Posted to users@activemq.apache.org by Stephen Dowdy <sd...@ucar.edu> on 2010/07/01 01:01:09 UTC

Security concerns with activemq tarball packaging

Hello,

I have some concerns about the download packages for ActiveMQ.
I tried to create a Jira account, but it didn't work (even after
getting the account signup confirmation), so I'm
posting this here in the hope one of the developers will catch it.

for apache-activemq-5.3.2-bin.tar.gz

  1) package file/dir permissions allow world-write to key components
  2) signing keys : 1 good, 1 expired, 1 not in KEYS file :-(

----------------------------
inconsistent ownership of files in tarball (some 0/0, some 501/501, some david/david)
world-writeable files by default:

-rwxrwxrwx david/david   83820 2010-04-26 15:57 apache-activemq-5.3.2/bin/wrapper.jar
-rwxrwxrwx david/david     592 2010-04-26 15:56 apache-activemq-5.3.2/conf/broker-localhost.cert
drwxrwxrwx 501/501           0 2010-04-26 15:57 apache-activemq-5.3.2/webapps/admin/
drwxrwxrwx 501/501           0 2010-04-26 15:57 apache-activemq-5.3.2/webapps/fileserver/
 etc...

It would make me feel a lot better if ownerships were consistent and there weren't any
world writeable components in the distribution tarball.  Yeah, I can change them
after extraction, but it's probably not good form to ship this way.  (and it doesn't
make the DoD Security Readiness Review checks very happy)

----------------------------
# ~sdowdy/bin/gpg-quick-verify apache-activemq-5.3.2-bin.tar.gz.asc
gpg: keyring `/tmp/gnupg.root.MxBNumyn/secring.gpg' created
gpg: keyring `/tmp/gnupg.root.MxBNumyn/pubring.gpg' created
gpg: /tmp/gnupg.root.MxBNumyn/trustdb.gpg: trustdb created
gpg: key F5BA7E4F: public key "Hiram Chirino <hi...@hiramchirino.com>" imported
gpg: key 56F3E01B: public key "David Jencks (geronimo) <da...@yahoo.com>" imported
gpg: key 456DFEA9: public key "David M. Johnson (Dave Johnson) <sn...@apache.org>" imported
gpg: key 17AA5B25: public key "David Johnson <sn...@apache.org>" imported
gpg: key 69CC103E: public key "Gary Tully (key for apache releases) <ga...@gmail.com>" imported
gpg: key 2C983957: public key "Bruce Snyder <bs...@apache.org>" imported
gpg: key 6852C7DA: public key "Dejan Bosanac <de...@nighttale.net>" imported
gpg: Total number processed: 7
gpg:               imported: 7  (RSA: 1)
gpg: no ultimately trusted keys found
%%%%% Checking apache-activemq-5.2.0-bin.tar.gz.asc
gpg: Signature made Thu 06 Nov 2008 03:48:13 AM MST using DSA key ID 69CC103E
gpg: Good signature from "Gary Tully (key for apache releases) <ga...@gmail.com>"
********* Okay, one GOOD signature *********
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1C79 8312 378D 94C0 4D94  7587 F135 DBE2 69CC 103E
%%%%% Checking apache-activemq-5.3.0-bin.tar.gz.asc
gpg: Signature made Thu 08 Oct 2009 04:36:52 AM MDT using DSA key ID 6852C7DA
gpg: Good signature from "Dejan Bosanac <de...@nighttale.net>"
gpg: Note: This key has expired!
******** Good, but expired key **********
Primary key fingerprint: A526 834C C957 4F59 465A  0C88 C31A 3F70 6852 C7DA
%%%%% Checking apache-activemq-5.3.2-bin.tar.gz.asc
gpg: Signature made Mon 26 Apr 2010 04:24:47 PM MDT using RSA key ID A2F9E313
gpg: Can't check signature: public key not found
******** doesn't exist in supplied KEYS file **********
/bin/rm -rf /tmp/gnupg.root.MxBNumyn


thanks,
--stephen
-- 
Stephen Dowdy  -  Systems Administrator  -  NCAR/RAL
303.497.2869   -  sdowdy@ucar.edu        -  http://www.ral.ucar.edu/~sdowdy/
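The permission and ownership checks the post describes, written out as an added Python example (not from the post or the ActiveMQ project): it scans a tar archive for entries with the other-write bit set and tallies uid/uname pairs so mixed ownership stands out. The archive it inspects is constructed in memory with hypothetical paths and owners that mirror the shapes shown above.

```python
import io
import stat
import tarfile
from collections import Counter

def audit_tarball(fileobj):
    """Return {'world_writable': [names with the other-write bit set],
    'owners': Counter of (uid, uname) pairs so mixed ownership is visible}."""
    world_writable, owners = [], Counter()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if member.mode & stat.S_IWOTH:
                world_writable.append(member.name)
            owners[(member.uid, member.uname)] += 1
    return {"world_writable": world_writable, "owners": owners}

def is_clean(result):
    """A release tarball should have no world-writable entries and one owner."""
    return not result["world_writable"] and len(result["owners"]) == 1

# Constructed sample (hypothetical paths/owners) reproducing the two findings:
# world-writable entries and a mix of uid 0, uid 501 and a named user.
SAMPLE_MEMBERS = [  # (name, mode, uid, uname, is_dir)
    ("sample-1.0/bin/wrapper.jar", 0o777, 1001, "david", False),
    ("sample-1.0/conf/broker.cert", 0o777, 1001, "david", False),
    ("sample-1.0/webapps/admin", 0o777, 501, "", True),
    ("sample-1.0/README.txt", 0o644, 0, "root", False),
    ("sample-1.0/lib/core.jar", 0o644, 0, "root", False),
]

def build_sample_tarball(members=SAMPLE_MEMBERS):
    """Write the constructed members into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, uid, uname, is_dir in members:
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid = mode, uid, uid
            info.uname = info.gname = uname
            if is_dir:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                data = b"placeholder"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

Pass an opened real archive to `audit_tarball` to run the same check on a downloaded release; `is_clean` returning False is the signal the post is asking the packagers to look at.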