Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2025-01-03 23:03:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackware-current/patches/source/openssl/certwatch
Patrick J Volkerding fcc29dbb40 Thu Mar 17 19:46:28 UTC 2022 
patches/packages/bind-9.18.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  An assertion could occur in resume_dslookup() if the fetch had been shut
  down earlier.
  Lookups involving a DNAME could trigger an INSIST when "synth-from-dnssec"
  was enabled.
  A synchronous call to closehandle_cb() caused isc__nm_process_sock_buffer()
  to be called recursively, which in turn left TCP connections hanging in the
  CLOSE_WAIT state blocking indefinitely when out-of-order processing was
  disabled.
  The rules for acceptance of records into the cache have been tightened to
  prevent the possibility of poisoning if forwarders send records outside
  the configured bailiwick.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0667
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0635
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0396
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
  (* Security fix *)
patches/packages/bluez-5.64-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release:
  Fix issue with handling A2DP discover procedure.
  Fix issue with media endpoint replies and SetConfiguration.
  Fix issue with HoG queuing events before report map is read.
  Fix issue with HoG and read order of GATT attributes.
  Fix issue with HoG and not using UHID_CREATE2 interface.
  Fix issue with failed scanning for 5 minutes after reboot.
patches/packages/openssl-1.1.1n-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a high severity security issue:
  The BN_mod_sqrt() function, which computes a modular square root, contains
  a bug that can cause it to loop forever for non-prime moduli.
  For more information, see:
    https://www.openssl.org/news/secadv/20220315.txt
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1n-x86_64-1_slack15.0.txz:  Upgraded.
patches/packages/qt5-5.15.3_20220312_33a3f16f-x86_64-1_slack15.0.txz:  Upgraded.
  Thanks to Heinz Wiesinger for updating the fetch_sources.sh script to make
  sure that the QtWebEngine version matches the rest of Qt, which got the
  latest git pull compiling again.
  If a 32-bit userspace is detected, then:
  export QTWEBENGINE_CHROMIUM_FLAGS="--disable-seccomp-filter-sandbox"
  This works around crashes occuring with 32-bit QtWebEngine applications.
  Thanks to alienBOB.
2022-03-18 13:29:58 +01:00

130 lines
4 KiB
Bash
Raw Blame History

#!/bin/sh
#
# Will check all certificates stored in $CERTDIR for their expiration date,
# and will display (if optional "stdout" argument is given), or mail a warning
# message to $MAILADDR (if script is executed without any parameter
# - unattended mode suitable for cron execution) for each particular certificate
# that is about to expire in time less to, or equal to $DAYS after this script
# has been executed, or if it has already expired.
# This stupid script (C) 2006,2007 Jan Rafaj
########################## CONFIGURATION SECTION BEGIN #########################
# Note: all settings are mandatory
# Warning will be sent if a certificate expires in time <= days given here
DAYS=7
# E-mail address where to send warnings
MAILADDR=root
# Directory with certificates to check
CERTDIR=/etc/ssl/certs
# Directory where to keep state files if this script isnt executed with "stdout"
STATEDIR=/var/run
########################### CONFIGURATION SECTION END ##########################
PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAY_IN_SECS=$((60*60*24))
DATE_CURRENT=$(date '+%s')
usage()
{
echo "Usage: $0 [stdout]"
echo
echo "Detailed description and configuration is embedded within the script."
exit 0
}
message()
{
cat << EOF
WARNING: certificate $certfile
is about to expire in time equal to or less than $DAYS days from now on,
or has already expired - it might be a good idea to obtain/create new one.
EOF
}
message_mail()
{
message
cat << EOF
NOTE: This message is being sent only once.
A lock-file
$STATEDIR/certwatch-mailwarning-sent-$certfilebase
has been created, which will prevent this script from mailing you again
upon its subsequent executions by crond. You dont need to care about it;
the file will be auto-deleted as soon as you'll prolong your certificate.
EOF
}
unset stdout
case $# in
0) ;;
1) if [ "$1" = "-h" -o "$1" == "--help" ]; then
usage
elif [ "$1" = "stdout" ]; then
stdout=1
else
usage
fi
;;
*) usage ;;
esac
for dir in $STATEDIR $CERTDIR ; do
if [ ! -d $dir ]; then
echo "ERROR: directory $dir does not exist"
exit 1
fi
done
for binary in basename date find grep mail openssl touch ; do
if [ ! \( -x /usr/bin/$binary -o -x /bin/$binary \) ]; then
echo "ERROR: /usr/bin/$binary not found"
exit 1
fi
done
find $CERTDIR -type f -maxdepth 1 | while read certfile ; do
if [ "$certfile" != "/etc/ssl/certs/ca-certificates.crt" ]; then
certfilebase="$(basename "$certfile")"
inform=PEM
echo "$certfile" | grep -q -i '\.net$'
if [ $? -eq 0 ]; then
# This is based purely on filename extension, so may give false results.
# But lets assume noone uses NET format certs today, ok?
continue
fi
echo "$certfile" | grep -q -i '\.der$'
if [ $? -eq 0 -o "$(file "$certfile" | egrep '(ASCII|PEM)')" == "" ]; then
inform=DER
fi
# We wont use '-checkend' since it is not properly documented (as of
# OpenSSL 0.9.8e).
DATE_CERT_EXPIRES=$(openssl x509 -in "$certfile" -inform $inform -noout -enddate | sed 's/^notAfter=//')
DATE_CERT_EXPIRES=$(date -d"$DATE_CERT_EXPIRES" +%s)
if [ $(($DATE_CERT_EXPIRES - $DATE_CURRENT)) -le $(($DAYS * $DAY_IN_SECS)) ]
then
if [ $stdout ]; then
message
else
if [ ! -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then
subject="$0: certificate $certfile expiration warning"
message_mail | mail -r "certwatch@$HOSTNAME" \
-s "$subject" \
$MAILADDR 2>/dev/null
# echo "Mail about expiring certificate $certfile sent to $MAILADDR."
# echo "If you need to send it again, please remove lock-file"
# echo "$STATEDIR/certwatch-mailwarning-sent-$certfilebase ."
# echo
fi
touch $STATEDIR/certwatch-mailwarning-sent-"$certfilebase"
fi
else
if [ ! $stdout ]; then
if [ -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then
rm $STATEDIR/certwatch-mailwarning-sent-"$certfilebase"
fi
fi
fi
fi
done
Reference in a new issue View git blame Copy permalink