src): fdo-client-1.0.0+git20210816.baa09b5-150400.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4547-1: An update that has one security fix can now be installed. Category: security (moderate) Bug References: 1216293 Sources used: SUSE Linux Enterprise Micro 5.2 (src): fdo-client-1.0.0+git20210816.baa09b5-150300.3.3.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): fdo-client-1.0.0+git20210816.baa09b5-150300.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2023:4584-1: An update that has one fix can now be installed. Category: recommended (moderate) Bug References: 1216293 Sources used: SUSE Linux Enterprise Micro 5.1 (src): fdo-client-1.0.0+git20210816.baa09b5-150300.1.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I've just checked and it looks like the version of fdo-client in ALP is still affected by this. Please submit there as well. SUSE:ALP:Source:Standard:1.0 fdo-client
(In reply to Alexander Bergmann from comment #12)
> I've just checked and it looks like the version of fdo-client in ALP is
> still affected by this. Please submit there as well.
>
> SUSE:ALP:Source:Standard:1.0 fdo-client
As far as I see, it is meanwhile there.
SUSE-SU-2024:2467-1: An update that has one security fix can now be installed. Category: security (moderate) Bug References: 1216293 Maintenance Incident: [SUSE:Maintenance:31502](https://smelt.suse.de/incident/31502/) Sources used: SUSE Linux Enterprise Micro 5.5 (src): fdo-client-1.0.0+git20210816.baa09b5-150500.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.