activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stephen Dowdy <sdo...@ucar.edu>
Subject Security concerns with activemq tarball packaging
Date Wed, 30 Jun 2010 23:01:09 GMT
Hello,

I have some concerns about the download packages for ActiveMQ.
I tried to create a Jira account, but it didn't work (even after
getting the account signup confirmation), so i'm
posting this here in the hope one of the developers will catch it.

for apache-activemq-5.3.2-bin.tar.gz

  1) package file/dir permissions allow world-write to key components
  2) signing keys : 1 good, 1 expired, 1 not in KEYS file :-(

----------------------------
inconsistent ownership of files in tarball (some 0/0, some 501/501, some david/david)
world-writeable files by default:

-rwxrwxrwx david/david   83820 2010-04-26 15:57 apache-activemq-5.3.2/bin/wrapper.jar
-rwxrwxrwx david/david     592 2010-04-26 15:56 apache-activemq-5.3.2/conf/broker-localhost.cert
drwxrwxrwx 501/501           0 2010-04-26 15:57 apache-activemq-5.3.2/webapps/admin/
drwxrwxrwx 501/501           0 2010-04-26 15:57 apache-activemq-5.3.2/webapps/fileserver/
 etc...

It would make me feel a lot better if ownerships were consistent and there weren't any
world writeable components in the distribution tarball.  Yeah, i can change them
after extraction, but it's probably not good form to ship this way.  (and it doesn't
make the DoD Security Readiness Review checks very happy)

----------------------------
# ~sdowdy/bin/gpg-quick-verify apache-activemq-5.3.2-bin.tar.gz.asc
gpg: keyring `/tmp/gnupg.root.MxBNumyn/secring.gpg' created
gpg: keyring `/tmp/gnupg.root.MxBNumyn/pubring.gpg' created
gpg: /tmp/gnupg.root.MxBNumyn/trustdb.gpg: trustdb created
gpg: key F5BA7E4F: public key "Hiram Chirino <hiram@hiramchirino.com>" imported
gpg: key 56F3E01B: public key "David Jencks (geronimo) <david_jencks@yahoo.com>" imported
gpg: key 456DFEA9: public key "David M. Johnson (Dave Johnson) <snoopdave@apache.org>"
imported
gpg: key 17AA5B25: public key "David Johnson <snoopdave@apache.org>" imported
gpg: key 69CC103E: public key "Gary Tully (key for apache releases) <gary.tully@gmail.com>"
imported
gpg: key 2C983957: public key "Bruce Snyder <bsnyder@apache.org>" imported
gpg: key 6852C7DA: public key "Dejan Bosanac <dejan@nighttale.net>" imported
gpg: Total number processed: 7
gpg:               imported: 7  (RSA: 1)
gpg: no ultimately trusted keys found
%%%%% Checking apache-activemq-5.2.0-bin.tar.gz.asc
gpg: Signature made Thu 06 Nov 2008 03:48:13 AM MST using DSA key ID 69CC103E
gpg: Good signature from "Gary Tully (key for apache releases) <gary.tully@gmail.com>"
********* Okay, one GOOD signature *********
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1C79 8312 378D 94C0 4D94  7587 F135 DBE2 69CC 103E
%%%%% Checking apache-activemq-5.3.0-bin.tar.gz.asc
gpg: Signature made Thu 08 Oct 2009 04:36:52 AM MDT using DSA key ID 6852C7DA
gpg: Good signature from "Dejan Bosanac <dejan@nighttale.net>"
gpg: Note: This key has expired!
******** Good, but expired key **********
Primary key fingerprint: A526 834C C957 4F59 465A  0C88 C31A 3F70 6852 C7DA
%%%%% Checking apache-activemq-5.3.2-bin.tar.gz.asc
gpg: Signature made Mon 26 Apr 2010 04:24:47 PM MDT using RSA key ID A2F9E313
gpg: Can't check signature: public key not found
******** doesn't exist in supplied KEYS file **********
/bin/rm -rf /tmp/gnupg.root.MxBNumyn


thanks,
--stephen
-- 
Stephen Dowdy  -  Systems Administrator  -  NCAR/RAL
303.497.2869   -  sdowdy@ucar.edu        -  http://www.ral.ucar.edu/~sdowdy/


Mime
View raw message